Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA SM-FWAG114NA-0 Version 1.
© 2003 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Statement of Conditions In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
Manufacturer's/Importer's Declaration: It is hereby confirmed that the ProSafe Dual Band Wireless VPN Firewall FWAG114 is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some devices (e.g., test transmitters) may nevertheless be subject to certain restrictions. Please read the notes on this in the operating manual.
Contents
Chapter 1 About This Manual
Audience 1-1
Typographical Conventions 1-1
Special Message Formats 1-1
Features of the HTML Version of this Manual
Dynamic IP Wizard-Detected Option 3-10
Fixed IP Account Wizard-Detected Option 3-11
Manually Configuring Your Internet Connection 3-12
Chapter 4 Wireless Configuration
Observe Performance, Placement, and Range Guidelines 4-1
Implement Appropriate Wireless Security
Getting E-Mail Notifications of Event Logs and Alerts 5-14
Viewing Logs of Web Access or Attempted Web Access 5-16
Syslog 5-17
Chapter 6 Maintenance
Viewing VPN Firewall Status Information 5-1
Viewing a List of Attached Devices
Enabling Remote Management Access 6-8
Chapter 9 Troubleshooting
Basic Functioning 7-1
Power LED Not On 7-1
LEDs Never Turn Off
Ethernet Cabling B-12
Uplink Switches, Crossover Cables, and MDI/MDIX Switching B-12
Cable Quality B-13
Appendix C Preparing Your Network
Preparing Your Computers for TCP/IP Networking
802.11 Authentication D-3
Open System Authentication D-4
Shared Key Authentication D-4
Overview of WEP Parameters D-5
Key Size
Chapter 1 About This Manual Congratulations on your purchase of the NETGEAR® ProSafe Dual Band Wireless VPN Firewall FWAG114. The FWAG114 wireless firewall provides connection for multiple personal computers (PCs) to the Internet through an external broadband access device (such as a cable modem or DSL modem) that is normally intended for use by a single PC. Audience This reference manual assumes that the reader has basic to intermediate computer and Internet skills.
Features of the HTML Version of this Manual
The HTML version of this manual includes these features.
Figure Preface-2: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs. To view the HTML version of the manual, you must have a version 4 or later browser with Java or JavaScript enabled. To use the Favorites feature, your browser must be set to accept cookies.
Chapter 2 Introduction This chapter describes the features of the NETGEAR ProSafe Dual Band Wireless VPN Firewall FWAG114. Key Features of the VPN Firewall The ProSafe Dual Band Wireless VPN Firewall FWAG114 with 4-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FWAG114 is a complete security solution that protects your network from attacks and intrusions.
• Flash memory for firmware upgrade.
802.11g and 802.11b Wireless Networking
The FWAG114 wireless firewall includes an 802.11b-compliant wireless access point, providing continuous, high-speed 11 Mbps access between your wireless and Ethernet devices. The access point provides:
• 802.11b Standards-based wireless networking at up to 11 Mbps.
• 802.11g wireless networking at up to 54 Mbps, which will conform to the 802.
• With its content filtering feature, the FWAG114 prevents objectionable content from reaching your PCs. The router allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the router to log and report attempts to access objectionable Internet sites.
• IP Address Sharing by NAT. The FWAG114 wireless firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
• Remote management. The firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
• Visual monitoring. The FWAG114 wireless firewall’s front panel LEDs provide an easy way to monitor its status and activity.
The FWAG114’s Front Panel
The front panel of the FWAG114 wireless firewall contains the status LEDs described below.
Figure 2-1: FWAG114 Front Panel (LED labels shown: PWR, TEST, Broadband LINK/ACT and 100, LAN 1 to 4 LINK/ACT and 100, 802.11a, 802.11g)
You can use some of the LEDs to verify connections. Viewed from left to right, Table 2-1 describes the LEDs on the front panel of the router.
The FWAG114’s Rear Panel
The rear panel of the FWAG114 wireless firewall contains the port connections listed below. Internet 12VDC, 1.
Chapter 3 Connecting the FWAG114 to the Internet This chapter describes how to set up the router on your local area network (LAN) and connect to the Internet. You find out how to configure your ProSafe Dual Band Wireless VPN Firewall FWAG114 for Internet access using the Setup Wizard, or how to manually configure your Internet connection. What You Will Need Before You Begin You need to prepare these three things before you begin: 1.
Note: For help with DHCP configuration, please refer to Appendix C, “Preparing Your Network.” The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T) Ethernet interface.
Record Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
Connecting the ProSafe Dual Band Wireless VPN Firewall FWAG114 to Your LAN
This section provides instructions for connecting the FWAG114 wireless firewall. Also, the Resource CD for ProSafe Dual Band Wireless VPN Firewall included with your router contains an animated Installation Assistant to help you through this procedure.
Procedure: Connecting the VPN Firewall
There are three steps to connecting your router: 1. 2. 3.
c. Connect the Ethernet cable from your cable or DSL modem to the Internet port (A) on the FWAG114.
Figure 3-2: Connect the cable or DSL Modem to the router
d. Connect the Ethernet cable which came with the router from a Local port on the router (B) to your computer.
Note: The FWAG114 wireless firewall incorporates Auto UplinkTM technology. Each LOCAL Ethernet port will automatically sense whether the cable should have a normal connection or an uplink connection. This feature eliminates the need to worry about crossover cables, because Auto Uplink will make the right connection with either type of cable.
e. Now, turn on your computer.
A login window shown below opens:
Figure 3-5: Login window
3. Connect to the Internet
Figure 3-6: Setup Wizard
a. You are now connected to the router. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.
b. Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet.
c. When the router successfully detects an active Internet service, the router’s Internet LED goes on. The Setup Wizard reports which connection type it discovered, and displays the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your router and the cable or DSL line.
d. The Setup Wizard will report the type of connection it finds.
• Enter the Account Name, Domain Name, Login, and Password as provided by your ISP. These fields are case sensitive.
• The router will try to discover the domain automatically if you leave the Domain Name blank. Otherwise, you may need to enter it manually.
• To change the login timeout, enter a new value in minutes.
Dynamic IP Wizard-Detected Option
If the Setup Wizard discovers that your ISP uses Dynamic IP assignment, you will see this menu:
Figure 3-8: Setup Wizard menu for Dynamic IP address accounts
• Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers.
Fixed IP Account Wizard-Detected Option
If the Setup Wizard discovers that your ISP uses Fixed IP assignment, you will see this menu:
Figure 3-9: Setup Wizard menu for Fixed IP address accounts
• Fixed IP is also called Static IP.
• Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway router. This information should have been provided to you by your ISP.
Manually Configuring Your Internet Connection
You can manually configure your router using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
Procedure: Configuring the Internet Connection Manually
You can manually configure the router using the Basic Settings menu shown in Figure 3-10 using these steps:
1. Click the Basic Settings link on the Setup menu.
2. If your Internet connection does not require a login, click No at the top of the Basic Settings menu and fill in the settings according to the instructions below.
Note: After you finish setting up your router, you will no longer need to launch the ISP’s login program on your PC in order to access the Internet. When you start an Internet application, your router will automatically log you in.
a. Select your Internet service provider from the drop-down list.
b. The screen will change according to the ISP settings requirements of the ISP you select.
c.
Chapter 4 Wireless Configuration This chapter describes how to configure the wireless features of your FWAG114 wireless firewall. Observe Performance, Placement, and Range Guidelines In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your FWAG114 in order to maximize the network speed. For further information on wireless networking, refer to Appendix D, “Wireless Networking Basics.”
Be aware that the time it takes to establish a wireless connection can vary depending on both your security settings and placement. WEP connections can take slightly longer to establish. Also, WEP encryption can consume more battery power on a notebook PC.
Implement Appropriate Wireless Security
Note: Indoors, computers can connect over 802.11 wireless networks at ranges of 300 feet or more.
There are several ways you can enhance the security of your wireless network.
• Restrict Access Based on MAC Address. You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the FWAG114. Restricting access by MAC address adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.
Understanding Wireless Settings
To configure the wireless settings of your FWAG114, click the Wireless 11a or Wireless 11b/g link in the Setup section of the main menu. The wireless settings menu will appear, as shown below.
Note: The 802.11b and 802.11g wireless networking protocols are configured in exactly the same fashion. The FWAG114 will automatically adjust to the 802.11g or 802.11b protocol as the device requires without compromising the speed of the other connected devices.
Common Wireless Settings
The 802.11a and the 802.11b/g wireless network identification settings are configured separately.
– Beacon Interval. Specifies the Beacon Interval value. Enter a value between 20 and 1000. Default: 100.
– DTIM. The Delivery Traffic Indication Message. Specifies the data beacon rate between 1 and 255. Default: 1.
– WEP Status. If WEP is enabled, this will indicate the current settings.
• Access Point Connections. Lets you restrict wireless connections according to a list of Trusted PCs MAC addresses.
Be sure to set your wireless adapter according to the authentication scheme you choose for the FWAG114 wireless firewall. Please refer to “Authentication and WEP Data Encryption” on page D-3 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard.
WEP
Choose the encryption settings from this menu.
Feature: Default Factory Setting
SSID for both 802.11a & 802.11b: NETGEAR
11a RF Channel: Off until the Regulatory Domain is selected, then 52 Non-Turbo Mode; 50 Turbo Mode
11b RF Channel: 6
WEP: Disabled
Authentication Type: Open System
Access Point Connections for both 802.11a & 802.11b/g: All wireless stations allowed
Bridging to wired LAN for both 802.11a & 802.11b/g: Enabled
SSID broadcast for both 802.11a & 802.
Note: If you select shared key, the other devices in the network will not connect unless they are set to Shared Key as well.
• WEP Encryption. 802.11a and 802.11b differ in their use of WEP encryption keys. See “Security Configuration” on page 2-21 for a description of these differences. 802.
Note: The characters are case sensitive. An access point always functions in infrastructure mode. The SSID for any wireless device communicating with the access point must match the SSID configured in the ProSafe Dual Band Wireless VPN Firewall FWAG114. If they do not match, you will not get a wireless connection to the FWAG114.
5. Set the Channel.
4. Click the Trusted PCs button to display the Wireless Access menu shown below.
Figure 4-3: Wireless Access menu
5. Enter the MAC address of a wireless adapter and click the Add button to add a wireless device to the wireless access control list. The Trusted PCs list updates with the new entry.
Note: You can copy and paste the MAC addresses from the FWAG114’s Attached Devices menu into the MAC Address box of this menu.
To remove a MAC address from the table, click on it to select it, then click the Delete button.
How to Configure WEP
To configure WEP data encryption, follow these steps:
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. Click the Wireless 11a or 11b link in the main menu of the FWAG114.
3.
Chapter 5 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual Band Wireless VPN Firewall FWAG114 to protect your network. These features can be found by clicking on the Content Filtering heading in the Main Menu of the browser interface.
Block Sites
The FWAG114 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Keyword Blocking menu is shown in Figure 5-1.
Figure 5-1: Block Sites menu
To enable keyword blocking, check “Turn keyword blocking on”, then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.
You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed or reserved IP address.
Using Rules to Block or Allow Specific Kinds of Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the other.
You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined. To create a new rule, click the Add button.
Inbound Rules (Port Forwarding)
Because the FWAG114 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a web server or game server) visible and available to the Internet.
Inbound Rule Example: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-4, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
Outbound Rules (Service Blocking)
The FWAG114 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 5-6.
Figure 5-6: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom.
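The following Python model, added here as an illustration and not NETGEAR's code, evaluates a constructed rules table the way the text above describes: top to bottom, first matching rule wins, with an inbound rule restricted to a source address range (as in the CU-SeeMe example), an outbound service-blocking rule on a 24-hour schedule, and default rules at the bottom. The default rules (block inbound, allow outbound), the port numbers and all addresses are assumptions, not values from the manual.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import List, Optional, Set, Tuple

# Constructed model of the FWAG114 rules table (example code, not NETGEAR's):
# traffic is checked against the rules top to bottom and the first rule whose
# direction, service, addresses and schedule all match decides the action.
# Default rules, port numbers and addresses below are assumptions.

@dataclass(frozen=True)
class Service:
    name: str
    protocol: str            # "tcp" or "udp"
    ports: Tuple[int, int]   # inclusive destination port range

@dataclass(frozen=True)
class Packet:
    direction: str           # "inbound" (Internet to LAN) or "outbound" (LAN to Internet)
    protocol: str
    src: str
    dst: str
    dport: int
    when: datetime

@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                                   # "allow" or "block"
    service: Optional[Service] = None             # None = any service
    src_range: Optional[Tuple[str, str]] = None   # inclusive (first, last); None = any
    dst_range: Optional[Tuple[str, str]] = None
    days: Optional[Set[int]] = None               # weekday numbers, Monday = 0; None = every day
    hours: Optional[Tuple[str, str]] = None       # ("HH:MM", "HH:MM") 24-hour time; None = all day
    log: str = "never"                            # "never", "match" or "not_match"

def in_range(addr: str, rng: Optional[Tuple[str, str]]) -> bool:
    return rng is None or ip_address(rng[0]) <= ip_address(addr) <= ip_address(rng[1])

def schedule_active(rule: Rule, when: datetime) -> bool:
    if rule.days is not None and when.weekday() not in rule.days:
        return False
    if rule.hours is not None:
        start, end = rule.hours
        return start <= when.strftime("%H:%M") < end   # zero-padded HH:MM strings sort correctly
    return True

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.direction != pkt.direction:
        return False
    if rule.service is not None:
        lo, hi = rule.service.ports
        if rule.service.protocol != pkt.protocol or not lo <= pkt.dport <= hi:
            return False
    return (in_range(pkt.src, rule.src_range) and in_range(pkt.dst, rule.dst_range)
            and schedule_active(rule, pkt.when))

def evaluate(rules: List[Rule], pkt: Packet, log: List[str]) -> Tuple[str, str]:
    """Return (action, deciding rule name); append a log line where a rule asks for one."""
    for rule in rules:
        matched = rule_matches(rule, pkt)
        if (matched and rule.log == "match") or (not matched and rule.log == "not_match"):
            log.append(f"{pkt.when:%Y-%m-%d %H:%M} {rule.name}: {'match' if matched else 'no match'} "
                       f"{pkt.direction} {pkt.protocol}/{pkt.dport} {pkt.src} -> {pkt.dst}")
        if matched:
            return rule.action, rule.name
    raise ValueError("rules table has no default rule for this direction")

# Constructed rules table; ports and addresses are sample values.
CUSEEME = Service("CU-SeeMe", "tcp", (7648, 7648))
TELNET = Service("Telnet", "tcp", (23, 23))
RULES = [
    # Inbound rule like Figure 5-4: videoconferencing allowed only from a branch office range.
    Rule("Branch office CU-SeeMe", "inbound", "allow", CUSEEME,
         src_range=("198.51.100.1", "198.51.100.254"),
         dst_range=("192.168.0.11", "192.168.0.11"), log="match"),
    # Outbound service blocking on a schedule: no Telnet on weekdays from 09:00 to 17:00.
    Rule("Block Telnet in office hours", "outbound", "block", TELNET,
         days={0, 1, 2, 3, 4}, hours=("09:00", "17:00"), log="match"),
    # Default rules at the bottom of the table (assumed defaults).
    Rule("Default inbound", "inbound", "block"),
    Rule("Default outbound", "outbound", "allow"),
]

def demo() -> Tuple[List[Tuple[str, str]], List[str]]:
    """Run constructed sample traffic through the table; returns (decisions, log lines)."""
    log: List[str] = []
    tue, tue_eve = datetime(2003, 11, 4, 10, 30), datetime(2003, 11, 4, 19, 0)  # a Tuesday
    sat = datetime(2003, 11, 8, 10, 30)
    samples = [
        Packet("inbound", "tcp", "198.51.100.7", "192.168.0.11", 7648, tue),    # branch office: allowed
        Packet("inbound", "tcp", "203.0.113.5", "192.168.0.11", 7648, tue),     # elsewhere: default block
        Packet("outbound", "tcp", "192.168.0.20", "203.0.113.9", 23, tue),      # Telnet in office hours
        Packet("outbound", "tcp", "192.168.0.20", "203.0.113.9", 23, tue_eve),  # Telnet after hours
        Packet("outbound", "tcp", "192.168.0.20", "203.0.113.9", 23, sat),      # Telnet on a Saturday
    ]
    return [evaluate(RULES, p, log) for p in samples], log
```

Note that only the first matching rule decides and is logged; a broader rule placed above a narrower one silently shadows it, which is why the table order matters.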
The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The router is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC’s IP address is entered as the Default DMZ Server.
Services
Services are functions performed by server computers at the request of client computers. For example, Web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups or newsgroups. When you have the port number information, go to the Services menu and click on the Add Custom Service button.
Using a Schedule to Block or Allow Specific Traffic
If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted.
To block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for the selected days, type a Start Blocking time and an End Blocking time.
Note: Enter the values as 24-hour time.
Getting E-Mail Notifications of Event Logs and Alerts
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:
Figure 5-10: E-mail menu
• Turn e-mail notification on. Check this box if you wish to receive e-mail logs and alerts from the router.
• Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be blank.
– If a user on your LAN attempts to access a website that you blocked using Keyword blocking.
• Send logs according to this schedule. You can specify that logs are sent to you according to a schedule. Select whether you would like to receive the logs None, Hourly, Daily, Weekly, or When Full. Depending on your selection, you may also need to specify:
– Day for sending log. Relevant when the log is sent weekly or daily.
Viewing Logs of Web Access or Attempted Web Access
The router will log security-related events such as denied incoming and outgoing service requests, hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu, the Log page will also show you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message.
Log entries are described in Table 5-1.
Table 5-1. Log entry descriptions
Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken if any.
Source IP: The IP address of the initiating device for this log entry.
Chapter 6 Maintenance This chapter describes how to use the maintenance features of your ProSafe Dual Band Wireless VPN Firewall FWAG114. These features can be found by clicking on the Maintenance heading in the Main Menu of the browser interface. Viewing VPN Firewall Status Information The Router Status menu provides status and usage information. From the main menu of the browser interface, click on Maintenance, then select Router Status to view this screen.
This screen shows the following parameters:
Table 6-1. Menu 3.2 - FWAG114 Status Fields
System Name: This field displays the System Name assigned to the router.
Firmware Version: This field displays the router firmware version.
WAN Port: These parameters apply to the Internet (WAN) port of the router.
MAC Address: This field displays the MAC address being used by the Internet (WAN) port of the router.
Click “Show WAN Status” to display the WAN connection status.
Figure 6-2: Connection Status screen
This screen shows the following statistics:
Table 6-1. Connection Status Fields
Connection Time: The length of time the router has been connected to your Internet service provider’s network.
Connection Method: The method used to obtain an IP address from your Internet service provider.
Click “Show Statistics” to display router usage statistics.
Figure 6-3: Router Statistics screen
This screen shows the following statistics:
Table 6-1. Router Statistics Fields
Interface: The statistics for the WAN (Internet), LAN (local), 802.11a, and 802.11b/g interfaces. For each interface, the screen displays:
Status: The link status of the interface.
WAN Status action buttons are described in Table 6-2.
Table 6-2. Connection Status action buttons
Set Interval: Enter a time and click the button to set the polling frequency.
Stop: Click the Stop button to freeze the polling information.
Viewing a List of Attached Devices
The Attached Devices menu contains a table of all IP devices that the router has discovered on the local network.
Note: The Web browser used to upload new firmware into the FWAG114 wireless firewall must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer or Netscape Navigator 3.0 or above.
From the Main Menu of the browser interface, under the Maintenance heading, select the Router Upgrade heading to display the menu shown below.
Figure 6-5: Router Upgrade menu
To upload new firmware: 1.
From the Main Menu of the browser interface, under the Maintenance heading, select the Settings Backup heading to bring up the menu shown below.
Figure 6-6: Settings Backup menu
Three options are available, and are described in the following sections.
Erasing the Configuration
It is sometimes desirable to restore the router to a known blank condition. This can be done by using the Erase function, which will restore all factory settings. After an erase, the router's password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client will be enabled. To erase the configuration, click the Erase button.
Chapter 7 Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FWAG114 wireless firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Overview of FWAG114 Policy-Based VPN Configuration
The FWAG114 uses state-of-the-art firewall and security technology to facilitate controlled and actively monitored VPN connectivity.
Using Policies to Manage VPN Traffic
You create policy definitions to manage VPN traffic on the FWAG114. There are two kinds of policies:
• IKE Policies: Define the authentication scheme and automatically generate the encryption keys.
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7-2.
The IKE Policy Configuration fields are defined in the following table.
Table 7-1. IKE Policy Configuration Fields
General: These settings identify this policy and determine its major characteristics.
Policy Name: The descriptive name of the IKE policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.
Table 7-1. IKE Policy Configuration Fields
Remote: These parameters apply to the target remote FWAG114, VPN gateway, or VPN client.
Remote Identity Type: Use this field to identify the remote FWAG114. You can choose one of the following four options from the drop-down list:
• By its Internet (WAN) port IP address.
• By its Fully Qualified Domain Name (FQDN) -- your domain name.
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
The VPN Auto Policy fields are defined in the following table.
Table 7-1. VPN Auto Policy Configuration Fields
General: These settings identify this policy and determine its major characteristics.
Policy Name: The descriptive name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify VPN policies.
Table 7-1. VPN Auto Policy Configuration Fields
Traffic Selector: These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be created.
Local IP: The drop-down menu allows you to configure the source IP address of the outbound network traffic for which this VPN policy will provide security.
Table 7-1. VPN Auto Policy Configuration Fields
Enable Authentication, Authentication Algorithm, NETBIOS Enable: Use this checkbox to enable or disable ESP transform for this VPN policy. You can select the ESP mode also with this menu. Two ESP modes are available:
• Plain ESP
• ESP with authentication
If you enable AH, then use this menu to select which authentication algorithm will be employed.
Figure 7-4: VPN - Manual Policy Menu
7-10 Virtual Private Networking
The VPN Manual Policy fields are defined in the following table.
Table 7-1. VPN Manual Policy Configuration Fields
General: These settings identify this policy and determine its major characteristics.
Policy Name: The name of the VPN policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN Endpoint. It is used to help you identify VPN policies.
Table 7-1. VPN Manual Policy Configuration Fields
SPI - Outgoing: Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the remote VPN endpoint has the same value in its "Incoming SPI" field.
Enable Authentication: Use this checkbox to enable or disable AH. Authentication is often not used. In this case, leave the checkbox unchecked.
Table 7-1. VPN Manual Policy Configuration Fields
Key - In: Enter the key in the fields provided.
• For DES, the key should be 8 characters.
• For 3DES, the key should be 24 characters.
Any value is acceptable, provided the remote VPN endpoint has the same value in its Encryption Algorithm "Key - Out" field.
Key - Out: Enter the key in the fields provided.
• For DES, the key should be 8 characters.
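To check a Manual Policy pair before applying it, here is an added example (not NETGEAR's code) that enforces the field rules above and the mirroring of SPIs and keys between the two endpoints; it goes beyond the manual in one place by flagging a 3DES key made of one 8-character block repeated three times, which gives only single-DES strength. The sample policies are constructed for this example.

```python
"""Consistency check for an FWAG114 VPN Manual Policy pair (added example)."""
import re
from dataclasses import dataclass

KEY_LENGTH = {"DES": 8, "3DES": 24}          # characters, as the manual states
SPI_RE = re.compile(r"^[0-9A-Fa-f]{3,8}$")   # "Hex value (3 - 8 chars)"


@dataclass(frozen=True)
class ManualPolicy:
    name: str
    spi_in: str
    spi_out: str
    encryption: str            # "DES" or "3DES"
    key_in: str
    key_out: str
    auth_enabled: bool = False  # AH; the manual notes it is often left unchecked


def check_policy(p: ManualPolicy) -> list:
    """Field-level problems in one policy; an empty list means it is well-formed."""
    problems = []
    for label, spi in (("SPI - Incoming", p.spi_in), ("SPI - Outgoing", p.spi_out)):
        if not SPI_RE.match(spi):
            problems.append(f"{p.name}: {label} must be 3-8 hex chars, got {spi!r}")
    want = KEY_LENGTH.get(p.encryption)
    if want is None:
        problems.append(f"{p.name}: unknown encryption algorithm {p.encryption!r}")
        return problems
    for label, key in (("Key - In", p.key_in), ("Key - Out", p.key_out)):
        if len(key) != want:
            problems.append(f"{p.name}: {label} must be {want} chars for "
                            f"{p.encryption}, got {len(key)}")
        # Beyond the manual: three identical 8-char blocks collapse 3DES to DES.
        elif p.encryption == "3DES" and len({key[0:8], key[8:16], key[16:24]}) == 1:
            problems.append(f"{p.name}: {label} repeats one 8-char block three "
                            "times (effectively single DES)")
    return problems


def check_pair(local: ManualPolicy, remote: ManualPolicy) -> list:
    """Problems in either endpoint plus mismatches between the two."""
    problems = check_policy(local) + check_policy(remote)
    if local.spi_out.lower() != remote.spi_in.lower():
        problems.append("local SPI - Outgoing != remote SPI - Incoming")
    if local.spi_in.lower() != remote.spi_out.lower():
        problems.append("local SPI - Incoming != remote SPI - Outgoing")
    if local.key_out != remote.key_in:
        problems.append("local Key - Out != remote Key - In")
    if local.key_in != remote.key_out:
        problems.append("local Key - In != remote Key - Out")
    if local.encryption != remote.encryption:
        problems.append("encryption algorithms differ")
    return problems


# Constructed sample pair: Gateway A's policy and the mirrored one on Gateway B.
GATEWAY_A = ManualPolicy("A_to_B", spi_in="1A2B3C", spi_out="4D5E6F",
                         encryption="3DES",
                         key_in="abcdefgh12345678ABCDEFGH",
                         key_out="ZYXWVUTS87654321zyxwvuts")
GATEWAY_B = ManualPolicy("B_to_A", spi_in="4D5E6F", spi_out="1A2B3C",
                         encryption="3DES",
                         key_in="ZYXWVUTS87654321zyxwvuts",
                         key_out="abcdefgh12345678ABCDEFGH")
# The same peer with its two keys typed into the wrong boxes.
GATEWAY_B_SWAPPED = ManualPolicy("B_to_A", spi_in="4D5E6F", spi_out="1A2B3C",
                                 encryption="3DES",
                                 key_in="abcdefgh12345678ABCDEFGH",
                                 key_out="ZYXWVUTS87654321zyxwvuts")

if __name__ == "__main__":
    print("good pair:", check_pair(GATEWAY_A, GATEWAY_B) or "no problems")
    for line in check_pair(GATEWAY_A, GATEWAY_B_SWAPPED):
        print("swapped keys:", line)
```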
Using Digital Certificates for IKE Auto-Policy Authentication
Digital certificates are strings generated using encryption and authentication schemes which cannot be duplicated by anyone without access to the different values used in the production of the string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation uniquely.
Walk-Through of Configuration Scenarios on the FWAG114
There are a variety of configurations you might implement with the FWAG114. The scenarios listed below illustrate typical configurations you might use in your organization. To make it easier to set up an IPsec system, the following two scenarios are provided. These scenarios were developed by the VPN Consortium (http://www.vpnc.org).
VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.
Figure 7-5: VPN Consortium Scenario 1 (LAN 10.5.6.0/24; Gateway A, LAN 10.5.6.1, WAN 14.15.16.17; Internet; Gateway B, WAN 22.23.24.25, LAN 172.23.9.1; LAN 172.23.9.0/24)
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.
FWAG114 Scenario 1: FWAG114 to Gateway B IKE and VPN Policies
Note: This scenario assumes all ports are open on the FWAG114. You can verify this by reviewing the security settings as seen in the “Rules menu” on page 3-6.
Scenario 1 diagram: 10.5.6.1/24 LAN IP; 14.15.16.17 WAN IP; 22.23.24.25 WAN IP; 172.23.9.
b. Configure the WAN Internet Address according to the settings above and click Apply to save your settings. For more information on configuring the WAN IP settings in the Basic Setup topics, please see “How to Complete a Manual Configuration” on page 2-14.
c. From the main menu Advanced section, click on the LAN IP Setup link.
Figure 7-8: LAN IP configuration menu
d.
3. Set up the IKE Policy illustrated below on the FWAG114.
a. From the main menu VPN section, click on the IKE Policies link, and then click the Add button to display the screen below.
Figure 7-9: Scenario 1 IKE Policy
b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
4. Set up the FWAG114 VPN - Auto Policy illustrated below.
a. From the main menu VPN section, click on the VPN Policies link, and then click on the Add Auto Policy button.
Figure 7-10: Scenario 1 VPN - Auto Policy (callouts: WAN IP address, LAN IP addresses)
b. Configure the IKE Policy according to the settings in the illustration above and click Apply to save your settings.
To test connectivity between the Gateway A FWAG114 LAN and the Gateway B LAN, follow these steps:
a. Using our example, from a PC attached to the FWAG114 on LAN A, on a Windows PC click the Start button on the taskbar and then click Run.
b. Type ping -t 172.23.9.1, and then click OK.
c. This will cause a continuous ping to be sent to the LAN interface of Gateway B.
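The traffic selector for this scenario, as an added example (not NETGEAR code): the policy below classifies packets as tunneled, local, or sent in the clear using the scenario's own addresses, so you can see exactly which traffic the ping test exercises. The packet list and the LAN A host 10.5.6.20 are constructed for this example.

```python
"""Traffic-selector check for VPN Consortium Scenario 1 on the FWAG114 (added example)."""
import ipaddress
from dataclasses import dataclass

IPv4Network = ipaddress.IPv4Network
IPv4Address = ipaddress.IPv4Address


@dataclass(frozen=True)
class VpnAutoPolicy:
    name: str
    ike_policy: str            # the IKE policy this VPN Auto Policy relies on
    local_net: IPv4Network     # LAN behind this FWAG114 (Gateway A)
    remote_wan: IPv4Address    # WAN address of the remote gateway (Gateway B)
    remote_net: IPv4Network    # LAN behind the remote gateway


# Scenario 1 as configured on Gateway A (the FWAG114).
SCENARIO_1 = VpnAutoPolicy(
    name="Scenario_1",
    ike_policy="Scenario_1",
    local_net=IPv4Network("10.5.6.0/24"),
    remote_wan=IPv4Address("22.23.24.25"),
    remote_net=IPv4Network("172.23.9.0/24"),
)


def classify(policy: VpnAutoPolicy, src: str, dst: str) -> str:
    """Decide how the FWAG114 handles a packet from src to dst.

    "tunnel": matches the selector in either direction; the IKE policy brings up
              an IPsec SA if none exists and the packet travels inside it.
    "local":  stays within LAN A and never reaches the WAN side.
    "clear":  ordinary NAT'd Internet traffic, not covered by the VPN policy.
    """
    s, d = IPv4Address(src), IPv4Address(dst)
    if s in policy.local_net and d in policy.remote_net:
        return "tunnel"
    if s in policy.remote_net and d in policy.local_net:
        return "tunnel"
    if s in policy.local_net and d in policy.local_net:
        return "local"
    return "clear"


def tunnel_needed(policy: VpnAutoPolicy, packets) -> list:
    """The (src, dst) pairs that would be carried by the tunnel."""
    return [(s, d) for s, d in packets if classify(policy, s, d) == "tunnel"]


# Constructed packets seen on LAN A; the first is the manual's "ping -t 172.23.9.1".
SAMPLE_PACKETS = [
    ("10.5.6.20", "172.23.9.1"),    # test ping to Gateway B's LAN interface
    ("10.5.6.20", "172.23.9.77"),   # a host on LAN B
    ("10.5.6.20", "22.23.24.25"),   # Gateway B's WAN address: outside the selector
    ("10.5.6.20", "10.5.6.1"),      # Gateway A's own LAN interface
    ("10.5.6.20", "198.51.100.9"),  # an ordinary Internet host
]

if __name__ == "__main__":
    for src, dst in SAMPLE_PACKETS:
        print(f"{src} -> {dst}: {classify(SCENARIO_1, src, dst)}")
```

A ping to Gateway B's WAN address 22.23.24.25 does not match the selector and so says nothing about the tunnel; only traffic to the remote LAN does, which is why the test above targets 172.23.9.1.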
FWAG114 Scenario 2: FWAG114 to FWAG114 with RSA Certificates
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure x.509 (PKIX) certificates for authentication. The network setup is identical to the one given in scenario 1.
b. Click the Generate Request button to display the screen illustrated in Figure 7-11 below.
Figure 7-11: Generate Self Certificate Request menu
c. Fill in the fields on the Add Self Certificate screen.
• Required
– Name. Enter a name to identify this certificate.
– Subject. This is the name which other organizations will see as the holder (owner) of this certificate.
d. Click the Next button to continue. The FWAG114 generates a Self Certificate Request as shown below. Highlight, copy and paste this data into a text file.
Figure 7-12: Self Certificate Request data
4. Transmit the Self Certificate Request data to the Trusted Root CA.
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.
b. Give the certificate request data to the CA.
c. When you have finished gathering the Self Certificate Request data, click the Done button. You will return to the Certificates screen where your pending “FWAG114” Self Certificate Request will be listed, as illustrated in Figure 7-13 below.
Figure 7-13: Self Certificate Requests table
5. Receive the certificate back from the Trusted Root CA and save it as a text file.
f. You will now see the “FWAG114” entry in the Active Self Certificates table and the pending “FWAG114” Self Certificate Request is gone, as illustrated below.
Figure 7-14: Self Certificates table
7. Associate the new certificate and the Trusted Root CA certificate on the FWAG114.
a.
Now, the traffic from devices within the range of the LAN subnet addresses on FWAG114 A and Gateway B will be authenticated using the certificates rather than via a shared key.
8. Set up Certificate Revocation List (CRL) checking.
a. Get a copy of the CRL from the CA and save it as a text file.
Chapter 8 Advanced Configuration
This chapter describes how to configure the advanced features of your ProSafe Dual Band Wireless VPN Firewall FWAG114. These features can be found under the Advanced heading in the Main Menu of the browser interface.
How to Configure Dynamic DNS
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).
1. Log in to the router at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the router.
2. From the Main Menu of the browser interface, under Advanced, click on Dynamic DNS.
3.
Using the LAN IP Setup Options
The second feature category under the Advanced heading is LAN IP Setup. This menu allows configuration of LAN IP services such as DHCP and RIP. From the Main Menu of the browser interface, under Advanced, click on LAN IP Setup to view the LAN IP Setup menu, shown below.
The LAN IP parameters are:
• IP Address: This is the LAN IP address of the router.
• IP Subnet Mask: This is the LAN Subnet Mask of the router. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
• RIP Direction: RIP (Routing Information Protocol) allows a router to exchange routing information with other routers.
For most applications, the default DHCP and TCP/IP settings of the router are satisfactory. See “IP Configuration by DHCP” on page B-10 for an explanation of DHCP and information about how to assign IP addresses for your network. If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the ‘Use router as DHCP server’ check box.
Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.
Configuring Static Routes
Static Routes provide additional routing information to your router.
Figure 8-3. Static Route Entry and Edit Menu
2. Type a route name for this static route in the Route Name box under the table. (This is for identification purposes only.)
3. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
4. Select Active to make this route effective.
5. Type the Destination IP Address of the final destination.
6.
• Your company’s network is 134.177.0.0.
When you first configured your router, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your router will forward your request to the ISP.
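As an added example (not NETGEAR code), this models the route lookup just described: the two implicit routes, then the same table with a static route for the company network added and marked Private. The company network is treated as 134.177.0.0/16, and the ISP gateway 203.0.113.1 and the internal gateway 192.168.0.254 are placeholders, since the manual gives neither.

```python
"""Longest-prefix route lookup for the FWAG114 static-route example (added example)."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    destination: ipaddress.IPv4Network
    gateway: str            # next hop, or "direct" for an attached network
    private: bool = False   # Private routes are not reported in RIP
    active: bool = True     # only Active routes take effect


def lookup(table, dst: str):
    """The most specific active route containing dst (longest prefix wins)."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for route in table:
        if route.active and addr in route.destination:
            if best is None or route.destination.prefixlen > best.destination.prefixlen:
                best = route
    return best


def next_hop(table, dst: str) -> str:
    """Gateway the router forwards to, or "unreachable" if no route matches."""
    route = lookup(table, dst)
    return route.gateway if route else "unreachable"


def reported_in_rip(table) -> list:
    """Names of routes RIP would report: active and not marked Private."""
    return [r.name for r in table if r.active and not r.private]


ISP_GATEWAY = "203.0.113.1"        # placeholder for the ISP's router
COMPANY_GATEWAY = "192.168.0.254"  # placeholder for a LAN router reaching 134.177.0.0

# The two implicit routes created when the router was first configured.
IMPLICIT_ROUTES = [
    Route("default", ipaddress.IPv4Network("0.0.0.0/0"), ISP_GATEWAY),
    Route("local LAN", ipaddress.IPv4Network("192.168.0.0/24"), "direct"),
]

# The company network added as a static route; Private keeps it out of RIP.
COMPANY_ROUTE = Route("company", ipaddress.IPv4Network("134.177.0.0/16"),
                      COMPANY_GATEWAY, private=True)
WITH_STATIC = IMPLICIT_ROUTES + [COMPANY_ROUTE]

if __name__ == "__main__":
    for table, label in ((IMPLICIT_ROUTES, "before"), (WITH_STATIC, "after")):
        print(f"{label}: 134.177.5.5 -> {next_hop(table, '134.177.5.5')}")
```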
3. a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
Chapter 9 Troubleshooting
This chapter gives information about troubleshooting your ProSafe Dual Band Wireless VPN Firewall FWAG114. After each problem description, instructions are provided to help you diagnose and solve the problem.
Basic Functioning
After you turn on power to the router, the following sequence of events should occur:
1. When power is first applied, verify that the PWR LED is on.
2. After approximately 10 seconds, verify that:
a. The TEST LED is not lit.
b.
LEDs Never Turn Off
When the router is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the router. If all LEDs are still on one minute after power up:
• Cycle the power to see if the router recovers.
• Clear the router’s configuration to factory defaults. This will set the router’s IP address to 192.168.0.1.
Troubleshooting the Web Configuration Interface
If you are unable to access the router’s Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the router as described in the previous section.
• Make sure your PC’s IP address is on the same subnet as the router.
Troubleshooting the ISP Connection
If your router is unable to access the Internet, you should first determine whether the router is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your router must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.
To check the WAN IP address:
1.
OR
Configure your router to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page 3-12.
If your router can obtain an IP address, but your PC is unable to load any web pages from the Internet:
• Your PC may not recognize any DNS server addresses.
If the path is working, you see this message:
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections — Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 9-2.
— If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu.
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
Appendix A Technical Specifications
This appendix provides technical specifications for the ProSafe Dual Band Wireless VPN Firewall FWAG114.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.
Electromagnetic Emissions
Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B
Interface Specifications
LAN: 10BASE-T or 100BASE-Tx, RJ-45
WAN: 10BASE-T or 100BASE-Tx
Wireless
Data Encoding: Direct Sequence Spread Spectrum (DSSS)
Maximum Computers Per Wireless Network: Limited by the amount of wireless network traffic generated by each node. Typically 30-70 nodes.
802.
Appendix B Network, Routing, Firewall, and Basics
This appendix provides an overview of IP networks, routing, and networking.
Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
What is a Router?
A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic.
195.34.12.7
The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses.
128.1.x.x to 191.254.x.x.
• Class C: Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x.
• Class D: Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255.
• Class E: Class E addresses are for experimental use.
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.
Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address. The new netmask (or subnet mask) is 255.
Table 9-2. Netmask Formats
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
255.255.255.254    /31
255.255.255.
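An added example (not from the manual) that performs the netmask arithmetic described above: dotted-decimal to /n and back, regenerating Table 9-2 from the prefix lengths, and the Class C split of 192.68.135.0 by shifting one bit from the host part to the network part. The describe() helper and its field names are this example's own.

```python
"""Netmask arithmetic from the FWAG114 manual's subnetting discussion (added example)."""
import ipaddress

ALL_ONES = 0xFFFFFFFF


def prefix_to_mask(n: int) -> str:
    """/n -> dotted decimal: n ones from the left followed by (32 - n) zeros."""
    if not 0 <= n <= 32:
        raise ValueError("prefix length must be 0..32")
    bits = (ALL_ONES << (32 - n)) & ALL_ONES
    return str(ipaddress.IPv4Address(bits))


def mask_to_prefix(mask: str) -> int:
    """Dotted decimal -> /n; rejects non-contiguous masks such as 255.0.255.0."""
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != (ALL_ONES << (32 - ones)) & ALL_ONES:
        raise ValueError(f"{mask} is not a contiguous netmask")
    return ones


def netmask_table(first: int = 24, last: int = 32) -> dict:
    """Table 9-2 (Netmask Formats) regenerated for /first through /last."""
    return {prefix_to_mask(n): f"/{n}" for n in range(first, last + 1)}


def split_network(cidr: str, extra_bits: int = 1) -> list:
    """Move extra_bits from host to network part and list the resulting subnets."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(prefixlen_diff=extra_bits)]


def describe(cidr: str) -> dict:
    """Network address, netmask, first/last usable host and usable host count."""
    net = ipaddress.IPv4Network(cidr, strict=False)   # host bits allowed, as in 192.168.170.237/24
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "first_host": str(hosts[0]),
        "last_host": str(hosts[-1]),
        "usable_hosts": len(hosts),
    }


if __name__ == "__main__":
    for mask, prefix in netmask_table().items():
        print(f"{mask:<16} {prefix}")
    for sub in split_network("192.68.135.0/24"):
        print(sub, describe(sub))
```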
Single IP Address Operation Using NAT
In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FWAG114 wireless firewall employs an address-sharing method called Network Address Translation (NAT).
This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system. However, using port forwarding, you can allow one PC (for example, a Web server) on your local network to be accessible to outside users.
Domain Name Server
Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource.
What is a Firewall?
A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
Ethernet Cabling
Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring and pinout as described in Table 9-1.
Table 9-1.
The FWAG114 wireless firewall incorporates Auto Uplink™ technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration.
Appendix C Preparing Your Network
This appendix describes how to prepare your network to connect to the Internet through the ProSafe Dual Band Wireless VPN Firewall FWAG114 and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup.
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
If you need to install a new adapter, follow these steps:
a. Click the Add button.
b. Select Adapter, and then click Add.
c.
If you need Client for Microsoft Networks:
a. Click the Add button.
b. Select Client, and then click Add.
c. Select Microsoft.
d. Select Client for Microsoft Networks, and then click OK.
3. Restart your PC for the changes to take effect.
Verify the following settings as shown:
• Client for Microsoft Network exists
• Ethernet adapter is present
• TCP/IP is present
• Primary Network Logon is set to Windows logon
Click on the Properties button. The following TCP/IP Properties window will display.
• By default, the IP Address tab is open on this window.
• Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
• Click OK to continue.
Restart the PC. Repeat these steps for each PC with this version of Windows on your network.
2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things) your IP address, subnet mask, and default gateway.
3. From the drop-down box, select your Ethernet adapter.
Enabling DHCP to Automatically Configure TCP/IP Settings
You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.
DHCP Configuration of TCP/IP in Windows XP
Locate your Network Neighborhood icon.
• Select Control Panel from the Windows XP new Start Menu.
• Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics.
• Administrator logon access rights are needed to use this window.
• Click the Properties button to view details about the connection.
• The TCP/IP details are presented on the Support tab page.
• Select Internet Protocol, and click Properties to view the configuration information.
• Verify that the Obtain an IP address automatically radio button is selected.
• Verify that the Obtain DNS server address automatically radio button is selected.
• Click the OK button.
This completes the DHCP configuration of TCP/IP in Windows XP. Repeat these steps for each PC with this version of Windows on your network.
• Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections.
• Right click on Local Area Connection and select Properties.
• The Local Area Connection Properties dialog box appears.
• Verify that you have the correct Ethernet card selected in the Connect using: box.
• With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialogue box.
• Verify that:
– Obtain an IP address automatically is selected.
– Obtain DNS server address automatically is selected.
• Click OK to return to Local Area Connection Properties.
• Click OK again to complete the configuration process for Windows 2000.
Restart the PC.
DHCP Configuration of TCP/IP in Windows NT4
Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0.
• Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window.
• Double-click the Network icon in the Control Panel window. The Network panel will display.
• Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
• The TCP/IP Properties dialog box now displays.
• Click the IP Address tab.
• Select the radio button marked Obtain an IP address from a DHCP server.
• Click OK.
This completes the configuration of TCP/IP in Windows NT. Restart the PC. Repeat these steps for each PC with this version of Windows on your network.
Verifying TCP/IP Properties for Windows XP, 2000, and NT4
To check your PC’s TCP/IP configuration:
1.
Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 • 4. The default gateway is 192.168.0.1 Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP. MacOS 8.6 or 9.x 1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens: 2.
Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 2. If not already selected, select Built-in Ethernet in the Configure list. 3. If not already selected, Select Using DHCP in the TCP/IP tab. 4. Click Save. Verifying TCP/IP Properties for Macintosh Computers After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.
Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 • An IP address and subnet mask • A gateway IP address, which is the address of the ISP’s router • One or more domain name server (DNS) IP addresses • Host name and domain suffix For example, your account’s full server names may look like this: mail.xxx.yyy.com In this example, the domain suffix is xxx.yyy.com. If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them.
If an IP address appears under Installed Gateways, write down the address. This is the ISP's gateway address. Select the address and then click Remove to remove the gateway address.
6. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.
7.
Restarting the Network

Once you've set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FWAG114 wireless firewall.
Appendix D Wireless Networking Basics

This appendix provides an overview of wireless networking.

Wireless Networking Overview

The FWAG114 wireless firewall conforms to the Institute of Electrical and Electronics Engineers (IEEE) 802.11b standard for wireless LANs (WLANs), and a product update will bring the FWAG114 into conformance with the 802.11g standard when it is ratified. On an 802.
Infrastructure Mode

With a wireless Access Point, you can operate the wireless LAN in infrastructure mode. This mode provides wireless connectivity to multiple wireless network devices within a fixed range or area of coverage, interacting with wireless nodes via an antenna.
The ESSID is usually broadcast over the air by an access point. The wireless station can sometimes be configured with the ESSID ANY. This means the wireless station will try to associate with whichever access point has the stronger radio frequency (RF) signal, provided that both the access point and the wireless station use Open System authentication.
An access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of authentication: Open System and Shared Key.

• Open System Authentication allows any device to join the network, assuming that the device SSID matches the access point SSID.
3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.
4. The access point decrypts the encrypted text using its configured WEP Key that corresponds to the station's default key. The access point compares the decrypted text with the original challenge text.
2. Use WEP for Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the network uses Open System Authentication.
3. Use WEP for Authentication and Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key.
When configured for 128-bit encryption, 802.11 products typically support four WEP Keys, but some manufacturers support only one 128-bit key. The 128-bit WEP Key is expressed as 13 sets of two hexadecimal digits (0-9 and A-F). For example, "12 34 56 78 90 AB CD EF 12 34 56 78 90" is a 128-bit WEP Key.
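The key formats above (a 64-bit key entered as 5 bytes, a 128-bit key as 13 bytes, hex digits typed in pairs) are easy to get wrong in a configuration field. The following parser is an added example, not code from the manual or from NETGEAR: it normalizes a key typed as spaced, colon-separated or bare hex, or as a 5/13-character ASCII string, and reports the nominal key size. The 5-byte/13-byte secret lengths follow the manual; the statement that the remaining 24 bits of each nominal size are the per-packet IV is standard WEP background, not from this page. Note that WEP itself is long deprecated; the parser only helps validate what an administrator of a legacy device has typed.

```python
import re

# Secret key bytes -> nominal ("marketed") key size. The remaining 24 bits of each
# nominal size are the per-packet IV, a standard WEP fact not stated in the manual.
NOMINAL_BITS_BY_KEY_LENGTH = {5: 64, 13: 128}


def parse_wep_key(text: str) -> tuple:
    """Return (key_bytes, nominal_bits).

    Accepts hex pairs separated by spaces, colons or dashes ("12 34 56 ..."),
    bare hex, or a 5/13-character printable ASCII key. A 5- or 13-character
    string that happens to be all hex digits is treated as ASCII, because a
    hex key must have 10 or 26 digits.
    """
    compact = re.sub(r"[\s:\-]", "", text)
    if len(compact) in (10, 26) and re.fullmatch(r"[0-9A-Fa-f]+", compact):
        key = bytes.fromhex(compact)
    elif len(text) in (5, 13) and text.isascii() and text.isprintable():
        key = text.encode("ascii")
    else:
        raise ValueError("expected 10 or 26 hex digits, or 5 or 13 ASCII characters")
    return key, NOMINAL_BITS_BY_KEY_LENGTH[len(key)]


def format_wep_key(key: bytes) -> str:
    """Render a key the way the manual shows it: uppercase hex pairs separated by spaces."""
    if len(key) not in NOMINAL_BITS_BY_KEY_LENGTH:
        raise ValueError("WEP keys are 5 or 13 bytes")
    return " ".join(f"{b:02X}" for b in key)


if __name__ == "__main__":
    key, bits = parse_wep_key("12 34 56 78 90 AB CD EF 12 34 56 78 90")
    print(bits, format_wep_key(key))
```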
802.11b/g Wireless Channels

IEEE 802.11b/g wireless nodes communicate with each other using radio frequency signals in the ISM (Industrial, Scientific, and Medical) band between 2.4 GHz and 2.5 GHz. Neighboring channels are 5 MHz apart. However, due to the spread spectrum effect of the signals, a node sending signals on a particular channel will use frequency spectrum 12.5 MHz above and below the center channel frequency.
The preferred channel separation between the channels in neighboring wireless networks is 25 MHz (5 channels). This means that you can use up to three different channels within your wireless network. There are only 11 usable wireless channels in the United States. It is recommended that you start with channel 1 and add channels 6 and 11 when necessary, as these three channels do not overlap.
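The channel arithmetic in the two paragraphs above can be checked mechanically. The following is an added example, not code from the manual: it reuses the manual's own figures (5 MHz channel spacing, energy extending 12.5 MHz either side of the center, 11 usable US channels) and assumes the standard 2.4 GHz center-frequency mapping of 2407 + 5 x channel MHz for channels 1 to 13, which the manual does not state (channel 14, a Japan-only case, is left out). It generalizes the text's 1/6/11 recommendation into a function that derives a non-overlapping plan for any channel set and lists the channels a given choice will interfere with.

```python
# Added example: 2.4 GHz 802.11b/g channel overlap arithmetic (not from the manual).
HALF_WIDTH_MHZ = 12.5        # signal energy extends this far above and below the center
CHANNEL_SPACING_MHZ = 5      # neighboring channels are 5 MHz apart
US_CHANNELS = range(1, 12)   # channels 1..11 are usable in the United States


def center_frequency_mhz(channel: int) -> int:
    """Center frequency of a 2.4 GHz channel. Assumes the standard mapping
    2407 + 5*ch MHz (channel 1 = 2412 MHz); this formula is not in the manual."""
    if not 1 <= channel <= 13:
        raise ValueError("channel must be 1..13")
    return 2407 + CHANNEL_SPACING_MHZ * channel


def channels_overlap(a: int, b: int) -> bool:
    """Two channels overlap when their occupied bands (25 MHz wide each)
    intersect, i.e. when their centers are less than 25 MHz (5 channels) apart."""
    return abs(center_frequency_mhz(a) - center_frequency_mhz(b)) < 2 * HALF_WIDTH_MHZ


def overlapping_neighbors(channel: int, channels=US_CHANNELS) -> list:
    """Channels that would interfere with the given one (useful when surveying
    neighboring networks before picking a channel)."""
    return [c for c in channels if c != channel and channels_overlap(channel, c)]


def non_overlapping_plan(channels=US_CHANNELS) -> list:
    """Greedy plan: take the lowest channel, then each next channel that clears
    every channel already chosen. For the US channel set this yields 1, 6, 11."""
    chosen = []
    for ch in sorted(channels):
        if all(not channels_overlap(ch, c) for c in chosen):
            chosen.append(ch)
    return chosen


if __name__ == "__main__":
    print("non-overlapping plan:", non_overlapping_plan())
    print("channel 6 interferes with:", overlapping_neighbors(6))
```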
Figure 4-6: IEEE 802.11a Channel Allocations

The FWAG114 user can use thirteen channels in non-turbo mode.

Table D-1: 802.11a Turbo Mode Off Radio Frequency Channels

Turbo Mode OFF
Channel    Frequency
36
40
44
48
52
56
60
64
149        5.745 GHz
153        5.765 GHz
157        5.785 GHz
161        5.805 GHz
165        5.825 GHz

The FWAG114 user can use five channels in turbo mode.

Turbo Mode ON
Channel    Frequency
42         5.21 GHz
50         5.25 GHz
58         5.29 GHz
152        5.
Appendix E Virtual Private Networking

There have been many improvements in the Internet, including Quality of Service, network performance, and inexpensive technologies such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data.
• Intranets: Intranets connect an organization's locations. These locations range from the headquarters offices, to branch offices, to a remote employee's home. Often this connectivity is used for e-mail and for sharing applications and files. While Frame Relay, ATM, and MPLS accomplish these tasks, the shortcomings of each limit connectivity.
• Confidentiality: Conceals the message content through encryption.

IPSec Components

IPSec contains the following elements:

• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
Figure 4-7: Original packet and packet with IPSec Encapsulated Security Payload

The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
Figure 4-8: Original packet and packet with IPSec Authentication Header

IKE Security Association

IPSec introduces the concept of the Security Association (SA). An SA is a logical connection between two devices transferring data. An SA provides data protection for unidirectional traffic by using the defined IPSec protocols.
• Tunnel Mode: The tunnel mode IPSec implementation encapsulates the entire IP packet. The entire packet becomes the payload of the packet that is processed with IPSec. A new IP header is created that contains the two IPSec gateway addresses. The gateways perform the encapsulation/decapsulation on behalf of the hosts.
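The ESP layout described with Figure 4-7 (cleartext ESP header, encrypted payload, ESP authentication trailer) and the tunnel mode description above are what an analyst sees on the wire when troubleshooting a tunnel with a packet capture. The following parser is an added example, not code from the manual or from NETGEAR: it builds a constructed tunnel-mode packet (outer IPv4 header carrying the two documentation addresses 192.0.2.1 and 198.51.100.1 in place of real gateway WAN addresses, IP protocol 50 for ESP, filler bytes standing in for ciphertext and a 12-byte integrity check value) and then parses it back, showing which fields are readable without the key (outer addresses, SPI, sequence number) and which are opaque (everything after the 8-byte ESP header). The 12-byte ICV length is an assumption matching HMAC-SHA-1-96; it is a parameter because the real length depends on the negotiated authentication algorithm.

```python
import struct
import ipaddress

ESP_PROTOCOL = 50  # IANA protocol number for ESP


def build_sample_tunnel_packet() -> bytes:
    """Constructed sample (not a real capture): outer IPv4 header between two
    gateway WAN addresses (documentation addresses used as placeholders),
    followed by an ESP header, 40 bytes standing in for the encrypted inner IP
    packet plus ESP trailer, and a 12-byte placeholder ICV. The IPv4 checksum is
    left as 0 because nothing here transmits the packet."""
    spi, seq = 0x0001AB34, 7
    ciphertext = bytes(range(40))
    icv = b"\xaa" * 12
    esp = struct.pack("!II", spi, seq) + ciphertext + icv
    total_len = 20 + len(esp)
    outer = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, total_len, 0x1234, 0x4000, 64, ESP_PROTOCOL, 0,
        ipaddress.IPv4Address("192.0.2.1").packed,      # gateway A WAN (placeholder)
        ipaddress.IPv4Address("198.51.100.1").packed,   # gateway B WAN (placeholder)
    )
    return outer + esp


def parse_esp_tunnel_packet(pkt: bytes, icv_len: int = 12) -> dict:
    """Split a tunnel-mode ESP packet into the parts visible without the key.

    Returns the outer (gateway) addresses, the SPI that selects the SA, the
    anti-replay sequence number, the opaque ciphertext and the ICV. Raises
    ValueError for anything that is not a well-formed IPv4/ESP packet."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    if proto != ESP_PROTOCOL:
        raise ValueError(f"IP protocol {proto} is not ESP")
    # ESP header (8 bytes) plus ICV is the minimum; anything shorter is malformed.
    if total_len > len(pkt) or total_len < ihl + 8 + icv_len:
        raise ValueError("bad total length for an ESP packet")
    esp = pkt[ihl:total_len]
    spi, seq = struct.unpack("!II", esp[:8])
    return {
        "outer_src": str(ipaddress.IPv4Address(src)),
        "outer_dst": str(ipaddress.IPv4Address(dst)),
        "spi": spi,
        "seq": seq,
        "ciphertext": esp[8:len(esp) - icv_len],  # inner packet: opaque without the SA key
        "icv": esp[len(esp) - icv_len:],
    }


if __name__ == "__main__":
    fields = parse_esp_tunnel_packet(build_sample_tunnel_packet())
    print(f"{fields['outer_src']} -> {fields['outer_dst']} "
          f"SPI 0x{fields['spi']:08x} seq {fields['seq']} "
          f"({len(fields['ciphertext'])} opaque bytes)")
```

In a capture the inner addresses (the LAN hosts behind each gateway) never appear, which is exactly what tunnel mode is for; the SPI is the value to correlate against the gateway's SA table when a tunnel fails to pass traffic.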
Understand the Process Before You Begin

This TechNote provides case studies on how to configure a secure IPSec VPN tunnel. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability.
Network Interfaces and Addresses

The VPN gateway is aptly named because it functions as a "gatekeeper" for each of the computers connected on the Local Area Network behind it. In most cases, each Gateway will have a "public" facing address (WAN side) and a "private" facing address (LAN side). These addresses are referred to as the "network interface" in documentation regarding the construction of VPN communication.
Table 4-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing

Gateway     LAN or WAN       VPNC Example Address
Gateway B   LAN (Private)    172.23.9.1
Gateway B   WAN (Public)     22.23.24.25

It will also be important to know the subnet mask of both gateway LAN connections. Use the worksheet in Appendix A to gather the necessary address and subnet mask information to aid in the configuration and troubleshooting process.

Table 4-2.
Figure 4-11: VPN Tunnel SA

The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a "tunnel." The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
2. IKE Phase I.
   a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
   b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
   c. A shared master key is generated by the Diffie-Hellman public key algorithm within the IKE framework for the two parties.
VPNC IKE Phase II Parameters

The IKE Phase 2 parameters used in Scenario 1 are:

• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (one hour)

Testing and Troubleshooting

Once you have completed the VPN configuration steps, you can use PCs located behind each of the gateways to ping various addresses on the LAN side of the other gateway.
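Step 2c of the IKE Phase I overview (a shared master key generated by Diffie-Hellman) and the "MODP group 1" and "perfect forward secrecy" parameters listed above refer to the same mechanism: each side picks a private exponent, exchanges g^x mod p over the IKE channel, and both arrive at the same secret without ever sending it; with PFS the exchange is repeated for every Phase 2 rekey so an old key cannot be recovered from a later one. The following is an added example, not code from the manual or from NETGEAR, and not a full IKE implementation: it performs the bare modular exponentiation exchange over the 768-bit MODP group 1 parameters (prime and generator g = 2 as published in RFC 2409), verifies the prime with a Miller-Rabin check so a transcription error would be caught, and rejects degenerate peer public values. Group 1 is included because the manual's VPNC scenario names it; it is considered too weak today (RFC 8247 lists it as MUST NOT), so a current configuration should select a larger group.

```python
import secrets

# RFC 2409 "First Oakley Group" (MODP group 1), generator 2, 768-bit prime.
MODP_GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
MODP_GROUP1_G = 2


def is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probable-prime test; used here as a sanity check on the
    group parameters before any exchange is run over them."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


class DhParty:
    """One side of a Diffie-Hellman exchange (an IKE initiator or responder)."""

    def __init__(self, p: int = MODP_GROUP1_P, g: int = MODP_GROUP1_G):
        self.p, self.g = p, g
        self.private = secrets.randbelow(p - 2) + 1   # x in [1, p-2], never reused
        self.public = pow(g, self.private, p)         # g^x mod p, sent to the peer

    def shared_secret(self, peer_public: int) -> int:
        """g^xy mod p. Peer values of 0, 1, p-1 or out of range are rejected:
        they would force a predictable secret regardless of our private exponent."""
        if not 1 < peer_public < self.p - 1:
            raise ValueError("peer public value is degenerate or out of range")
        return pow(peer_public, self.private, self.p)


def demo_exchange(p: int = MODP_GROUP1_P, g: int = MODP_GROUP1_G) -> bool:
    """Run one exchange (as IKE does for Phase 1, and again per rekey when PFS
    is on) and report whether both sides derived the same master secret."""
    initiator, responder = DhParty(p, g), DhParty(p, g)
    return (initiator.shared_secret(responder.public)
            == responder.shared_secret(initiator.public))


if __name__ == "__main__":
    print("group 1 prime bits:", MODP_GROUP1_P.bit_length())
    print("prime check:", is_probable_prime(MODP_GROUP1_P))
    print("both sides agree:", demo_exchange())
```

IKE itself never uses g^xy directly as a cipher key; it feeds it, together with the nonces and cookies from the exchange, into a PRF to derive the keying material. That derivation and the authentication of the exchange (step 2b, with preshared keys or certificates) are the parts omitted here.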
Glossary

List of Glossary Terms

Use the list below to find definitions for technical terms used in this manual.

10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.

100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.

802.1x
802.1x defines port-based network access control, used to provide authenticated network access and automated data encryption key management. The IEEE 802.
ARP
Address Resolution Protocol, a TCP/IP protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address.
DNS
Short for Domain Name System (or Service), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4.
IP
Internet Protocol is the main internetworking protocol used in the Internet. Used in conjunction with the Transmission Control Protocol (TCP) to form TCP/IP.

IP Address
A four-byte number uniquely defining each host on the Internet, usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.244.57). Ranges of addresses are assigned by InterNIC, an organization formed for this purpose.
NAT
A technique by which several hosts share a single IP address for access to the Internet.

NetBIOS
Network Basic Input Output System. An application programming interface (API) for sharing services and information on local-area networks (LANs). Provides for communication between stations of a network where each station is given a name. These names are alphanumeric names, 16 characters in length.
SSID
A Service Set Identification is a thirty-two character (maximum) alphanumeric key identifying a wireless local area network. For the wireless devices in a network to communicate with each other, all devices must be configured with the same SSID. This is typically the configuration parameter for a wireless PC card. It corresponds to the ESSID in the wireless Access Point and to the wireless network name.
If a remote network contains a WINS server, your Windows PCs can gather information from that WINS server about its local hosts. This allows your PCs to browse that remote network using the Windows Network Neighborhood feature.

WINS
Windows Internet Naming Service is a server process for resolving Windows-based computer names to IP addresses.
Index

Numerics
64 or 128 bit WEP 4-7
802.
F
factory settings, restoring 5-8
firewall features 2-2
Flash memory, for firmware upgrade 2-2
front panel 2-6, 2-7
fully qualified domain name (FQDN) 4-6

G
gateway address C-20
General 6-4, 6-7, 6-11

H
host name 3-10, 3-13

I
IANA, contacting B-2
IETF B-1
  Web site address B-7
  for Macintosh C-16
  for Windows C-2, C-7
IPSec E-1
IPSec Components E-3
IPSec SA negotiation E-10
IPSec Security Features E-2
ISP 3-1

L
LAN IP Setup Menu 6-3
LEDs
  description 2-6
  troubleshooting 7-2
log, sending 5-14

M
MAC address 7
O
Open System authentication D-3
order of precedence 5-8
outbound rules 5-7

P
package contents 2-5
Passphrase 4-7, 4-12
passphrase 2-2
password, restoring 7-7
PC, using to configure C-21
ping 5-9
pinout, Ethernet cable B-12
PKIX 6-22
port

R
Restrict Wireless Access by MAC Address 4-10
RFC
  1466 B-7, B-9
  1597 B-7, B-9
  1631 B-8, B-9
  finding B-7
RIP (Router Information Protocol) 6-4
router concepts B-1
Router Status 5-1
Routing Information Protocol 2-3, B-2
rules
  inbound 5-5
  order of precedence 5-8
  outbound 5-7
time zone 5-13
time-stamping 5-13
Transport Mode E-5
troubleshooting 7-1
Trusted Host 5-3
Tunnel Mode E-6
typographical conventions 1-1

U
Uplink switch B-12
USB C-18

V
VPN E-1
VPN Consortium E-7
VPN Process Overview E-7
VPNC IKE Phase I Parameters E-11
VPNC IKE Phase II Parameters E-12

W
WEP D-3
Wi-Fi D-1
Windows, configuring for IP routing C-2, C-7
winipcfg utility C-6
WinPOET C-18
Wired Equivalent Privacy.