
Netgear FR328S User's Manual

Contents

1. 4 8 M 10207 01 Reference Manual v2 Serial Port Configuration
   Chapter 5: Protecting Your Network
   This chapter describes how to use the basic firewall features of the FR328S ProSafe Firewall with Dial Back Up to protect your network.
   Protecting Access to Your FR328S Firewall
   For security reasons, the firewall has its own user name and password. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect. When prompted, enter admin for the firewall User Name and password for the firewall password. You can use the procedures below to change the firewall password and the amount of time for the administrator's login timeout.
   Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.
   Change this password to a more secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of both upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.
   How to Change the Built-In Password
   1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. [Screen fields: End Time (hour, minute); Time Zone: GMT-08:00 Pacific Time (US, Canada); Adjust for daylight savings time; Use this NTP Server; Current time: Tues 2003-08-26 13:04:12]
   Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries. Check the Daylight Savings Time box if your time zone is currently in daylight savings time.
   Note: If your region uses Daylight Savings Time, you must manually check Adjust for Daylight Savings Time on the first day of Daylight Savings Time, and uncheck it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time.
   The firewall uses Netgear NTP servers by default. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server.
   Click Apply to save your settings.
   How to Schedule Firewall Services
   If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu, you can set up a schedule for when blocking occurs or when access isn't restricted.
   1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen fo
3. • Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
   Troubleshooting the ISP Connection
   If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.
   To check the WAN IP address:
   1. Launch your browser and select an external site such as www.netgear.com.
   2. Access the Main Menu of the firewall's configuration at http://192.168.0.1.
   3. Under the Maintenance heading, select Router Status.
   4. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.
   If your firewall is unable to obtain an IP address from the ISP, you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure:
   1. Turn off power to the cable or DSL modem.
   2. Turn off power to your firewall.
   3. Wait five minutes and reapply power to the cable or DSL modem.
   4. When the modem's LEDs indicate that it has reacquired sync with the ISP, reapply power to your fire
4. FR328S ProSafe Firewall with Dial Back Up Reference Manual v2
   NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA. Phone 1-888-NETGEAR
   M 10207 01 Reference Manual v2, October 2003
   2003 by NETGEAR, Inc. Full Manual. All rights reserved.
   Trademarks
   NETGEAR and Auto Uplink are trademarks or registered trademarks of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
   Statement of Conditions
   In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
   Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
   This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no
5. [Figure 6-9: Diagnostics menu]
   Enabling Remote Management
   Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade, and check the status of your FR328S ProSafe Firewall with Dial Back Up.
   Note: Be sure to change the router's default password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.
   How to Configure Remote Management
   1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the firewall.
   2. Select the Allow Remote Management check box.
   3. Specify what external addresses will be allowed to access the firewall's remote management. For stronger security, restrict access to as few external IP addresses as practical.
      a. To allow access from any IP address on the Internet, select Everyone.
      b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP
6. • RIP-2B uses subnet broadcasting.
   • RIP-2M uses multicasting.
   Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.
   MTU Size
   The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes. For some ISPs, particularly some using PPPoE, you may need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
   Any packets sent through the firewall that are larger than the configured MTU size will be repackaged into smaller packets to meet the MTU requirement.
   To change the MTU size:
   1. Under MTU Size, select Custom.
   2. Enter a new size between 64 and 1500.
   3. Click Apply to save the new configuration.
   DHCP
   By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the router's LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate address
7. 2. From the Main Menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown in Figure 5-1.
   [Figure 5-1: Set Password menu, with the fields Old Password, Set Password, Repeat New Password, and "Administrator login times out after idle for 100 minutes"]
   3. To change the password, first enter the old password, and then enter the new password twice.
   4. Click Apply to save your changes.
   Note: After changing the password, you will be required to log in again to continue the configuration. If you have backed up the firewall settings previously, you should do a new backup so that the saved settings file includes the new password.
   How to Change the Administrator Login Timeout
   For security, the administrator's login to the firewall configuration will timeout after a period of inactivity. To change the login timeout period:
   1. In the Set Password menu, type a number in the "Administrator login times out" field. The suggested default value is 5 minutes.
   2. Click Apply to save your changes or click Cancel to keep the current period.
   Configuring Basic Firewall Services
   Basic firewall services you can configure include access blocking and scheduling of firewall security. These topics are presented below.
   Blocking Keywords, Sites, and Services
   The firewall
8. For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host. Also, the top address of the range (host address of all ones) is not assigned, but is used as the broadcast address for simultaneously sending a packet to all hosts with the same network address.
   Netmask
   In each of the address classes previously described, the size of the two parts (network address and host address) is implied by the class. This partitioning scheme can also be expressed by a netmask associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using an AND operator) with an IP address, yields the network address. For instance, the netmasks for Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.
   For example, the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here, only the network portion of the address remains:
   11000000 10101000 10101010 11101101 (192.168.170.237)
   combined with:
   11111111 11111111 11111111 00000000 (255.255.255.0)
   Equals:
   11000000 10101000 10101010 00000000 (192.168.170.0)
   As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the
9. For more information about address assignment, refer to the IETF documents RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.
   For more information about IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).
   Domain Name Server
   Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as a telephone directory maps names to phone numbers, or as an ARP table maps IP addresses to MAC addresses, a domain name system (DNS) server maps descriptive names of network resources to IP addresses.
   When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.
   IP Configuration by DHCP
   When an IP-based local area network is installed, each PC must be configured with an IP address. If the PCs need to access the Internet, they should also be confi
10. Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
    If the path is not working, you see this message:
    Request timed out
    If the path is not functioning correctly, you could have one of the following problems:
    • Wrong physical connections. Make sure the LAN port LED is on. If the LED is off, follow the instructions in "Local or Internet Port Link LEDs Not On" on page 8-2. Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and firewall.
    • Wrong network configuration. Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. Verify that the IP address for your firewall and your workstation are correct and that the addresses are on the same subnet.
    Testing the Path from Your PC to a Remote Device
    After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type:
    PING -n 10 <IP address>
    where <IP address> is the IP address of a remote device such as your ISP's DNS server.
    If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
    • Check that your PC has the IP address of your firewall listed
11. This will set the firewall's IP address to 192.168.0.1. This procedure is explained in "Using the Default Reset button" on page 8-7.
    If the error persists, you might have a hardware problem and should contact technical support.
    Local or Internet Port Link LEDs Not On
    If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made, check the following:
    • Make sure that the Ethernet cable connections are secure at the firewall and at the hub or PC.
    • Make sure that power is turned on to the connected hub or PC.
    • Be sure you are using the correct cable. When connecting the firewall's Internet port to a cable or DSL modem, use the cable that was supplied with the cable or DSL modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.
    Troubleshooting the Web Configuration Interface
    If you are unable to access the firewall's Web Configuration interface from a PC on your local network, check the following:
    • Check the Ethernet connection between the PC and the firewall as described in the previous section.
    • Make sure your PC's IP address is on the same subnet as the firewall. If you are using the recommended addressing scheme, your PC's address should be in the range of 192.168.0.2 to 192.168.0.254. Refer to Verifying TCP I
12. To get the information you need to configure the firewall for Internet access:
    1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens, which displays a list of configuration settings. If the "Configure" setting is "Using DHCP Server", your account uses a dynamically assigned IP address. In this case, close the Control Panel and skip the rest of this section.
    2. If an IP address and subnet mask are shown, write down the information.
    3. If an IP address appears under Router address, write down the address. This is the ISP's gateway address.
    4. If any Name Server addresses are shown, write down the addresses. These are your ISP's DNS addresses.
    5. If any information appears in the Search domains information box, write it down.
    6. Change the "Configure" setting to "Using DHCP Server".
    7. Close the TCP/IP Control Panel.
    Restarting the Network
    Once you've set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the firewall.
    After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FR328S Firewall, you are ready to access and configure the firewall.
13. and the Ethernet MAC address. Note that if the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.
    Viewing, Selecting, and Saving Logged Information
    The firewall will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page shows you when someone on your network tried to access a blocked site. If you enabled e-mail notification, you'll receive these logs in an e-mail message. If you don't have e-mail notification enabled, you can view the logs here. An example is shown below.
    [Figure: sample Logs page with entries for NETGEAR activation, a successful administrator login, and dropped UDP and TCP packets matching the inbound default rule]
14. 2 FR328S Rear Panel
    Viewed from left to right, the rear panel contains the following elements:
    • DB-9 serial port for modem connection
    • Factory Default Reset push button
    • Eight Local Ethernet RJ-45 ports for connecting the firewall to the local computers
    • Internet WAN Ethernet RJ-45 port for connecting the firewall to a cable or DSL modem
    • 12V DC 1.2A power adapter input
    Chapter 3: Connecting the Firewall to the Internet
    This chapter describes how to set up the firewall on your Local Area Network (LAN), connect to the Internet, perform basic configuration of your FR328S ProSafe Firewall with Dial Back Up using the Setup Wizard, or how to manually configure your Internet connection.
    What You Will Need Before You Begin
    You need to prepare these three things before you can connect your firewall to the Internet:
    1. A computer properly connected to the firewall as explained below.
    2. Active Internet service such as that provided by a DSL or Cable modem account.
    3. The Internet Service Provider (ISP) configuration information for your DSL or Cable modem account.
    Hardware Requirements
    The FR328S Firewall connects to your LAN via twisted-pair Ethernet cables.
    To use the FR328S Firewall on your network, each computer must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Categor
15. Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). You can contact IANA at www.iana.org.
    The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points.
    For example, the following binary address:
    11000011 00100010 00001100 00000111
    is normally written as:
    195.34.12.7
    The latter version is easier to remember and easier to enter into your computer.
    In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application.
    There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly iden
16. Basic Requirements for Dial-in
    Dial-in requires these elements:
    1. A broadband connection to the FR328S.
    2. An analog phone line.
    3. A serial modem properly configured and attached to the DB9 connector on the serial port.
    4. The Dial-in settings configured and applied to the FR328S.
    How to Configure Dial-in
    Follow the steps below to configure a serial port dial-in connection.
    1. Configure a serial port modem according to the instructions above.
    2. From the Serial Port section of the main menu, click Dial-in.
    [Figure 4-3: Serial Port Dial-in settings screen, showing Enable Dial-in, Dial-in PPP Authentication (PAP), Disconnect after Idle Time of 15 minutes, and a Dial-in Users table (Name, Enabled, Call Back) with Add, Edit, and Delete buttons]
    3. Configure the Dial-in settings.
    4. Click Apply for the changes to take effect.
    Configuring LAN-to-LAN Settings
    LAN-to-LAN enables direct communications between two FR328S firewalls.
    [Figure 4-4: LAN-to-LAN network configuration]
    Basic Requirements for LAN-to-LAN Connections
    Serial port LAN-to-LAN configurations require these elements:
    1. An ISDN or a
17. [Figure Preface 2: HTML version of this manual]
    1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs. To view the HTML version of the manual, you must have a version 4 or later browser with JavaScript enabled.
    2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more.
       • The Show in Contents button locates the current topic in the Contents tab.
       • Previous/Next buttons display the previous or next topic.
       • The PDF button links to a PDF version of the full manual.
       • The Print button prints the current topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer; you do not have to worry about specifying the correct range of pages.
    3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the manual includes a "PDF of This Chapter" link at the top right which links to a PDF file containing just the curren
18. Configure a Serial Port Modem
    Configuring Auto Rollover
    Basic Requirements for Auto Rollover
    How to Configure Auto Rollover
    Configuring Dial-in on the Serial Port
    Basic Requirements for Dial-in
    How to Configure Dial-in
    Configuring LAN-to-LAN Settings
    Basic Requirements for LAN-to-LAN Connections
    How to Configure LAN-to-LAN Connections
    Chapter 5: Protecting Your Network
    Protecting Access to Your FR328S Firewall
    How to Change the Built-In Password
    How to Change the Administrator Login Timeout
    Configuring Basic Firewall Services
    Blocking Keywords, Sites, and Services
    How to Block Keywords and Sites
    Services
    How to Define Services
    Rules
    Inbound Rules (Port Forwarding)
    Inbound Rule Example: A Local Public Web Server
    Inbound Rule Example: Allowing Videoconference from Restricted Addresses
19. Following are examples of log messages. In all cases, the log entry shows the timestamp as: Day Year-Month-Date Hour:Minute:Second
    Activation and Administration
    Tue 2002-05-21 18:48:39 NETGEAR activated
    This entry indicates a power-up or reboot with initial time entry.
    Tue 2002-05-21 18:55:00 Administrator login successful IP 192.168.0.2
    Thu 2002-05-21 18:56:58 Administrator logout IP 192.168.0.2
    This entry shows an administrator logging in and out from IP address 192.168.0.2.
    Tue 2002-05-21 19:00:06 Login screen timed out IP 192.168.0.2
    This entry shows a time-out of the administrator login.
    Wed 2002-05-22 22:00:19 Log emailed
    This entry shows when the log was emailed.
    Dropped Packets
    Wed 2002-05-22 07:15:15 TCP packet dropped Source 64.12.47.28 4787 WAN Destination 134.177.0.11 21 LAN Inbound Default rule match
    Sun 2002-05-22 12:50:33 UDP packet dropped Source 64.12.47.28 10714 WAN Destination 134.177.0.11 6970 LAN Inbound Default rule match
    Sun 2002-05-22 21:02:53 ICMP packet dropped Source 64.12.47.28 0 WAN Destination 134.177.0.11 0 LAN Inbound Default rule match
    These entries show an inbound FTP (port 21) packet, UDP packet (port 6970), and ICMP packet (port 0) being dropped as a result of the default inbound rule, which states that all inbound packets are denied.
20. You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
    Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
    If you need to install a new adapter, follow these steps:
    a. Click the Add button.
    b. Select Adapter, and then click Add.
    c. Select the manufacturer and model of your Ethernet adapter, and then click OK.
    If you need TCP/IP:
    a. Click the Add button.
    b. Select Protocol, and then click Add.
    c. Select Microsoft.
    d. Select TCP/IP, and then click OK.
    If you need Client for Microsoft Networks:
    a. Click the Add button.
    b. Select Client, and then click Add.
    c. Select Microsoft.
    d. Select Client for Microsoft Networks, and then click OK.
    3. Restart your PC for the changes to take effect.
    Enabling DHCP to Automatically Configure TCP/IP Settings
    After the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network. The simplest way to configure this information is to allow the PC to obtain the information from the internal DHCP server of the FR328S Firewall. To
21. Selecting Windows Internet Access Method
    Verifying TCP/IP Properties
    Configuring Windows NT, 2000 or XP for IP Networking
    Install or Verify Windows Networking Components
    Verifying TCP/IP Properties
    Configuring the Macintosh for TCP/IP Networking
    MacOS 8.6 or 9.x
    MacOS X
    Verifying TCP/IP Properties
    Verifying the Readiness of Your Internet Account
    Are Login Protocols Used?
    What Is Your Configuration Information?
    Obtaining ISP Configuration Information for Windows
    Obtaining ISP Configuration Information for Macintosh Computers
    Restarting the Network
    Glossary
    Index
    Chapter 1: About This Manual
    Thank you for purchasing the NETGEAR FR328S ProSafe Firewall with Dial Back Up. This chapter describes the target audience, versions, conventions, and features of this manual.
    Audience, Versions, Conventions
    This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, and firewall technologies tutorial information is provided in the Appendices and on the Netgear website.
    This guide uses the following formats to highlight s
22. address to define the allowed range.
    c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
    Specify the Port Number that will be used for accessing the management interface.
    Web browser access normally uses the standard HTTPS service port 80. For greater security, you can change the remote management web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.
    Click Apply to have your changes take effect.
    When accessing your router from the Internet, you will type your router's WAN IP address into your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the custom port number. For example, if your external address is 134.177.0.123 and you use port number 8080, enter in your browser:
    https://134.177.0.123:8080
    Upgrading the Router's Firmware
    The software of the FR328S Firewall is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from NETGEAR's website. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.IMG) file before uploading
23. are lit for any local ports that are connected.
    c. The Internet Link port LED is lit.
    If a port's Link LED is lit, a link has been established to the connected device. If a port is connected to a 100 Mbps device, verify that the port's 100 LED is lit.
    If any of these conditions does not occur, refer to the appropriate following section.
    Power LED Not On
    If the Power and other LEDs are off when your firewall is turned on:
    • Make sure that the power cord is properly connected to your firewall and that the power supply adapter is properly connected to a functioning power outlet.
    • Check that you are using the 12VDC power adapter supplied by NETGEAR for this product.
    If the error persists, you have a hardware problem and should contact technical support.
    Test LED Never Turns On or Test LED Stays On
    When the firewall is turned on, the Test LED turns on for about 10 seconds and then turns off. If the Test LED does not turn on, or if it stays on, there is a fault within the firewall.
    If you experience problems with the Test LED:
    • Cycle the power to see if the firewall recovers and the LED blinks for the correct amount of time.
    If all LEDs including the Test LED are still on one minute after power up:
    • Cycle the power to see if the firewall recovers.
    • Clear the firewall's configuration to factory defaults
24. as the default gateway. If the IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC's Network Control Panel. Verify that the IP address of the firewall is listed as the default gateway, as described in "Verifying TCP/IP Properties" on page C-5. Check to see that the network address of your PC (the portion of the IP address specified by the netmask) is different from the network address of the remote device. Check that your cable or DSL modem is connected and functioning. If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu. Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your firewall to "clone" or "spoof" the MAC address from the authorized PC. Refer to "Manually Configuring Your Internet Connection" on page 3-16.
Restoring the Default Configuration and Password
This section explains how to restore the factory default configuration settings, changing the firewall's administration password to password and the IP address to 192.168.0.1. You can erase the current configuration and restore factory defaults in two ways: Use the Erase function o
25. at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.
26. domain to your frequently changing IP address. The firewall contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
How to Configure Dynamic DNS
Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall. From the Main Menu of the browser interface, under Advanced, click Dynamic DNS. Access the website of one of the dynamic DNS service providers whose names appear in the Select Service Provider box, and register for an account. For example, for dyndns.org, go to www.dyndns.org. Select the Use a dynamic DNS service check box. Select the name of your dynamic DNS Service Provider. Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. If your URL is myName.dyndns.org, then your Host Name is "myName". Type
27.
• Always: any traffic for this service type will be logged.
• Match: traffic of this type which matches the parameters and action will be logged.
• Not match: traffic of this type which does not match the parameters and action will be logged.
Inbound Rule Example: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-7, CU-SeeMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters.
[Figure 5-7: Rule example: Videoconference from Restricted Addresses. Inbound Services screen showing Service CU-SEEME (TCP/UDP:7648), Action ALLOW always, WAN Users Address Range, Log Not Match.]
Considerations for Inbound Rules
• If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
• If the IP a
28. for connecting to the company where you are employed. This router's address on your LAN is 192.168.0.100.
• Your company's network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company's firewall.
In this case you must define a static route, telling your firewall that 134.177.0.0 should be accessed through the ISDN router at 192.168.0.100. The static route would look like Figure 7-2.
In this example:
• The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
• The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN router at 192.168.0.100.
• A Metric value of 1 will work since the ISDN router is on the LAN. This represents the number of routers between your network and the destination. This is a direct connection, so it is set to 1.
• Private is selected only as a precautionary security measure in case RIP is activated.
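The routing decision in the static route example above, worked through as an added Python example (not part of the NETGEAR manual and not the firewall's own code). It assumes longest-prefix-match route selection; the ISP gateway label, the metrics of the two implicit routes and the helper names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    destination: ipaddress.IPv4Network
    gateway: str   # next-hop IP address, or a label for on-link / ISP routes
    metric: int


def net(address, mask):
    """Build a network from the address and subnet mask fields of the menu."""
    return ipaddress.ip_network(f"{address}/{mask}")


# The two implicit routes the manual describes. The ISP gateway and the
# metrics of these routes are not given on the page: constructed values.
IMPLICIT_ROUTES = [
    Route("default", net("0.0.0.0", "0.0.0.0"), "ISP-GATEWAY (placeholder)", 1),
    Route("lan", net("192.168.0.0", "255.255.255.0"), "on-link", 0),
]

# The static route from the manual's example: all 134.177.x.x addresses
# are reached through the ISDN router at 192.168.0.100, metric 1.
COMPANY_ROUTE = Route("company", net("134.177.0.0", "255.255.0.0"),
                      "192.168.0.100", 1)


def lookup(table, address):
    """Return the route used for address, or None if nothing matches.

    Assumed selection rule: the most specific destination (longest prefix)
    wins, and the lower metric breaks ties between equal prefixes.
    """
    ip = ipaddress.ip_address(address)
    matches = [r for r in table if ip in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.destination.prefixlen, -r.metric))


def add_static_route(table, route):
    """Return a new table containing route, after checking its gateway.

    The gateway has to sit on a directly connected network (here the LAN);
    a gateway that is only reachable through the default route would send
    the traffic straight back to the ISP.
    """
    gateway = ipaddress.ip_address(route.gateway)
    on_link = [r for r in table
               if r.gateway == "on-link" and gateway in r.destination]
    if not on_link:
        raise ValueError(f"gateway {gateway} is not on a connected network")
    return table + [route]


if __name__ == "__main__":
    target = "134.177.0.123"
    before = lookup(IMPLICIT_ROUTES, target)
    table = add_static_route(IMPLICIT_ROUTES, COMPANY_ROUTE)
    after = lookup(table, target)
    print(f"before: {target} -> {before.name} via {before.gateway}")
    print(f"after:  {target} -> {after.name} via {after.gateway}")
```

Reviewing a static route this way also shows what it exposes: every host matching the destination is handed to the gateway named in the route, so that gateway becomes a second path out of the LAN that bypasses the firewall's Internet port.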
29. is available, enter it also.
Note: DNS servers are required to perform the function of translating an Internet name such as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. You should reboot your PCs after configuring the firewall for these settings to take effect.
3. Click Apply to save the settings.
4. Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, Troubleshooting.
Configuring a Serial Port as the Primary Internet Connection
Use the procedure below to configure an Internet connection via the serial port of your firewall.
How to Configure the Serial Port for an Internet Connection
There are three steps to configuring the serial port of your firewall for an Internet connection:
1. Connect the firewall to your ISDN or dial-up analog modem.
2. Configure the firewall.
3. Connect to the Internet.
Follow the steps below to configure a serial port Internet connection on your firewall.
1. Connect the Firewall to your ISDN or dial-up modem.
a. Turn off your modem and connect the cable from the serial port of the FR328S to the modem.
b. Turn on the modem and wait about 30 seconds for the lights to stop blinking.
2. Configure the Serial Port of the Firewall.
a. Use a browser to log in to the firewall at http://192.168.0.1 with its default User Name of admi
30. single address account typically used by a single user with a modem, rather than a router. The FR328S Firewall employs an address-sharing method called Network Address Translation (NAT). This method allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your ISP.
The router accomplishes this address sharing by translating the internal LAN IP addresses to a single address that is globally unique on the Internet. The internal LAN IP addresses can be either private addresses or registered addresses. For more information about IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).
The following figure illustrates a single IP address operation.
[Figure 8-4: Single IP Address Operation Using NAT (private IP addresses assigned by user; IP addresses assigned by ISP)]
This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system. However, using port forwarding, you can allow one PC (for example, a Web serve
31. the User Name for your dynamic DNS account. Type the Password (or key) for your dynamic DNS account. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. Click Apply to save your configuration. You can now check the status of the Dynamic DNS connection by clicking Show Status.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.
Using Static Routes
Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network.
Static Route Example
As an example of when a static route is needed, consider the following case:
• Your primary Internet access is through a cable modem to an ISP.
• You have an ISDN router on your home network
32. the firewall after upgrading.
Chapter 7: Advanced Configuration
This chapter describes how to configure the advanced features of your FR328S ProSafe Firewall with Dial Back-Up.
Configuring Advanced Security
The FR328S ProSafe Firewall with Dial Back-Up provides a variety of advanced features, such as:
• Setting up a Demilitarized Zone (DMZ) Server
• The flexibility of configuring your LAN TCP/IP settings
• Connecting a Remote Access Server through the serial port
These features are discussed below.
Setting Up A Default DMZ Server
The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC's IP address is entered as the Default DMZ Server.
Note: For security, you should avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one
33. the single PC would normally use. When the firewall's Internet port is connected to the broadband modem, the firewall appears to be a single PC to the ISP. The firewall then allows the PCs on the local network to masquerade as the single PC to access the Internet through the broadband modem. The method used by the firewall to accomplish this is called Network Address Translation (NAT) or IP masquerading.
Are Login Protocols Used?
Some ISPs require a special login protocol, in which you must enter a login name and password in order to access the Internet. If you normally log in to your Internet account by running a program such as WinPOET or EnterNet, then your account uses PPP over Ethernet (PPPoE).
When you configure your router, you will need to enter your login name and password in the router's configuration menus. After your network and firewall are configured, the firewall will perform the login task when needed, and you will no longer need to run the login program from your PC. It is not necessary to uninstall the login program.
What Is Your Configuration Information?
More and more, ISPs are dynamically assigning configuration information. However, if your ISP does not dynamically assign configuration information but instead uses fixed configurations, your ISP should have given you the following basic information for your account:
34. use DHCP with the recommended default addresses, follow these steps:
1. Connect all PCs to the firewall, then restart the firewall and allow it to boot.
2. On each attached PC, open the Network control panel (refer to the previous section) and select the Configuration tab.
3. From the components list, select TCP/IP -> (your Ethernet adapter) and click Properties.
4. In the IP Address tab, select "Obtain an IP address automatically".
5. Select the Gateway tab.
6. If any gateways are shown, remove them.
7. Click OK.
8. Restart the PC.
9. Repeat steps 2 through 8 for each PC on your network.
Selecting Windows' Internet Access Method
1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.
2. Double-click the Internet Options icon.
3. Select "I want to set up my Internet connection manually" or "I want to connect through a Local Area Network" and click Next.
4. Select "I want to connect through a Local Area Network" and click Next.
5. Uncheck all boxes in the LAN Internet Configuration screen and click Next.
6. Proceed to the end of the Wizard.
Verifying TCP/IP Properties
After your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe:
1. On the Windows taskbar, click the Start butto
36. 10 seconds.
• The firewall's LOCAL LINK/ACT lights are lit for any computers that are connected to it.
• The firewall's INTERNET LINK light is lit, indicating a link has been established to the cable or DSL modem.
c. Next, use a browser like Internet Explorer or Netscape to log in to the firewall at its default address of http://192.168.0.1.
[Figure 3-4: Log in to the firewall]
A login window opens as shown in Figure 3-5 below:
[Figure 3-5: Login window]
d. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall User Name and password for the firewall Password, both in lower case letters.
Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.
3. Connect to the Internet
[Figure 3-6: Setup Wizard. The screen asks whether you will be using NAT (Network Address Translation) or Classical Routing, and notes that NAT is the default mode and should be chosen unless you are using valid IP addresses for all devices on your network; NAT allows sharing of a single valid IP address among a range of private IP addresses.]
37. [Figure 6-1: Router Status screen]
The Router Status menu provides a limited amount of status and usage information. From the Main Menu of the browser interface, under Maintenance, select Router Status to view the status screen, shown in Figure 6-1.
This screen shows the following parameters:
Table 6-1. Menu 3.2 - Router Status Fields
Field: Description
System Name: This field displays the Host Name assigned to the firewall in the Basic Settings menu.
Firmware Version: This field displays the firewall firmware version.
LAN Port: These parameters apply to the Local WAN port of the firewall.
  MAC Address: This field displays the Ethernet MAC address being used by the Local (LAN) port of the firewall.
  IP Address: This field displays the IP address being used by the Local (LAN) port of the firewall. The default is 192.168.0.1.
  IP Subnet Mask: This field displays the IP Subnet Mask being used by the Local (LAN) port of the firewall. The default is 255.255.255.0.
  IP Subnet Mask, Domain Name Servers (DNS)
  DHCP: If set to OFF, the firewall will not assign IP addresses to local PCs on the LAN. If set to ON, the firewall is configured to assign IP addresses to local PCs on the LAN.
WAN Port: Thes
38. 328S serial port lets you share the broadband connection of another FR328S, share resources between two LANs, and take advantage of the routing functions on the broadband WAN, LAN, and serial network interfaces.
Note: If you configure the serial port of the FR328S as the primary Internet connection, you will not be able to configure the other serial port options. For instructions on configuring the serial port as the primary Internet connection, please see "Configuring a Serial Port as the Primary Internet Connection" on page 3-13.
The FR328S provides these serial port configuration options:
• Modem: Use this option to configure the serial modem settings for any of the features below.
• Auto-Rollover: Use this option to provide a backup connection for your broadband service. If the broadband service you configured in the Basic Settings menu fails, the FR328S will automatically connect to the Internet through the serial port. However, you will then be accessing the Internet at a slower speed than you would through your broadband service.
• Dial-in: Dial-in lets a single remote computer connect to the FR328S through the serial port to gain access to LAN resources or a remote access server.
• LAN-to-LAN: LAN-to-LAN enables direct communications between two FR328S firewalls to:
  Share resources on the two LANs.
  Let users on one FR328S share the Internet connection of the other FR328S.
  Let users on one FR328S connect to the Interne
39. Enabling Security Event E-mail Notification
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-Mail subheading:
[Figure 6-7: E-mail notification menu. The screen offers Turn e-mail notification on, Send alerts and logs by e-mail (Outgoing Mail Server, E-mail Address), Send E-Mail alerts immediately (if a DoS attack is detected, if a Port Scan is detected, if someone attempts to access a blocked site), and Send logs according to this schedule.]
• Turn e-mail notification on: Check this box if you wish to receive e-mail logs and alerts from the firewall.
• Your outgoing mail server: Enter the name or IP address of your ISP's outgoing (SMTP) mail server (such as mail.myISP.com). You may be able to find this information in the configuration menu of your e-mail program. If you leave this box blank, log and alert messages will not be sent via e-mail.
• Send to this e-mail address: Enter the e-mail address to which logs and alerts are sent. This e-mail address will also be used as the From address. If you leave this box blank, log and alert messages will not be sent via e-mail.
You can specify that logs are automatically sent to t
40. BASE-T or 100BASE-Tx, RJ-45
Appendix B: Networks, Routing, and Firewall Basics
This chapter provides an overview of IP networks, routing, and networking.
Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet. The RFC documents outline and define the standard protocols and procedures for the Internet. The documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at many other sites worldwide.
Basic Router Concepts
Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area network (LAN). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access is usually provided by a slower-speed wide-area network (WAN) link such as a cable or DSL modem. In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router.
What is a Router?
A router is a device that forwards traffic between networks based on network layer information in t
41. IP address, following a backward slash (/), as "/n". In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.
Subnet Addressing
By looking at the addressing structures, you can see that even with a Class C address, there are a large number of hosts per network. Such a structure is an inefficient use of addresses if each end of a routed link requires a different network number. It is unlikely that the smaller office LANs would have that many devices. You can resolve this problem by using a technique known as subnet addressing.
Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers translating to 64,000 nodes. Most organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet addressing makes use of those bits that are free, as shown below.
[Figure 8-3: Example of Subnetting a Class B Address (Class B: Network, Subnet, Node)]
A Class B address can be effectively translated into multiple Class C addresses. For example, the IP address of 172.16.0.0 is assigned, but node addresses are limited to 255 maximu
42. Install and add them.
6. Select Internet Protocol (TCP/IP), click Properties, and verify that "Obtain an IP address automatically" is selected.
7. Click OK and close all Network and Dialup Connections windows.
8. Make sure your PC is connected to the firewall, then reboot your PC.
Verifying TCP/IP Properties
To check your PC's TCP/IP configuration:
1. On the Windows taskbar, click the Start button, and then click Run. The Run window opens.
2. Type cmd and then click OK. A command window opens.
3. Type ipconfig /all. Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:
• The IP address is between 192.168.0.2 and 192.168.0.254
• The subnet mask is 255.255.255.0
• The default gateway is 192.168.0.1
4. Type exit
Configuring the Macintosh for TCP/IP Networking
Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.
MacOS 8.6 or 9.x
1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens:
[Screenshot: TCP/IP Control Panel, with Connect via set to Ethernet and Configure set to Using DHCP Server]
43. P Properties on page C-5 or "Configuring the Macintosh for TCP/IP Networking" on page C-6 to find your PC's IP address. Follow the instructions in Appendix C to configure your PC.
Note: If your PC's IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the PC to the firewall and reboot your PC.
If your firewall's IP address has been changed and you don't know the current IP address, clear the firewall's configuration to factory defaults. This will set the firewall's IP address to 192.168.0.1. This procedure is explained in "Using the Default Reset button" on page 8-7.
Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.
Try quitting the browser and launching it again.
Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.
If the firewall does not save changes you have made in the Web Configuration Interface, check the following:
When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes are lost.
45. Quality Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows:
20 ft. (6 m) between the hub and the patch panel (if used)
295 ft. (90 m) from the wiring closet to the wall outlet
10 ft. (3 m) from the wall outlet to the desktop device
The patch panel and other connecting hardware must meet the requirements for 100 Mbps operation (Category 5). Only 0.5 inch (1.5 cm) of untwist in the wire pair is allowed at any termination point.
A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low quality cables, but at 100 Mbits/second (100BASE-Tx) the cable must be rated as Category 5, or "Cat 5", by the Electronic Industry Association (EIA). This rating will be printed on the cable jacket. A Category 5 cable will meet specified requirements regarding loss and crosstalk. In addition, there are restrictions on maximum cable length for both 10 and 100 Mbits/second networks.
Inside Twisted Pair Cables
For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device. Computers and workstation adapter cards are usually me
46. WAN.
Destination: The name or IP address of the destination device or website.
Destination port and interface: The service port number of the destination device, and whether it's on the LAN or WAN.
Log action buttons are described in Table 6-6.
Table 6-6. Security Log action buttons
Field: Description
Refresh: Click this button to refresh the log screen.
Clear Log: Click this button to clear the log entries.
Send Log: Click this button to email the log immediately.
Apply: Click this button to apply the current settings.
Cancel: Click this button to clear the current settings.
Selecting What Information to Log
Besides the standard information listed above, you can choose to log additional information. Those optional selections are as follows:
• All incoming and outgoing traffic
• Attempted access to blocked site
• Connections to the Web-based interface of this Router
• Router operation (start up, get time, etc.)
• Known DoS attacks and Port Scans
Saving Log Files on a Server
You can choose to write the logs to a PC running a syslog program. To activate this feature, check the Enable Syslog box and enter the IP address of the server where the log file will be written. Be sure to click Apply to save your changes.
Examples of log messages
47. a. You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.
b. Select the NAT option and click Next to follow the steps in the Setup Wizard to input the configuration parameters from your ISP to connect to the Internet. If you choose not to use NAT, each computer on the LAN connected to the FR328S must have a valid public IP address in the same subnet as the WAN port of the FR328S. For more information on NAT, please see "Single IP Address Operation Using NAT" on page B-8.
If you were unable to connect to the firewall, please refer to "Troubleshooting Basic Functions" on page 8-1.
Connecting the FR328S Firewall to the Internet
You are now ready to configure your firewall to connect to the Internet. There are two ways you can configure your firewall to connect to the Internet:
• Let the FR328S auto-detect the type of Internet connection you have and configure it.
• Manually choose which type of Internet connection you have and configure it.
These options are described below. Unless your ISP uses DHCP, you will need the parameters from your ISP you recorded in "Record Your Internet Connection Information" on page 3-3.
How to Auto Detect Your Internet Connection Type
The Web Configuration Manager built i
48. [Figure 6-4: Security Logs menu, showing "TCP packet dropped" log entries, the log action buttons, the "Include in Log" options, and the syslog settings]
Log entries are described in Table 6-5.
Table 6-5. Security Log entry descriptions
Field: Description
Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken, if any.
Source IP: The IP address of the initiating device for this log entry.
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or
49. adband Internet connection
Testing Your Internet Connection
After completing the Internet connection configuration, you can test your Internet connection. Log in to the firewall, then, from the Setup Basic Settings link, click on the Test button. If the NETGEAR website does not appear within one minute, refer to Chapter 8, Troubleshooting. To access the Internet from any computer connected to your firewall, launch a browser such as Microsoft Internet Explorer or Netscape Navigator. You should see the firewall's Internet LED blink, indicating communication to the ISP. The browser should begin to display a Web page. The following chapters describe how to configure the Advanced features of your firewall, and how to troubleshoot problems that may occur.
Manually Configuring Your Internet Connection
You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section.
ISP Does Not Require Login
Basic Settings menu fields: type of Internet connection (Broadband, No login; Broadband with Login, username/password; Serial Port, Modem or ISDN); Account Name (if Required): FR328S; Domain Name (if Required); NAT (Network Address Translation): Enable / Disable; Internet IP Addre
50. affic that matches or does not match the rule you have defined.
To access the Rules configuration of the FR328S, click the Rules link on the main menu, then click Add for either an Outbound or Inbound Service.
[Figure 5-5: Rules menu, showing the Outbound Services and Inbound Services rule tables]
• To edit an existing rule, select its button on the left side of the table and click Edit.
• To delete an existing rule, select its button on the left side of the table and click Delete.
• To move an existing rule to a different position in the table, select its button on the left side of the table and click Move. At the script prompt, enter the number of the desired new position and click OK.
Inbound Rules (Port Forwarding)
When Network Address Translation (NAT) is on, the FR328S presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a web server or game serv
51. and then click Properties. The TCP/IP Properties dialog box opens.
4. Select the IP Address tab. If an IP address and subnet mask are shown, write down the information. If an address is present, your account uses a fixed (static) IP address. If no address is present, your account uses a dynamically-assigned IP address. Click "Obtain an IP address automatically".
5. Select the Gateway tab. If an IP address appears under Installed Gateways, write down the address. This is the ISP's gateway address. Select the address and then click Remove to remove the gateway address.
Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.
Click OK to save your changes and close the TCP/IP Properties dialog box. You are returned to the Network window.
Click OK. Reboot your PC at the prompt. You may also be prompted to insert your Windows CD.
Obtaining ISP Configuration Information for Macintosh Computers
As mentioned above, you may need to collect configuration information from your Macintosh so that you can use this information when you configure the FR328S Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information
52. How to Configure Static Routes
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the firewall.
2. From the Main Menu of the browser interface, under Advanced, click on Static Routes to view the Static Routes menu.
3. To add or edit a Static Route:
a. Click Edit to open the Static Routes edit menu.
[Figure 7-2: Static Route Entry and Edit Menu, with the fields Route Name, Active, Private, Destination IP Address, IP Subnet Mask, Gateway IP Address and Metric]
b. Type a route name for this static route in the Route Name box under the table. This is for identification purposes only.
c. Select Active to make this route effective.
d. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
e. Type the Destination IP Address of the final destination.
f. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255.
g. Type the Gateway IP Address, which must be a router on the same LAN segment as the firewall.
h. Type a number between 1 a
53. band customer, or if you are in an area such as Austria that uses broadband PPTP, login is required. If so, select BigPond or PPTP from the Internet Service Type drop-down box.
Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers.
If needed, enter the PPPoE login user name and password provided by your ISP. These fields are case sensitive. To change the login timeout, enter a new value in minutes.
Note: You will no longer need to run the ISP's login program on your PC in order to access the Internet. When you start an Internet application, your firewall automatically logs you in.
Internet IP Address: If your ISP assigned you a permanent, fixed IP address for your PC, select "Use static IP address". Enter the IP address your ISP assigned. Also enter the netmask and the Gateway IP address. The Gateway is the ISP's router to which your firewall will connect.
Domain Name Server (DNS) Address: If your ISP does not automatically transmit DNS addresses to the firewall during login, select "Use these DNS servers" and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it.
Note: A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one or two DNS servers to your
54. be necessary to access your ISP's services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually.
2. If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select "Use these DNS servers" and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also.
Note: DNS servers are required to perform the function of translating an Internet name such as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must obtain DNS server addresses from your ISP and enter them manually here. You should reboot your PCs after configuring the firewall for these settings to take effect.
3. The Router's MAC Address is the Ethernet MAC address that will be used by the firewall on the Internet port. If your ISP allows access from only one specific computer's Ethernet MAC address, select "Use this MAC address". The firewall will then capture and use the MAC address of the computer that you are now using. You must be using the one computer that is allowed by the ISP. Otherwise, you can type in a MAC address.
Note: Some ISPs will regi
55. by this rule.
• Address range: If this option is selected, you must enter the Start and Finish fields.
• Single address: Enter the required address in the Start fields.
Log: You can select whether the traffic will be logged. The choices are:
• Never: no log entries will be made for this service.
• Always: any traffic for this service type will be logged.
• Match: traffic of this type which matches the parameters and action will be logged.
• Not match: traffic of this type which does not match the parameters and action will be logged.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 5-9.
[Figure 5-9: Rules table with examples]
For any traffic attempting to pass through the firewall, the pack
56. chapter you were viewing opens in a browser window. Click the print icon in the upper left of the window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
Chapter 2: Introduction
This chapter describes the features of the NETGEAR FR328S ProSafe Firewall with Dial Back-Up. The FR328S is a complete security solution that protects your network from attacks and intrusions. Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FR328S uses Stateful Packet Inspection for Denial of Service (DoS) attack protection and intrusion detection. The 8-port FR328S with auto fail-over connectivity through the serial port provides highly reliable Internet access for up to 253 users.
Key Features
The FR328S offers the following key features:
• Full routing capabilities on both the broadband and serial ports, enabling Internet access via either the serial or broadband ports.
• A powerful, true firewall with comprehensive content filtering options.
• Extensive protocol support.
• Configurable Auto Uplink Ethernet Connections.
• Easy installation and management.
These features are discussed below.
Full Routing on Both the Broadband and Serial Ports
You can install, configure and operate the FR328S to take full advantage of a variety of routing o
57. ck Sites link of the Security menu.
[Figure 5-2: Block Sites menu, with the "Turn keyword blocking on" check box, the keyword list with Add Keyword and Delete Keyword buttons, and the Trusted IP Address field]
3. To enable keyword blocking, check "Turn keyword blocking on", enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply. Some examples of Keyword application follow:
• If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.xxx.
• If the keyword ".com" is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed.
• Enter the keyword to block all Internet browsing access.
Up to 32 entries are supported in the Keyword list.
4. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.
5. To specify a Trusted User, enter that PC's IP address in the Trusted User box and click Apply. You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed IP address.
6. Click Apply to save your settings.
Services
Services are functions performed by server com
58. click Erase.
2. The firewall will then reboot automatically. After an erase, the firewall password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client will be enabled.
Note: To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the rear panel of the firewall. See "Using the Default Reset button" on page 8-7.
Running Diagnostic Utilities and Rebooting the Router
The FR328S Firewall has a diagnostics feature. You can use the diagnostics menu to perform the following functions from the firewall:
• Ping an IP Address to test connectivity, to see if you can reach a remote host.
• Perform a DNS Lookup to test if an Internet name resolves to an IP address, to verify that the DNS server configuration is working.
• Display the Routing Table to identify what other routers the router is communicating with.
• Reboot the Router to enable new network configurations to take effect or to clear problems with the router's network connection.
From the Main Menu of the browser interface, under the Maintenance heading, select the Router Diagnostics heading to display the menu shown in Figure 6-9.
Diagnostics menu fields: Ping an IP address: IP Address, Ping. Perform a DNS Lookup: Internet Name
59. [Figure 5-6: Rule example: A Local Public Web Server]
The parameters are:
Service: From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Services menu to add any additional services or applications that do not already appear.
Action: Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu.
Send to LAN Server: Enter the IP address of the PC or Server on your LAN which will receive the inbound traffic covered by this rule.
WAN Users: These settings determine which packets are covered by the rule, based on their source (WAN) IP address. Select the desired option:
• Any: All IP addresses are covered by this rule.
• Address range: If this option is selected, you must enter the Start and Finish fields.
• Single address: Enter the required address in the Start fields.
Log: You can select whether the traffic will be logged. The choices are:
• Never: no log entries will be made for this service.
61. d configuring the firewall, wait at least five minutes and check the date and time again.
• Time is off by one hour. Cause: The firewall does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked "Adjust for Daylight Savings Time".
Appendix A: Technical Specifications
This appendix provides technical specifications for the FR328S ProSafe Firewall with Dial Back-Up.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC, 1.2A output, 20W maximum
Physical Specifications
Dimensions: H: 1.56 in (3.96 cm), W: 10.0 in (25.4 cm), D: 9.0 in (17.8 cm)
Weight: 2.72 lb (1.23 kg)
Environmental Specifications
Operating temperature: 32° to 140° F (0° to 40° C)
Operating humidity: 90% maximum relative humidity, noncondensing
Electromagnetic Emissions
Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B
Interface Specifications
Local: 10BASE-T or 100BASE-Tx, RJ-45
Internet: 10
62. ddress is a unique 48-bit hardware address assigned to every network interface card. Usually written in the form 01:23:45:67:89:ab.
Maximum Receive Unit: The size in bytes of the largest packet that can be sent or received.
Maximum Transmit Unit: The size in bytes of the largest packet that can be sent or received.
Mbps: Megabits per second.
MDI/MDIX: In cable wiring, the concept of transmit and receive are from the perspective of the PC, which is wired as a Media Dependant Interface (MDI). In MDI wiring, a PC transmits on pins 1 and 2. At the hub, switch, router, or access point, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependant Interface - Crossover (MDI-X).
MTU: The size in bytes of the largest packet that can be sent or received.
packet: A block of information sent over a network. A packet typically contains a source and destination network address, some protocol and length information, a block of data, and a checksum.
Point-to-Point Protocol: PPP. A protocol allowing a computer using TCP/IP to connect directly to the Internet.
PPP: A protocol allowing a computer using TCP/IP to connect directly to the Internet.
PPPoA: PPPoA. PPP over ATM is a protocol for connecting remote hosts to the Internet over an always-on connection by simulating a dial-up connection.
PPPoE: PPPoE. PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an always-on connect
63. ddress of the local server PC is assigned by DHCP, it may change when the PC is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the PC's IP address constant.
• Local PCs must access the local server using the PC's local LAN address (192.168.0.11 in the example in Figure 5-7 above). Attempts by local PCs to access the server using the external WAN IP address will fail.
Outbound Rules (Service Blocking)
The FR328S allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering. You can define an outbound rule to block Internet access from a local PC based on the:
• IP address of the local PC (source address)
• IP address of the Internet site being contacted (destination address)
• Time of day
• Type of service being requested (service port number)
Following is an application example of outbound rules:
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked peri
64. dia dependent interface ports, called MDI or uplink ports. Most repeaters and switch ports are configured as media dependent interfaces with built-in crossover ports, called MDI-X or normal ports. Auto Uplink technology automatically senses which connection, MDI or MDI-X, is needed and makes the right connection.
Figure 8-5 illustrates straight-through twisted pair cable.
[Figure 8-5: Straight-Through Twisted Pair Cable. Key: A = Uplink or MDI port (as on a PC); B = Normal or MDI-X port (as on a hub or switch); 1, 2, 3, 6 = Pin numbers]
Figure 8-6 illustrates crossover twisted pair cable.
[Figure 8-6: Crossover Twisted Pair Cable. Key: B = Normal or MDI-X port (as on a hub or switch); 1, 2, 3, 6 = Pin numbers]
[Figure 8-7: Category 5 UTP Cable with Male RJ-45 Plug at Each End. Key: 1 = RJ-45 plug; 2 = Category 5 UTP patch cable]
Note: Flat "silver satin" telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
Uplink Switches, Crossover Cables, and MDI/MDIX Switching
In the wiring table above, the concept of transmit and receive are from the perspective of the PC, which is wired as Media Dependant Interface (MDI). In this wiring, the PC transmits on p
65. e parameters apply to the Internet (WAN) port of the firewall.
MAC Address: This field displays the Ethernet MAC address being used by the Internet (WAN) port of the firewall.
IP Address: This field displays the IP address being used by the Internet (WAN) port of the firewall. If no address is shown, the firewall cannot connect to the Internet.
DHCP: If set to None, the firewall is configured to use a fixed IP address on the WAN. If set to Client, the firewall is configured to obtain an IP address dynamically from the ISP.
This field displays the IP Subnet Mask being used by the Internet (WAN) port of the firewall.
This field displays the DNS Server IP addresses being used by the firewall. These addresses are usually obtained dynamically from the ISP.
Click the "Show Statistics" button to display firewall usage statistics, as shown in Figure 6-2 below.
[Figure 6-2: Router Statistics screen, listing Status, TxPkts, RxPkts, Collisions, Tx B/s, Rx B/s and Up Time for the WAN, LAN and Serial ports, with the System Up Time and the Poll Interval setting]
This screen shows the following statistics:
Table 6-2. Router Statistics Fields
Field: Description
WAN, LAN or: The statistics for the WAN (Internet), LAN (local) and Se
66. Where Do I Get the Internet Configuration Parameters
Record Your Internet Connection Information
Connecting the FR328S Firewall to Your LAN
How to Connect the Firewall to Your LAN
Connecting the FR328S Firewall to the Internet
How to Auto Detect Your Internet Connection Type
How to Complete the Wizard-Detected Login Account Setup
How to Complete the Wizard-Detected Dynamic IP Account Setup
How to Complete Wizard-Detected Fixed IP Account Setup
Configuring a Serial Port as the Primary Internet Connection
How to Configure the Serial Port for an Internet Connection
Testing Your Internet Connection
Manually Configuring Your Internet Connection
How to Manually Configure the Primary Internet Connection
Chapter 4: Serial Port Configuration
Configuring a Serial Port Modem
Basic Requirements for Serial Port Modem Configuration
How to
68. elow if you are using the default TCP/IP settings that NETGEAR recommends:
• The IP Address is between 192.168.0.2 and 192.168.0.254
• The Subnet mask is 255.255.255.0
• The Router address is 192.168.0.1
If you do not see these values, you may need to restart your Macintosh, or you may need to switch the "Configure" setting to a different option, then back again to "Using DHCP Server".
Verifying the Readiness of Your Internet Account
For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer. Your firewall does not support a USB-connected broadband modem.
For a single-user Internet account, your ISP supplies TCP/IP configuration information for one computer. With a typical account, much of the configuration information is dynamically assigned when your PC is first booted up while connected to the ISP, and you will not need to know that dynamic information.
In order to share the Internet connection among several computers, your firewall takes the place of the single PC, and you need to configure it with the TCP/IP information that
69. ent to use a different IP addressing scheme, you can make those changes in this menu.
The LAN TCP/IP Setup parameters are:
• IP Address: This is the LAN IP address of the firewall.
• IP Subnet Mask: This is the LAN Subnet Mask of the firewall. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
• RIP Direction: RIP (Router Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction selection controls how the firewall sends and receives RIP packets. Both is the default.
  When set to Both or Out Only, the firewall will broadcast its routing table periodically.
  When set to Both or In Only, it will incorporate the RIP information that it receives.
  When set to None, it will not send any RIP packets and will ignore any RIP packets received.
• RIP Version: This controls the format and the broadcasting method of the RIP packets that the router sends. It recognizes both formats when receiving. By default, this is set for RIP-1.
  RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you have an unusual network setup.
  RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format.
70. er) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is also known as port forwarding.
When NAT is off, all Internet addresses on your LAN are presented to the Internet, and outside users can directly address any of your local computers. For security purposes, do not turn NAT off unless the FR328S is behind another router or firewall.
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. Following are two application examples of inbound rules:
Inbound Rule Example: A Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of day. This rule is shown in Figure 5-6.
Inbound Services. Service: HTTP (TCP:80). A
71. ering Task Force: An organization responsible for providing engineering solutions for TCP/IP networks. In the network management area, this group is responsible for the development of the SNMP protocol.
Internet Control Message Protocol: ICMP is an extension to the Internet Protocol (IP) that supports packets containing error, control, and informational messages. The PING command, for example, uses ICMP to test an Internet connection.
Internet Protocol: The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it among all other computers on the Internet. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into little chunks called packets. Each of these packets contains both the sender's Internet address and the receiver's address. Any packet is sent first to a gateway computer that understands a small part of the Internet. The gateway computer reads the destination address and forwards the packet to an adjacent gateway that in turn reads the destination address, and so forth across the Internet until one gateway recognizes the packet as belonging to a computer within its immediate neighborhood or domain. That gateway then forwards the packet directly to the co
72. erver records and reports a list of names and IP addresses of Windows PCs on its local network. If you connect to a remote network that contains a WINS server, enter the server's IP address here. This allows your PCs to browse the network using the Network Neighborhood feature of Windows. Reserved IP addresses: When you specify a reserved IP address for a PC on the LAN, that PC will always receive the same IP address each time it accesses the firewall's DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. To reserve an IP address: 1. Click Add. 2. In the IP Address box, type the IP address to assign to the PC or server. Choose an IP address from the router's LAN subnet, such as 192.168.0.X. 3. Type the MAC Address of the PC or server. Tip: If the PC is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here. 4. Click Apply to enter the reserved address into the table. Note: The reserved address will not be assigned until the next time the PC contacts the router's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew. To edit or delete a reserved address entry: 1. Click the button next to the reserved address you want to edit or delete. 2. Click Edit or Delete. H
73. es on the LAN. For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See "IP Configuration by DHCP" on page B-10 for an explanation of DHCP and information about how to assign IP addresses for your network. Use router as DHCP server: If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the "Use router as DHCP server" check box. Otherwise, leave it checked. Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the firewall's LAN IP address. Using the default addressing scheme, you should define a range between 192.168.0.2 and 192.168.0.253, although you may wish to save part of the range for devices with fixed addresses. The firewall will deliver the following parameters to any LAN device that requests DHCP: an IP Address from the range you have defined; Subnet Mask; Gateway IP Address (is the firewall's LAN IP address); Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall's LAN IP address); Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu); WINS Server (short for Windows Internet Naming Service Server; determines the IP address associated with a particular Windows computer). A WINS s
74. et information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. The Move button allows you to relocate a defined rule to a new position in the table. Setting Times and Scheduling Firewall Services: The FR328S Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must select your Time Zone from the list. How to Set Your Time Zone: In order to localize the time for your log entries, you must specify your Time Zone. 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall. 2. Click Schedule on the Security menu to display the menu shown below. [Figure 5-10: Schedule Services menu, with a "Use this schedule for rules" check box, Days check boxes (Every Day, Sunday through Saturday), and Time of day settings (use 24-hour clock): All Day, Start Time (hour, minute)]
75. ewall is analyzed against the state of these connections in order to determine whether or not it will be allowed to pass through or rejected. Denial of Service Attack: A hacker may be able to prevent your network from operating or communicating by launching a Denial of Service (DoS) attack. The method used for such an attack can be as simple as merely flooding your site with more requests than it can handle. A more sophisticated attack may attempt to exploit some weakness in the operating system used by your router or gateway. Some operating systems can be disrupted by simply sending a packet with incorrect length information. Ethernet Cabling: Although Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal "straight-through" UTP Ethernet cable follows the EIA568B standard wiring as described below in Table B-1.
Table B-1. UTP Ethernet cable wiring, straight-through (Pin: Wire color, Signal)
Pin 1: Orange/White, Transmit (Tx+)
Pin 2: Orange, Transmit (Tx-)
Pin 3: Green/White, Receive (Rx+)
Pin 4: Blue
Pin 5: Blue/White
Pin 6: Green, Receive (Rx-)
Pin 7: Brown/White
Pin 8: Brown
Category 5 Cable
76. existing Service, select its button on the left side of the table and click Edit. To delete an existing Service, select its button on the left side of the table and click Delete. 3. Modify the menu shown below for defining or editing a service. [Figure 5-4: Add Services menu, with Service Definition fields Name, Type, Start Port, and Finish Port] 4. Click Apply to save your changes. Rules: Firewall rules are used to block or allow specific traffic passing through from one side to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to. A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FR328S are: Inbound: Block all access from outside except responses to requests from the LAN side. Outbound: Allow all access from the LAN side to the outside. You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log tr
77. f addresses, and you can choose a nonstandard port number. Smart Wizard: The firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account. Diagnostic functions: The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Internet connectivity and reboot the firewall. You can use these diagnostic functions directly from the FR328S when you are connected on the LAN or when you are connected over the Internet via the remote management function. Visual monitoring: The firewall's front panel LEDs provide an easy way to monitor its status and activity. Flash EPROM for firmware upgrade. What's in the Box: The product package should contain the following items: FR328S ProSafe Firewall with Dial Back Up; AC power adapter; Category 5 (CAT5) Ethernet cable; Resource CD (SW-10045-01), including this manual and Application Notes, Tools, and other helpful information; Warranty and registration card; Support information card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair. The Firewall's Front Panel: The front pane
78. f the Web Configuration Manager (see "Backing Up, Restoring, or Erasing Your Settings" on page 6-9). Use the Default Reset button on the rear panel of the firewall. Use this method for cases when the administration password or IP address is not known. Using the Default Reset button: To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the firewall. To restore the factory default configuration settings, follow these steps: 1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds). [Figure 8-1: Reset Button] 2. Release the Default Reset button and wait for the firewall to reboot. Problems with Date and Time: The E-Mail menu in the Content Filtering section displays the current date and time of day. The FR328S Firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include: Date shown is January 1, 2000. Cause: The firewall has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just complete
79. firewall during login. If the ISP does not transfer an address, you must obtain it from the ISP and enter it manually here. If you enter an address here, you should reboot your PCs after configuring the firewall. Router's MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by "cloning" its MAC address. To change the MAC address, select "Use this Computer's MAC address." The firewall will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP. Or, select "Use this MAC address" and enter it. Click Apply to save your settings. Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, Troubleshooting. Chapter 4, Serial Port Configuration: This chapter describes how to configure the serial port options of your FR328S ProSafe Firewall with Dial Back Up. The FR
80. guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. EN 55 022 Declaration of Conformance: This is to certify that the FR328S ProSafe Firewall with Dial Back Up is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22). Certificate of the Manufacturer/Importer: It is hereby certified that the FR328S ProSafe Firewall with Dial Back Up has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been informed that this device on the mark
81. gured with a gateway address and one or more DNS server addresses. As an alternative to manual configuration, there is a method by which each PC on the network can automatically obtain this configuration information. A device on the network may act as a Dynamic Host Configuration Protocol (DHCP) server. The DHCP server stores a list or pool of IP addresses, along with other information (such as gateway and DNS addresses) that it may assign to the other devices on the network. The FR328S Firewall has the capacity to act as a DHCP server. The FR328S Firewall also functions as a DHCP client when connecting to the ISP. The firewall can automatically obtain an IP address, subnet mask, DNS server addresses, and a gateway address if the ISP provides this information by DHCP. Internet Security and Firewalls: When your LAN connects to the Internet through a router, an opportunity is created for outsiders to access or disrupt your network. A NAT router provides some protection because, by the very nature of the process, the network behind the router is shielded from access by outsiders on the Internet. However, there are methods by which a determined hacker can possibly obtain information about your network or, at the least, can disrupt your Internet access. A greater degree of protection is provided by a firewall router.
82. he data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic. Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The FR328S ProSafe Firewall with Dial Back Up is a small office router that routes the IP protocol over a single-user broadband connection. Routing Information Protocol: One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The FR328S Firewall supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications. IP Addresses and the Internet: Because TCP/IP networks are interconnected across the world, every machine on the Internet must have a unique address to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet
83. he local LAN and the Internet WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The firewall incorporates Auto Uplink technology. Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a "normal" connection, such as to a PC, or an "uplink" connection, such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. Easy Installation and Management: You can install, configure, and operate the FR328S within minutes after connecting it to the network. The following features simplify installation and management tasks. Browser-based management: Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based interface. Remote management: The firewall allows you to log in to the browser-based management interface from a remote location via the Internet using SSL encryption. For security, you can limit remote management access to a specified remote IP address or range o
84. he specified e-mail address with these options: Send alert immediately: Check this box if you would like immediate notification of a significant security event, such as a known attack, port scan, or attempted access to a blocked site. Send logs according to this schedule: Specifies how often to send the logs: Hourly, Daily, Weekly, or When Full. Day for sending log: Specifies which day of the week to send the log. Relevant when the log is sent weekly or daily. Time for sending log: Specifies the time of day to send the log. Relevant when the log is sent daily or weekly. If the Weekly, Daily, or Hourly option is selected and the log fills up before the specified period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, the log is cleared from the firewall's memory. If the firewall cannot e-mail the log file, the log buffer may fill up. In this case, the firewall overwrites the log and discards its contents. Backing Up, Restoring, or Erasing Your Settings: The configuration settings of the FR328S Firewall are stored in a configuration file in the firewall. This file can be backed up to your computer, restored, or reverted to factory default settings. The procedures below explain how to do these tasks. How to Back Up the Configuration to a File: 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or us
85. ied by server> Subnet mask: <will be supplied by server> Router address: <will be supplied by server> Search domains: Name server addr.: <will be supplied by server> 2. From the "Connect via" box, select your Macintosh's Ethernet interface. 3. From the "Configure" box, select Using DHCP Server. You can leave the DHCP Client ID box empty. 4. Close the TCP/IP Control Panel. 5. Repeat this for each Macintosh on your network. MacOS X: 1. From the Apple menu, choose System Preferences, then Network. 2. If not already selected, select Built-in Ethernet in the Configure list. 3. If not already selected, select Using DHCP in the TCP/IP tab. 4. Click Save. Verifying TCP/IP Properties for Macintosh Computers: After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. [TCP/IP Control Panel: Connect via: Ethernet; Configure: Using DHCP Server; DHCP Client ID: (empty); IP Address: 192.168.0.2; Subnet mask: 255.255.255.0; Router address: 192.168.0.1; Search domains: (empty); Name server addr.: 192.168.0.1] The panel is updated to show your settings, which should match the values b
86. in DSL: Short for digital subscriber line, but is commonly used in reference to the asymmetric version of this technology (ADSL) that allows data to be sent over existing copper telephone lines at data rates of from 1.5 to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data (known as the upstream rate). ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world gain access. DSLAM: DSL Access Multiplexor. The piece of equipment at the telephone company central office that provides the ADSL signal. Dynamic Host Configuration Protocol: DHCP. An Ethernet protocol specifying how a centralized DHCP server can assign network configuration information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and gateway (router) addresses. Ethernet: A LAN specification developed jointly by Xerox, Intel, and Digital Equipment Corporation. Ethernet networks transmit packets at a rate of 10 Mbps. Gateway: A local device, usually a router, that connects hosts on a local network to other networks. ICMP: See "Internet Control Message Protocol." IEEE: Institute of Electrical and Electronics Engineers. This American organization was founded in 1963 and sets standards for computers and communications. IETF: Internet Engine
87. ing whatever password and LAN address you have chosen for the firewall. 2. From the Maintenance heading of the Main Menu, select the Settings Backup menu as seen in Figure 6-8. [Figure 6-8: Settings Backup menu, with "Save a copy of current settings" (Backup), "Restore saved settings from file" (Browse, Restore), and "Revert to factory default settings" (Erase)] 3. Click Backup to save a copy of the current settings. 4. Store the .cfg file on a computer on your network. How to Restore a Configuration from a File: 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall. 2. From the Maintenance heading of the Main Menu, select the Settings Backup menu as seen in Figure 6-8. 3. Enter the full path to the file on your network or click Browse to browse to the file. 4. When you have located the .cfg file, click Restore to upload the file to the firewall. 5. The firewall will then reboot automatically. How to Erase the Configuration: It is sometimes desirable to restore the firewall to the factory default settings. This can be done by using the Erase function. 1. To erase the configuration, from the Maintenance menu Settings Backup link
88. ins 1 and 2. At the hub, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependent Interface Crossover (MDI-X). When connecting a PC to a PC, or a hub port to another hub port, the transmit pair must be exchanged with the receive pair. This exchange is done by one of two mechanisms. Most hubs provide an Uplink switch which will exchange the pairs on one port, allowing that port to be connected to another hub using a normal Ethernet cable. The second method is to use a crossover cable, which is a special cable in which the transmit and receive pairs are exchanged at one of the two cable connectors. Crossover cables are often unmarked as such, and must be identified by comparing the two connectors. Since the cable connectors are clear plastic, it is easy to place them side by side and view the order of the wire colors on each. On a straight-through cable, the color order will be the same on both connectors. On a crossover cable, the orange and blue pairs will be exchanged from one connector to the other. The FR328S Firewall incorporates Auto Uplink technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink co
89. ion by simulating a dial-up connection. PPP over ATM: PPPoA. PPP over ATM is a protocol for connecting remote hosts to the Internet over an always-on connection by simulating a dial-up connection. PPP over Ethernet: PPPoE. PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an always-on connection by simulating a dial-up connection. PPTP: Point-to-Point Tunneling Protocol. A method for establishing a virtual private network (VPN) by embedding Microsoft's network protocol into Internet packets. Protocol: A set of rules for communication between devices on a network. PSTN: Public Switched Telephone Network. QoS: See "Quality of Service." Quality of Service: QoS is a networking term that specifies a guaranteed level of throughput. Throughput is the amount of data transferred from one device to another or processed in a specified amount of time; typically, throughputs are measured in bytes per second (Bps). RFC: Request For Comment. Refers to documents published by the Internet Engineering Task Force (IETF) proposing standard protocols and procedures for the Internet. RFCs can be found at www.ietf.org. router: A device that forwards data between networks. An IP router forwards data based on IP source and destination addresses. Segment: A section of a LAN that is connected to the rest of the
90. it to the firewall. Note: The Web browser used to upload new firmware into the firewall must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer 5.0 or Netscape Navigator 4.7 and above. How to Upgrade the Router: 1. Download and unzip the new software file from the NETGEAR web site. 2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall. 3. From the Main Menu of the browser interface, under the Maintenance heading, select the Router Upgrade heading to display the menu shown in Figure 6-10. [Figure 6-10: Router Upgrade menu, "Locate and select the upgrade file from your hard disk" (Browse, Upload, Cancel)] 4. In the Router Upgrade menu, click Browse to locate the binary (.IMG) upgrade file. 5. Click Upload. Note: When uploading software to the firewall, it is important not to interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it may corrupt the software. When the upload is complete, your firewall will automatically restart. The upgrade process will typically take about one minute. In some cases, you may need to clear the configuration and reconfigure
91. l automatically log you in. 3. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select "Use these DNS servers" and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. Note: If you enter an address here, after you finish configuring the firewall, reboot your PCs so that the settings take effect. 4. Click Apply to save your settings. 5. Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, Troubleshooting. How to Complete the Wizard-Detected Dynamic IP Account Setup: If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the menu shown in Figure 3-9 below. [Figure 3-9: Setup Wizard menu for Dynamic IP address, with fields Account Name (if required), Domain Name (if required), Domain Name Server (DNS) Address (Get Automatically From ISP, or Use These DNS Servers: Primary DNS, Secondary DNS), Router's MAC Address (Use Default Address, or Use This MAC Address), and buttons Apply, Cancel, Test] 1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may
92. l of the FR328S (Figure 2-1) contains status LEDs. [Figure 2-1: FR328S Front Panel] You can use some of the LEDs to verify connections. Table 2-1 lists and describes each LED on the front panel of the firewall. These LEDs are green when lit, except for the TEST LED, which is amber.
Table 2-1. LED Descriptions (Label, Activity: Description)
POWER, On: Power is supplied to the firewall.
TEST, On: The system is initializing.
TEST, Off: The system is ready and running.
MODEM, On/Blinking: The port detected a link with the Internet WAN connection or Remote Access Server. Blinking indicates data transmission.
INTERNET 100, On/Blinking: The Internet port is operating at 100 Mbps.
INTERNET LINK/ACT (Link/Activity), On/Blinking: The port detected a link with the Internet WAN connection and is operating at 10 Mbps. Blinking indicates data transmission.
LOCAL 100, On/Blinking: The Local port is operating at 100 Mbps.
LOCAL LINK/ACT (Link/Activity), On/Blinking: The Local port has detected a link with a LAN connection and is operating at 10 Mbps. Blinking indicates data transmission.
The Firewall's Rear Panel: The rear panel of the FR328S (Figure 2-2) contains the connections identified below. [Figure 2-2: rear panel, with LOCAL 10/100M and INTERNET ports]
93. [Contents, partly illegible] How to Restore a Configuration from a File; How to Erase the Configuration; Running Diagnostic Utilities and Rebooting the Router; Enabling Remote Management; How to Upgrade the Router. Chapter 7, Advanced Configuration: Configuring Advanced Security; Setting Up A Default DMZ Server; Respond to Ping on Internet WAN Port; How to Configure Dynamic DNS; Using Static Routes; How to Configure Static Routes. Chapter 8, Troubleshooting: Power LED Not On
94. link technology (also called MDI/MDIX) eliminates the need to worry about crossover vs. straight-through Ethernet cables. Auto Uplink will accommodate either type of cable to make the right connection. Bandwidth: The information capacity, measured in bits per second, that a channel could transmit. Bandwidth examples include 10 Mbps for Ethernet, 100 Mbps for Fast Ethernet, and 1000 Mbps (1 Gbps) for Gigabit Ethernet. Baud: The signaling rate of a line, that is, the number of transitions (voltage or frequency changes) made per second. Also known as line speed. Broadcast: A packet sent to all devices on a network. Class of Service: A term to describe treating different types of traffic with different levels of service priority. Higher priority traffic gets faster treatment during times of switch congestion. Cat 5: Category 5 unshielded twisted pair (UTP) cabling. An Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low-quality cables, but at 100 Mbits/second (100BASE-Tx) the cable must be rated as Category 5, or Cat 5 or Cat V, by the Electronic Industry Association (EIA). This rating will be printed on the cable jacket. Cat 5 cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. In addition, there are restrictions on maximum cable length for both 10 a
95. login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following: Login Name, Password, Service Name. Fixed or Static IP Address: If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address. Fixed or Static Internet IP Address, Subnet Mask, Gateway IP Address. ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address, Secondary DNS Server IP Address. Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home. If you haven't been given host or domain names, you can use the following examples as a guide: • If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name. • If your ISP's mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name. ISP Host Name, ISP Domain Name. For Serial Port Internet Access: If you use a dial-up account, record the following: Account/User Name, Password, Telephone number, Alternative number. Connecting the FR328S Firewall to Your LAN: This section provides instructions for connecting the FR328S P
96. m allowing eight extra bits to use as a subnet address. The IP address of 172.16.97.235 would be interpreted as IP network address 172.16, subnet number 97, and node number 235. In addition to extending the number of addresses available, subnet addressing provides other benefits. Subnet addressing allows a network manager to construct an address scheme for the network by using different subnets for other geographical locations in the network or for other departments in the organization. Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address. The new netmask (or subnet mask) is 255.255.255.128. The first subnet has network number 192.68.135.0 with hosts 192.68.135.1 to 192.68.135.126, and the second subnet has network number 192.68.135.128 with hosts 192.68.135.129 to 192.68.135.254. Note: The number 192.68.135.127 is not assigned because it is the broadcast address of the first subnet. The number 192.68.135.128 is not assigned because it is the network address
97. me to work, all devices on the segment must agree on which bits comprise the host address. • So that a local router or bridge recognizes which addresses are local and which are remote. Private IP Addresses: If your local network is isolated from the Internet (for example, when using NAT), you can assign any IP addresses to the hosts without problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks: 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255, 192.168.0.0 - 192.168.255.255. Choose your private network number from this range. The DHCP server of the FR328S Firewall is preconfigured to automatically assign private addresses. Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines explained here. For more information about address assignment, refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space. The Internet Engineering Task Force (IETF) publishes RFCs on its Web site at www.ietf.org. Single IP Address Operation Using NAT: In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a
98. mputer names to IP addresses. If a remote network contains a WINS server, your Windows PCs can gather information from that WINS server about its local hosts. This allows your PCs to browse that remote network using the Windows Network Neighborhood feature. WINS: WINS (Windows Internet Naming Service) is a server process for resolving Windows-based computer names to IP addresses.
99. mputer whose address is specified. Because a message is divided into a number of packets, each packet can, if necessary, be sent by a different route across the Internet. Packets can arrive in a different order than they were sent. The Internet Protocol just delivers them. It's up to another protocol, the Transmission Control Protocol (TCP), to put them back in the right order. IP is a connectionless protocol, which means that there is no continuing connection between the end points that are communicating. Each packet that travels through the Internet is treated as an independent unit of data without any relation to any other unit of data. (The reason the packets do get put in the right order is because of TCP, the connection-oriented protocol that keeps track of the packet sequence in a message.) In the Open Systems Interconnection (OSI) communication model, IP is in Layer 3, the Networking Layer. The most widely used version of IP today is IP version 4 (IPv4). However, IP version 6 (IPv6) is also beginning to be supported. IPv6 provides for much longer addresses and therefore for the possibility of many more Internet users. IPv6 includes the capabilities of IPv4, and any server that can support IPv6 packets can also support IPv4 packets. IP: See Internet Protocol. IP Address: A four-byte number uniquely defining each host on the Internet, usually written in dotted-decimal notation with periods separating the bytes (for example, 134.177.244.57). Range
100. n. The procedures for filling in the configuration menu for each type of connection follow below. How to Complete the Wizard-Detected Login Account Setup: If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in Figure 3-8. [Figure 3-8: Setup Wizard menu for PPPoE login accounts] 1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. If you leave the Domain Name field blank, the firewall will attempt to learn the domain automatically from the ISP. If this is not successful, you may need to enter it manually. 2. Enter the PPPoE login user name and password provided by your ISP. These fields are case sensitive. If you wish to change the login timeout, enter a new value in minutes. Note: You will no longer need to launch the ISP's login program on your PC in order to access the Internet. When you start an Internet application, your firewall wil
101. n, and then click Run. 2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things) your IP address, subnet mask, and default gateway. 3. From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: • The IP address is between 192.168.0.2 and 192.168.0.254 • The subnet mask is 255.255.255.0 • The default gateway is 192.168.0.1. Configuring Windows NT, 2000, or XP for IP Networking: As part of the PC preparation process, you need to manually install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process. Install or Verify Windows Networking Components: To install or verify the necessary components for IP networking: 1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel. 2. Double-click the Network and Dialup Connections icon. 3. If an Ethernet adapter is present in your PC, you should see an entry for Local Area Connection. Double-click that entry. 4. Select Properties. 5. Verify that Client for Microsoft Networks and Internet Protocol (TCP/IP) are present. If not, select
102. n and default Password of password, or using whatever Password you have set up. b. From the Setup Basic Settings menu, click Serial Port. [Figure 3-11: Serial Internet Connection configuration menu] c. Fill in the ISDN or analog ISP Internet configuration parameters as appropriate: • For a Dial-up Account, enter the Account information. Check "Connect as required" to enable the firewall to automatically dial the number. To enable Idle Time disconnect, check the box and enter a time in minutes. • To configure the Internet IP settings, fill in the address parameters your ISP provided. d. Configure the Modem parameters.
103. n items, refer to Appendix B, "Networks, Routing, and Firewall Basics." The FR328S Firewall is shipped preconfigured as a DHCP server. The firewall assigns the following TCP/IP configuration information automatically when the PCs are rebooted: • PC or workstation IP addresses: 192.168.0.2 through 192.168.0.254 • Subnet mask: 255.255.255.0 • Gateway address (the firewall): 192.168.0.1. These addresses are part of the IETF-designated private address range for use in private networks. Configuring Windows 95, 98, and ME for TCP/IP Networking: As part of the PC preparation process, you need to manually install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process. Install or Verify Windows Networking Components: To install or verify the necessary components for IP networking: 1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel. 2. Double-click the Network icon. The Network window opens, which displays a list of installed components.
104. n to the firewall contains a Setup Wizard that can automatically determine your network connection type. 1. If your firewall has not yet been configured, the Setup Wizard should launch automatically. When the Wizard launches, select Yes in the menu below to allow the firewall to automatically determine your connection. [Figure 3-7: Setup Wizard. The menu asks "Will you be using NAT (Network Address Translation) or Classical Routing?" and states: NAT is the default mode and should be chosen unless you are using valid IP addresses for all devices on your network. NAT allows sharing of a single valid IP address among a range of private IP addresses.] Note: If you do not see the Setup Wizard, click the Setup Wizard link in the upper left to bring up this menu. 2. Click Next. The Setup Wizard will now check for the following connection types: • Dynamic IP assignment • A login protocol such as PPPoE • Fixed IP address assignment. Next, the Setup Wizard will report which connection type it has discovered, and then display the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your firewall and the cable or DSL modem. When the connection is properly made, the firewall's Internet LED should be o
105. nalog phone line with an active ISDN or dial-up ISP account. • A serial modem properly configured and attached to the DB9 connector on the serial port. • A broadband connection to one FR328S for LAN-to-LAN auto-rollover Internet access. • The LAN-to-LAN settings configured and applied to the two FR328S firewalls. How to Configure LAN-to-LAN Connections: Follow the steps below to configure a serial port LAN-to-LAN connection. 1. Configure a serial port modem according to the instructions above. 2. From the main menu, click LAN to LAN in the Serial Port section. [Figure 4-5: LAN to LAN configuration menu] 3. Configure the LAN-to-LAN settings. Note: The LAN subnet address of each FR328S must be different. 4. Click Apply for the changes to take effect.
106. nd 100 Mbits/second networks. DHCP: An Ethernet protocol specifying how a centralized DHCP server can assign network configuration information to multiple DHCP clients. The assigned information includes IP addresses, DNS addresses, and gateway (router) addresses. DMZ: Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. There are security issues with doing this, so only do this if you're willing to risk open access. DNS: Short for Domain Name System (or Service), an Internet service that translates domain names into IP addresses. Because domain names are alphabetic, they're easier to remember. The Internet, however, is really based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4. The DNS system is, in fact, its own network. If one DNS server doesn't know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned. Domain Name: A descriptive name for an address or group of addresses on the Internet. Domain names are of the form of a registered entity name plus one of a number of predefined top-level suffixes such as .com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the doma
107. nd 15 as the Metric value. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1. 4. Click Apply to have the static route entered into the table. Chapter 8 Troubleshooting: This chapter gives information about troubleshooting your FR328S ProSafe Firewall with Dial Back Up. For the common problems listed, go to the section indicated. • Is the firewall on? • Have I connected the firewall correctly? Go to "Basic Functions" on page 8-1. • I can't access the firewall's configuration with my browser. Go to "Troubleshooting the Web Configuration Interface" on page 8-3. • I've configured the firewall but I can't access the Internet. Go to "Troubleshooting the ISP Connection" on page 8-4. • I can't remember the firewall's configuration password. • I want to clear the configuration and start over again. Go to "Restoring the Default Configuration and Password" on page 8-7. Basic Functions: After you turn on power to the firewall, the following sequence of events should occur: 1. When power is first applied, verify that the Power LED is on. 2. Verify that the Test LED lights within a few seconds, indicating that the self-test procedure is running. 3. After approximately 10 seconds, verify that: a. The Test LED is not lit. b. The Local port Link LEDs
108. network using a switch, bridge, or repeater. Subnet Mask: Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router. TCP/IP: The main internetworking protocols used in the Internet. The Internet Protocol (IP) used in conjunction with the Transfer Control Protocol (TCP) form TCP/IP. UTP: Unshielded twisted pair is the cable used by 10BASE-T and 100BASE-Tx Ethernet networks. WAN: See Wide Area Network. Web: Also known as World-Wide Web (WWW) or W3. An Internet client-server system to distribute information, based upon the hypertext transfer protocol (HTTP). WEB Proxy Server: A Web proxy server is a specialized HTTP server that allows clients access to the Internet from behind a firewall. The proxy server listens for requests from clients within the firewall and forwards these requests to remote Internet servers outside the firewall. The proxy server reads responses from the external servers and then sends them to internal clients. Wide Area Network: A WAN is a computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local-area networks (LANs). Windows Internet Naming Service: WINS (Windows Internet Naming Service) is a server process for resolving Windows-based co
109. nnection (e.g., connecting to a router, switch, or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. Appendix C Preparing Your Network: This appendix describes how to prepare your network to connect to the Internet through the FR328S ProSafe Firewall with Dial Back Up and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of your firewall. Write down this information before reconfiguring your computers. Refer to "Obtaining ISP Configuration Information for Windows Computers" on page C-10 or "Obtaining ISP Configuration Information for Macintosh Computers" on page C-11 for further information. Preparing Your Computers for TCP/IP Networking: Computers access the Internet using a protocol called TCP/IP, Transmission Control Protoc
110. o the firewall. Note: The FR328S Firewall incorporates Auto Uplink technology. Each LOCAL Ethernet port will automatically sense whether the cable plugged into the port should have a normal connection (e.g., connecting to a PC) or an uplink connection (e.g., connecting to a switch or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. e. Turn on the Cable or DSL modem and wait about 30 seconds for the lights to stop blinking. 2. Log in to the Firewall. Note: To connect to the firewall, your computer needs to be configured to obtain an IP address automatically via DHCP. Please refer to Appendix C, "Preparing Your Network," for instructions on how to do this. a. Turn on the firewall and wait for the Test light to stop blinking. b. Now, turn on your computer. Note: If you usually run software to log in to your Internet connection, do not run that software. Now that the Cable or DSL Modem, firewall, and the computer are turned on, verify the following: • When power to the firewall was first turned on, the PWR light went on, the TEST light turned on within a few seconds, and then went off after approximately
111. od [Figure 5-8: Rule example: Blocking Instant Messenger] The parameters are: Service: From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Services menu to add any additional services or applications that do not already appear. Action: Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu. LAN Users: These settings determine which packets are covered by the rule, based on their source LAN IP address. Select the desired option: • Any: All IP addresses are covered by this rule. • Address range: If this option is selected, you must enter the Start and Finish fields. • Single address: Enter the required address in the Start fields. WAN Users: These settings determine which packets are covered by the rule, based on their destination WAN IP address. Select the desired option: • Any: All IP addresses are covered
112. of the second subnet. The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240. Table 8-1. Netmask Notation Translation Table for One Octet (Number of Bits = Dotted-Decimal Value): 1 = 128; 2 = 192; 3 = 224; 4 = 240; 5 = 248; 6 = 252; 7 = 254; 8 = 255. The following table displays several common netmask values in both the dotted-decimal and the mask length formats. Table 8-2. Netmask Formats (Dotted-Decimal = Masklength): 255.0.0.0 = /8; 255.255.0.0 = /16; 255.255.255.0 = /24; 255.255.255.128 = /25; 255.255.255.192 = /26; 255.255.255.224 = /27; 255.255.255.240 = /28; 255.255.255.248 = /29; 255.255.255.252 = /30; 255.255.255.254 = /31; 255.255.255.255 = /32. Configure all hosts on a LAN segment to use the same netmask for the following reasons: • So that hosts recognize local IP broadcast packets. When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address. In order for this sche
113. of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server. To assign a computer or server to be a Default DMZ server: 1. Click Default DMZ Server. 2. Type the IP address for that server. 3. Click Apply. Respond to Ping on Internet WAN Port: If you want the firewall to respond to a ping from the Internet, click the Respond to Ping on Internet WAN Port check box. This should only be used as a diagnostic tool, since it allows your firewall to be discovered. Don't check this box unless you have a specific reason to do so. Configuring LAN IP Settings: The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface. LAN TCP/IP Setup: The firewall is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The firewall's default LAN IP configuration is: • LAN IP addresses: 192.168.0.1 • Subnet mask: 255.255.255.0. These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirem
114. ol/Internet Protocol. Each computer on your network must have TCP/IP installed and selected as its networking protocol. If a Network Interface Card (NIC) is already installed in your PC, then TCP/IP is probably already installed as well. Most operating systems include the software components you need for networking with TCP/IP: • Windows 95 or later includes the software components for establishing a TCP/IP network. • Windows 3.1 does not include a TCP/IP component. You need to purchase a third-party TCP/IP application package such as NetManage Chameleon. • Macintosh Operating System 7 or later includes the software components for establishing a TCP/IP network. • All versions of UNIX or Linux include TCP/IP components. Follow the instructions provided with your operating system or networking software to install TCP/IP on your computer. In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup. For a detailed explanation of the meaning and purpose of these configuratio
115. ow to Configure LAN TCP/IP Setup: 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall. 2. From the Main Menu, under Advanced, click the LAN IP Setup link to view the menu shown in Figure 7-1. [Figure 7-1: LAN IP Setup Menu] 3. Enter the TCP/IP, MTU, or DHCP parameters. 4. Click Apply to save your changes. Configuring Dynamic DNS: If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service, which will allow you to register your domain to their IP address, and will forward traffic directed at your
116. ow to configure a serial port auto-rollover connection: 1. Configure a serial port modem according to the instructions above. 2. From the main menu, click Auto-rollover in the Serial Port section. [Figure 4-2: Auto Rollover configuration menu] 3. Configure the Auto Rollover settings. 4. Click Apply for the changes to take effect. Configuring Dial-in on the Serial Port: Dial-in lets a single remote computer connect to the FR328S through the serial port to gain access to LAN resources or a remote access server. Be sure you have prepared the basic requirements listed below, then follow the how-to procedure.
117. • An IP address and subnet mask • A gateway IP address, which is the address of the ISP's router • One or more domain name server (DNS) IP addresses • Host name and domain suffix. For example, your account's full server names may look like this: mail.xxx.yyy.com. In this example, the domain suffix is xxx.yyy.com. If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them. If an ISP technician configured your PC during the installation of the broadband modem, or if you configured it using instructions provided by your ISP, you need to copy the configuration information from your PC's Network TCP/IP Properties window or Macintosh TCP/IP Control Panel before reconfiguring your PC for use with the firewall. These procedures are described next. Obtaining ISP Configuration Information for Windows Computers: As mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the FR328S Firewall. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you need to configure the firewall for Internet access: 1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel. 2. Double-click the Network icon. The Network window opens, which displays a list of installed components. 3. Select TCP/IP
118. pecial messages.
Note: This format is used to highlight information of importance or special interest.
This manual is written for the FR328S Firewall according to these versions:
Table 1-1. Product, Firmware Version, Manual Version, and Publication Date
Product: FR328S ProSafe Firewall with Dial Back Up
Firmware Version Number: Version 1.4 Release 05
Manual Part Number: M-10207-01 Reference Manual v2
Manual Publication Date: October 2003
Note: Product updates are available on the NETGEAR, Inc. web site at http://www.netgear.com/support/main.asp. Documentation updates are available on the NETGEAR, Inc. web site at http://www.netgear.com/docs.
How to Use this Manual
The HTML version of this manual includes a variety of navigation features as well as links to PDF versions of the full manual and individual chapters.
119. provides a variety of options for blocking Internet based content and communications services. With its content filtering feature, the FR328S Firewall prevents objectionable content from reaching your PCs. The FR328S allows you to control access to Internet content by screening for keywords within Web addresses. Key content filtering options include:
• Blocks access from your LAN to Internet locations that you specify as off-limits.
• Keyword blocking of newsgroup names.
• Outbound Services Blocking limits access from your LAN to Internet locations or services that you specify as off-limits.
• Denial of Service (DoS) protection. Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
The section below explains how to configure your firewall to perform these functions.
How to Block Keywords and Sites
The FR328S Firewall allows you to restrict access to Internet content based on functions such as Java or Cookies, Web addresses, and Web address keywords.
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. Click on the Blo
120. ptions on both the serial and broadband WAN ports, including:
• Internet access via either the serial or broadband port.
• Auto fail-over connectivity through an analog or ISDN modem connected to the serial port. If the broadband Internet connection fails, after waiting for an amount of time you specify, the FR328S can automatically establish a backup ISDN or dial-up Internet connection via the serial port on the firewall.
• Remote Access Server (RAS) allows you to log in remotely through the serial port to access a server on your LAN, other LAN resources, or the Internet, based on a user name and password you define.
• LAN-to-LAN access between two FR328S firewalls through the serial port, with the option of enabling auto-failover Internet access across the serial LAN-to-LAN connection.
A Powerful, True Firewall with Comprehensive Content Filtering
Unlike simple Internet sharing NAT routers, the FR328S is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
• Denial of Service (DoS) protection. Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack and IP Spoofing.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off limit
121. puters at the request of client computers. For example, Web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, "Assigned Numbers." Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application. Although the FR328S already holds a list of many service port numbers, you are not limited to these choices. Use the procedure below to create your own service definitions.
How to Define Services
1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.
2. Click Services on the Security menu to display the Services menu.
[Figure 5-3: Services menu]
• To create a new Service, click the Add button.
• To edit an
122. r on your local network to be accessible to outside users.
MAC Addresses and Address Resolution Protocol
An IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer. The technique that associates the IP address with a MAC address is known as address resolution. Internet Protocol uses the Address Resolution Protocol (ARP) to resolve MAC addresses.
If a device sends data to another station on the network and the destination MAC address is not yet recorded, ARP is used. An ARP request is broadcast onto the network. All stations on the network receive and read the request. The destination IP address for the chosen station is included as part of the message so that only the station with this IP address responds to the ARP request. All other stations discard the request.
The station with the correct IP address responds with its own MAC address directly to the sending device. The receiving station provides the transmitting station with the required destination MAC address. The IP address data and MAC address data for each station are held in an ARP table. The next time data is sent, the address can be obtained from the address information in the table.
Related Documents
123. r the firewall.
Click Schedule on the Security menu to display the Schedule Services menu.
To block Internet services based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected days, enter Start Blocking and End Blocking times.
Note: Enter the values as 24-hour time. For example, 10:30 am would be 10 hours and 30 minutes, and 10:30 pm would be 22 hours and 30 minutes.
4. Click Apply to save your changes.
Chapter 6 Managing Your Network
This chapter describes how to perform network management tasks with your FR328S ProSafe Firewall with Dial Back Up.
Network Management Information
The FR328S provides a variety of status and usage information, which is discussed below.
Viewing Router Status and Usage Statistics
From the Main Menu, under Maintenance, select Router Status to view the screen in Figure 6-1.
[Figure 6-1: Router Status screen]
124. reboot your PC and verify the DNS address as described in "Verifying TCP/IP Properties" on page C-6. Alternatively, you may configure your PC manually with DNS addresses, as explained in your operating system documentation.
• Your PC may not have the firewall configured as its TCP/IP gateway. If your PC obtains its information from the firewall by DHCP, reboot the PC and verify the gateway address as described in "Verifying TCP/IP Properties" on page C-6.
Troubleshooting a TCP/IP Network Using a Ping Utility
Most TCP/IP terminal devices and routers contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made easier by using the ping utility in your PC or workstation.
Testing the LAN Path to Your Firewall
You can ping the firewall from your PC to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later:
1. From the Windows toolbar, click on the Start button and select Run.
2. In the field provided, type Ping followed by the IP address of the firewall, as in this example: ping 192.168.0.1
3. Click on OK. You should see a message like this one: Pinging <IP address> with 32 bytes of data
If the path is working, you see this message
125. rial ports. For each port, the Serial Port screen displays:
• Status: The link status of the port.
• TxPkts: The number of packets transmitted on this port since reset or manual clear.
• RxPkts: The number of packets received on this port since reset or manual clear.
• Collisions: The number of collisions on this port since reset or manual clear.
• Tx B/s: The current line utilization, bytes per second of current bandwidth used on this port.
• Rx B/s: The bytes per second of average line utilization for this port.
• Up Time: The time elapsed since this port acquired link.
• System up Time: The time elapsed since the last power cycle or reset.
• Poll Interval: Specifies the intervals at which the statistics are updated in this window. Click on Stop to freeze the display.
Viewing Attached Devices
The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table shown in Figure 6-3.
[Figure 6-3: Attached Devices menu. Columns: IP Address, Device Name, MAC Address]
For each device, the table shows the IP address, NetBIOS Host Name (if available)
126. Glossary
Use the list below to find definitions for technical terms used in this manual.
10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
Access Control List (ACL)
An ACL is a database that an Operating System uses to track each user's access rights to system objects (such as file directories and/or files).
ADSL
Short for asymmetric digital subscriber line, a technology that allows data to be sent over existing copper telephone lines at data rates of from 1.5 to 9 Mbps when receiving data (known as the downstream rate) and from 16 to 640 Kbps when sending data (known as the upstream rate). ADSL requires a special ADSL modem. ADSL is growing in popularity as more areas around the world gain access.
ARP
Address Resolution Protocol, a TCP/IP protocol used to convert an IP address into a physical address (called a DLC address), such as an Ethernet address. A host wishing to obtain a physical address broadcasts an ARP request onto the TCP/IP network. The host on the network that has the IP address in the request then replies with its physical hardware address. There is also Reverse ARP (RARP), which can be used by a host to discover its IP address. In this case, the host broadcasts its physical address and a RARP server replies with the host's IP address.
Auto Uplink
Auto Up
127. roSafe Firewall with Dial Back Up to your Local Area Network (LAN).
Note: The Resource CD included with your firewall contains an animated Installation Assistant to guide you through this procedure.
How to Connect the Firewall to Your LAN
There are three steps to connecting your firewall:
1. Connect the firewall to your network.
2. Log in to the firewall.
3. Connect to the Internet.
Follow the steps below to connect your firewall to your network. You can also refer to the Resource CD included with your firewall, which contains an animated Installation Assistant to help you through this procedure.
1. Connect the Firewall
a. Turn off your computer and Cable or DSL Modem.
b. Disconnect the Ethernet cable (A) from your computer which connects to your Cable or DSL modem.
[Figure 3-1: Disconnect the Cable or DSL Modem]
c. Connect the Ethernet cable (A) from your Cable or DSL modem to the FR328S's Internet port.
[Figure 3-2: Connect the Cable or DSL Modem to the firewall]
d. Connect the Ethernet cable (B) which came with the firewall from a Local port on the router to your computer.
Figure 3-3: Connect the computers on your network t
128.
• Automatic Configuration of Attached PCs by DHCP. The FR328S dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPP over Ethernet is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.
• PPTP login support for European ISPs, BigPond login for Telstra DSL in Australia.
• Dynamic DNS. Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address.
Configurable Auto Uplink Ethernet Connection
With its internal 8-port 10/100 switch, the FR328S can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both t
129. s
• Logs security incidents. The FR328S will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
• With its content filtering feature, the FR328S prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.
Protocol Support
The FR328S supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). Appendix B, "Networks, Routing, and Firewall Basics," provides further information on TCP/IP.
• The Ability to Enable or Disable IP Address Sharing by NAT. The FR328S allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely for using the FR328S in settings where you want to manage the IP address scheme of your organization.
130. s of addresses are assigned by Internic, an organization formed for this purpose.
ISP
Internet service provider.
LAN
See Local Area Network.
Local Area Network
A communications network serving users within a limited area, such as one floor of a building. A LAN typically connects multiple personal computers and shared network devices such as storage and printers. Although many technologies exist to implement a LAN, Ethernet is the most common for connecting personal computers and is limited to a distance of 1,500 feet. LANs can be connected together, but if modems and telephones connect two or more LANs, the larger network constitutes what is called a WAN or Wide Area Network.
MAC
(1) Medium Access Control. In LANs, the sublayer of the data link control layer that supports medium-dependent functions and uses the services of the physical layer to provide services to the logical link control (LLC) sublayer. The MAC sublayer includes the method of determining when a device has access to the transmission medium. (2) Message Authentication Code. In computer security, a value that is a part of a message or accompanies a message and is used to determine that the contents, origin, author, or other attributes of all or part of the message are as they appear to be. (IBM Glossary of Computing Terms)
MAC address
The Media Access Control a
131. [Table of contents excerpt]
Netmask
Subnet Addressing
Private IP Addresses
Single IP Address Operation Using NAT
MAC Addresses and Address Resolution Protocol
Related Documents
Domain Name Server
IP Configuration by DHCP
Internet Security and Firewalls
What is a Firewall
Stateful Packet Inspection
Denial of Service Attack
Ethernet Cabling
Category 5 Cable Quality
Inside Twisted Pair Cables
Uplink Switches, Crossover Cables, and MDI/MDIX Switching
Appendix C Preparing Your Network
Preparing Your Computers for TCP/IP Networking
Configuring Windows 95, 98, and ME for TCP/IP Networking
Install or Verify Windows Networking Components
Enabling DHCP to Automatically Configure TCP/IP Settings
132. [Figure 3-12: Browser-based configuration Basic Settings menu]
How to Manually Configure the Primary Internet Connection
Use these steps to manually configure the primary Internet connection in the Basic Settings menu.
1. Select your Internet connection type: broadband with or without login, or serial.
Note: If you are a Telstra BigPond broad
133. ster the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your firewall to masquerade as that PC by using its MAC address.
4. Click Apply to save your settings.
5. Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 8, "Troubleshooting."
How to Complete Wizard-Detected Fixed IP Account Setup
If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you will be directed to the menu shown in Figure 3-10 below.
[Figure 3-10: Setup Wizard menu for Fixed IP address]
1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP's gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in "Record Your Internet Connection Information" on page 3-3.
2. Enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address
134. t gebracht wurde, und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the FR328S ProSafe Firewall with Dial Back Up has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.
Technical Support
Refer to the Support Information Card that shipped with your FR328S ProSafe Firewall with Dial Back Up.
World Wide Web
NETGEAR maintains a World Wide Web home page that you can access
135. t through the second FR328S in case the broadband connection of the first FR328S fails.
The procedures for these configuration options are presented below.
Configuring a Serial Port Modem
You can configure a serial port modem for any of the features described above. Be sure you have prepared the basic requirements listed below, then follow the how-to procedure.
Basic Requirements for Serial Port Modem Configuration
Configuring a serial port modem requires these elements:
1. A serial analog or ISDN modem.
2. A serial modem cable with a DB9 connector.
3. An active phone or ISDN line.
How to Configure a Serial Port Modem
Follow the steps below to configure a serial port modem.
1. From the main menu, click Modem in the Serial Port section.
[Figure 4-1: Serial Port Modem configuration menu]
2. Select the Serial Line Speed. This is the maximum speed the modem will attempt to use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a typical setting. For ISDN, select Permanent connection (leased line). For dial-up, Standard Modem should work in most cases. Otherwise, select yo
136. tify the host section of the address. The following figure shows the three main address classes, including network and host sections of the address for each address type.
[Figure 8-2: Three Main Address Classes (Class A, Class B, Class C, each divided into Network and Node sections)]
The five address classes are:
• Class A. Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number. Class A addresses are in this range: 1.x.x.x to 126.x.x.x.
• Class B. Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit network number and a 16-bit node number. Class B addresses are in this range: 128.1.x.x to 191.254.x.x.
• Class C. Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x.
• Class D. Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255.
• Class E. Class E addresses are for experimental use.
This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network.
137. tly selected chapter of the manual.
How to Print this Manual
To print this manual, you may choose one of the following options, according to your needs.
• Printing a "How To" Sequence of Steps in the HTML View. Use the Print button on the upper right of the toolbar to print the currently displayed topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer. You do not have to worry about specifying the correct range of pages.
• Printing a Chapter. Use the PDF of This Chapter link at the top right of any page. Click the PDF of This Chapter link at the top right of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window. Note: Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe web site at http://www.adobe.com. Click the print icon in the upper left of the window. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature.
• Printing the Full Manual. Use the PDF button in the toolbar at the top right of the browser window. Click the PDF button on the upper right of the toolbar. The PDF version of the
138. [Table of contents excerpt]
Test LED Never Turns On or Test LED Stays On
Local or Internet Port Link LEDs Not On
Troubleshooting the Web Configuration Interface
Troubleshooting the ISP Connection
Troubleshooting a TCP/IP Network Using a Ping Utility
Testing the LAN Path to Your Firewall
Testing the Path from Your PC to a Remote Device
Restoring the Default Configuration and Password
Using the Default Reset button
Problems with Date and Time
Appendix A Technical Specifications
Appendix B Networks, Routing, and Firewall Basics
Related Publications
Basic Router Concepts
What is a Router
Routing Information Protocol
IP Addresses and the Internet
139. ur modem from the list. If your modem is not on the list, select User Defined and enter the Modem Properties. If you are using the User Defined selection and configuring your own modem strings, fill in the Modem Properties settings.
Note: You can validate modem string settings by first connecting the modem directly to a PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FR328S Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site.
3. Click Apply to save your settings.
Configuring Auto Rollover
You can configure the serial port of the FR328S to provide an auto rollover backup connection for your broadband service. Be sure you have prepared the basic requirements listed below, then follow the how-to procedure.
Basic Requirements for Auto Rollover
Auto Rollover requires these elements:
1. A broadband connection to the FR328S.
2. An ISDN or analog phone line with an active ISDN or dial-up ISP account.
3. A serial modem properly configured and attached to the DB9 connector on the serial port.
4. The Auto Rollover settings configured and applied to the FR328S.
How to Configure Auto Rollover
Follow the steps bel
140. What is a Firewall
A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur. When an incident is detected, the firewall can log details of the attempt, and can optionally send email to an administrator notifying them of the incident. Using information from the log, the administrator can take action with the ISP of the hacker. In some types of intrusions, the firewall can fend off the hacker by discarding all further packets from the hacker's IP address for a period of time.
Stateful Packet Inspection
Unlike simple Internet sharing routers, a firewall uses a process called stateful packet inspection to ensure secure firewall filtering to protect your network from attacks and intrusions. Since user-level applications such as FTP and Web browsers can create complex patterns of network traffic, it is necessary for the firewall to analyze groups of network connection states. Using Stateful Packet Inspection, an incoming packet is intercepted at the network layer and then analyzed for state-related information associated with all network connections. A central cache within the firewall keeps track of the state information associated with all network connections. All traffic passing through the fir
141. ve provided you with all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below. • If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer. • For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties. • For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. • For Macintosh computers, open the TCP/IP or Network control panel. • You may also refer to the FR328S Resource CD for the NETGEAR Router ISP Guide, which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below according to the instructions in Record Your Internet Connection Information on page 3-3. Record Your Internet Connection Information Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. Some ISPs use your full e-mail address as the
142. wall. If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following: • Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login. • If your ISP requires a login, you may have incorrectly set the login name and password. • Your ISP may check for your PC's host name. Assign the PC Host Name of your ISP account as the Account Name in the Basic Settings menu. • Your ISP only allows one Ethernet MAC address to connect to Internet, and may check for your PC's MAC address. In this case: Inform your ISP that you have bought a new network device, and ask them to use the firewall's MAC address; OR Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to Manually Configuring Your Internet Connection on page 3-16. If your firewall can obtain an IP address, but your PC is unable to load any web pages from the Internet: • Your PC may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the firewall's configuration
143. wall with Dial Back Up Reference Manual v2 Note: You can validate modem string settings by first connecting the modem directly to a PC, establishing a connection to your ISP, and then copying the modem string settings from the PC configuration and pasting them into the FR328S Modem Properties Initial String field. For more information on this procedure, please refer to the support area of the NETGEAR web site. • Select the Serial Line Speed. This is the maximum speed the modem will attempt to use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a typical setting. • Select the Modem Type. For ISDN, select Permanent connection (leased line). For dial-up, select your modem from the list. Standard Modem should work in most cases. If your modem is not on the list, select User Defined and enter the Modem Properties. Note: If you are not using a modem from the pre-defined list but are using the User Defined Modem Type, you must first use the Serial Port menu Modem link to fill in the Modem Properties settings for your modem. • Click Apply to save your settings. 3. Connect to the Internet to test your configuration. a. If you have a broadband connection, disconnect it. b. From a workstation, open a browser and test your serial port Internet connection. Note: The response time of your serial port Internet connection will be slower than a bro
144. y 5 (CAT5) cable such as the one provided with your firewall. For more on CAT5 cabling, please see Ethernet Cabling on page B-11. The broadband modem must provide a standard 10 Mbps (10BASE-T) or 100 Mbps (100BASE-T) Ethernet interface. The serial modem must have the standard serial modem interface and cable with a DB-9 connector as illustrated in FR328S Rear Panel on page 2-6. Configuration Requirements For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall which is set to automatically get its TCP/IP configuration from the firewall via DHCP. Note: For assistance with DHCP configuration, please refer to the animated Windows TCP/IP Configuration Tutorials on the Resource CD (SW-10045-01) or in Appendix C, Preparing Your Network. Internet Configuration Requirements Depending on how your ISP set up your Internet account, you will need one or more of these configuration parameters to connect your firewall to the Internet: • Host and Domain Names • ISP Login Name and Password • ISP Domain Name Server (DNS) Addresses • Fixed or Static IP Address. Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. • Your ISP should ha
