How it Works
Netgear orporated
Loading...
FWAG114
DoC Statement
1 pgs38.47 Kb0
Users Manual
158 pgs2.75 Mb0
Table of contents
Loading...

Netgear orporated FWAG114 Users Manual

Download

Reference Manual for the Model FWAG114 Cable/ DSL Wireless ProSafe Firewall

NETGEAR, Inc.
4500 Great America Parkway Santa Clara, CA 95054 USA
SM-FWAG114NA-0 Version 1.0 March 2003
© 2002 by NETGEAR, Inc. All rights reserved.
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This device  may not cause harmful interference, and (2) this device must accept any interference received, including interference that  may cause undesired operation.  FCC Caution: Any changes or modifications not expressly approved by the party responsible for compliance could void  the user's authority to operate this equipment.  IMPORTANT NOTE: FCC Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This equipment  should be installed and operated with minimum distance 20cm between the radiator & your body. If this device is going to be operated in 5.15 ~ 5.25GHz frequency range, then it is restricted in indoor environment only. This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
EN 55 022 Declaration of ConformanceThis is to certify that the Model FWAG114 Cable/DSL Wireless ProSafe Firewall is  shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC,  Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22).
Trademarks
NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corpor at io n. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liabi l ity that may occur due to the use or applicat ion of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has b een tested and found to comply with the limit s for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protecti on against harmful interference in a residential inst allation. This equipment generates, uses, a nd can radiate radio frequency energy and, if not installed and used in accordance with the inst ructions, m ay caus e harmful inte rference to radio c ommunic ations. Ho wever, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving an t enna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help .
EN 55 022 Declaration of Conformance
This is to certify that the Model FWAG114 Cable/DSL Wireless ProSafe Firewall is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B ( CISPR 22).
ii
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß das Model FWAG114 Cable/DSL Wireless ProSafe Firewall gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B . Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wur de davon unterrich tet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the Model FWAG114 Cable/DSL Wireless ProSafe Firewall has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/199 1 and Vfg 46/1992. The oper ation of some equipment (for example, test transm itt ers) i n accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information eq uipment to be used in a residen tial area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference i n such residential areas.
When used near a radio or TV receiver, it may become the cause of radi o i nt erference. Read instructions for correct handling.
Customer Support
Refer to the Support Information Card that shipped with your Model FWAG114 Cable/DSL Wireless ProSafe Firewall .
World Wide Web
NETGEAR maintains a World Wide Web home page that you can access at the universal resource locat or (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.
iii
iv

Contents

About This Manual

Audience ....................................................................................................................... .xi
Typographical Conventions .......................................................................................... .xi
Special Message Formats ............................................................................................ xii

Chapter 1 Introduction

Key Features of the Firewall ...........................................................................................1-1
802.11g and 802.11b Wireless Networking ..............................................................1-2
A Powerful, True Firewall with Content Filtering ......................................................1-2
Security ....................................................................................................................1-3
Autosensing Ethernet Connections with Auto Uplink™ ...........................................1-3
Extensive Protocol Support ......................................................................................1-4
Easy Installation and Management ..........................................................................1-4
Maintenance and Support ........................................................................................1-5
Package Contents ..........................................................................................................1-5
The Firewall’s Front Panel .......................................................................................1-6
The Firewall’s Rear Panel ........................................................................................1-6

Chapter 2 Connecting the Firewall to the Internet

What You Will Need Before You Begin ...........................................................................2-1
Cabling and Computer Hardware Requirements .....................................................2-1
Computer Network Configuration Requirem ents ..... ....... ...... ...... .............................2-1
Internet Configuration Requirements .......................................................................2-2
Where Do I Get the Internet Configuration Parameters? .........................................2-2
Record Your Internet Connection Information ..........................................................2-3
Connecting the Model FWAG114 Cable/DSL Wireless ProSafe Firewall to Your LAN .2-4
PPPoE Wizard-Detected Option ..............................................................................2-8
Telstra Bigpond Cable Wizard-Detected Option .......................................................2-9
Dynamic IP Wizard-Detected Option .....................................................................2-10
Contents v
Fixed IP Account Wizard-Detected Option .. ....... ....................................................2-11
Manually Configuring Your Internet Connection ...........................................................2-12

Chapter 3 Wireless Configuration

Observe Performance, Placement, and Range Guidelines ............................................3-1
Implement Appropriate Wireless Security ......................................................................3-2
Understanding Wireless Settings ...................................................................................3-3
Common Wireless Settings ......................................................................................3-5
Understanding WEP Authentication and Encryption ................................................3-6
Authentication Scheme Selection ......................................................................3-6
Encryption Strength Choices .............................................................................3-6
Default Factory Settings ...........................................................................................3-7
Before You Change the SSID and WEP Settings ....................................................3-7
How to Set Up and Test Basic Wireless Connectivity ..............................................3-9
How to Restrict Wireless Access by MAC Address ...............................................3-10
How to Configure WEP ..........................................................................................3-12

Chapter 4 Firewall Protection and Content Filtering

Firewall Protection and Content Filtering Overview ........................................................4-1
Block Sites ......................... ...... ....... ...... ....... ...... ............................................. ................4-2
Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-3
Inbound Rules (Port Forwarding) .............................................................................4-5
Inbound Rule Example: A Local Public Web Server ..........................................4-6
Inbound Rule Example: Allowing Videoconference from Restricted Addresses 4-7
Considerations for Inbound Rules .....................................................................4-7
Outbound Rules (Service Blocking) .........................................................................4-8
Following is an application example of outbound rules: ....................................4-8
Outbound Rule Example: Blocking Instant Messenger .....................................4-8
Order of Precedence for Rules ................................................................................4-9
Default DMZ Server .................................................................................................4-9
Respond to Ping on Internet WAN Port .................................................................4-10
Services ...................... .............................................. ............................................. .......4-11
Using a Schedule to Block or Allow Specific Traffic ......................................................4-13
Time Zone ........................................................................................................4-14
Getting E-Mail Notifications of Event Logs and Alerts ..................................................4-15
vi Contents
Viewing Logs of Web Access or Attempted Web Access .............................................4-17
Examples of log messages ....................................................................................4-19
Activation and Administration ..........................................................................4-19
Dropped Packets .............................................................................................4-19
Syslog ....................................................................................................................4-20
Configuring E-Mail Alert and Web Access Log Notifications ........................................4-20

Chapter 5 Maintenance

Viewing Firewall Status Information ................................................................................5-1
Viewing a List of Attached Devices .................................................................................5-5
Upgrading the Router Software ......................................................................................5-5
Configuration File Management .....................................................................................5-6
Restoring and Backing Up the Configuration ...........................................................5-7
Erasing the Configuration .........................................................................................5-8
Changing the Administrator Password ...........................................................................5-8

Chapter 6 Advanced Configuration

Configuring for Port Forwarding to Local Servers ..........................................................6-1
Adding a Custom Service .........................................................................................6-2
Editing or Deleting a Port Forwarding Entry .............................................................6-3
Local Web and FTP Server Example .......................................................................6-3
Multiple Computers for Half Life, KALI or Quake III Example ..................................6-3
Configuring the WAN Setup Options ..............................................................................6-4
Setting Up a Default DMZ Server .............................................................................6-4
Respond to Ping on Internet WAN Port ...................................................................6-5
Setting the MTU Size ...............................................................................................6-5
Using the LAN IP Setup Options ....................................................................................6-6
Configuring LAN TCP/IP Setup Parameters ............................................................6-6
Using the Router as a DHCP server ........................................................................6-7
Using Address Reservation ......................................................................................6-8
Using a Dynamic DNS Service .......................................................................................6-9
Configuring Static Routes .............................................................................................6-10
Enabling Remote Management Access .......................................................................6-12
Using Universal Plug and Play (UPnP) ........................................................................6-14
Contents vii

Chapter 7 Troubleshooting

Basic Functioning ................................. ....... ...... ....... ...................................... ....... ...... ...7-1
Power LED Not On ...................................................................................................7-1
LEDs Never Turn Off ................................................................................................7-2
LAN or WAN Port LEDs Not On ...............................................................................7-2
Troubleshooting the Web Configuration Interface ..........................................................7-3
Troubleshooting the ISP Connection ..............................................................................7-4
Troubleshooting a TCP/IP Network Using a Ping Utility .................................................7-5
Testing the LAN Path to Your Router .......................................................................7-5
Testing the Path from Your PC to a Remote Device ................................................7-6
Restoring the Default Configuration and Password ........................................................7-7
Problems with Date and Time .........................................................................................7-7

Appendix A Technical Specifications

Appendix B Network, Routing, Firewall, and Basics

Related Publications ...................................................................................................... B-1
Basic Router Concepts ................... ...... ....... ...... ............................................. ............... B-1
What is a Router? ................................................................................................... B-2
Routing Information Protocol ................................................................................... B-2
IP Addresses and the Internet ....................................................................................... B-2
Netmask ............................ ................................................................. ..................... B-4
Subnet Addressing .................................................................................................. B-5
Private IP Addresses ............................................................................................... B-7
Single IP Address Operation Using NAT ....................................................................... B-8
MAC Addresses and Address Resolution Protocol ................................................. B-9
Related Documents ................................................................................................. B-9
Domain Name Server ............................................................................................ B-10
IP Configuration by DHCP ........................................................................................... B-10
Internet Security and Firewalls .................................................................................... B-10
What is a Firewall? .................................................................................................B-11
Stateful Packet Inspection ...............................................................................B-11
Denial of Service Attack ..................................................................................B-11
Ethernet Cabling .......................................................................................................... B-12
viii Contents
Uplink Switches, Crossover Cables, and MDI/MDIX Switching ............................ B-12
Cable Quality ......................................................................................................... B-13

Appendix C Preparing Your Network

Preparing Y our Computers for TCP/IP Networking .......................................................C-1
Configuring Windows 95, 98, and Me for TCP/IP Networking .......................................C-2
Install or Verify Windows Networking Components ................................................. C-2
Enabling DHCP to Automatically Configure TCP/IP Settings C-4
Selecting Windows’ Internet Access Method ..................................... ...... ....... ...... .. C-6
Verifying TCP/IP Properties ....................................................................................C-6
Configuring Windows NT4, 2000 or XP for IP Networking ............................................ C-7
Install or Verify Windows Networking Components ................................................. C-7
DHCP Configuration of TCP/IP in Windows XP, 2000, or NT4 ............................... C-8
DHCP Configuration of TCP/IP in Windows XP ..................................................... C-8
DHCP Configuration of TCP/IP in Windows 2000 ................................................C-10
DHCP Configuration of TCP/IP in Windows NT4 .................................................. C-13
Verifying TCP/IP Properties for Windows XP, 2000, and NT4 .............................. C-15
Configuring the Macintosh for TCP/IP Networking ......................................................C-16
MacOS 8.6 or 9.x .............. ....... ...... ....... ...... ....... ...... ....... ...... ...... ....... ...... ....... ...... C-16
MacOS X .. ...... ...... ....... ...... ....... ...... ............................................. ....... ...................C -16
Verifying TCP/IP Properties for Macintosh Computers ......................................... C-17
Verifying the Readiness of Your Internet Account .......................................................C-18
Are Login Protocols Used? ...................................................................................C-18
What Is Your Configuration Information? .............................................................. C-18
Obtaining ISP Configuration Information for Windows Computers ....................... C-19
Obtaining ISP Configuration Information for Macintosh Computers ..................... C-20
Restarting the Network ................................................................................................C-21

Appendix D Wireless Networking Basics

Wireless Networking Overview ...................................................................................... D-1
Infrastructure Mode ..................................... ....... ...... ....... ...... ...... ....... ...... ....... ...... .. D-2
Ad Hoc Mode (Peer-to-Peer Workgroup) ................................................................D-2
Network Name: Extended Service Set Identification (ESSID) ................................D-2
Authentication and WEP Data Encryption .....................................................................D-3
802.11 Authentication .............................................................................................. D-3
Contents ix
Open System Authentication .... ...... ....... ...... ....... ...... ...............................................D-4
Shared Key Authentication ......................................................................................D-4
Overview of WEP Parameters .............. ...................................... ....... ...... ....... ...... .. D-5
Key Size .................................................................................................................. D-6
WEP Configuration Options .................................................................................... D-7
Wireless Channels ......................................................................................................... D-7
802/11b/g Wireless Channels .................................................................................D-8
802/11a Legal Power Output and Wireless Channels ............................................. D-9
Glossary Index
x Contents

About This Manual

Congratulations on your purchase of the NETGEAR® Model FWAG114 Cable/DSL Wireless ProSafe Fi rewall .
The FWAG114 wireless firewall provides connection for multiple personal computers (PCs) to the Internet throu gh an exte rnal broa dband acce ss devic e (such a s a cable modem or DSL modem) that is normally intended for use by a single PC.

Audience

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial information is provided in the Appendices and on the Netgear website.

Typographical Conventions

This guide uses the following typographical conventions: italics Media titles, UNIX files, commands, URLs, and directory names. bold times roman User input Internet Protocol
courier font Screen text, user-typed command-line entries.
[Enter] Named keys in text are shown enclosed in square brackets. The notation
[Ctrl]+C Two or more keys that must be pressed simultaneously are shown in text
MALL CAPS DOS file and directory names.
S
About This Manual xi
(IP)First time an abbreviated term is used.
[Enter] is used for the Enter key and the Return key.
linked with a plus (+) sign.
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Special Message Forma ts

This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
xii About This Manual
Chapter 1
Introduction
This chapter describes the features of the NETGEAR Model FWAG114 Cable/DSL Wireless ProSafe Fi rewall .

Key Features of the Firewall

The Model FWAG114 Cable/DSL Wireless ProSafe Firewall with 4-port switch connects your local area network or DSL modem.
The FWAG114 is a complete security solution tha t protects your network from attacks and intrusions. Unlike simple Internet sharing routers that rely on NAT for security, the FWAG114 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The FWAG114 allows Internet access for up to 253 users. The FWAG114 wireless firewall provides you with multiple Web content filtering options, plus browsing activity reporting and instant alerts -- both via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, Website addresses and address keywords, and share high-speed cable/DSL Internet access for up to 253 personal computers. In addition to the Network Address Translation (NAT) feature, the built-in firewall protects you from hackers.
(LAN) to the Internet t hrough an extern al a ccess de vice su ch as a cabl e modem
With minimum setup, you can install and use the router within minutes. The FWAG114 wireless firewall provides the following features:
802.11 g and 802.11b Standards-based wireless networking.
Easy, web-based setup for installation and management.
Content Filtering and Site Blocking Security.
Built in 4-port 10/100 Mbps Switch.
Introduction 1-1
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Ethernet connection to a wide area network (WAN) device, such as a cable modem or DSL modem.
Extensive Protocol Support.
Login capability.
Front panel LEDs for easy monitoring of status and activity.
Flash memory for firmware upgrade.

802.11g and 802.11b Wireless Networking

The FWAG114 wireless firewall includes an 802.11b-compliant wireless access point, providing continuous, high-speed 11 Mbps access between your wireless and Ethernet devices. The access point provides:
802.11b Standards-based wireless networking at up to 11 Mbps.
802.11g wireless networking at up to 54 Mbps, which will conform to the 802.11g standard when ratified.
64-bit and 128-bit WEP encryption security.
WEP keys can be generated manually or by passphrase.
Wireless access can be restricted by MAC address.
Wirele ss n et work n ame br oadcast can be turned of f so that only devices that ha ve the network name (SSID) can connect.

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT routers, the FWAG114 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
Denial of Service Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND
Attack, and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs sec urity incidents.
1-2 Introduction
(DoS) protection.
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
The FWAG114 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the router to email the log to you at specified intervals. You can also configure the router to send immediate alert messages to your email address or email pager whenever a significant event occurs.
With its content filtering feature, the FWAG114 prevents objectionable content from reaching your PCs. The router allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the router to log and report attempts to access objectionable Internet sites .

Security

The FW AG114 wireless firewall is equipped with several features designed to maintain security, as described in this section.
PCs Hidden by NAT NAT opens a temporary path to the Interne t for requests originating from the local network . Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.
Port Forwarding with NAT Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the router allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request, or to one designated “DMZ” host computer. You can specify forwarding of single ports or ranges of ports.

Autosensing Ethernet Connections with Auto Uplink™

With its internal 8-port 10/100 switch, the FWAG114 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
TM
The router incorporates Auto Uplink whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
Introduction 1-3
technology. Each Ethernet port will automatically sense
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Extensive Protocol Support

The FWAG114 wireless firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol
Appendix B, “Network, Routing, Firewall, and Basics.”
IP Address Sharing by NAT The FWAG114 wireless firewall allows several networked PCs to share an Internet accoun t using only a single IP address, which may be statically or dynamically assigned by your Internet service provider inexpensive single-user ISP account.
Automatic Configuration of Attached PCs by DHCP The FWAG114 wireless firewall dynamically assigns network configuration information, including IP, gateway, and domain name server using the Dynamic Host Configuration Protocol configuration of PCs on your local network.
DNS Proxy When DHCP is enabled and no DNS addresses are specified, the router provides its own address as a DNS server to the attached PCs. The router obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
(ISP). This technique, known as NAT, allows the use of an
(RIP). For further information about TCP/IP, refer to
(DNS) addresses, to attached PCs on the LAN
(DHCP). This feature gr eatly simpli fies
PPP over Ethernet PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as Entersys or WinPOET on your PC.
(PPPoE)

Easy Installation and Management

You can install, configure, and operate the Model FWAG114 Cable/DSL Wireless ProSafe Firewall within minutes after connecting it to the network. The following features sim plify installation and management tasks:
Browser-based management Browser-based configuration allows you to easily configure your router from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user -fr iendly Setu p W izard is provided and online help documentation is built into the browser-based Web Management Interface.
Smart Wizard The FWAG114 wireless firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
1-4 Introduction
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Diagnostic functions The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot.
Remote management The firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specif ied remote IP address or range of addresses, and you can choose a nonstandard port number.
Visual monitoring The FWAG114 wireless firewall’s front panel LED s provide an easy way to monitor its stat us and activity.

Maintenance and Support

NETGEAR offers the followi ng feature s to help you maxi mize your use of the FWAG11 4 wireless firewall:
Flash memory for firmware upgrade
Free technical support seven days a week, twenty-four hours a day

Package Contents

The product package should contain the following items:
Model FWAG114 Cable/DSL Wireless ProSafe Firewall .
AC power adapter.
Category 5 (CAT5) Ethernet cable.
Model FWAG114 Resource CD, including: — This guide. — Application Notes and other helpful information.
FWAG114 Cable/DSL Wireless ProSafe Firewall Installation Guide.
Registration and Warranty Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the router for repair.
Introduction 1-5
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

The Firewall’s Front Panel

The front panel of the FWAG114 wireless firewall contains the status LEDs described below.
need product front panel photo
Figure 1-1: FWAG114 Front Panel
You can use some of the LEDs to verify connections. Viewed from left to right, Table 1-1 describes the LEDs on the front panel of the router. These LEDs are green when lit.
Table 1-1. LED Descriptions
Label Activity Description
POWER On Power is supplied to the firewall. TEST On
Off
INTERNET
100 (100 Mbps) On
Off
LINK/ACT (Link/Activity)
LOCAL
100 (100 Mbps) On
LINK/ACT (Link/Activity)
WLAN On The Wireless (WLAN) port is operating.
On Blinking
Off On
Blinking
The system is initializing. The system is ready and running.
The Internet (WAN) port is operating at 100 Mbps. The Internet (WAN) port is operating at 10 Mbps.
The Internet port has detected a link with an attached device. Data is being transmitted or received by the Internet port.
The Local port is operating at 100 Mbps. The Local port is operating at 10 Mbps.
The Local port has detected a link with an attached device. Data is being transmitted or received by the Local port.

The Firewall’s Rear Panel

The rear panel of the FWAG114 wireless firewall contains the port connections listed below.
1-6 Introduction
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
need product back panel photo
Figure 1-2: FWAG114 Rear Panel
Viewed from left to rig ht, the rear pa nel contains the following features:
AC power adapter outlet
Four Local (LAN) Ethernet ports for connecting the router to the local PCs
Internet (WAN) Ethernet port for connecting the router to a cable or DSL modem
Factory Default Reset push button
Wireless antenna
Introduction 1-7
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
1-8 Introduction
Chapter 2
Connecting the Firewall to the Internet
This chapter describes how to set up the router on your local area network (LAN) and connect to the Internet. You find out how to configure your Model FWAG114 Cable/DSL Wireless ProSafe Firewall for Internet acc ess using the Setup Wizard, or how to manually configure your Internet connection.

What You Will Need Before You Begin

You need to prepare these three things before you begin:
1. Have active Internet service such as that provided by an cable or DSL broadband account.
2. Locate the Internet Service Provider (ISP) configuration information for your DSL account.
3. Connect the router to a cable or DSL modem and a computer as explained below.

Cabling and Computer Hardware Requirements

To use the FWAG114 wireless firewall on your network, each computer must have an installed Ethernet Network In terface Card (NIC) a nd an Ether net cable . If the c omputer wil l connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided wit h your router.

Computer Network Configuration Requirements

The FWAG114 includes a built-in Web Configuration Manager . T o acces s the configura tion menus on the FWAG114, your must use a Java-enabled web browser program which supports HTTP uploads such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends using Internet Explorer or Netscape Navigator 4.0 or above. Free browser programs are readily available for Windows, Macintosh, or UNIX/Linux.
Connecting the Firewall to the Internet 2-1
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
For the initial c onnect ion to t he Int ernet and confi gurat ion of your router , you wil l need t o connec t a computer to the router which is set to aut omat ic all y get it s TCP/I P conf iguration from the router via DHCP.
Note: For help with DHCP configuration, please refer to Appendix C, “Preparing Your Network”.
The cable or DSL modem broadb and access device mu st provid e a standard 10 Mbps (10BASE-T ) Ethernet interface.

Internet Configuration Requirements

Depending on how your ISP set up your Internet account, you will need one or more of these configuration parameters to connect your router to the Internet:
Host and Domain Names
ISP Login Name and Password
ISP Domain Name Server (DNS) Addresses
Fixed IP Address which is also known as Static IP Address

Where Do I Get the Internet Configuration Parameters?

There are several ways you can gather the required Internet connection information.
Your ISP provides all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below.
If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
— For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the
Ethernet adapter, and click Properties. Record all the settings for each tab page.
— For W i ndows 2000/XP, open the Local Area Net work Connecti on, select the TCP/IP entry
for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
— For Macintosh computers, open the TCP/IP or Network control panel. Record all the
settings for each section.
You may also refer to the FWAG11 4 Resource CD for the NETGEAR Rout er ISP Guide which provides Internet connection information for many ISPs.
Once you locate your Internet configu ration par ameters , you may want to rec ord them on the page below.
2-2 Connecting the Firewall to the Internet
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Record Your Internet Connection Information

Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name an d pas swor d ar e ca se s ens itive and must be entered exact ly as
given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following:
Login Name: ______________________________ Service Name: _____________________________
Fixed or Static IP Address: If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address.
Fixed or Static Internet IP Address: ______ Gateway IP Address: ______ . ______ . ______ . ______ Subnet Mask: ______ . ______ . ______ . ______
ISP DNS Se rver Addres ses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address: ______ Secondary DNS Server IP Address: ______ . ______ . ______ . ______
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home. If you haven’t been given host or domain names, you can use the following examples as a
guide:
If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name.
If your ISP’s mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.
ISP Host Name: _________________________
. ______ . ______ . ______
. ______ . ______ . ______
Password: ____________________________
ISP Domain Name: _______________________
For Wireless Acce ss: For configuration of the wireless network, record the following: Wireless Network Name (SSID): __________________ Encryption (circle one): WEP 64, or WEP 128 WEP passphrase or key: ____________________
Connecting the Firewall to the Internet 2-3
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Connecting the Model FWAG114 Cable/DSL Wireless ProSafe Firewall to Your LAN

This section provides inst ructi ons for connec ting t he FWAG114 wi reles s fir ewall. Also, th e Model FWAG114 Resource CD included with your router contains an animated Installation Assistant to
help you through this procedure.
Procedure: Connecting the Firewall
There are three steps to connecting your router:
1. Connect the router to your network
2. Log in to the router
3. Connect to the Internet
Follow the steps below to c onnect your router to your net work. You can also refer to the Resource CD included with your router which contains an animated Installation Assistant to help you through this procedure.
1. Connect the firewall to your network.
a. Turn off your computer and Cable or DSL Modem. b. Disconnect the Ethernet cable (A) from your computer which connects to your cable or
DSL modem.
A
Cable or DSL modem
Figure 2-1: Disconnect the cable or DSL Modem
2-4 Connecting the Firewall to the Internet
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
c.
Connect the Etherne t cabl e fr om your cable or DSL modem to the In ternet port (A) on th e FWAG114.
Cable or DSL modem
A
need product back panel photo
Figure 2-2: Connect the cable or DSL Modem to the router
d.
Connect the Ether net ca ble whi ch ca me with the r outer from a Loc al por t on the r outer (B) to your computer.
Cable or DSL modem
B
need product back panel photo
Figure 2-3: Connect the computers on your network to the router
Note: The FWAG114 wireless firewall incorporates Auto UplinkTM technology. Each LOCAL Ethernet port will automatically sense if the cable should have a normal connection or an uplink connection. This feature eliminates the need to worry about crossover cables because Auto Uplink will make the right connection either type of cable.
e. Now, turn on your computer. If software usually logs you in to your Internet connection,
do not run that software or cancel it if it starts automatically.
Connecting the Firewall to the Internet 2-5
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
f.
Verify the following:
When your turn the router on, the power light goes on.
The router’s local lights are lit for any computers that are connected to it.
The router’s Internet light is lit, indicating a link has been established to the cable or DSL modem.
Note: For wireless placement and range guidelines, and wireless configuration instructions, please see Chapter 3, “Wireless Configuration.”
2. Log in to the firewall. Note: To connect to the router, your computer needs to be configured to obtain an IP address
automatically via DHCP. If you need instructions on how to do this, please refer to
Appendix C, “Preparing Your Network”.
a. Connect to the router by typing http://192.168.0.1 in the address filed of Internet Explorer
or Netscape® Navigator.
Figure 2-4: Log in to the router
b.
For security reasons, the router has its own user name and password. When prompted, enter admin for the r outer use r name and password for the router password , both in lowe r case letters.The router user name and password are not the same as any user name or password you may use to log in to your Internet connection.
A login window shown below opens:
Figure 2-5: Login window
2-6 Connecting the Firewall to the Internet
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
3. Connect to the Internet
Figure 2-6: Setup Wizard
You are now connected to the router. If you do not see the menu above, click the Setup
a.
Wizard link on the upper left of the main menu.
b. Click Next and follow the steps in the Setup Wizard for inputting the configuration
parameters from your ISP to connect to the Internet. Note: If you choose not to use the Setup Wizard, you can manually configure your
Internet connection settings by following the procedure “Manually Configuring Your
Internet Connection” on page 2-12.
Unless your ISP automatically assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP as you recorded them previously in
“Record Your Internet Connection Information” on page 2-3.
c. When the router successfully detects an active Internet service, the router’s Internet LED
goes on. The Setup Wizard reports which connection type it discovered, and displays the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physic al co nnec tion bet ween your ro uter and t he cab le or DSL li ne.
d. The Setup Wizard will report the type of connection it finds. The options are:
Connections which require a login using protocols such as
PPPoE, PPTP, Telstra, or Bigpond broadband connections.
Connections which use dynamic IP address assignment.
Connections which use fixed IP address assignment. The procedures for filling in the configuration menu for each type of connection follow
below.
Connecting the Firewall to the Internet 2-7
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

PPPoE Wizard-Detected Option

If the Setup Wizard discovers that your ISP uses PPPoE, you will see this menu:
Figure 2-7: Setup Wizard menu for PPPoE accounts
Enter the Account Name, Domain Name, Logi n, and Passwor d as provide d by your ISP. These fields are case sensitive. The router will try to discover the domain automatically if you leave the Domain Name blank. Otherwise, you may need to enter it manually.
To change the login timeout, enter a new value in minutes. This determines how long the router keeps the Internet connection active after there is no Internet activity from the LAN. Entering a timeout value of zero means never log out.
Note: You no longer need to run the ISP’s login program on your PC in order to access the Internet. When you start an Internet application, your router will automatically log you in.
If you know that your ISP does not automatically transmi t DNS addresses to the router during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Note: If you enter DNS addresses, restart your computers so that these settings take effect.
Click Apply to save your settings.
Click Test to verify that your Internet connection works. If the NETGEAR website does not appear within one minute, refer to Chapter 7, “Troubleshooting.”
2-8 Connecting the Firewall to the Internet
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Telstra Bigpond Cable Wizard-Detected Option

If the Setup Wizard discovers Telstra Bigpond Cable is your ISP, you will see this menu:
Figure 2-8: Setup Wizard menu for Telstra Bigpond Cable accounts
Enter your Login, Password and Authentication Server. These fields are case sensitive. Note: You will no longer need to launch the ISP’ s lo gin program on your PC in order to acce ss
the Internet. When you start an Internet application, your router will automatically log you in.
The Domain Name Server (DNS) Address parameters may be necessary to access your ISP’s services such as mail or news servers. Note: If you enter DNS addresses, restart your computers so that these settings take effect.
Firewall MAC Address: This section determines the Ethernet MAC address that will be used by the router on the Internet port. Some ISPs will register the Ethe rne t M AC add res s of the network interface car d in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your router to masquerade as that PC.
Connecting the Firewall to the Internet 2-9
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
T o change the MAC address, select “Use this Computer’s MAC address.” The router will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the IS P. Or, select “Use this MAC address” and enter it.
Click Apply to save your settings.
Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 7, “Troubleshooting.

Dynamic IP Wizard-Detected Option

If the Setup Wizard discovers that your ISP uses Dynamic IP assignment, you will see this menu:
Figure 2-9: Setup Wizard menu for Dynamic IP address accounts
Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be ne cessary to acc ess your ISP’s services such as mail or news se rvers. If you leave the Domain Name field blank, the r outer tr y to discover the domain. Ot herwise, yo u may need to enter it manually.
If you know that your ISP does not automatically transmi t DNS addresses to the router during login, select Use these DNS servers and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Note: If you enter DNS addresses, restart your computers so that these settings take effect.
Click Apply to save your settings.
Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 7, “Troubleshooting.”
2-10 Connecting the Firewall to the Internet
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Fixed IP Account Wizard-Detected Option

If the Setup Wizard discovers that your ISP uses Fixed IP assignment, you will see this menu:
Figure 2-10: Setup Wizard menu for Fixed IP address accounts
Fixed IP is also called Static IP. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in “Record
Your Internet Connection Information” on page 2-3.
Enter the IP address of your ISP’s Primary and Secondary DNS Server addresses. Note: Restart the computers on your network so that these settings take effect.
Click Apply to save the settings.
Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 7, “Troubleshooting.”
Connecting the Firewall to the Internet 2-11
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Manually Configuring Your Internet Connection

You can manually configure your router using the menu below, or you can allow the Setup W iza rd to determine your configuration as described in the previous section.
ISP Does Not Require Login
ISP Does Require Login
Figure 2-11: Browser-based configuration Basic Settings menus
2-12 Connecting the Firewall to the Internet
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Procedure: Configuring the Internet Connection Manually
You can manually configure the router using the Basic Settings menu shown in Figure 2-11 using these steps:
1. Click the Basic Settings link on the Setup menu.
2. If your Internet connection does not require a login, click No at the top of the Basic Settings
menu and fill in the settings accord ing to the instructions below. If your Internet conn ection does require a login, click Yes, and skip to step 3.
a. Enter your Account Name (may also be called Host Name) and Domain Name.
These parameters may be necessary to access your ISP’s services such as mail or news servers.
b. Internet IP Address:
If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select “Use static IP address”. Enter the IP address that your ISP ass igned. Also enter the netmask and the Gateway IP addres s. The Gateway is the ISP’s router to which your router will connect.
c. Domain Name Server (DNS) Address:
If you know that your ISP does not automatically transmit DNS addresses to the router during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Note: If you enter an address here, restart the computers on your network so that these settings take effect.
d. Gateway’s MAC Address:
This section determines the Ethernet MAC address that will be used by the router on the Internet po rt. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is fir st open ed. They wil l then only acce pt tra f fic f rom the MAC address of that PC. This feature allows your router to masquerade as that PC by “cloning” its MAC add ress.
To change the MAC address, select “Use this Computer’s MAC address.” The router will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP. Or, select “Use this MAC address” and enter it.
e. Click Apply to save your settings.
Connecting the Firewall to the Internet 2-13
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
3.
If your Internet connectio n does require a login, fi ll in the settings according to the instruc tions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to acc ess the Internet.
Note: After you finish setti ng up your route r, you will no lo nger need to la unch the ISP’s login program on your PC in order to access the Internet. When you start an Internet application, your router will automatically log you in.
a. Select you Internet service provisory from the drop-down list.
Figure 2-12: Basic Settings ISP list
b.
The screen will change according to the ISP settings requirements of the ISP you select.
c. Fill in the parameters for your ISP according to th e W izard-detect ed procedures starting on
page 2-8.
d. Click Apply to save your settings.
2-14 Connecting the Firewall to the Internet
Chapter 3
Wireless Configuration
This chapter describes how to configure the wireless features of your FWAG114 wireless firewall.

Observe Performance, Placement, and Range Guidelines

In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your firewall in order to maximize the network speed. For further information on wireless networking, refer to in Appendix D, “Wireless Networking
Basics.”
The operating distance or range of your wireless connection can vary significantly based on the physical placement of the wireless firewall. The latency, data throughput performance, and notebook power consumption also vary depending on your configuration choices.
Note: Failure to follow these guidelines can result in significant performance degradation or inability to wirelessly connect t o the firewall. For comple te range and performance specifications, please see Appendix A, “Technical Specifications.”
For best results, place yo ur firewall:
Near the center of the ar ea in which your PCs will operate.
In an elevated location such as a high shelf where the wirelessly connected PCs have line-of-sight access (even if through walls). The best location is elevated, such as wall mounted or on the top of a cubicle, and at the center of your wireless coverage area for all the mobile devices.
Away from sources of interference, such as PCs, microwaves, and 2.4 GHz cordless phones. The 802.11a standard operates at a higher frequency and should be less susceptible to interference from cordless phones. This higher 802.11a frequency may not offer as much range as the lower frequency 802.11b/g in a indoor environment with lots of obstructions.
Wireless Configuration 3-1
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Away from large me tal surfaces.
Be aware that the time it take s to establish a wireless conne ct ion can var y depending on both your security settings and plac ement. WEP conne ctions ca n take sl ightly l onger to establi sh. Also, WEP encryption can consume more battery power on a notebook PC.

Implement Appropriate Wireless Security

Note: Indoors, computers can connect over 802.11 wireless networks at ranges of 500 feet or more. Such distances can allow for others outside of your immediate area to access your network.
Unlike wired network data, your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment. The FWAG114 wireless firewall provides highly effective security features which are covered in detail in this chapter. Deploy the security features appropriate to your needs.
Wireless Data
FWAG11
INTERNET
5-12VDC
Figure 3-1: FWAG114 wireless data security options
There are several ways you can enhance the security of you wireless network.
3-2 Wireless Configuratio n
LAN LAN LAN LA N
RESET
1) Open System: Easy but no security
2) MAC Access List: No data security
3) WEP: Security but some performance impact
Security Options
Range: Up to 500 Feet
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Restrict Access Base d on MAC Address. You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly co nnect to the FWAG114. Rest ricting acce ss by MAC address adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.
Turn Off the Broadcast of the Wireless N etwork Name S SID. If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network ‘discovery’ feature of some products such as Windows XP, but the data is still fully exposed.
Turn Off Bridging to the Wired LAN. If you disable bridging to the LAN, wireless devices cannot communicate with computers on the Ethernet LAN but can still access the Internet. This blocks any access to the computers on the wired LAN but the wireless data routed to the Internet is still fully exposed.
WEP. Wired Equivalent Privacy Key authentication and WEP data encryption will block all but the most determined eavesdropper.
(WEP) data encryption provides data security. WEP Shared

Understanding Wireless Settings

T o conf ig ure the wi reles s setti ngs of you r fire wall , click the Wireless 11a or Wireless 11b/ g link in the Setup section of the main menu. The wireless settings menu will appear, as shown below.
Wireless Configuration 3-3
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Figure 3-2: Wireless 11a and 11b/g Settings menus
Note: The 802.11b a nd 802.11g wireless networking protocol s are confi gured in ex actly the same fashion. The FWAG114 will automatically adjust to the 802.11g or 802.11b protocol as the device requires without compromising the speed of the other connected devices.
3-4 Wireless Configuratio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Common Wireless Settings

The 802.11a and the 802.11b/g wireless network identification settings are configured separately. However, some types of items you configure in each network are the same. The Wireless Settings menu items which are the same for either type of wireless network are discussed below.
Station Name. The station name of the FWAG114.
Regulatory Domain. This fi eld id entif ies the r egion whe re the FWAG114 can be used. It may not be legal to operate the wireless features of the firewall in a region other than one of those identified in this field.
SSID (Service Set Identification). The SSID is also known as the wireless network name. Enter a value of up to 32 alphanumeric characters. In a setting where there is more than one wireless network, different wireless net wor k names provide a means for se par at in g th e traffic. Any device you want to participate in the 11a or the 11b/g wireless network will need to use this SSID fo r that network. The FWAG114 default SSID is: NETGEAR.
Channel. This field determines which operating frequency will be used. It should not be necessary to change the wirele ss channel u nless y ou notice i nterfer ence prob lems with ano ther nearby access point. For more information on the wireless channel frequencies please refer to
“Wireless Channels” on page D-7.
Access Point Connections. Lets you restrict wireless connections according to a list of Trusted PCs MAC addresses. When the Trusted PCs Only radio button is selected, the FWAG114 checks the MAC address of the wireless station and only allows conne ctions to PCs identified on the trusted PCs list.
SSID Broadcast Enable. The default setting is to enable SSID broadcast. If you disable broadcast of the SSID, only devices that have the correct SSID can connect. Disabling SSID broadcast nullifies the wireless network ‘discovery’ feature of some products such as Windows XP.
Enable Bridging to the Wired LAN. The default setting is to enable bridging to the wired LAN. If you disable bridging to the LAN, wireless devices cannot communicate with computers on the Ethernet LAN but can still access the Internet.
Although the types of settings described above are the same for either type of wireless network, the choices you make in each type of network can be different. For example, you can disable the SSID broadcast in you 802.11a wireless network but enable it in your 802.11b/g network.
Wireless Configuration 3-5
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Understanding WEP Authentication and Encryption

Restricting wireless access to your network prevents intruders from connecting to your network. However, the wireless data transmissions are still vulnerable to snooping. Using the WEB data encryption settings described below will prevent a determined intruder from eavesdropping on your wireless data communications. Also, if you are using the Internet for such activities as purchases or bank ing, t hose Int ernet si tes use another level of highly s ecure enc ryption called SS L. You can tell if a web site is using SSL because the web address begins with HTTPS rather than HTTP.
Authentication Scheme Selection
The FWAG114 lets you select the following wireless authentication schemes.
Automatic.
Open System.
Shared key.
Note: The authentication scheme is separate from the data encryption. You can
choose an authentication scheme which requires a shared key but still leave the data transmissions unencrypted. If you require strong security, use both the Shared Key and WEP encryption settings.
Be sure to set your wireless adapter according to the authentication scheme you choose for the FWAG 114 wireless firewall. Please refer to “Authentication and WEP Data Encryption” on page
D-3 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless
communication standard.
Encryption Strength Choices
Choose the encryption strength from the drop-down list. Please refer to “Overview of WEP
Parameters” on page D-5 for a full explanation of each of these options, as defined by the IEEE
802.11 wireless communication standard.
Disable. No encryption will be applied. This sett ing is useful f or troubleshoo ting your wirele ss connection, but leaves your wireless data fully exposed.
64-bit, 128-bit, or in the case of 802.11a, 152-bit WEP. When 64-, 128-, or 152-Bit WEP is selected, WEP encryption will be applied.
3-6 Wireless Configuratio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
If WEP is enabled, you can manually or automatically program the four data encryption keys. These values must be identical on all PCs and access points in your network.
There are two methods for creating WEP encryption keys:
Passphrase. Enter a word or grou p of pr in table characters in the Pass phr ase box and click the Generate button.
Manual. 64-bit WEP: Enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F). 128-bit WEP: Enter 26 hexadecimal digits (any combination of 0-9, a-f, or A-F).
Clicking the radio button selects which of the four keys will be the default.

Default Factory Settings

When you first receive your FWAG114, the default factory settings are shown below. You can restore these defaults with the Factory Default Restore button on the rear panel. After you install the FWAG114 wireless firewall, use the procedures below to customize any of the settings to better meet your networking needs.
FEATURE DEFAULT FACTORY SETTINGS
SSID for both 802.11a & 802.11b NETGEAR
11a RF Channel 52 Non-Turbo Mode; 50 Turbo Mode 11b RF Channel 6
WEP Disabled
Authentication Type Open System
Access Point Connections for both
802.11a & 802.11b/g
Bridging to wired LAN for both
802.11a & 802.11b/g
SSID broadcast for both
802.11a & 802.11b/g
All wireless stations allowed
Enabled
Enabled

Before You Change the SSID and WEP Settings

Take the following steps:
Wireless Configuration 3-7
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, print or copy this form and fill in the configuration parameters. The person who set up or is responsible for the network will be able to provide this information.
SSID: The Service Set Identification (SSID) identifies the wireless local area network.
NETGEAR is the default FWAG114 SSID. However, you may customize it by using up to 32 alphanumeric characters. NETGEAR recommends that you write your customized SSID on the line below.
Note: The SSID in the firewall is the SSID yo u confi gure in the wire less a dapter card. Fo r the access point and wireless nodes to communicate with each other, all must be configured with the sam e SSID.
802.11a SSID: ______________________________
802.11b SSID: ______________________________
Authentication
The authentication setting, “Open System” or “Shared Key,” is unrelated to encryption of transmissions. The two bands can use different authentication settings. Choose “Shared Key” for more security.
802.11a SSID, circle one: Open System or Shared Key
802.11b SSID, circle one: Open System or Shared Key Note: If you select shared key, the other devices in the network will not connect unless
they are set to Shared Key as well.
WEP Encryption
802.11a and 802.11b differ in their use of WEP encryption keys. See “Security
Configuration” on page 2-21 for a description of these differences.
802.11a WEP Encryption Keys:
Key 1: _____________________ Circle Key Size: 64 or 128 or 152 bits Key 2: _____________________ Circle Key Size: 64 or 128 or 152 bits Key 3: _____________________ Circle Key Size: 64 or 128 or 152 bits Key 4: _____________________ Circle Key Size: 64 or 128 or 152 bits
802.11b WEP Encryption Keys:
For all four 802.11b keys, choose the Key Size. Circle one: 64 or 128 bits Key 1: ___________________________________ Key 2: ___________________________________
3-8 Wireless Configuratio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Key 3: ___________________________________ Key 4: ___________________________________
Use the procedures described in the following sections to configure the FWAG114. Store this information in a safe place.

How to Set Up and Test Basic Wireless Connectivity

Follow the instructions below to set up and test basic wireless connectivity. Once you have established basic wireless connectivity, you can enable security settings appropriate to your needs.
1. Log in to the FWAG114 firewall at its default LAN address of http://192.168.0.1 with its
default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Depending on the types of wireless adapters you have in your computers, click the Wireless
11a or 11b link in the main menu of the FWAG114 firewall.
3. Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box,
enter a value of up to 32 alphanumeric characters. The default SSID is NETGEAR. Note: The characters are case sensitive. An access point always functions in infrastructure
mode. The SSID for any wireless device communicating with the access poi nt must match the SSID configured in the Model FWAG114 Cable/DSL Wireless ProSafe Firewall . If they do not match, you will not get a wireless connection to the FWAG114.
4. Set the Channel.
It should not be necessary to change the wireless channel unless you notice interference problems with another nearby wireles s router or acce ss point. Select a channel that is not bein g used by any other wireless networks within several hundred feet of your firewall. For more information on the wireless channel frequencies please refe r to “Wireless Channels” on page
D-7.
5. For initial configuratio n and test, leave the Wireless Card Access List set to “All Wireless
Stations” and the Encryption Strength set to “Disable.”
6. Click Apply to save your changes.
Wireless Configuration 3-9
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Note: If you are configuring the firewall from a wireless PC and you change the firewall’s SSID, cha nnel, or security settings, you will lose your wire less connection when you click on Apply. You must then change the wireless settings of your PC to match the firewall’s new settings.
7.
Configure and test your PCs for wireless connectivity. Program the wireless adapter of your PCs to have the same SSID that you configured in the
FWAG114. Check that they have a wireless link and are a ble to obtai n an IP addres s by DHCP from the firewall.
Once your PCs have basic wireless connectivity to the firewall, then you can configure the advanced options and wireless security functions of the firewall.

How to Restrict Wireless Access by MAC Address

To restrict access based on MAC addresses, follow these steps:
1. Log in to the FWAG114 firewall at its default LAN address of http://192.168.0.1 with its
default user name of admin and default password of password.
2. Click the Wireless 11a or 11b link in the main menu of the FWAG114 firewall.
3. From the Wireless Settings menu, click the Trusted PCs only radio button.
3-10 Wireless Configuratio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
4.
Click the Trusted PCs button to display the Wireless Access menu shown below.
Figure 3-3. Wireless Access menu
Enter the MAC addr ess of a wire less adapte r and c lick th e Add but ton to ad d a wir eless device
5.
to the wireless access control list. The Trusted PCs list updates with the new entry. Note: You can copy and pa ste t he M AC ad dresses from the fire wal l’s Attached Devices menu
into the MAC Address box of this menu. To do this, configure each wireless PC to obtain a wireless link to the firewall. The PC should then appear in the Attached Devices menu.
6. Click the Back button to return to the Wireless Settings menu.
Note: When configuring the firewall from a wireless PC whose MAC address is not in the Trusted PC list, if you select Turn Access Control On, you will lose your wireless connection when you cl ick on Appl y. You must the n access t he firewall from a wire d PC or from a wireless PC whic h is on the access control li st to make any further chan ges.
7. Be sure to click Apply to save your trusted wireless PCs list settings.
Now, only devices on this list will be allowed to wirelessly c onnect to the FWAG114.
To remove a MAC address from the table, click on it to select it, then click the Delete button .
Wireless Configuration 3-11
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

How to Configure WEP

To configure WEP data encryption, follow these steps:
1. Log in to the FWAG114 firewall at its default LAN address of http://192.168.0.1 with its
default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click the Wireless 11a or 11b link in the main menu of the FWAG114 firewall.
3. Click the Configure WEP butto.
4. Choose the Authentication Type and WEP option.
5. You can manually or automatically program the four data encryption keys. These values must
be identical on all PCs and Access Points in your network.
Automatic - Enter a word or group of printable characters in the Passphrase box and click
the Generate button. The four key boxes will be automatically populated with key values.
Manual - Enter ten hexadecimal digits (any combination of 0-9, a-f, or A-F)
Select which of the four keys will be active.
Please refer to “Overview of WEP Parameters” on page D-5 for a full explanation of each of these options, as defined by the IEEE 802.11b wireless communication standard.
6. Click Apply to save your settings.
Note: When configuring the f irewall from a wirel ess PC, if you confi gure WEP setti ngs, you will lose your wireless connection when you click on Apply. You must then either configure your wireless adapter to match the firewall WEP settings or access the firewall from a wired PC to make any further changes.
3-12 Wireless Configuratio n
Chapter 4
Firewall Protection and
Content Filtering
This chapter describes how to use the content filtering features of the Model FWAG114 Cable/ DSL Wireless ProSafe Firewall to protect your network. These features can be found by clicking on the Content Filtering heading in the Main Menu of the browser interface.

Firewall Protection and Content Filtering Overview

The Model FWAG114 Cable/DSL Wireless ProSafe Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, web addresses and web address keywords. You can also block Internet access by applications and services, such as chat or games.
A firewall is a special category of router that protects one net w ork (t he “trusted” network, such as your LAN) from another (the “untrusted” network, such as the Internet), while allowing communication between the two. A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
To configure these features of your router, click on the subheadings under the Content Filtering heading in the Main Menu of the browser interface. The subheadings are described below:
Firewall Protection and Content Filtering 4-1
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Block Sites

The FWAG114 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Keyword Blocking menu is shown in
Figure 4-1:
Figure 4-1: Block Sites menu
To enable keyword blocking, check “Turn keyword blocking on”, then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply. Keyword application examples:
If the keyword "XXX" is speci fied , the URL <ht tp://www.badstuff.com/xxx.html> is blocke d, as is the newsgroup alt.pictures.XXX.
If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed.
If you wish to block all Internet browsing access, enter the keyword “.”.
To specify a Trusted User, enter that PC’s IP address in the Trusted User box and click Apply.
4-2 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed or reserved IP address.

Using Rules to Block or Allow Specific Kinds of Traffic

Firewall rules are used to bloc k or allow specifi c traf fic passi ng through from one side to the other. Inbound rules (WAN to LAN) restrict access by outsiders to pri vate resourc es, selective ly allowing only specific outside users to access specific resourc es. Outbound rules (LAN to WAN) determ ine what outside resources local users can have access to.
A firewall has two defau lt rules, one fo r inbound traffic and one for outbo und. The defa ult ru les of the FWAG114 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Outbound: Allow all access from the LAN side to the outside.
These default rules are shown in the Rules table of the Rules menu in Figure 4-2:
Figure 4-2: Rules menu
Firewall Protection and Content Filtering 4-3
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
You may define additional rules that will spec ify except ions to the def ault rules. By addi ng custo m rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
To create a new rule, click the Add button. To edit an ex isting rule, select its button on the left side of the table and click Edit. To delete an existing rule, select its button on the left side of the table and c lick Delete. To move an existing rule to a different position in the table, select its button on the left side of the
table and click Move. At th e script prompt, enter t he nu mb er of t he desired new position a nd cl i ck OK.
An example of the menu for defining or editing a rule is shown in Figure 4-3. The parameters are:
•Service From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.
Action Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
Source Address Specify traf fic origi natin g o n the LAN (out bound) or t he WAN (inbound), and ch oose wh ether you would like the traffic to be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box.
Destination Address The Destination Address will be assumed to be from the opposite (LAN or WAN) of the Source Address. As with t he Sou rce Add ress, you ca n sel ect Any, a Single address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single LAN address in the sta r t box.
•Log You can select whether the traffic will be logged. The choices are:
Never - no log entries will be made for this service.
Always - any traffic for this service type will be logged.
4-4 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Match - traffic of this type which matches the parameters and action will be logged.
Not match - traffic of this type which does not match the parameters and action will be
logged.

Inbound Rules (Port Forwarding)

Because the FWAG114 uses Netw ork Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and ava il abl e t o the Internet. The rule tell s the rout er to di rec t i nbound traffic for a particula r servic e to one lo cal serve r based on the desti nation po rt number. This is also known as port forwarding.
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. Following are two application examples of inbound rules:
Firewall Protection and Content Filtering 4-5
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Inbound Rule Example: A Local Public Web Server
If you host a public web s erver on your local network, you can define a rule to al l ow inb ound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of day. This rule is shown in Figure 4-3:
Figure 4-3: Rule example: A Local Public Web Server
4-6 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Inbound Rule Example: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconf er enc in g to be initi at ed fr om a rest ri ct ed ra nge of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 4-4, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
Figure 4-4: Rule example: Videoconference from Restricted Addresses
Considerations for Inbound Rules
If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dyamic DNS feature in the Advanced menus so that external users can always find your network.
If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep th e PC’s IP address constant.
Local PCs must access th e local ser ver using th e PCs’ local LAN addres s (192.168 .0.99 in this example). Attempts by local PCs to access the server using the external WAN IP address will fail.
Firewall Protection and Content Filtering 4-7
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Outbound Rules (Service Blocking)

The FWAG114 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on:
the IP address of the local PC (source address)
the IP address of the Internet site being contacted (destination address)
the time of day
the type of service being requested (service port number)
Following is an application example of outbound rules:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Me sse nge r usa ge by employees during working hours, you can cr ea te an outbound rule to block that application from any internal IP address to any external address according to th e schedul e that you have c reated i n the Sc hedule menu. You can also have th e router log any attempt to use Instant Messenger during that blocked period.
Figure 4-5: Rule example: Blocking Instant Messenger
4-8 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 4-6:
Figure 4-6: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown i n the Rule s Table, beginning at the top and procee ding to t he defaul t rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the dispo sition of a pac ket. The Move button allows you to relo cate a defin ed rule to a new position in the table.

Default DMZ Server

Incoming traffic from the Internet is normally discarded by the router unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of d iscardin g this tr aff ic, you can h ave it for warded to o ne compute r on your ne twork. This computer is called the Default DMZ Server.
Firewall Protection and Content Filtering 4-9
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
The Default DMZ Server feature is helpful whe n using some online game s and videoconferencing applications that are in compatible wit h NAT . The router i s programmed t o recogni ze some of th ese applications and to wor k p roperly with t hem, but th ere are other appli cati ons t hat may not funct ion well. In some cases, one local PC can r un the appl ication properly i f that PC’s IP address is entered as the Default DMZ Server.
Note: For security, NETGEAR strongly recommends that you avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall , and is expose d to many ex ploits from th e Internet . If compromised, the computer can be used to attack your network.
To assign a computer or server to be a Default DMZ server:
1. Click Default DMZ Server.
2. Type the IP address for that server.
3. Click Apply.
Note: In this application, the use of the term ‘DMZ’ has become common, although it is a misnomer. In tradition al fi re wal ls, a DMZ is actually a sepa ra te physical network port . A true DMZ port is for connecting servers that require greater access from the outside, and will therefore be provided with a different level of security by the firewall. A better term for our application is Exposed Host.

Respond to Ping on Internet WAN Port

If you want the router to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your router to be discovered. Don't check this box unless you have a specific reason to do so.
4-10 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Services

Services are functions performed by server computers at the request of client computers. For example, Web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FWAG114 already holds a list of many service port numbers, you are not limited to these choices. Use the Service s menu to add additional services and appli cat io ns to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 4-7:
Figure 4-7: Services menu
Firewall Protection and Content Filtering 4-11
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups of newsgroups. When you have the port number information, go the Services menu and click on the Add Custom Service button. The Add Services menu will appear, as shown in Figure 4-8:
Figure 4-8: Add Custom Service menu
To add a service,
1. Enter a descriptive name for the service so that you will remember what it is.
2. Select whether the service uses TCP or UDP as its transport protocol.
If you can’t determine which is used, se lect both.
3. Enter the lowest port nu mber used by the service.
4. Enter the highest port number used by the service.
If the service only uses a single port number, enter the same number in both fields.
5. Click Apply.
The new service will now appear in the Services menu, and in the Service name selection box in the Rules menu.
4-12 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Using a Schedule to Block or Allow Specific Traffic

If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The router allows you to specify when blocking will be enforced by configuring the Schedule tab shown below:
Figure 4-9: Schedule menu
Firewall Protection and Content Filtering 4-13
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit ac cess compl etely for the sel ected days, sel ect All Day. Otherwise, If you want to limit access during certain times for the selected days, type a Start Blocking time and an End Blocking time.
Note: Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and 30 minutes and 10:30 pm would be 22 hours and 30 minutes.
Be sure to click Apply when you have finished configuring this menu.

Time Zone

The FW AG1 14 wireless firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must specify your Time Zone:
Time Zone. Select your local time zone. This setting will be used for the blocking schedule and for time-stamping log entries.
Daylight Savings Time. Check this box for daylight savings time.
Note: If your region uses Daylight Savings Time, you must manually select Adjust for Daylight Savings Time on the first day of Daylight Savings Time, and unselect it at the end. Enabling Daylight Savings Time will add one hour to the standard time.
Be sure to click Apply when you have finished configuring this menu.
4-14 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Getting E-Mail Notifications of Event Logs and Alerts

In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:
Figure 4-10: E-mail menu
Turn e-mail notification on. Check this box if you wish to re ceive e-mai l logs and aler ts from the router.
Your outgoing mail server. Enter the name or IP address of yo ur ISP’s outgoing (SMTP) mail server (suc h as mail.myISP.com). You may be ab le to find this information in the configuration menu of your e-mail program. If you leave this box blank, log and alert messages will not be sent via e-mail.
Send to this e-mail address. Enter the e-mail addres s to which logs and alerts ar e sent. This e-mail address will al so be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail.
You can specify that logs are immediately sent to the specified e-mail address when any of the following events occur:
If a Denial of Service attack is detected.
Firewall Protection and Content Filtering 4-15
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
If a Port Scan is detected.
If a user on your LAN attempts to access a website that you blocked using Keyword blocking.
You can specify that logs are s ent t o you a ccordi ng to a s chedul e. Sel ect whe ther you wo uld l ike t o receive the logs Hourly, Daily, Weekly, or When Full. Depending on your selection, you may also need to specify:
Day for sending log
Relevant when the log is sent weekly or daily.
Time for sending log
Relevant when the log is sent daily or weekly.
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, the log is cleared from the router’s memory. If the router cannot e-mail the log file, the log buffer may fill up. In this case, the router overwrites the log and discards its contents.
Be sure to click Apply when you have finished configuring this menu.
4-16 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Viewing Logs of Web Access or Attempted Web Access

The router will l og security-related e vents such as denied incoming and outgoing ser vice requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs here. An example is shown in Figure 4-11:
Figure 4-11: Logs menu
Firewall Protection and Content Filtering 4-17
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Log entries are described in Table 5
Table 5. Log entry descriptions
Field Description
Date and Time The date and time the log entry was recorded. Description or
The type of event and what action was taken if any.
Action Source IP The IP address of the initiating device for this log entry. Source port and
interface
The service port number of the initiating device, and whether it
originated from the LAN or WAN Destination The name or IP address of the destination device or website. Destination port
and interface
The service port number of the destination device, and whether
it’s on the LAN or WAN.
Log action buttons are described in Table 6
Table 6. Log action buttons
Field Description
Refresh Click this button to refresh the log screen. Clear Log Click this button to clear the log entries. Send Log Click this button to email the log immediately.
4-18 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Examples of log messages

Following are examples of log messages. In all cases, the log entry shows the timestamp as: Day, Year-Month-Date Hour:Minute:Second
Activation and Administration
Tue, 2002-05-21 18:48:39 - NETGEAR activated
[This entry indicates a power-up or reboot with initial time entry.]
Tue, 2002-05-21 18:53:28 - Administrator login failed - IP:192.168.0.2 Tue, 2002-05-21 18:55:00 - Administrator login successful - IP:192.168.0.2 Thu, 2002-05-21 18:56:58 - Administrator logout - IP:192.168.0.2
[This entry shows an administrator logging in and logging out of the router from IP address
192.168.0.2.]
Tue, 2002-05-21 19:00:06 - Login screen timed out - IP:192.168.0.2
[This entry shows a timout of the administrator login.]
Wed, 2002-05-22 22:00:19 - Log emailed
[This entry shows when the log was emailed.]
Dropped Packets
Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source:64.12.47.28,4787,WAN ­Destination:134.177.0.11,21,LAN - [Inbound Default rule match]
Sun, 2002-05-22 12:50:33 - UDP packet dropped - Source:64.12.47.28,10714,WAN ­Destination:134.177.0.11,6970,LAN - [Inbound Default rule match]
Sun, 2002-05-22 21:02:53 - ICMP packet dropped - Source:64.12.47.28,0,WAN ­Destination:134.177.0.11,0,LAN - [Inbound Default rule match]
[These entries show an inbound FTP (port 21) packet, UDP packet, and ICMP packet being dropped as a result of the default inbound rule, which states that all inbound packets are denied.]
Firewall Protection and Content Filtering 4-19
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Syslog

You can configure the router to s end syste m logs t o a n exter nal PC that i s runn ing a s ysl og log ging program. Enter the IP address of the logging PC and click the Enable Syslog checkbox.
Logging programs are available for Windows, Macintosh, and Linux computers.

Configuring E-Mail Alert and Web Access Log Notifications

In order to receive logs and aler ts by email, you must provide your email information in the E-Mail menu, shown below:
Figure 6-1: Email menu
Turn e-mail notification on. Check this box if you wish to re ceive e-mai l logs and aler ts from
the router.
4-20 Firewall Protection and Content Filtering
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Your outgoing mail server. Enter the name of your ISP ’s outgoing (SMTP) mail server (such
as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program. If you leave this box blank, log and alert messages will not be sent via e-mail.
Send to this e-mail address. Enter the e-mail addre ss to which logs and alerts are sent. This
e-mail address will al so be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail.
You can specify that logs are automatically sent to the specified e-mail address with these options:
Send alert immediately
Check this box if you would like immediate notification of attempted access to a blocked site.
Send logs according to this schedule
Specifies how often to send the logs: Hourly, Daily, Weekly, or When Full. – Day for sending log
Specifies which day of the week to send the log. Relevant when the log is sent weekly or daily.
Time for sending log
Specifies the time of day to send the log. Relevant when the log is sent daily or weekly.
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, the log is cleared from the router’s memory. If the router cannot e-mail the log file, the log buffer may fill up. In this case, the router overwrites the log and discards its contents.
Firewall Protection and Content Filtering 4-21
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
4-22 Firewall Protection and Content Filtering
Chapter 5
Maintenance
This chapter describes how to use the maintenance features of your Model FWAG114 Cable/DSL Wireless ProSafe Firewall . These features can be found by clicking on the Maintenance heading in the Main Men u of the browse r interface.

Viewing Firewall Status Information

The Router Status menu provides a limited amount of status and usage information. From the Main Menu of the browser interface, click on Maintenance, then select System Status to view the System Status screen, shown below.
Figure 5-1: Router Status screen
Maintenance 5-1
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
This scree n shows the fo llowing parameters:
Table 6. Menu 3.2 - Firewall Status Fields
Field Description
Account Name This field displays the Host Name assigned to the router. Firmware Version This field displays the router firmware version. Internet Port These parameters apply to the Internet (WAN) port of the router.
MAC Address This field displays the Media Access Control address being used by the
Internet (WAN) port of the router.
IP Address This field displays the IP add res s be ing us ed b y the Inte rnet (WAN) port
of the router. If no address is shown, the router cannot connect to the Internet.
IP Subnet Mask This field displays the IP Subn et Mask bein g used by the Inter net (W AN)
port of the router.
DHCP If set to None, the router is configured to use a fixed IP address on the
WAN. If set to Client, the router is configured to obtain an IP address dynami­cally from the ISP.
LAN Port These parameters apply to the Local (WAN) port of the router.
MAC Address This field displays the Media Access Control address being used by the
LAN port of the router.
IP Address This field displays the IP address being used by the Local (LAN) port of
the router. The default is 192.168.0.1
IP Subnet Mask This field displays the IP Subnet Mask being used by the Local (LAN)
port of the router. The default is 255.255.255.0
DHCP Identifies if the router’s built-in DHCP server is active for the LAN
attached devi ces.
Wireless Port These parameters apply to the Wireless port of the router.
MAC Address This field displays the Media Access Control address being used by the
Wireless port of the router.
Name (SSID) This field displays the wireless network name (SSID) being used by the
wireless port of the ro uter. The default is Wireless.
Region This field displa ys the g eog raph ic regi on w h ere th e rou ter be ing used. It
may be illegal to use the wireless features of the router in some parts of the world.
Channel Identifies if the channel the wireless port is using. See “Wireless Chan-
nels” on page D-7 for the frequencies used on each channel.
5-2 Maintenance
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Click on the “Show Statistics” button to display the connection status, as shown below.
Figure 6-1: Connection Status screen
This scree n shows the following stat istics:.
Table 7. Connection Status Fields
Field Description
Connection Time The length of time the router has been connected to your Internet service provider’s
network. Connection Method The method used to obtain an IP address from your Internet service provider. IP Address The WAN (Internet) IP Address assigned to the router. Network Mask The WAN (Internet) Subnet Mask assigned to the router. Default Gateway The WAN (Internet) default gateway the router communicates with.
Log action buttons are described in Table 8
Table 8. Connection Status action buttons
Field Description
Renew Click the Renew button to renew the DHCP lease.
Maintenance 5-3
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Click on the “Show WAN Status” button to display router usage statistics, as shown below.
Figure 8-1: Router Statistics screen
This scree n shows the following stat istics:
Table 9. Router Statistics Fields
Field Description
Port The statistics for the WAN (Internet) and LAN (local) ports. For each port, the screen
displays:
Status The link status of the port. TxPkts The number of packets transmitted on this port since reset or manual clear. RxPkts The number of packets received on this port since reset or manual clear. Collisions The number of collisions on this port since reset or manual clear. Tx B/s The current transmission (outbound) bandwidth used on the WAN and LAN ports. Rx B/s The current reception (inbound) bandwidth used on the WAN and LAN ports. Up Time The amount of time since the router was last restarted. Up Time The time elapsed since this port acquired the link.
Poll Interval Speci fie s the intervals at which the st ati sti cs are up dated in this window. Click on Stop
to freeze the display.
WAN Status action buttons are described in Table 8
Table 10. Connection Status action buttons
Field Description
Set Interval Enter a time and click the button to set the polling frequency.
Stop Click the Stop button to freeze the polling information.
5-4 Maintenance
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Viewing a List of Attached Devices

The Attached Device s men u contains a table of al l IP devices that the router has discovere d on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table, shown below.
Figure 10-1: Attached Devices menu
For each device, the table shows the IP address, NetBIOS Host Name (if available), and Ethernet MAC address. Note that if the router is rebooted, the table data is lost until the router rediscovers the devices. To force the router to look for attached devices, click the Refresh button.

Upgrading the Router Software

The routing software of the FWAG114 wireless firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from Netgear's website. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN) file before sending it to the router. The upgrade file can be sent to the router using your browser.
Note: The Web browser used to upload new firmware into the FWAG114 wireless firewall must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer or Netscape Navigator 3.0 or above.
Maintenance 5-5
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
From the Main Menu of the browser interface, under the Maintenance heading, select the Router Upgrade heading to display the menu shown below.
Figure 10-2: Router Upgrade menu
To upload new firmware:
1. Download a nd unzip the new software file from NETGEAR.
2. In the Router Upgrade menu, click the Browse button and browse to the locati on of the binary
(.BIN) upgrade file
3. Click Upload.
Note: When uploading software to the FWAG 114 wireless firewall, it is important not to interrupt the Web browser by closi ng the window, clicking a link, or loadin g a ne w page. If t he browser is interrupted, it may corrupt the software. When the upload is complete, your router will automatically restart. The upgrade process will typically take about one minute.
In some cases, you may need to reconfigure the router after upgrading.

Configuration File Management

The configuration settings of the FWAG114 wireless firewall are stored within the router in a configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the user’s PC, or cleared to factory default settings.
5-6 Maintenance
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
From the Main Menu of the browser inter fa ce, und er the Main tenance heading, select the Set ti ngs Backup heading to bring up the menu shown below.
Figure 10-3: Settings Backup menu
Three options are available, and are described in the following sections.

Restoring and Backing Up the Configuration

The Restore and Backup options in the Sett ings Bac kup menu al low you to save and retr ieve a fi le containing your router’s configuration settings.
To save your settings, select the Backup tab. Click the Backup button. Your browser will extract the configuration file from the router and will prompt you for a location on your PC to store the file. You can give the file a meaningful name at this time, such as pacbell.cfg.
T o r estor e your set tings from a save d conf igura tion file , ente r the f ull path t o the fil e on your PC or click the Browse button to browse to the file. When you have loca ted it, click the Rest ore button to send the file to the router. The router will then reboot automatically.
Maintenance 5-7
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Erasing the Configuration

It is sometimes desirable to restore the router to a known blank condition. This can be done by using the Erase function, which will restore all factory settings. After an erase, the router's password will be password, the LAN IP address will be 192.1 68.0.1, and th e router's DHCP clie nt will be enabled.
To erase the configuration, click the Erase button. To restore the factory default configuration settings without knowing the login password or IP
address, you must use the Default Reset button on the rear panel of the router. See “Restoring the
Default Configuration and Password” on page 7-7.

Changing the Administrator Password

The default password for the router’s Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password.
From the Main Menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown below.
Figure 10-4: Set Password menu
T o change the password, first enter the old password, and then enter the new password twice. Click Apply.
5-8 Maintenance
Chapter 6
Advanced Configuration
This chapter describes how to configure the advanced features of your Model FWAG114 Cable/ DSL Wireless ProSafe Firewall . These features can be found under the Advanced heading in the Main Menu of the browser interface.

Configuring for Port Forwarding to Local Servers

Although the router ca use s your ent ir e lo cal network to appear as a single machine to the Internet, you can make a local server (for exampl e, a web server or ga me server) vis ible and avai lable to the Internet. This is done using the Port Forwarding menu. From the Main Menu of the browser interface, under Advanced, click on Port Forwarding to view the port forwarding menu, shown below.
Figure 6-1: Port Forwarding Menu
Advanced Configuration 6-1
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
.
Note: If you are unfamiliar with networking and routing , refer to Append ix B, “Network, Routing, Firewall,
and Basics,” to become more familiar with the terms and procedures used in this manual.
Use the Port Forwardi ng me nu to config ure t he rou ter t o for ward i ncoming p rotoc ols t o comp uters on your local network. In addition to servers for specific applications, you can also specify a Default DMZ Server to which all other incoming protocols are forwarded. The DMZ Server is configured in the Security Menu.
Before starting, you'l l ne ed t o determine which type of serv ic e, app li cat i on or game you'll provide and the IP address of the computer that will provide each service. Be sure the computer’s IP address never changes. To configure port forwarding to a local server:
1. From the Service & Game box, select the service or game that you will host on your network.
If the service does not appear in the list, refer to the following sec tion, “Adding a Custom
Service”.
2. Enter the IP address of the local server in the corresponding Server IP Address box.
3. Click the Add button.

Adding a Custom Service

To define a service, game or application that does not appear in the Services & Games list, you must determine what port numbers are used by the service. For this information, you may need to contact the manufacturer of the program that you wish to use. When you have the port number information , follow these steps:
1. Click the Add Custom Service button.
2. Enter the first port number in an unus ed Start Port box.
3. To forward only one port, enter it again in the End Port box. To specify a range of ports, enter
the last port to be forwarded in the End Port box.
4. Enter the IP address of the local server in the corresponding Server IP Address box.
5. Type a name for the service.
6. Click Apply at the bottom of the menu.
6-2 Advanced Configura tio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Editing or Deleting a Port Forwarding Entry

To edit or delete a Port Forwarding entry, follow these steps.
1. In the table, select the button next to the service name.
2. Click Edit or Delete.

Local Web and FTP Server Example

If a local PC with a pr ivate IP addr ess of 192.168.0 .33 a cts as a Web and FTP server , config ure the Ports menu to forward HTTP (port 80) and FTP (port 21) to local address 192.168.0.33
In order for a remote user to access this server from the Internet, the remote user must know the IP address that has been assigned by your ISP. If this address is 172.16 .1.23, for example, an Inte rne t user can access your Web server by directing the browser to http://172.16.1.23. The assigned IP address can be found in the Maintenance Status Menu, where it is shown as the WAN IP Address.
Some consid erations for this application are:
If your account’s IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires.
If the IP address of the l ocal PC is assign ed by DHCP, it may change when the PC is reboot ed. To avoid this, you can manually configure the PC to use a fixed address.
Local PCs must access th e local ser ver using th e PCs’ local LAN addres s (192.168 .0.33 in this example). Attempts by local PCs to access the server using the e xternal IP address (172.16.1.23 in this example) will fail.

Multiple Computers for Half Life, KALI or Quake III Example

To set up an additional computer to play Half Life, KALI or Quake III:
1. Click the button of an unused port in the table.
2. Select the game again from the Services/Games list.
3. Change the beginning port number in the Start Port box.
For these games, use the supplied number in the default listing and add +1 for each additional computer. For example, if you've already configured one computer to play Hexen II (using port 26900), the second computer's port number would be 26901, and the third computer would be 26902.
Advanced Configuration 6-3
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
4.
Type the same port number in the End Port box that you typed in the Start Port box.
5. Type the IP address of the additional computer in the Server IP Address box.
6. Click Apply.
Some online games and videoconferencing applications are incompatible with NAT. The FWAG114 wireless firewall is progr ammed to recognize some of these applications and to work properly with them, but th ere are other app licat ions th at may not funct ion well . In some case s, one local PC can run the application properly if that PC’s IP address is entered as the default in the POR TS Menu. If one local PC ac ts as a ga me or vid eoconf erenci ng host , en ter its IP addr ess as th e default.

Configuring the WAN Setup Options

The WAN Setup options let you configure a DMZ server, change the MTU size and enable the firewall to respond to a Ping on the WAN port. These options are discussed below.

Setting Up a Default DMZ Server

The default DMZ server feature is helpful when using some online games and videoconferencing applications that are in compatible wit h NAT . The router i s programmed t o recogni ze some of th ese applications and to wor k p roperly with t hem, but th ere are other appli cati ons t hat may not funct ion well. In some cases, one local PC can r un the appl ication properly i f that PC’s IP address is entered as the default DMZ server.
Note: DMZ servers pose a security risk. A computer designated as the default DMZ server loses much of the protection of the firewall, and is exposed to exploits from the Internet. If compromised, the DMZ server can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the router unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discardin g this t raffi c, you ca n have it forw arded to one computer on you r network. This computer is called the Default DMZ Server.
6-4 Advanced Configura tio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
The WAN Setup menu, shown below lets you configure a Default DMZ Server.
Figure 6-2: WAN Setup menu.
To assign a computer or server to be a Default DMZ server, follow these steps:
1. Click WAN Setup link on the Advanced section of the main menu.
2. Type the IP address for that server. To remove the default DMZ server, replace the IP address
numbers wi th all zeros.
3. Click Apply.

Respond to Ping on Internet WAN Port

If you want the router to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your router to be discovered. Don't check this box unless you have a specific reason to do so.

Setting the MTU Size

The default MTU size i s usua ll y fine. The normal MTU (Maxi m um Transmit Unit) value for most Ethernet networks is 15 00 Bytes. Fo r some ISPs , part icula rly some u sing PPPoE, you may need t o reduce the MTU. This should not be done unless you are sure it is necessary by your ISP.
Any packets sent through the router that are larger than the configured MTU size will be repackaged into smaller packets to meet the MTU req uirement. To change the MTU size:
1. Under MTU Size, enter a new size between 64 and 1500.
2. Click Apply to save the new configuration.
Advanced Configuration 6-5
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Using the LAN IP Setup Options

The second feature category under the Advanced heading is LAN IP Setup. This menu allows configuration of LAN IP services such as DHCP and RIP. From the Main Menu of the browser interface, under Advanced, click on LAN IP Setup to view the LAN IP Setup menu, shown below.
Figure 6-3: LAN IP Setup Menu

Configuring LAN TCP/IP Setup Parameters

The router is shipped preconfigured to use private IP addresses on the LAN side, and to act.as a DHCP server. The router’s default LAN IP configuration is:
LAN IP addresses—192.168.0.1
Subnet mask—255.255.255.0
These addresses ar e p art of the IETF-designated private address range fo r use in private networks, and should be suit able in mos t appl ic ations . If yo ur net work has a requ irement to us e a different IP addressing scheme, you can make those changes in this menu.
6-6 Advanced Configura tio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
The LAN IP pa rameters are:
IP Address This is the LAN IP address of the router.
IP Subnet Mask This is the LAN Sub net Mask of the rou ter. Comb ined with the IP address, the IP Sub net Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
RIP Direct ion RIP (Router Informat ion Prot ocol) allows a router to exc hange routing information wi th other routers. The RIP Direction selection controls how the router sends and receives RIP packets. Both is the default.
— When set to Both or Out Only, the router will broadcast its routing table periodically. — When set to Both or In Only, it will incorporate the RIP information that it receives. — When set to None, it will not send any RIP packets and will ignore any RIP packets
received.
RIP Version This controls the fo rm at and the broadcasting met hod of the RIP packets that the ro uter sends. (It recognizes both formats when receiving.) By default, this is set for RIP-1.
— RIP-1 is uni ver sally supported. RIP-1 is proba bl y adequate for most networks, unless you
have an unusual network setup.
— RIP-2 carries more information. RIP-2B uses subnet broadcasting.
Note: If you change the LAN IP address of the router while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.

Using the Router as a DHCP server

By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the router's LAN. The assigned default gateway address i s the LAN address of the router. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
Advanced Configuration 6-7
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
For most applications, the def ault DHCP and TCP/I P settin gs of the ro uter are satisfa ctory. See “IP
Configuration by DHCP” on page B-10 fo r an explanat ion of DHCP and infor mation about how to
assign IP addresses for your network. If another device on your network will be the DHCP server, or if you will manually configure the
network settings of all of your computers, clear the ‘Use router as DHCP server’ check box. Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the router’s LAN IP address. Using th e d efa ul t addressing scheme, you should define a range be twee n 192.168.0.2 and
192.168.0.253, although you may wish to save part of the range for devices with fixed addresses.
The router will deliver the following parameters to any LAN device that requests DHCP:
An IP Address from the range you have defined
Subnet Mask
Gateway IP Address (the router’s LAN IP address)
Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise , the router’s LAN IP address)
Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu

Using Address Reservation

When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it access the router’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings.
To reserve an IP address:
1. Click the Add button.
2. In the IP Address box, type the IP address to assign to the PC or server.
(choose an IP address from the router’s LAN subnet, such as 192.168.0.X)
3. Type the MAC Address of the PC or server.
(Tip: If the PC is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here.)
4. Click Apply to enter the reserved address into the table.
6-8 Advanced Configura tio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.

Using a Dynamic DNS Service

If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service, who will allow you to register your domain to their IP address, and will forward traffic directed at your domain to your frequently-changing IP address.
Note: If your ISP assig ns a private WAN IP address (such as 19 2.168.x.x or 10.x.x.x), the dynamic DNS
service will not work because private addresses will not be routed on the Internet.
The router contains a client that can connect to many popular dynamic DNS services. You can select one of these services and obtain an account with them. Then, whenever your ISP-assigned IP address changes, your router will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
From the Main Menu of the browser interface, under Advanced, click on Dynamic DNS. To configure Dynamic DNS:
1. Register for an account with one of the dynamic DNS service providers whose names appear
in the ‘Select Service Provider’ box. For example, for dyndns.org, go to www.dyndns.org.
2. Select the Use a dynamic DNS service check box.
3. Select the name of your dynamic DNS Service Provider.
4. Type the Host Name (or domain name) that your dynamic DNS service provider gave you.
5. Type the User Name for your dynamic DNS account.
6. Type the Password (or key) for your dynamic DNS account.
Advanced Configuration 6-9
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
7.
If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org
8. Click Apply to save your configuration.

Configuring Static Routes

Static Routes provide additional routing information to your router. Under normal circumstances, the router has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network.
From the Main Menu of the browser inter face , under Advanc ed, click on S ta tic Routes t o view the Static Route menu, shown below.
Figure 6-4. S tatic Route Summary Table
To add or edit a Static Route:
6-10 Advanced Configuratio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
1.
Click the Add button to open the Add/Edit Menu, shown below.
Figure 6-5. Static Route Entry and Edit Menu
Type a route name for this static route in the Route Name box under the table.
2.
(This is for identification purpose only.)
3. Select Private if you want to lim it access to th e LAN only. The static route will not be reported
in RIP.
4. Select Active to make this route effective.
5. Type the Destination IP Address of the final destination.
6. Type the IP Subnet Mask for this destination.
If the destination is a single host, type 255.255.255.255.
7. T ype the Gat eway IP Address , which must be a router on th e same LAN segment as t he router.
8. Type a number between 1 and 15 as the Metric value.
This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
9. Click Apply to have the static route entered into the table.
As an example of when a static route is needed, consider the following case:
Your primary Internet access is through a cable modem to an ISP.
You have an ISDN router on your home network for connecting to the company where
you are employed. This router’s address on your LAN is 192.168.0.100.
Your company’s network is 134.177.0.0.
Advanced Configuration 6-11
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
When you first configur ed your r outer , two impl icit stat ic rou tes wer e crea ted. A defaul t rout e was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the
134.177.0.0 network, your router will forward your request to the ISP. The ISP forwards your
request to the company where you are employed, and the request will likely be denied by the company’s firewall.
In this case you must define a static route, telling your router that 134.177.0.0 should be accessed through the ISDN router at 192.168.0.100. The static route would look like Figure 6-5.
In this example:
The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
The Gateway IP Address fields specifies that all traffic for these addresse s should be forwarded to the ISDN router at 192.168.0.100.
A Metric value of 1 will work since the ISDN router is on the LAN.
Private is selected only as a precautionary security measure in case RIP is activated.

Enabling Remote Management Access

Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FWAG114 wireless firewall.
Note: Be sure to change the router's default configuration password to a very secure password. The ideal password should cont ain no dictionary words f rom any language, and should be a mixture of letters (both upper and lower case), numbers, and sym bols. Your password can be up to 30 characters.
To configure your router for Remote Management:
1. Select the Turn Remote Management On check box.
2. Specify what external addresses will be allowed to access the router’s remote management.
Note: For enhanced security, restrict access to as few exter nal IP addres ses as practical.
a. To allow access from any IP address on the Internet, select Everyone. b. To allow access from a range of IP addresses on the Internet, select IP address range.
Enter a beginning and ending IP address to define the allowed range.
6-12 Advanced Configuratio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
c.
To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
3. Specify the Port Number that will be used for accessing the management interface.
Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.
4. Click Apply to have your changes take effect.
Note: When accessing your router from the Internet, you will type your router's WAN IP address into your browser's Address (in IE) or Locat ion (in Netscape) box, followed by a col on (: ) and the custom port number. For example, if your external address is 134.177.0.123 and you use port number 8080, you must enter in your browser:
http://134.177.0.123:8080
Advanced Configuration 6-13
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Using Universal Plug and Pla y (UPnP)

Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access the network and connect to other devices as needed. UPnP devices can automatically discover the services from other registered UPnP devices on the network.
Figure 6-6. UPnP Menu
From the Main Menu of the browser interface, under Advanced, click on UPnP. Set up UPnP according to the guidelines below.
Turn UPnP On: UPnP can be enabled or disab led fo r aut omatic device co nfigur ation . The de fau lt setting for UPnP is enabled. If disabled, the router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the router.
Advertisement Period: T he Adver tisemen t Per iod i s how of ten t he rou ter wi ll br oadcas t it s UPnP information. This value can range from 1 to 1440 minutes. The default period is 30 minutes. Shorter durations will ensure that control points have current device status at the expense of additional network tr affic . Longer duratio ns may compromise the freshness of the device st atus but can significantly reduce network traffic.
6-14 Advanced Configuratio n
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
Advertisement Time To Live: The time to live for the advertisement is measured in hops (steps) for each UPnP packet sent. The time to live hop count is the number of st eps a broadcast packet is allowed to propagate for each UPnP advertisement before it disappears. The number of hops can range from 1 to 255. The default value for the advertisement time to live is 4 hops, which should be fine for most home networks. If you notice that some devices are not being updated or reached correctly, then it may be n ecessary to i ncrease this value a little.
UPnP Portmap T able : The UPnP Port map Table displays the IP addres s of each UPnP device that is currently accessing the router and which ports (Internal and External) that device has opened. The UPnP Portmap Table also displays what type of port is opene d and if that port is s till act ive for each IP address.
Advanced Configuration 6-15
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
6-16 Advanced Configuratio n
Chapter 7
Troubleshooting
This chapter gives infor mation abo ut t rouble shooti ng your Mo del FWAG114 Cabl e/DSL Wireless ProSafe Firewall . After each problem description, instructions are provided to help you diagnose and solve the problem.

Basic Functioning

After you turn on power to the router, the following sequence of events should occur:
1. When power is first applied, verify that the Power LED is on.
2. After approximately 10 seconds, verify that: a. The Test LED is not lit. b. The LAN port LEDs are lit for any local ports that are connected. c. The WAN port LED is lit.
If a port’s LED is lit, a link has been established to the connected device. If a LAN port is connected to a 100 Mbps de vice, veri fy that th e port’s LED is green. If the port is 10 Mbps, the LED will be amber.
If any of these conditions does not occur, refer to the appropriate following section.

Power LED Not On

If the Power and other LE Ds are off when your router is turned on:
Make sure that the power cord is properly connected to your router and that the power supply adapter is properly connected to a functioning power outlet.
Check that you a re us in g the 7.5 V DC power ada pte r su pplied by NETGEAR for this product.
Troubleshooting 7-1
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
If the error persists, you have a hardware problem and should contact technical support.

LEDs Never Turn Off

When the router is turned on, the LEDs turns on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the router.
If all LEDs are still on one minute after power up:
Cycle the power to see if the router recovers.
Clear the router’s configuration to factory defaults. This will set the router’s IP address to
192.168.0.1. This procedure is explained in “Restoring the Default Configuration and
Password” on page 7-7.
If the error persists, you might have a hardware problem and should contact technical support.

LAN or WAN Port LEDs Not On

If either the LAN LEDs or WAN LED do not light when the Ethernet connection is made, check the following:
Make sure that the Ethernet cable connections are secure at the router and at the hub or workstation.
Make sure that power is turned on to the connected hub or workstation.
Be sure you are using the correct cable: — When con nec ti ng t h e rou ter’s W AN port to a cable or DSL modem, use t he c abl e t hat was
supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.
7-2 Troubleshooting
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Troubleshooting the Web Configuration Interface

If you are unable to access the router’s Web Configuration interface from a PC on your local network, check the following:
Check the Ethernet connection between the PC and the router as described in the previous section.
Make sure your PC’s IP address is on the same subnet as the router. If you are using the recommended addressing scheme, your PC’s address should be in the range of 192.168.0.2 to
192.168.0.254. Refer to “Verifying TCP/IP Properties” on page 4-5 or “Verifying TCP/IP
Properties (Macintosh)” on page 4-8 to find your PC’s IP address. Follow the instructions in Chapter 4 to configure your PC.
Note: If your PC’s IP address is shown as 169.254.x.x: Recent versions of Windows and
MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the router and reboot your PC.
If your router’s IP address has been changed and you don’t know the current IP address, clear the router’s configuration to factory defaults. This will set the router’s IP address to
192.168.0.1. This procedure is explained in “Restoring the Default Configuration and
Password” on page 7-7.
Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.
Try quitting the browser and launching it again.
Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.
If the router does not save changes you have made in the Web Configuration Interface, check the following:
When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost.
Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
Troubleshooting 7-3
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall

Troubleshooting the ISP Connection

If your router is unable to acces s the Inte rnet, you sho uld first det ermine whether the router is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your router must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.
To check the WAN IP address:
1. Launch your browser and select an external site such as www.netgear.com
2. Access the Main Menu of the router’s configuration at http://192.168.0.1
3. Under the Maintenance heading, select Router Status
4. Check that an IP address is shown for the WAN Port
If 0.0.0.0 is shown, your router has not obtained an IP address from your ISP.
If your router is unable to obtain an IP address from the ISP, you may need to force your cable or DSL modem to recognize your new router by performing the following procedure:
1. Turn off power to the cable or DSL modem.
2. Turn off power to your router.
3. Wait five minutes and reapply power to the cable or DSL modem.
4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to
your router.
If your router is still unable to obtain an IP address from the ISP, the problem may be one of the following:
Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.
If your ISP requires a login, you may have incorrectly set the login name and password.
Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu.
Your ISP only allows one Ethernet MAC address to connect to Internet, and may check for your PC’s MAC address. In this case:
Inform your ISP that you have bought a new network device, and ask them to use the router’s MAC address.
7-4 Troubleshooting
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
OR Configure your route r to spoo f your PC’s MAC address. This can be done in the Basic Settings
menu. Refe r to “Manually Configuring Your Internet Connection” on page 2-12.
If your router can obtain an IP address, but your PC is unable to load any web pages from the Internet:
Your PC may not recognize any DNS server addresses. A DNS server is a host on the Intern et that tr ans la te s Int er net names (su ch as www addres ses )
to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the router’s configuration, reboot your PC and verify the DNS address as described in “Verifying TCP/IP Properties” on page
4-5. Alternatively, you may configure your PC manually with DNS addresses, as explained in
your operating system documenta ti on.
Your PC may not have the router configured as its TCP/IP gateway. If your PC obtains its information from the router by DHCP, reboot the PC and verify the
gateway address as described in “Verifying TCP/IP Properties” on page 4-5.

Troubleshooting a TCP/IP Network Using a Ping Utility

Most TCP/IP terminal devices and routers contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your PC or workstation.

Testing the LAN Path to Your Router

You can ping the router from your PC to verify that the LAN path to your router is set up correctly. To ping the router from a PC running Windows 95 or later:
1. From the Windows toolbar, click on the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the router, as in this example:
ping 192.168.0.1
3. Click on OK.
You should see a message like this one:
Pinging <IP address> with 32 bytes of data
Troubleshooting 7-5
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
If the path is working, you see this messa ge:
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
Wrong physical connections
— Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN
or WAN Port LEDs Not On” on page 7-2.
— Check that the corresponding Link LEDs are on for your network interface card and
for the hub ports (if any) that are connected to your workstation and router.
Wrong network configuration
— Verify that the Ethern et card driver software and TCP/IP software are bot h installed
and configured on your PC or workstation.
— Verify that the IP addre ss for your router and your works tati on are cor rect and that the
addresses are on the same subnet.

Testing the Path from Yo ur PC to a Remote Device

After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type:
PING -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP’s DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not
receive replies:
— Check t hat your PC h as the IP ad dress of y our router listed as the d efault ga teway. If the IP
configuration of yo ur PC is as signed by DHCP, this infor mat ion wil l not be vis ible in your PC’ s Networ k Control Panel. Verify that t he IP add ress of th e route r is l isted as the d efaul t gateway as described in “Verifying TCP/IP Properties” on page 4-5.
— Check to see that the network address of your PC (the portion of the IP address specified
by the netmask) is different from the network address of the remote device.
— Check that your cable or DSL modem is connected and functi oning.
7-6 Troubleshooting
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
— If your I SP assi gned a ho st name t o your PC, e nter t hat ho st name a s the Acc ount Name i n
the Basic Settings menu.
— Your ISP could be rej ectin g the Ethern et MAC a ddress es of all but one of yo ur PCs. Man y
broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your router to “clone” or “spoof” the MAC address from the authorized PC. Refer to “Manually
Configuring Your Internet Connection” on page 2-12.

Restoring the Default Configuration and Password

This section explains how to restore the factory default configuration settings, changing the router’s admin istrati on passwor d to password and the IP address to 192. 168.0.1. You can erase the current configuration and restore factory defaults in two ways:
Use the Erase function of the router (see “Erasing the Configuration” on page 5-8).
Use the Default Reset button on the rear panel of the router. Use this method for cases when the administration password or IP address is not known.
To restore the factory default configuration settin gs wit hout k nowin g the ad mi ni st rat io n password or IP address, you must use the Default Reset button on the rear panel of the router.
1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).
2. Release the Default Reset button and wait for the router to reboot.

Problems with Date and Time

The E-Mail menu in the Content Filtering section displays the current date and time of day. The FWAG114 wireless firew all uses the N etwork Time Protoc ol (NTP) to obtain the cur rent time from one of several Network Time Servers on the Internet. Each entry in the log i s stamped wi th the date and time of day. Problems with the date and time function can include:
Date shown is January 1, 2000. Cause: The router has not yet succe ss ful ly reached a Network Time Serv er. Check that your Internet acces s s ettings ar e confi gured corre ctly. If you have just completed configuring the router, wait at least five minutes and check the date and time again.
Time is off by one hour. Cause: The router does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked “Adjust for Daylight Savings Time”.
Troubleshooting 7-7
Reference Manual for the Model FWAG114 Cable/DSL Wireless ProSafe Firewall
7-8 Troubleshooting
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use