Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
202-10027-01
Version 2.
© 2004 by NETGEAR, Inc. All rights reserved.

Trademarks
NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions.
March 2004, 202-10027-01
Contents

Chapter 1 About This Manual
  Audience, Conventions, Scope
  How to Use this Manual
  How to Print this Manual
Chapter 2 Introduction
  Key Features of the FWG114P
  Basic Setup Troubleshooting Tips
  FWG114P Setup Wizard Auto Detection
  Wizard-Detected Login Account Setup
  Wizard-Detected Dynamic IP Account Setup
  Wizard-Detected Fixed IP Account Setup
Chapter 6 Firewall Protection and Content Filtering
  Firewall Protection and Content Filtering Overview
  Using the Block Sites Menu to Screen Content
  Services and Rules Regulate Inbound and Outbound Traffic
  Defining a Service
  IKE Policies’ Automatic Key and Authentication Management
  VPN Policy Configuration for Auto Key Negotiation
  VPN Policy Configuration for Manual Key Exchange
  Using Digital Certificates for IKE Auto-Policy Authentication
  Certificate Revocation List (CRL)
  Configuring LAN TCP/IP Setup Parameters
  Using the Router as a DHCP server
  Using Address Reservation
  Configuring Static Routes
  Enabling Remote Management Access
  Domain Name Server
  IP Configuration by DHCP
  Internet Security and Firewalls
  What is a Firewall?
  Stateful Packet Inspection
  Outbound Log
  Inbound Log
  Other IP Traffic
  Router Operation
  Changes to Wireless Client Programs
Appendix F Virtual Private Networking
  What is a VPN?
  What is IPSec and How Does It Work?
  IPSec Security Features
  Step-By-Step Configuration of FVS328 Gateway B
  Test the VPN Connection
Glossary
  List of Glossary Terms
Chapter 1 About This Manual

Congratulations on your purchase of the NETGEAR® ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P. This chapter introduces important features of this manual.

Audience, Conventions, Scope
This reference manual assumes that the reader has basic-to-intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and networking technology tutorial information is provided in the appendices.
How to Use this Manual
The HTML version of this manual includes a variety of navigation features as well as links to PDF versions of the full manual and individual chapters.
Figure Preface-2: HTML version of this manual
1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs.
How to Print this Manual
To print this manual you may choose one of the following options, according to your needs:
• Printing a “How To” Sequence of Steps in the HTML View. Use the Print button on the upper right of the toolbar to print the currently displayed topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer.
Chapter 2 Introduction

This chapter describes the features of the NETGEAR ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P.

Key Features of the FWG114P
The ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P, with a 4-port switch, connects your LAN to the Internet through a broadband modem. With auto fail-over connectivity through the serial port, the FWG114P provides highly reliable Internet access.
Full Routing on Both the Broadband and Serial Ports
You can install, configure, and operate the FWG114P to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:
• Internet access via either the serial or broadband port.
• Auto fail-over connectivity through an analog or ISDN modem connected to the serial port.
Virtual Private Networking
The FWG114P Wireless Firewall/Print Server provides a secure encrypted connection between your local network and remote networks or clients. Its VPN features include:
• Support for up to 2 simultaneous VPN connections.
• Support for industry standard VPN protocols. The ProSafe Wireless 802.
Security
The FWG114P Wireless Firewall/Print Server is equipped with several features designed to maintain security, as described in this section:
• PCs hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.
• The ability to enable or disable IP address sharing by NAT. The FWG114P allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
• Browser-based management. Browser-based configuration allows you to easily configure your router from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
• Smart Wizard.
The FWG114P Front Panel
The front panel of the FWG114P contains the status LEDs. Use the LEDs to verify various operations. Table 2-1 describes the LEDs on the front of the router, viewed from left to right.
[Figure: front panel; recoverable labels include Broadband, PWR, TEST]
The FWG114P Rear Panel
The rear panel of the FWG114P Wireless Firewall/Print Server contains the port connections listed below.
Figure 1-2: FWG114P Rear Panel
Viewed from left to right, the rear panel contains the following features:
• Wireless antenna.
• DB-9 serial port for modem connection.
• USB 2.0 Printer Port.
Chapter 3 Connecting the FWG114P to the Internet

This chapter describes how to set up the router on your local area network (LAN) and connect to the Internet. You will find out how to configure your ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P for Internet access using the Setup Wizard, or how to manually configure your Internet connection.

What You Will Need Before You Begin
You need to prepare these three things before you begin:
1.
For the initial connection to the Internet and configuration of your router, you will need to connect a computer to the router that is set to automatically get its TCP/IP configuration from the router via DHCP.
Note: For help with DHCP configuration, please refer to Appendix C, “Preparing Your Network.”
The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T) Ethernet interface.
Record Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
Connecting the FWG114P Wireless Firewall/Print Server
This section provides instructions for connecting the FWG114P Wireless Firewall/Print Server. Also, the Resource CD for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P (SW-10023-02), included with your router, contains an animated Installation Assistant to help you through this procedure.
c. Securely insert the Ethernet cable from your broadband modem into the Internet port (B) on the FWG114P.
Figure 3-2: Connect the broadband modem to the router
d.
2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE
Warning: Failure to restart your network in the correct sequence could prevent you from connecting to the Internet.
a. First, turn on the broadband modem and wait 2 minutes.
b. Now, turn on your wireless firewall/print server.
c. Last, turn on your computer.
3. LOG IN TO THE WIRELESS FIREWALL/PRINT SERVER
a. From your PC, launch your Internet browser. Because you are not yet connected to the Internet, your browser will display a page not found message.
b. Connect to the wireless firewall/print server by typing http://192.168.0.1 in the address field of Internet Explorer or Netscape® Navigator.
Figure 3-5: Log in to the firewall
c.
4. RUN THE SETUP WIZARD TO CONNECT TO THE INTERNET
Figure 3-7: Setup Wizard
a. You are now connected to the router. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.
b. Choose NAT or Classical Routing. Typically, NAT is used. NAT automatically assigns private IP addresses (192.168.0.x) to LAN connected devices.
Basic Setup Troubleshooting Tips
Here are some tips for correcting simple problems that prevent you from connecting to the Internet or connecting to the wireless firewall/print server.
Be sure to restart your network in the correct sequence. Follow this sequence. Turn off the modem, wireless firewall/print server, and computer. Turn on the modem first and wait two minutes.
• Fixed IP address assignment
Next, the Setup Wizard will report which connection type it has discovered, and then display the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your firewall and the cable or DSL modem. When the connection is properly made, the firewall’s Internet LED should be on.
Note: You will no longer need to launch the ISP’s login program on your computer in order to access the Internet. When you start an Internet application, your firewall will automatically log you in.
3. The Idle Timeout setting determines how long to wait after there is no activity before disconnecting from the Internet.
Wizard-Detected Dynamic IP Account Setup
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the menu shown in Figure 3-9 below:
Figure 3-9: Setup Wizard menu for Dynamic IP address
1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services, such as mail or news servers.
If your ISP allows access from only one specific computer’s Ethernet MAC address, select “Use this MAC address.” The firewall will then capture and use the MAC address of the computer that you are now using. You must be using the one computer that is allowed by the ISP. Otherwise, you can type in a MAC address.
1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in “Record Your Internet Connection Information” on page 3.
2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Figure 3-11: Serial Internet Connection configuration menu
c. Fill in the ISDN or analog ISP Internet configuration parameters as appropriate:
• For a Dial-up Account, enter the Account information. Check “Connect as required” to enable the firewall to automatically dial the number. To enable Idle Time disconnect, check the box and enter a time in minutes.
Note: You can validate modem string settings by first connecting the modem directly to a computer, establishing a connection to your ISP, and then copying the modem string settings from the computer configuration and pasting them into the FWG114P Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR Web site.
• Select the Serial Line Speed.
Manually Configuring Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
How to Manually Configure the Primary Internet Connection
Use these steps to manually configure the primary Internet connection in the Basic Settings menu.
1. Select your Internet connection type (broadband with or without login, or serial).
Note: If you are a Telstra BigPond broadband customer, or if you are in an area such as Austria that uses broadband PPTP, login is required.
7. Router’s MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your computer when your account is first opened. They will then only accept traffic from the MAC address of that computer.
Chapter 4 Wireless Configuration

This chapter describes how to configure the wireless features of your FWG114P Wireless Firewall/Print Server.

Observing Performance, Placement, and Range Guidelines
In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your FWG114P in order to maximize the network speed. For further information on wireless networking, refer to Appendix E, “Wireless Networking Basics.
Implementing Appropriate Wireless Security
Note: Indoors, computers can connect to wireless networks at ranges of 300 feet or more. Such distances allow others outside of your area to access your network.
Unlike wired network data, your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment.
• WPA or WPA-PSK. Wi-Fi Protected Access (WPA) data encryption provides data security. The very strong authentication along with dynamic per frame rekeying of WPA make it virtually impossible to compromise. Because this is a new standard, wireless device driver and software availability may be limited.
• Wireless Network. The station name of the FWG114P.
— Wireless Network Name (SSID). The SSID is also known as the wireless network name. Enter a value of up to 32 alphanumeric characters. In a setting where there is more than one wireless network, different wireless network names provide a means for separating the traffic. Any device you want to participate in the 802.
• Security Options

Table 4-1. Wireless Security Options

Field: Disable
Description: Wireless security is not used.

Field: WEP (Wired Equivalent Privacy)
Description: You can select the following WEP options:
Authentication Type
• Open: the FWG114P does not perform any authentication.
• Shared: WEP shared key authentication. For a full explanation of WEP shared key, see “Authentication and WEP Data Encryption” on page E-2.
Field: WPA-PSK (Wi-Fi Protected Access Pre-Shared Key)
Description: WPA Pre-Shared-Key uses a pre-shared key to perform the authentication and generate the initial data encryption keys. Then, it dynamically varies the encryption key. For a full explanation of WPA, see “WPA Wireless Security” on page E-8.
Note: Not all wireless adapters support WPA.
Default Factory Settings
The FWG114P default factory settings are shown below. You can restore these defaults with the Factory Default Restore button on the rear panel as seen in the illustration “FWG114P Rear Panel” on page 2-8. After you install the FWG114P Wireless Firewall/Print Server, use the procedures below to customize any of the settings to better meet your networking needs.
Before You Change the SSID and WEP Settings
Take the following steps:
For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step.
How to Set Up and Test Basic Wireless Connectivity
Follow the instructions below to set up and test basic wireless connectivity. Once you have established basic wireless connectivity, you can enable security settings appropriate to your needs.
1. Log in using the default LAN address of http://192.168.0.
7. Click Apply to save your changes.
Note: If you are configuring the FWG114P from a wireless computer and you change the wireless firewall/print server’s SSID, channel, or security settings, you will lose your wireless connection when you click on Apply. You must then change the wireless settings of your computer to match the FWG114P’s new settings.
8. Configure and test your PCs for wireless connectivity.
6. Be sure to click Apply to save your trusted wireless PCs list settings. Now, only devices on this list will be allowed to wirelessly connect to the FWG114P. To remove a MAC address from the table, click to select it, then click the Delete button.

How to Configure WEP
Note: When changing the wireless settings from a wireless computer, you will lose your wireless connection when you click Apply.
How to Configure WPA
Note: Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA. Consult the product documentation for your wireless adapter and WPA client software for instructions on configuring WPA settings.
How to Configure WPA-PSK
Note: Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA.
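The key generation that the WPA-PSK description in Table 4-1 refers to, shown as an added example that is not part of the NETGEAR manual: under IEEE 802.11i the passphrase is stretched with PBKDF2-HMAC-SHA1, salted with the SSID, into the 256-bit pre-shared key, so the router and every client must be given exactly the same passphrase and SSID. The function names and the 20-character audit threshold are assumptions made for this example; the sample passphrases and SSIDs are constructed.

```python
"""Added example: how a WPA-PSK passphrase and SSID become the 256-bit key."""
import hashlib
import string

PMK_LEN = 32          # 256-bit pre-shared key (pairwise master key)
PBKDF2_ROUNDS = 4096  # iteration count fixed by IEEE 802.11i
MIN_AUDIT_LEN = 20    # assumed local policy threshold, not a value from the manual


def classify_secret(secret: str) -> str:
    """Return 'raw-key' for 64 hex digits, 'passphrase' for 8-63 printable ASCII."""
    if len(secret) == 64 and all(c in string.hexdigits for c in secret):
        return "raw-key"
    if 8 <= len(secret) <= 63 and all(32 <= ord(c) <= 126 for c in secret):
        return "passphrase"
    raise ValueError("WPA-PSK needs 8-63 printable ASCII characters or 64 hex digits")


def derive_pmk(secret: str, ssid: str) -> bytes:
    """Derive the 32-byte key both ends compute from the passphrase and SSID."""
    ssid_bytes = ssid.encode("utf-8")
    if not 1 <= len(ssid_bytes) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    if classify_secret(secret) == "raw-key":
        return bytes.fromhex(secret)  # a raw key is used as-is, no stretching
    return hashlib.pbkdf2_hmac(
        "sha1", secret.encode("ascii"), ssid_bytes, PBKDF2_ROUNDS, PMK_LEN
    )


def audit_passphrase(secret: str, ssid: str) -> list:
    """Return defensive findings for a passphrase; a raw 64-hex key yields none."""
    if classify_secret(secret) == "raw-key":
        return []
    findings = []
    if len(secret) < MIN_AUDIT_LEN:
        findings.append("short")
    if ssid and ssid.lower() in secret.lower():
        findings.append("contains-ssid")
    classes = [
        any(c.islower() for c in secret),
        any(c.isupper() for c in secret),
        any(c.isdigit() for c in secret),
        any(not c.isalnum() for c in secret),
    ]
    if sum(classes) == 1:
        findings.append("single-class")
    return findings


if __name__ == "__main__":
    # Constructed sample values: same passphrase, two different SSIDs.
    for ssid in ("IEEE", "OfficeLAN"):
        print(ssid, derive_pmk("password", ssid).hex())
    print(audit_passphrase("password", "IEEE"))
```

Because the SSID is the salt, changing the SSID on the router changes the derived key even when the passphrase stays the same, which is why clients must be reconfigured with both values.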
Chapter 5 Serial Port Configuration

This chapter describes how to configure the serial port options of your ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P. The FWG114P serial port lets you share the broadband connection of another FWG114P, share resources between two LANs, and take advantage of the routing functions on the broadband (WAN), LAN, and serial network interfaces.
Configuring a Serial Port Modem
You can configure a serial port modem for any of the features described above. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.

Basic Requirements for Serial Port Modem Configuration
Configuring a serial port modem requires these elements:
1. A serial analog or ISDN modem.
2. A serial modem cable with a DB9 connector.
3.
— For dial-up, “Standard Modem” should work in most cases. Otherwise, select your modem from the list.
— If your modem is not on the list, select “User Defined” and enter the Modem Properties.
If you are using the “User Defined” selection and configuring your own modem strings, fill in the Modem Properties settings.
Figure 5-2: Auto-Rollover configuration menu
3. Configure the Auto-Rollover settings.
4. Click Apply for the changes to take effect.

Configuring Dial-in on the Serial Port
Dial-in lets a single remote computer connect to the FWG114P through the serial port to gain access to LAN resources or a remote access server. Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.
Basic Requirements for Dial-in
Dial-in requires these elements:
1. A broadband connection to the FWG114P.
2. An analog phone line.
3. A serial modem properly configured and attached to the DB9 connector on the serial port.
4. The Dial-in settings configured and applied to the FWG114P.

How to Configure Dial-in
Follow the steps below to configure a serial port dial-in connection.
1.
Configuring LAN-to-LAN Settings
LAN-to-LAN enables direct communications between two FWG114P wireless firewall/print servers.
[Figure: firewalls linked by a serial connection; recoverable labels include Serial Connection and Firewall A]
Figure 5-5: LAN-to-LAN configuration menu
3. Configure the LAN-to-LAN settings.
Note: The LAN subnet address of each FWG114P must be different.
4. Click Apply for the changes to take effect.
Chapter 6 Firewall Protection and Content Filtering

This chapter describes how to use the content filtering features of the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P to protect your network. These features can be found by clicking on the Content Filtering heading in the Main Menu of the browser interface.

Firewall Protection and Content Filtering Overview
The ProSafe Wireless 802.
• Web addresses
• Web address keywords
These options are discussed below. The Keyword Blocking menu is shown here.
Figure 6-1: Block Sites menu
To enable filtering, click the checkbox next to the type of filtering you want to enable.