Reference Manual for the Model FVS318 Cable/DSL ProSafe VPN Firewall NETGEAR, Inc.
© 2002 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Manufacturer's/Importer's Declaration: It is hereby confirmed that the Model FVS318 Cable/DSL ProSafe VPN Firewall is interference-suppressed in accordance with the provisions listed in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some equipment (e.g. test transmitters) may nevertheless be subject to certain restrictions. Please refer to the notes in the operating instructions.
Contents

About This Guide
Typographical Conventions .......... xv
Special Message Formats .......... xvi
Technical Support .......... xvi
Related Publications ..........

Chapter 3 Preparing Your Network
Preparing Your Personal Computers for IP Networking .......... 3-1
Configuring Windows 95, 98, and ME for IP Networking .......... 3-2
Install or Verify Windows Networking Components .......... 3-2
Assign TCP/IP configuration by DHCP .......... 3-4
Selecting Internet Access Method ..........

Schedule .......... 5-5
Time Zone .......... 5-6
E-Mail .......... 5-7

Chapter 6 Virtual Private Networking
What is a VPN ..........

Chapter 7 Maintenance
System Status .......... 7-1
Attached Devices .......... 7-4
Changing the Administration Password .......... 7-4
Configuration File Settings Management ..........

Troubleshooting a TCP/IP Network Using a Ping Utility .......... 9-6
Testing the LAN Path to Your Firewall .......... 9-6
Testing the Path from Your PC to a Remote Device .......... 9-7
Restoring the Default Configuration and Password .......... 9-8
Using the Default Reset button ..........
Figure 2-1. FVS318 Front Panel .......... 2-3
Figure 2-2. FVS318 Rear Panel .......... 2-4
Figure 4-1. Login window .......... 4-2
Figure 4-2. Browser-based configuration main menu .......... 4-3
Figure 4-3.
Table 2-1. LED Descriptions .......... 2-3
Table 5-1. Log entry descriptions .......... 5-2
Table 5-2. Log action buttons .......... 5-3
Table 7-1. Menu 3.2 - System Status Fields .......... 7-2
Table 7-2. Router Statistics Fields ..........
About This Guide Congratulations on your purchase of the NETGEAR™ Model FVS318 Cable/DSL ProSafe VPN Firewall. A firewall is a special type of router that incorporates features for security. The FVS318 VPN Firewall is a complete security solution that protects your network from attacks and intrusions while allowing secure connections with other trusted users over the Internet. This guide describes the features of the firewall and provides installation and configuration instructions.
Special Message Formats
This guide uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Caution: This format is used to highlight information that will help you prevent equipment failure or loss of data.
Warning: This format is used to highlight information about the possibility of injury or equipment damage.
For more information about address assignment, refer to the IETF documents RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space. For more information about IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).
Chapter 1 Introduction
This chapter describes the features of the NETGEAR Model FVS318 Cable/DSL ProSafe VPN Firewall.
About the FVS318 VPN Firewall
The FVS318 VPN Firewall is a complete security solution that protects your network from attacks and intrusions while allowing secure connections with other trusted users over the Internet.
• Logs security incidents: The FVS318 VPN Firewall will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
Protocol Support
The FVS318 VPN Firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to Appendix B, “Networks, Routing, and Firewall Basics.”
• Browser-based management: Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
Chapter 2 Setting Up the Hardware This chapter describes the Model FVS318 Cable/DSL ProSafe VPN Firewall hardware and provides instructions for installing it.
Local Network Hardware Requirements
The FVS318 VPN Firewall is intended for use in a network of personal computers (PCs) that are interconnected by twisted-pair Ethernet cables.
PC Requirements
To install and run the FVS318 VPN Firewall over your network of PCs, each PC must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable.
The Firewall’s Front Panel
The front panel of the Model FVS318 Cable/DSL ProSafe VPN Firewall (Figure 2-1) contains status LEDs.
Figure 2-1. FVS318 Front Panel
You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall. These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1.
The Firewall’s Rear Panel
The rear panel of the FVS318 VPN Firewall (Figure 2-2) contains port connections.
Figure 2-2.
Connecting to Your Internet Access Device
Your cable or DSL modem must provide a standard 10BASE-T Ethernet connection (not USB) for connection to your PC or network. The FVS318 VPN Firewall does not include a cable for this connection. Instead, use the Ethernet cable provided with your access device or any other standard 10BASE-T Ethernet cable. Follow these steps:
1.
Connecting the Power Adapter
To connect the firewall to the power adapter:
1. Plug the connector of the power adapter into the power adapter outlet on the rear panel of the firewall.
2. Plug the other end of the adapter into a standard wall outlet.
3. Turn the Power switch to the ON position.
4. Verify that the Power LED on the firewall is lit.
Chapter 3 Preparing Your Network
This chapter describes how to prepare your PC network to connect to the Internet through the Model FVS318 Cable/DSL ProSafe VPN Firewall and how to order broadband Internet service from an Internet service provider (ISP).
• Macintosh Operating System 7 or later includes the software components for establishing a TCP/IP network.
• All versions of UNIX or Linux include TCP/IP components.
Follow the instructions provided with your operating system or networking software to install TCP/IP on your computer. In your IP network, each PC and the firewall must be assigned a unique IP address.
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
If you need the adapter:
a. Click the Add button.
b. Select Adapter, and then click Add.
c. Select the manufacturer and model of your Ethernet adapter, and then click OK.
d. Select TCP/IP, and then click OK.
If you need Client for Microsoft Networks:
a. Click the Add button.
b. Select Client, and then click Add.
c. Select Microsoft.
d. Select Client for Microsoft Networks, and then click OK.
3. Restart your PC for the changes to take effect.
3. Select “I want to set up my Internet connection manually” or “I want to connect through a Local Area Network” and click Next.
4. Select “I want to connect through a Local Area Network” and click Next.
5. Uncheck all boxes in the LAN Internet Configuration screen and click Next.
6. Proceed to the end of the Wizard.
3. If an Ethernet adapter is present in your PC, you should see an entry for Local Area Connection. Double-click that entry.
4. Select Properties.
5. Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If not, select Install and add them.
6. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address automatically” is selected.
7.
MacOS 8.6 or 9.x
1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens:
2. From the “Connect via” box, select your Macintosh’s Ethernet interface.
3. From the “Configure” box, select Using DHCP Server. You can leave the DHCP Client ID box empty.
4. Close the TCP/IP Control Panel.
5. Repeat this for each Macintosh on your network.
MacOS X
1.
Verifying TCP/IP Properties (Macintosh)
After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:
• The IP Address is between 192.168.0.2 and 192.168.0.
For a single-user Internet account, your ISP supplies TCP/IP configuration information for one PC. With a typical account, much of the configuration information is dynamically assigned when your PC is first booted up while connected to the ISP, and you will not need to know that dynamic information.
If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them. If an ISP technician configured your PC during the installation of the broadband modem, or if you configured it using instructions provided by your ISP, you need to copy configuration information from your PC’s Network TCP/IP Properties window (or Macintosh TCP/IP Control Panel) before reconfiguring your PC for use with the firewall.
Obtaining ISP Configuration Information (Macintosh)
As mentioned above, you may need to collect configuration information from your Macintosh so that you can use this information when you configure the FVS318 VPN Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you need to configure the firewall for Internet access:
1.
Ready for Configuration
After configuring all of your PCs for TCP/IP networking and connecting them to the local network of your FVS318 VPN Firewall, you are ready to access and configure the firewall. Proceed to the next chapter.
Chapter 4 Basic Configuration
This chapter describes how to perform the basic configuration of your Model FVS318 Cable/DSL ProSafe VPN Firewall using the Setup Wizard, which walks you through the configuration process for your Internet connection.
Accessing the Web Configuration Manager
In order to use the browser-based Web Configuration Manager, your PC must have a web browser program installed such as Microsoft Internet Explorer or Netscape Navigator.
A login window opens as shown in Figure 4-1 below:
Figure 4-1. Login window
This screen may have a different appearance in other browsers.
5. Type admin in the User Name box, password in the Password box, and then click OK. (If your firewall password was previously changed, enter the current password.) If your firewall has not yet been configured, the Setup Wizard should launch automatically.
Figure 4-2. Browser-based configuration main menu
You can manually configure your firewall using this menu as described in “Manual Configuration” on page 4-8, or you can allow the Setup Wizard to determine your configuration as described in the following chapter.
Configuration using the Setup Wizard
The Web Configuration Manager contains a Setup Wizard that can automatically determine your network connection type. If the Setup Wizard does not launch automatically, click on the Setup Wizard heading in the upper left of the opening screen, shown in Figure 4-2.
Configuring for Dynamic IP Account
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the menu shown in Figure 4-3 below:
Figure 4-3. Setup Wizard menu for Dynamic IP address
1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP’s services such as mail or news servers.
3. Router’s MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. If your ISP allows access by only one specific PC’s Ethernet MAC address, select "Use this MAC address". The firewall will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP.
A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typically your ISP transfers the IP addresses of one or two DNS servers to your firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your PCs after configuring the firewall.
3.
Note: You will no longer need to launch the ISP’s login program on your PC in order to access the Internet. When you start an Internet application, your firewall will automatically log you in.
3. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server.
5. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available, enter it also. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses.
Chapter 5 Configuring Security Features
This chapter describes how to use the security features of your Model FVS318 Cable/DSL ProSafe VPN Firewall. The firewall provides you with Web content filtering by keyword, and with security incident logging. You can configure the firewall to e-mail its log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your e-mail address or e-mail pager whenever a significant security event occurs.
Security Log
The firewall will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message.
Log action buttons are described in Table 5-2.
Table 5-2. Log action buttons
Field       Description
Refresh     Click this button to refresh the log screen.
Clear Log   Click this button to clear the log entries.
Send Log    Click this button to email the log immediately.
Block Sites
The FVS318 VPN Firewall allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list.
Keyword application examples:
• If the keyword "XXX" is specified, the URL is blocked.
• If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed.
• If you wish to block all Internet browsing access during a scheduled period, enter the keyword “.” and set the schedule in the Schedule menu.
Schedule
If you enabled content filtering in the Block Sites menu, you can set up a schedule for when blocking occurs or when access isn't restricted. The firewall allows you to specify when blocking will be enforced by configuring the Schedule tab shown below:
To block keywords or Internet domains based on a schedule:
1. Select Every Day or select one or more days.
2.
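The keyword examples above (“XXX”, “.com”, and “.” combined with a schedule) can be walked through with a small model of the Block Sites logic. This is an added illustration written for this page, not NETGEAR firmware code; it assumes a keyword matches as a case-insensitive substring anywhere in the requested URL, that the 255-entry limit is enforced, and that the schedule is a set of weekdays plus a daily time window.

```python
"""Model of the FVS318 Block Sites keyword filter and its blocking schedule.

Added illustration, not NETGEAR code. Assumed behaviour: a keyword matches
when it appears anywhere in the URL (case-insensitive substring), at most
255 keywords are accepted, and blocking is enforced only while the
schedule (days of week plus a start/end time) is active.
"""
from dataclasses import dataclass, field
from datetime import datetime, time

MAX_KEYWORDS = 255  # limit stated for the Keyword list


class KeywordListFull(ValueError):
    """Raised when more than MAX_KEYWORDS entries are configured."""


@dataclass
class Schedule:
    """When blocking is enforced. Empty `days` means Every Day (0=Monday .. 6=Sunday)."""
    days: frozenset = frozenset()
    start: time = time(0, 0)
    end: time = time(23, 59)

    def active(self, when: datetime) -> bool:
        day_ok = not self.days or when.weekday() in self.days
        return day_ok and self.start <= when.time() <= self.end


@dataclass
class BlockSites:
    keywords: list = field(default_factory=list)
    schedule: Schedule = field(default_factory=Schedule)

    def add_keyword(self, keyword: str) -> None:
        kw = keyword.strip().lower()
        if not kw:
            return
        if len(self.keywords) >= MAX_KEYWORDS:
            raise KeywordListFull(f"keyword list holds at most {MAX_KEYWORDS} entries")
        self.keywords.append(kw)

    def matching_keyword(self, url: str):
        """Return the first configured keyword found in `url`, or None."""
        haystack = url.lower()
        return next((kw for kw in self.keywords if kw in haystack), None)

    def is_blocked(self, url: str, when: datetime) -> bool:
        """A request is blocked only while the schedule is active and a keyword matches."""
        if not self.schedule.active(when):
            return False
        return self.matching_keyword(url) is not None


def demo() -> dict:
    """Walk through the manual's three keyword examples with constructed URLs and times."""
    work_hours = Schedule(days=frozenset(range(0, 5)), start=time(9, 0), end=time(17, 0))
    monday_noon = datetime(2002, 6, 3, 12, 0)  # a Monday, inside the window
    sunday_noon = datetime(2002, 6, 2, 12, 0)  # a Sunday, outside the window
    results = {}

    # Example 1: keyword "XXX" blocks any URL containing it (constructed URLs).
    xxx = BlockSites()
    xxx.add_keyword("XXX")
    results["xxx_blocked"] = xxx.is_blocked("http://www.example.test/xxx/page.html", monday_noon)
    results["xxx_clean_allowed"] = not xxx.is_blocked("http://www.example.test/news.html", monday_noon)

    # Example 2: keyword ".com" leaves only other suffixes (.edu, .gov, ...) reachable.
    dotcom = BlockSites()
    dotcom.add_keyword(".com")
    results["com_blocked"] = dotcom.is_blocked("http://www.example.com/", monday_noon)
    results["edu_allowed"] = not dotcom.is_blocked("http://www.example.edu/", monday_noon)

    # Example 3: keyword "." plus a schedule blocks all browsing, but only inside the window.
    everything = BlockSites(schedule=work_hours)
    everything.add_keyword(".")
    results["all_blocked_in_window"] = everything.is_blocked("http://www.example.gov/", monday_noon)
    results["all_allowed_outside"] = not everything.is_blocked("http://www.example.gov/", sunday_noon)
    return results
```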
Time Zone
The FVS318 VPN Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list. If your region uses Daylight Savings Time, you must manually check Adjust for Daylight Savings Time at the beginning of the Daylight Savings Time, and uncheck it at the end.
E-Mail
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:
• Turn e-mail notification on: Check this box if you wish to receive e-mail logs and alerts from the firewall.
• Your outgoing mail server: Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as mail.myISP.com).
• Send logs according to this schedule: Specifies how often to send the logs: Hourly, Daily, Weekly, or When Full.
– Day for sending log: Specifies which day of the week to send the log. Relevant when the log is sent weekly or daily.
– Time for sending log: Specifies the time of day to send the log. Relevant when the log is sent daily or weekly.
Chapter 6 Virtual Private Networking
This chapter describes how to use the virtual private networking (VPN) features of the FVS318 VPN Firewall. A VPN provides secure, encrypted communication between your local network and a remote network or computer.
Note: The FVS318 VPN Firewall uses industry standard VPN protocols. However, due to variations in how manufacturers interpret these standards, many VPN products are not interoperable.
What is a VPN
A VPN can be thought of as a secure tunnel passing through the Internet, connecting two devices such as a PC or router, which form the two tunnel endpoints. At one endpoint, data is encapsulated and encrypted, then transmitted through the Internet. At the far endpoint, the data is received, unencapsulated and decrypted.
Accessing Network Resources from a VPN Client PC
VPN client remote access allows a remote PC to connect to your network from any location on the Internet. In this case, the remote PC is one tunnel endpoint, running VPN client software. The NETGEAR VPN-enabled router on your network is the other tunnel endpoint, as shown below.
Linking Two Networks Together
A VPN between two NETGEAR VPN-enabled routers is a good way to connect branch offices and business partners over the Internet, offering an affordable, high-performance alternative to leased site-to-site lines. The VPN also provides access to remote network resources when NAT is enabled and remote computers have been assigned private IP addresses.
Check the LAN Address Ranges
First, be sure that the two LANs have different IP address ranges. If both networks are using the NETGEAR default address range of 192.168.0.x, the connection will not work. In this case, you must change one FVS318’s LAN IP Address and DHCP range to a different range such as 192.168.3.x. To change the second FVS318’s LAN address range, follow these steps:
1.
1. From the Main Menu of the browser interface click the link labeled VPN Settings. The VPN Settings window opens as shown in Figure 6-1 below:
Figure 6-1.
2. Click the button next to an unused profile in the table and click Edit. The VPN Settings - IKE window opens as shown in Figure 6-2 below:
Figure 6-2.
3. Type a name for this Security Association in the Connection Name box. (This name is only to help you identify the Security Association.)
4. Enter a Local IPSec Identifier name for this FVS318. You can leave this as ‘Local’.
5. Enter a Remote IPSec Identifier name for the remote FVS318. You can leave this as ‘Remote’.
6. Define the remote network by entering its Remote IP Address and IP Subnet Mask.
Configure the Second Firewall
To configure the second FVS318, follow the same steps as the first FVS318, except for steps 6 and 7. For those steps, do the following:
6) Define the remote network by entering its Remote IP Address and IP Subnet Mask. In this case, the Remote network address is the LAN network address of the first FVS318, which is 192.168.0.0 and the Subnet Mask is 255.255.255.0.
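The two checks this section relies on, that the LAN address ranges differ and that each firewall's Security Association names the other side's LAN as its Remote IP Address / IP Subnet Mask, can be done on paper before touching either firewall. The following is an added illustration written for this page, not NETGEAR code; the LAN addresses and masks are the manual's own example values (192.168.0.x and 192.168.3.x, mask 255.255.255.0), and overlap is detected with the standard `ipaddress` module, which also catches partial overlaps (for example a /16 against a /24), not only identical ranges.

```python
"""Pre-flight check for a router-to-router FVS318 VPN.

Added illustration, not NETGEAR code. Given each firewall's LAN IP Address
and subnet mask, it refuses overlapping LAN ranges (the manual says the
tunnel will not work in that case) and otherwise returns the Remote IP
Address / IP Subnet Mask values to type into each firewall's SA.
"""
import ipaddress


class OverlappingLans(ValueError):
    """Both sites use the same or overlapping LAN range; the tunnel will not work."""


def lan_network(lan_ip: str, subnet_mask: str) -> ipaddress.IPv4Network:
    """Derive the LAN network address from a firewall's LAN IP address and mask.

    strict=False lets a host address such as 192.168.3.1 stand in for 192.168.3.0/24.
    """
    return ipaddress.IPv4Network(f"{lan_ip}/{subnet_mask}", strict=False)


def site_to_site_sa_fields(first_lan_ip: str, first_mask: str,
                           second_lan_ip: str, second_mask: str) -> dict:
    """Return the Remote IP Address / IP Subnet Mask fields for each firewall's SA.

    Each firewall's remote network is the *other* firewall's LAN network, exactly as
    step 6 above describes for the second FVS318.
    """
    first = lan_network(first_lan_ip, first_mask)
    second = lan_network(second_lan_ip, second_mask)
    if first.overlaps(second):
        raise OverlappingLans(
            f"{first} and {second} overlap; change one FVS318's LAN IP Address and DHCP range"
        )
    return {
        "first_firewall": {
            "Remote IP Address": str(second.network_address),
            "IP Subnet Mask": str(second.netmask),
        },
        "second_firewall": {
            "Remote IP Address": str(first.network_address),
            "IP Subnet Mask": str(first.netmask),
        },
    }


def default_config_conflicts() -> bool:
    """Both firewalls left at the NETGEAR default 192.168.0.1/255.255.255.0 must be rejected."""
    try:
        site_to_site_sa_fields("192.168.0.1", "255.255.255.0",
                               "192.168.0.1", "255.255.255.0")
    except OverlappingLans:
        return True
    return False


if __name__ == "__main__":
    # First FVS318 keeps 192.168.0.x; the second was moved to 192.168.3.x as the manual advises.
    print(site_to_site_sa_fields("192.168.0.1", "255.255.255.0",
                                 "192.168.3.1", "255.255.255.0"))
```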
At this point the connection is established. You can also verify the progress of the connection by viewing the FVS318’s VPN Log and Status windows. Go to the main menu and click on Router Status. At the bottom of that menu appear two buttons labeled “Show VPN Logs” and “Show VPN Status”. Clicking on Show VPN Status displays the following screen: When the tunnel is active, the State will show “Q-Established”.
Using the VPN Connection
Now that your VPN connection is working, whenever a PC on the second LAN needs to access an IP address on the first LAN, the firewalls will automatically establish the connection. This is fine when you know the IP address of a resource on the other network.
1. From the Main Menu of the browser interface click the link labeled VPN Settings. The VPN Settings window opens as shown in Figure 6-1 below:
Figure 6-3. VPN Settings Window
2. Click the button next to an unused profile in the table and click Edit. The VPN Settings - IKE window opens as shown in Figure 6-4 below:
Figure 6-4.
3. Type a name for this Security Association in the Connection Name box. (This name is only to help you identify the Security Association.)
4. Enter a Local IPSec Identifier name for this FVS318. You can leave this as ‘Local’.
5. Enter a Remote IPSec Identifier name for the remote FVS318. You can leave this as ‘Remote’.
6. Define the remote network by entering its Remote IP Address and IP Subnet Mask.
14. IKE Life Time - Default is 28800 seconds (8 hours). A shorter time increases security, but users will be temporarily disconnected upon renegotiation.
15. Click Apply to enter the SA into the table.
Installing the VPN Client Software
Note: Use Windows 98 Second Edition or a later release of Windows with this VPN Client software.
To install and configure the Secure VPN Client, follow the instructions below:
1.
Configuring the Client Software
Open the Security Policy Editor
To launch the VPN client, click on the Windows Start button, then select Programs, then SafeNet Soft-PK (or SoftRemote), then Security Policy Editor. The Security Policy Editor window will appear:
Create a VPN Connection
In this step you will need to provide information about the FVS318 to which you will be connecting.
From the Edit menu at the top of the Security Policy Editor window, click Add, then Connection. A “New Connection” listing will appear in the list of policies.
1. Click and rename the “New Connection” list item to a descriptive name such as “SantaClara”.
2. In the Connection Security box on the right side of the Security Policy Editor window, select Secure.
3. In the ID Type menu, select IP Subnet.
4.
1. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the new connection by double clicking its name or clicking on the “+” symbol. My Identity and Security Policy subheadings should appear below the connection name.
2. Click on the Security Policy subheading to show the Security Policy menu.
3. In the Select Phase 1 Negotiation Mode box, select Main Mode.
4.
7. From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.
8. Increase the Retransmit Interval (seconds) period to 45.
9. Check the Allow to Specify Internal Network Address checkbox and click OK.
Configure the VPN Client Identity
In this step, you will provide information about the remote VPN client PC. You will need to provide:
• The PreShared Key that you configured in the FVS318.
1. In the Network Security Policy list on the left side of the Security Policy Editor window, click on My Identity.
2. In the Select Certificate menu, choose None.
3. In the ID Type menu, select IP Address.
4. If you are using a “virtual fixed” IP address as discussed in “Configuring the Firewall” on page 6-10, enter this address in the Internal Network IP Address box. Otherwise, leave this box empty. For this example, use 192.168.
1. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double clicking its name or clicking on the “+” symbol.
2. Expand the Authentication subheading by double clicking its name or clicking on the “+” symbol. Then select Proposal 1 below Authentication.
3. In the Authentication Method menu, select Pre-Shared key.
4. In the Encrypt Alg menu, select DES.
5.
Check the VPN Connection
To check the VPN Connection, you can initiate a request from the remote PC to the FVS318’s network. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. The simplest method is to ping from the remote PC to the LAN IP address of the FVS318. Using our example, start from the remote PC:
1. On the Windows taskbar, click the Start button, and then click Run.
2.
The Log Viewer screen for a successful connection is shown below:
The Connection Monitor screen for this connection is shown below:
In this example:
• The FVS318 has a public IP WAN address of 134.177.100.11
• The FVS318 has a LAN IP address of 192.168.0.1
• The VPN client PC has a dynamically assigned address of 12.236.5.184
• The VPN client PC is using a “virtual fixed” IP address of 192.168.100.
Clicking on Show VPN Status displays the following screen: When the tunnel is active, the State will show “Q-Established”. To drop the connection manually, you can click the Drop button. The Show VPN Logs button displays details of the VPN authentication and protocol negotiation.
Accessing Remote Resources across a VPN
Only non-broadcast IP traffic will pass over the VPN tunnel. This prevents browsing with Network Neighborhood (which relies on broadcast traffic), or using LAN protocols (such as IPX, AppleTalk, NetBEUI, etc.) to establish connections to machines at the other end of the VPN tunnel. Some methods by which a VPN client may access remote resources across a VPN are:
• Use the IP address.
• SA Life Time is 8 Hours
A finite SA Life Time increases security by forcing the two VPN endpoints to update the encryption and authentication keys. However, every time the VPN tunnel renegotiates, users accessing remote resources are disconnected.
• For increased reliability, Keep Alive will always be enabled for router-to-router VPN connections.
3. Outgoing SPI - Enter the Security Parameter Index that this router will send to identify the Security Association (SA). This will be the remote host’s Incoming SPI. The SPI should be a string of hexadecimal [0-9,A-F] characters, and should not be used in any other Security Association.
Tip: For simplicity (or troubleshooting), the Incoming and Outgoing SPI can be identical.
4.
5. For Encryption Protocol, select one:
a.
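The SPI rules in the Manual Keying steps above (hexadecimal value, not reused by another SA, and this router's Outgoing SPI equal to the peer's Incoming SPI) are easy to get wrong when two routers are configured by hand. The following is an added example, not NETGEAR code, that checks a set of manually keyed SAs for those rules; the class and field names are this example's own, not the FVS318 menu labels, and the SPI values are constructed.

```python
"""Consistency checks for manually keyed IPSec SAs, modelled on the SPI rules
stated in the Manual Keying steps. Added example; not NETGEAR code."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set

# The manual says the SPI is a string of hexadecimal [0-9,A-F] characters.
HEX_SPI = re.compile(r"^[0-9A-Fa-f]+$")


@dataclass(frozen=True)
class ManualSA:
    """One manually keyed Security Association as configured on one router.
    Field names are this example's own, not the FVS318 menu labels."""
    name: str
    incoming_spi: str
    outgoing_spi: str


def is_valid_spi(spi: str) -> bool:
    """True if the SPI is a non-empty string of hexadecimal characters."""
    return bool(HEX_SPI.match(spi))


def sa_problems(sas: List[ManualSA]) -> List[str]:
    """Return a list of configuration problems for the SAs on one router
    (an empty list means the set is consistent).

    Two rules are enforced:
      * every SPI must be hexadecimal;
      * an SPI value must not be reused by a different SA (the same SA may
        use one value for both directions, as the Tip in the manual allows).
    """
    problems: List[str] = []
    users: Dict[str, Set[str]] = defaultdict(set)
    for sa in sas:
        for direction, spi in (("incoming", sa.incoming_spi),
                               ("outgoing", sa.outgoing_spi)):
            if not is_valid_spi(spi):
                problems.append(f"{sa.name}: {direction} SPI {spi!r} is not hexadecimal")
                continue
            # Normalise case so 'ab12' and 'AB12' count as the same value.
            users[spi.upper()].add(sa.name)
    for spi, names in sorted(users.items()):
        if len(names) > 1:
            problems.append(f"SPI {spi} is shared by SAs {sorted(names)}")
    return problems


def peers_match(local: ManualSA, remote: ManualSA) -> bool:
    """The local router's Outgoing SPI must equal the remote's Incoming SPI,
    and vice versa; otherwise the peers will not recognise each other's SA."""
    return (local.outgoing_spi.upper() == remote.incoming_spi.upper()
            and local.incoming_spi.upper() == remote.outgoing_spi.upper())


if __name__ == "__main__":
    # Constructed sample: the same tunnel as seen from two FVS318s
    # (site names and SPI values are placeholders).
    site_a = ManualSA("site-a", incoming_spi="1001", outgoing_spi="2002")
    site_b = ManualSA("site-b", incoming_spi="2002", outgoing_spi="1001")
    print("peers match:", peers_match(site_a, site_b))
    # Two SAs on one router that reuse an SPI and contain a non-hex value.
    router_sas = [ManualSA("to-b", "1001", "2002"), ManualSA("to-c", "1001", "ZZ")]
    print("problems:", sa_problems(router_sas))
```

Run `sa_problems` over all SAs configured on one router, and `peers_match` over the SA for one tunnel as entered on each of the two routers; a mismatch found here shows up on the device only as a tunnel that never reaches the established state.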
Chapter 7
Maintenance

This chapter describes how to use the maintenance features of your Model FVS318 Cable/DSL ProSafe VPN Firewall. These features can be found by clicking on the Maintenance heading in the Main Menu of the browser interface.

System Status

The System Status menu provides a limited amount of status and usage information. From the Main Menu of the browser interface, under Maintenance, select System Status to view the System Status screen, shown in Figure 7-1.
Figure 7-1.
This screen shows the following parameters:

Table 7-1. Menu 3.2 - System Status Fields
Field: Description
System Name: This field displays the Host Name assigned to the firewall in the Basic Settings menu.
Firmware Version: This field displays the firewall firmware version.
WAN Port: These parameters apply to the Internet (WAN) port of the firewall.
Click on the “Show Statistics” button to display firewall usage statistics, as shown in Figure 7-2 below:
Figure 7-2. Router Statistics screen

This screen shows the following statistics:

Table 7-2. Router Statistics Fields
Field: Description
Port: The statistics for the WAN (Internet) and LAN (local) ports. For each port, the screen displays:
Status: The link status of the port.
Click on the “Show VPN Log” or “Show VPN Status” buttons to display VPN connection information, as described in Chapter 6, “Virtual Private Networking.”

Attached Devices

The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table, shown in Figure 7-3.
Figure 7-3.
From the Main Menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown in Figure 7-4.
Figure 7-4. Set Password menu

To change the password, first enter the old password, and then enter the new password twice. Click Apply. After changing the password, you may be required to log in again to continue the configuration.
From the Main Menu of the browser interface, under the Maintenance heading, select the Settings Backup heading to bring up the menu shown in Figure 7-5.
Figure 7-5. Settings Backup menu

Three options are available, and are described in the following sections.
To erase the configuration, click the Erase button.

To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the rear panel of the firewall. See “Using the Default Reset button“ on page 9-8.

Router Upgrade

The software of the FVS318 VPN Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR.
In some cases, you may need to reconfigure the firewall after upgrading.
Chapter 8
Advanced Configuration

This chapter describes how to configure the advanced features of your Model FVS318 Cable/DSL ProSafe VPN Firewall. These features can be found under the Advanced heading in the Main Menu of the browser interface.
Configuring for Port Forwarding to Local Servers

Although the firewall causes your entire local network to appear as a single machine to the Internet, you can make local servers for different services (for example, FTP or HTTP) visible and available to the Internet. This is done using the Ports menu.
When a remote computer on the Internet wants to access a service at your IP address, the requested service is identified by a port number in the incoming IP packets. For example, a packet that is sent to the external IP address of your firewall and destined for port number 80 is an HTTP (Web server) request.
Supporting Internet Services, Applications, or Games

Before starting, you'll need to determine which type of service, application or game you'll provide and the IP address of the computer that will provide each service. Be sure the computer’s IP address never changes.
Some considerations for this application are:
• If your account’s IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires.
• If the IP address of the local PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the PC’s IP address constant.
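The port forwarding behaviour described in this section, as an added example that is not FVS318 firmware code: a small model of the inbound decision a NAT firewall makes. A packet arriving at the WAN address is delivered to a local server only when a rule for its protocol and port exists; any other unsolicited inbound packet is dropped. The WAN address 134.177.100.11 and LAN 192.168.0.x are the manual's example values; the server addresses, rule set and class names are this example's own assumptions.

```python
"""Inbound port-forwarding decision for a NAT firewall, modelled on the Ports
menu described in the manual. Added example; not FVS318 firmware code."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """The fields of an incoming packet that the forwarder looks at."""
    src_ip: str
    dst_ip: str
    protocol: str  # "tcp" or "udp"
    dst_port: int


class PortForwarder:
    """Maps (protocol, external port) to a local server; everything else is dropped."""

    def __init__(self, wan_ip: str, lan_network: str) -> None:
        self.wan_ip = wan_ip
        self.lan = ipaddress.ip_network(lan_network)
        self.rules: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def add_rule(self, protocol: str, external_port: int,
                 server_ip: str, server_port: Optional[int] = None) -> None:
        """Register a forward. The server must be on the LAN, and a given
        protocol/port pair can be forwarded to only one server."""
        protocol = protocol.lower()
        if protocol not in ("tcp", "udp"):
            raise ValueError(f"unsupported protocol: {protocol}")
        if not 1 <= external_port <= 65535:
            raise ValueError(f"port out of range: {external_port}")
        if ipaddress.ip_address(server_ip) not in self.lan:
            raise ValueError(f"{server_ip} is not on the LAN {self.lan}")
        key = (protocol, external_port)
        if key in self.rules:
            raise ValueError(f"{protocol}/{external_port} is already forwarded")
        self.rules[key] = (server_ip, server_port or external_port)

    def route_inbound(self, pkt: Packet) -> Optional[Tuple[str, int]]:
        """Return (server_ip, server_port) for a forwarded packet, or None when
        the packet is dropped. Unsolicited inbound traffic is dropped unless a
        rule matches; this is the 'all incoming inquiries are filtered out'
        behaviour of NAT that the manual describes."""
        if pkt.dst_ip != self.wan_ip:
            return None
        return self.rules.get((pkt.protocol.lower(), pkt.dst_port))


def build_example() -> PortForwarder:
    """Constructed configuration using the manual's example addresses
    (WAN 134.177.100.11, LAN 192.168.0.x); the server addresses are made up."""
    fw = PortForwarder(wan_ip="134.177.100.11", lan_network="192.168.0.0/24")
    fw.add_rule("tcp", 80, "192.168.0.10")        # HTTP (Web server)
    fw.add_rule("tcp", 21, "192.168.0.11")        # FTP control channel
    fw.add_rule("tcp", 8080, "192.168.0.10", 80)  # external 8080 -> internal 80
    return fw


if __name__ == "__main__":
    fw = build_example()
    web = Packet("12.236.5.184", "134.177.100.11", "tcp", 80)
    telnet = Packet("12.236.5.184", "134.177.100.11", "tcp", 23)
    print("port 80 ->", fw.route_inbound(web))     # ('192.168.0.10', 80)
    print("port 23 ->", fw.route_inbound(telnet))  # None: dropped
```

The `add_rule` checks mirror the two considerations above: the target must be a fixed LAN address (a server outside the LAN, or an address that later changes, leaves the rule pointing nowhere), and one external port cannot be shared by two servers.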
Dynamic DNS

If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently.
LAN IP Setup

The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. From the Main Menu of the browser interface, under Advanced, click on LAN IP Setup to view the LAN IP Setup menu, shown in Figure 8-2.
Figure 8-2. LAN IP Setup Menu

LAN TCP/IP Setup

The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server.
The LAN IP parameters are:
• IP Address
This is the LAN IP address of the firewall.
• IP Subnet Mask
This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
• RIP Direction
RIP (Routing Information Protocol) allows a router to exchange routing information with other routers.
Any packets sent through the firewall that are larger than the configured MTU size will be repackaged into smaller packets to meet the MTU requirement.
To change the MTU size:
1. Under MTU Size, select Custom.
2. Enter a new size between 64 and 1500.
3. Click Apply to save the new configuration.
Reserved IP addresses

When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings.
To reserve an IP address:
1. Click the Add button.
2. In the IP Address box, type the IP address to assign to the PC or server.
From the Main Menu of the browser interface, under Advanced, click on Static Routes to view the Static Routes menu, shown in Figure 8-3.
Figure 8-3. Static Routes Summary Table

To add or edit a Static Route:
1. Select a number and click the Edit button to open the Edit Menu, shown in Figure 8-4.
Figure 8-4. Static Route Entry and Edit Menu
2. Type a route name for this static route in the Route Name box under the table.
5. Type the Destination IP Address of the final destination.
6. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255.
7. Type the Gateway IP Address, which must be a router on the same LAN segment as the firewall.
8. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your network and the destination.
Remote Management

Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your NETGEAR Cable/DSL ProSafe VPN Firewall.

Note: Be sure to change the router's default password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols.
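The password guidance in the Note above, turned into a check an administrator can run before enabling remote management. This is an added example, not NETGEAR code: the minimum length, the tiny word list and the substitution table are this example's own assumptions (the manual sets no minimum length), and a real deployment would use a full dictionary for each language its users might draw words from.

```python
"""Password policy checker for the guidance in the Remote Management note:
mixed-case letters, digits, symbols, no dictionary words. Added example;
not NETGEAR code."""
import string
from typing import List

MIN_LENGTH = 12  # assumption: the manual states no minimum length

# Constructed, deliberately tiny word list for the example.
COMMON_WORDS = frozenset({
    "password", "admin", "netgear", "firewall", "router",
    "welcome", "letmein", "secret", "qwerty",
})

# Common digit/symbol substitutions, so "Passw0rd" is still treated as
# containing the word "password" (guessing tools try these too).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def _normalise(password: str) -> str:
    """Lower-case the password and undo the substitutions in LEET."""
    return password.lower().translate(LEET)


def password_problems(password: str) -> List[str]:
    """Return stable problem codes; an empty list means the password passes."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_upper")
    if not any(c.islower() for c in password):
        problems.append("no_lower")
    if not any(c.isdigit() for c in password):
        problems.append("no_digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no_symbol")
    normalised = _normalise(password)
    if any(word in normalised for word in COMMON_WORDS):
        problems.append("dictionary_word")
    return problems


def is_strong(password: str) -> bool:
    """True only when no policy rule is violated."""
    return not password_problems(password)


if __name__ == "__main__":
    for candidate in ("password", "Passw0rd!", "kT7#vq2Lm!9x"):
        print(f"{candidate!r}: {password_problems(candidate) or 'ok'}")
```

The substitution step is what makes the check stronger than a plain word-list lookup: "Passw0rd!" satisfies every character-class rule yet is still rejected as a dictionary word, which is the kind of password a guessing attempt against an Internet-reachable management page will try early.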
Chapter 9
Troubleshooting

This chapter gives information about troubleshooting your Model FVS318 Cable/DSL ProSafe VPN Firewall. For the common problems listed, go to the section indicated.

Is the firewall on? Have I connected the firewall correctly?
Go to “Basic Functioning“ on page 9-1.

I can’t access the firewall’s configuration with my browser.
Go to “Troubleshooting the Web Configuration Interface“ on page 9-4.

I’ve configured the firewall but I can’t access the Internet.
3. After approximately 10 seconds, verify that:
a. The Test LED is not lit.
b. The Local port LEDs are lit for any local ports that are connected.
c. The Internet port LED is lit.
If a port’s LED is lit, a link has been established to the connected device. If a Local port is connected to a 100 Mbps device, verify that the port’s LED is green. If the port is 10 Mbps, the LED will be amber.
LAN or WAN Port LEDs Not On

If either the LAN LEDs or WAN LED do not light when the Ethernet connection is made, check the following:
• Make sure that the Ethernet cable connections are secure at the firewall and at the hub or workstation.
• Make sure that power is turned on to the connected hub or workstation.
Troubleshooting the Web Configuration Interface

If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the firewall as described in the previous section.
• Make sure your PC’s IP address is on the same subnet as the firewall.
Troubleshooting the ISP Connection

If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.
To check the WAN IP address:
1.
OR
Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manual Configuration“ on page 4-8.

If your firewall can obtain an IP address, but your PC is unable to load any web pages from the Internet:
• Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses.
Pinging with 32 bytes of data

If the path is working, you see this message:
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx

If the path is not working, you see this message:
Request timed out

If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections — Make sure the LAN port LED is on.
— If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu.
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
• Date shown is January 1, 2000
Cause: The firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the firewall, wait at least five minutes and check the date and time again.
• Time is off by one hour
Cause: The firewall does not automatically sense Daylight Savings Time.
Troubleshooting the VPN Connection

Note: The FVS318 VPN Firewall uses industry standard VPN protocols. However, due to variations in how manufacturers interpret these standards, many VPN products are not interoperable. NETGEAR provides support for connections between two FVS318 VPN Firewalls, and between an FVS318 VPN Firewall and the SafeNet Secure VPN Client for Windows.
Appendix A
Technical Specifications

This appendix provides technical specifications for the Model FVS318 Cable/DSL ProSafe VPN Firewall.

Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
VPN Protocols: IKE, IPSec, DES, 3DES, MD5, SHA-1

Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1.
Weight: 1.2 kg (2.6 lb.)
Appendix B
Networks, Routing, and Firewall Basics

This appendix provides an overview of IP networks, routing, and firewalls.

Basic Router Concepts

Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area network (LAN). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access is usually provided by a slower-speed wide-area network (WAN) link such as a cable or DSL modem.
Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The Model FVS318 Cable/DSL ProSafe VPN Firewall is a small office router that routes the IP protocol over a single-user broadband connection.

Routing Information Protocol

One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP).
There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address.
• Class D
Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255.
• Class E
Class E addresses are for experimental use.

This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network.
Subnet Addressing

By looking at the addressing structures, you can see that even with a Class C address, there are a large number of hosts per network. Such a structure is an inefficient use of addresses if each end of a routed link requires a different network number. It is unlikely that the smaller office LANs would have that many devices. You can resolve this problem by using a technique known as subnet addressing.
Note: The number 192.68.135.127 is not assigned because it is the broadcast address of the first subnet. The number 192.68.135.128 is not assigned because it is the network address of the second subnet.

The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits.
Table B-2. Netmask Formats
255.255.255.252  /30
255.255.255.254  /31
255.255.255.255  /32

NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the following reasons:
• So that hosts recognize local IP broadcast packets
When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address.
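The address-class, subnet and netmask arithmetic described in this appendix, worked through in code. This is an added example, not NETGEAR code: it classifies an address by its leading bits, converts between the dotted-decimal and /n netmask forms of Table B-2 (rejecting non-contiguous masks), computes the network and broadcast addresses that the Note above points out are never assigned to hosts, and performs the "same subnet as the firewall" check used in the troubleshooting chapter. The 192.68.135.x values come from the manual's subnetting example; the function names are this example's own.

```python
"""Subnet arithmetic for the IPv4 addressing scheme described in Appendix B.
Added example; not NETGEAR code."""
from typing import Tuple


def dotted_to_int(dotted: str) -> int:
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    octets = dotted.split(".")
    if len(octets) != 4:
        raise ValueError(f"not a dotted quad: {dotted}")
    value = 0
    for octet in octets:
        n = int(octet)
        if not 0 <= n <= 255:
            raise ValueError(f"octet out of range: {octet}")
        value = (value << 8) | n
    return value


def int_to_dotted(value: int) -> str:
    """Inverse of dotted_to_int."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(dotted: str) -> str:
    """Classify by the leading bit pattern of the first octet:
    0xxxxxxx = A, 10xxxxxx = B, 110xxxxx = C, 1110xxxx = D, 1111xxxx = E."""
    first = dotted_to_int(dotted) >> 24
    if first & 0x80 == 0x00:
        return "A"
    if first & 0xC0 == 0x80:
        return "B"
    if first & 0xE0 == 0xC0:
        return "C"
    if first & 0xF0 == 0xE0:
        return "D"
    return "E"


def prefix_to_int(prefix: int) -> int:
    """Netmask with `prefix` leading one bits, as an integer."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: {prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def prefix_to_mask(prefix: int) -> str:
    """/n form to dotted-decimal form, e.g. 30 -> 255.255.255.252."""
    return int_to_dotted(prefix_to_int(prefix))


def mask_to_prefix(mask: str) -> int:
    """Dotted-decimal netmask to /n, rejecting masks whose one bits are not
    contiguous from the most significant bit (e.g. 255.0.255.0)."""
    value = dotted_to_int(mask)
    prefix = bin(value).count("1")
    if value != prefix_to_int(prefix):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return prefix


def subnet_bounds(ip: str, mask: str) -> Tuple[str, str]:
    """Return (network address, broadcast address) of the subnet containing ip.
    Neither address may be assigned to a host."""
    m = dotted_to_int(mask)
    network = dotted_to_int(ip) & m
    broadcast = network | (~m & 0xFFFFFFFF)  # host bits all ones
    return int_to_dotted(network), int_to_dotted(broadcast)


def same_subnet(ip_a: str, ip_b: str, mask: str) -> bool:
    """True if both addresses share the network part under `mask`; this is
    the check behind 'make sure your PC's IP address is on the same subnet
    as the firewall'."""
    m = dotted_to_int(mask)
    return dotted_to_int(ip_a) & m == dotted_to_int(ip_b) & m


if __name__ == "__main__":
    # The manual's example: a Class C network split with a 255.255.255.128 mask.
    print(subnet_bounds("192.68.135.127", "255.255.255.128"))  # ('192.68.135.0', '192.68.135.127')
    print(subnet_bounds("192.68.135.128", "255.255.255.128"))  # ('192.68.135.128', '192.68.135.255')
    print(mask_to_prefix("255.255.255.252"), prefix_to_mask(32))  # 30 255.255.255.255
    print(same_subnet("192.168.0.1", "192.168.0.2", "255.255.255.0"))  # True
```

`mask_to_prefix` raises on a mask such as 255.0.255.0 rather than guessing a prefix; a host configured with such a mask will compute a different set of "local" addresses from its neighbours, which is exactly the mismatch the recommendation above is meant to avoid.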
Single IP Address Operation Using NAT

In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FVS318 VPN Firewall employs an address-sharing method called Network Address Translation (NAT).
This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system. However, using port forwarding, you can allow one PC (for example, a Web server) on your local network to be accessible to outside users.
IP Configuration by DHCP

When an IP-based local area network is installed, each PC must be configured with an IP address. If the PCs need to access the Internet, they should also be configured with a gateway address and one or more DNS server addresses. As an alternative to manual configuration, there is a method by which each PC on the network can automatically obtain this configuration information.
Uplink Switches and Crossover Cables

In the wiring table, the concept of transmit and receive are from the perspective of the PC. For example, the PC transmits on pins 1 and 2. At the hub, the perspective is reversed, and the hub receives on pins 1 and 2. When connecting a PC to a PC, or a hub port to another hub port, the transmit pair must be exchanged with the receive pair. This exchange is done by one of two mechanisms.
What is a Firewall?

A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
Glossary

10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
802.11b
IEEE specification for wireless networking at 11 Mbps using direct-sequence spread-spectrum (DSSS) technology and operating in the unlicensed radio spectrum at 2.5GHz.
Denial of Service attack
DoS. A hacker attack designed to prevent your computer or network from operating or communicating.
IKE
Internet Key Exchange. An automated method for exchanging and managing encryption keys between two VPN devices.
IP
Internet Protocol. The main internetworking protocol used in the Internet. Used in conjunction with the Transfer Control Protocol (TCP) to form TCP/IP.
IP Address
A four-byte number uniquely defining each host on the Internet. Ranges of addresses are assigned by Internic, an organization formed for this purpose.
netmask
A number that explains which part of an IP address comprises the network address and which part is the host address on that network. It can be expressed in dotted-decimal notation or as a number appended to the IP address. For example, a 28-bit mask starting from the MSB can be shown as 255.255.255.192 or as /28 appended to the IP address.
VPN
Virtual Private Network. A method for securely transporting data between two private networks by using a public network such as the Internet as a connection.
WAN
See wide area network.
WEP
Wired Equivalent Privacy. WEP is a data encryption protocol for 802.11b wireless networks. All wireless nodes and access points on the network are configured with a 64-bit or 128-bit Shared Key for data encryption.
wide area network
WAN.
Index Numerics 3DES 6-7, 6-12 Default DMZ Server 8-3 default password (is password) 7-4 default reset button 9-8 A Account Name 4-5, 4-7, 4-8 Address Resolution Protocol B-9 Auto Uplink 1-2 B backup configuration 7-6 Denial of Service (DoS) protection 1-1 denial of service attack B-12 DES 6-7, 6-12 DHCP 1-3, 8-9, B-10 DHCP Client ID 3-7 DHCP Setup field, Ethernet Setup menu 7-2 DMZ Server 8-3 DNS Proxy 1-3 DNS server 3-10, 3-11, 4-5, 4-6, 4-8, 4-9 C DNS, dynamic 8-6 Cabling B-10 domain 3-10 Cat5 c
FLASH memory 7-7 front panel 2-3 G gateway address 3-10, 3-11 H L LAN IP Setup Menu 8-7 LEDs description 2-3 troubleshooting 9-3 log sending 5-7 Log Viewer 6-20 Half Life 8-5 host name 4-5, 4-7, 4-8 M I MAC address 9-8, B-9 spoofing 4-6, 4-9, 9-6 IANA contacting B-2 IETF xvi Web site address B-7 Macintosh 3-10 configuring for IP networking 3-6 DHCP Client ID 3-7 Obtaining ISP Configuration Information 3-11 IKE 6-7, 6-12 Manual Keying 6-24 IKE Life Time 6-7, 6-13 masquerading 3-9 installation 1
Perfect Forward Secrecy 6-7, 6-12 ping 8-5 Port Forwarding 8-2 port forwarding behind NAT B-9 Port Forwarding Menu 8-2 PPP over Ethernet 1-3, 3-9 PPPoE 1-3, 3-9, 4-7 PPTP 6-2 PreShared Key 6-7, 6-12 Primary DNS Server 4-5, 4-6, 4-8, 4-9 protocols Address Resolution B-9 DHCP 1-3, B-10 Routing Information 1-3, B-2 support 1-3 TCP/IP 1-3 publications, related xvi Q Quake 8-5 R rear panel 2-4 remote management 8-13 requirements access device 2-2 hardware 2-2 S SA 6-2 SA Life Time 6-24 SafeNet Secure VPN Clie
V VPN 1-2 VPN client 6-3 W warranty 1-4 Windows, configuring for IP routing 3-2, 3-5 winipcfg utility 3-5 WinPOET 3-9 World Wide Web iii