Netgear FVL328 Reference Manual

Netgear FVL328 - Cable/DSL ProSafe VPN Firewall Router Manual

Netgear FVL328 manual content summary:

  • Netgear FVL328 | FVL328 Reference Manual - Page 1
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA Phone 1-888-NETGEAR 202-10030-02 May 24, 2004 May 2004, 202-10030-02
  • Netgear FVL328 | FVL328 Reference Manual - Page 2
    NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. EN 55 022 Declaration of Conformance This is to certify that the FVL328 Prosafe High Speed VPN Firewall the operating instructions. The Federal Office for
  • Netgear FVL328 | FVL328 Reference Manual - Page 3
    TV receiver, it may become the cause of radio interference. Read instructions for correct handling. Technical Support Refer to the Support Information Card that shipped with your FVL328 Prosafe High Speed VPN Firewall. World Wide Web NETGEAR maintains a World Wide Web home page that you can access
  • Netgear FVL328 | FVL328 Reference Manual - Page 4
    iv May 2004, 202-10030-02
  • Netgear FVL328 | FVL328 Reference Manual - Page 5
    Print this Manual 1-4 Chapter 2 Introduction About the FVL328 ...2-1 Summary of New Features in the FVL328 2-1 Key Features ...2-2 Virtual Private Networking 2-2 A Powerful, True Firewall 2-3 Content Filtering ...2-3 Configurable Auto Uplink™ Ethernet Connection 2-3 Protocol Support ...2-4 Easy
  • Netgear FVL328 | FVL328 Reference Manual - Page 6
    DHCP Log 4-3 How to Configure Reserved IP Addresses 4-4 Configuring WAN Settings 4-5 Connect Automatically, as Required 4-6 Setting Up a Default DMZ Server 4-7 How to Assign a Default DMZ Server 4-7 Multi-DMZ Servers 4-7 Responding to Ping on Internet WAN Port 4-8 MTU Size ...4-8 Port Speed
  • Netgear FVL328 | FVL328 Reference Manual - Page 7
    Inbound Rules (Port Forwarding 5-7 Example: Port Forwarding to a Local Public Web Server 5-8 Example: Port Forwarding for Videoconferencing 5-8 Example: Port Forwarding for VPN Tunnels when NAT is Off 5-9 Outbound Rules (Service Blocking or Port Filtering 5-10 Outbound Rule Example: Blocking
  • Netgear FVL328 | FVL328 Reference Manual - Page 8
    to Your FVL328 Firewall 7-1 How to Change the Built-In Password 7-1 How Router 7-19 Upgrading the Router's Firmware 7-20 How to Upgrade the Router 7-20 Chapter 8 Troubleshooting Basic Functions ...8-1 Power LED Not On 8-2 Test LED Never Turns On or Test LED Stays On 8-2 Local or Internet Port
  • Netgear FVL328 | FVL328 Reference Manual - Page 9
    Password 8-7 How to Use the Default Reset Button 8-7 Problems with Date and Time 8-8 Appendix A Technical Specifications Appendix B Networks, Routing, and Firewall Basics Related Publications ...B-1 Basic Router Concepts B-1 What is a Router B-1 Routing Information Protocol B-2 IP Addresses
  • Netgear FVL328 | FVL328 Reference Manual - Page 10
    Computers C-10 Restarting the Network C-11 Appendix D Firewall Log Formats Action List ...D-1 Field List ...D-1 Outbound Log ...D-1 Inbound Log ...D-2 Other IP Traffic ...D-2 Router Operation ...D-3 Other Connections and Traffic to this Router D-4 DoS Attack/Scan ...D-4 Access Block Site
  • Netgear FVL328 | FVL328 Reference Manual - Page 11
    Configuration of FVL328 Gateway B F-5 Test the VPN Connection F-10 Appendix G NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router Configuration Profile ...G-1 Step-By-Step Configuration of FVL328 or FWAG114 Gateway G-2 Step-By-Step Configuration of the FVL328 Firewall B G-7
  • Netgear FVL328 | FVL328 Reference Manual - Page 12
    Testing the VPN Connection G-14 From the Client PC to the FVL328 G-14 From the FVL328 to the Client PC G-15 Monitoring the PC VPN Connection G-15 Viewing the FVL328 VPN Status and Log Information G-17 Appendix H NETGEAR VPN Configuration FVS318 or FVM318 with FQDN to FVL328 Configuration
  • Netgear FVL328 | FVL328 Reference Manual - Page 13
    according to these specifications: Table 1-1. Manual Specifications Product Firmware Version Number Manual Part Number Manual Publication Date FVL328 Prosafe High Speed VPN Firewall Version 2.0 Release 05 202-10030-02 May 24, 2004 Note: Product updates are available on the NETGEAR Web site at
  • Netgear FVL328 | FVL328 Reference Manual - Page 14
    Typographical Conventions This guide uses the following typographical conventions: Table 1-2. italics bold [Enter] SMALL CAPS Typographical conventions Emphasis. User input. Named keys in text are shown enclosed in square
  • Netgear FVL328 | FVL328 Reference Manual - Page 15
    How to Use this Manual This manual is published in both HTML and .PDF file formats. The HTML version of this manual provides links to the .PDF versions of the manual and includes these features. To view the HTML version of
  • Netgear FVL328 | FVL328 Reference Manual - Page 16
    How to Print this Manual To print this manual you can choose one the PDF version of the full manual. - Click the print icon in the upper left side of the window. - Tip: If your printer supports printing two pages on a single
  • Netgear FVL328 | FVL328 Reference Manual - Page 17
    . The 8-port FVL328 provides highly reliable Internet access for up to 253 users with up to 100 concurrent VPN tunnels. Summary of New Features in the FVL328 The NETGEAR FVL328 VPN ProSafe Firewall contains many new features, including: • Multi-DMZ (One-to-One DMZ) - Up to 7 different WAN IPs can be
  • Netgear FVL328 | FVL328 Reference Manual - Page 18
    • IP-MAC access control: ensures a computer with an assigned MAC address always gets the same IP address when using DHCP • Port Triggering • Ease of Use Improvements - Period (.) can be used to advance IP address, like using
  • Netgear FVL328 | FVL328 Reference Manual - Page 19
    • Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS feature is enabled with one of the supported service providers. • VPNC Certified. A Powerful, True Firewall Unlike simple Internet sharing NAT
  • Netgear FVL328 | FVL328 Reference Manual - Page 20
    The firewall incorporates Auto Uplink™ technology. Each local Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a 'normal' connection such as to a PC or an 'uplink' connection
  • Netgear FVL328 | FVL328 Reference Manual - Page 21
    • Dynamic DNS Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The firewall contains a client that can connect to many popular Dynamic DNS services
  • Netgear FVL328 | FVL328 Reference Manual - Page 22
    Note: Product updates are available on the NETGEAR Web site at http://kbserver.netgear.com/products/FVL328.asp. • Includes a battery-backed real-time clock so time will persist if power is removed. • Regional support,
  • Netgear FVL328 | FVL328 Reference Manual - Page 23
    2-2) contains the connections identified below. Figure 2-2: FVL328 Rear Panel Viewed from left to right, the rear panel contains the following elements: • Factory Default Reset push button • Eight Local Ethernet RJ-45 ports for connecting the firewall to local computers • Internet WAN Ethernet RJ
  • Netgear FVL328 | FVL328 Reference Manual - Page 24
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 2-8 Introduction May 2004, 202-10030-02
  • Netgear FVL328 | FVL328 Reference Manual - Page 25
    perform basic configuration of your FVL328 Prosafe High Speed VPN Firewall using the Setup Wizard, or manually configure your Internet connection. Connecting the FVL328 to Your LAN This section provides instructions for connecting the FVL328 Prosafe High Speed VPN Firewall to your Local Area Network
  • Netgear FVL328 | FVL328 Reference Manual - Page 26
    c. Locate the Ethernet cable (Cable 1 in the diagram Ethernet cable (Cable 1) that you disconnected from your computer into the Internet port (B) on the FVL328. Cable 1 now connects from your cable or DSL broadband modem to the
  • Netgear FVL328 | FVL328 Reference Manual - Page 27
    e. Locate the blue Ethernet cable that came with your router. Securely insert one end of the cable (Cable 2 in the diagram below) into a LAN port on the router such as LAN port 8 (C), and the other end into the Ethernet port of
  • Netgear FVL328 | FVL328 Reference Manual - Page 28
    2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE Warning: Failure to restart your network in the correct sequence could prevent you from connecting to the
  • Netgear FVL328 | FVL328 Reference Manual - Page 29
    c. A login window opens as shown here: Figure 3-5: Login window Enter admin for the router user name and password for the router password, both in lower case letters. d. After logging in to the router, you will see the
  • Netgear FVL328 | FVL328 Reference Manual - Page 30
    a. You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu. b. Choose NAT or Classical Routing. NAT automatically assigns private IP addresses (192
  • Netgear FVL328 | FVL328 Reference Manual - Page 31
    1. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. If you leave the Domain Name field blank, the firewall
  • Netgear FVL328 | FVL328 Reference Manual - Page 32
    Configuring for a Wizard-Detected Dynamic IP Account If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment, you will be directed to the Dynamic IP menu. 1. Enter your Account Name (may
  • Netgear FVL328 | FVL328 Reference Manual - Page 33
    1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP's gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you
  • Netgear FVL328 | FVL328 Reference Manual - Page 34
    Manually Configuring Your Internet Connection You can manually configure your firewall using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section. ISP Does Not
  • Netgear FVL328 | FVL328 Reference Manual - Page 35
    factory default. Disable NAT only if you plan to install the FVL328 in a setting where you will be manually administering the IP address space on the LAN side of the router. - Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall
  • Netgear FVL328 | FVL328 Reference Manual - Page 36
    - If you want to disable NAT, select the Disable radio button. Before disabling NAT, back up your current configuration settings. Note: Disabling NAT will reboot the router and reset all the FVL328 configuration settings to the factory
  • Netgear FVL328 | FVL328 Reference Manual - Page 37
    This chapter describes how to configure the WAN and LAN settings of your FVL328 Prosafe High Speed VPN Firewall. Configuring LAN IP Settings The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the
  • Netgear FVL328 | FVL328 Reference Manual - Page 38
    • RIP Direction RIP (Router Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction selection controls how the firewall sends and receives RIP packets. Both is the default. -
  • Netgear FVL328 | FVL328 Reference Manual - Page 39
    the DHCP Log 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall. 2. From the Main Menu, under Advanced, click the LAN IP Setup link
  • Netgear FVL328 | FVL328 Reference Manual - Page 40
    Figure 4-1: LAN IP Setup Menu 3. Enter the LAN TCP/IP and DHCP parameters. 4. Click Apply to save your changes. How to Configure Reserved IP Addresses When you specify a reserved IP address for a PC on the LAN, that PC will
  • Netgear FVL328 | FVL328 Reference Manual - Page 41
    3. Type the MAC Address of the PC or server. Note: If the PC is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here. 4. Click Apply to enter the reserved address into
  • Netgear FVL328 | FVL328 Reference Manual - Page 42
    Figure 4-2: WAN Setup Connect Automatically, as Required Normally, this option should be Enabled, so that an Internet connection will be made automatically, whenever Internet-bound traffic is detected.
  • Netgear FVL328 | FVL328 Reference Manual - Page 43
    Setting Up a Default DMZ Server Specifying a Default DMZ Server allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined. There are security issues with doing
  • Netgear FVL328 | FVL328 Reference Manual - Page 44
    3. Select the PC to be used as the DMZ Server for this IP address. • Click Apply. Note: • All incoming traffic to that IP address will be sent to the selected PC. • Out-going traffic from the selected PC will use the IP address
  • Netgear FVL328 | FVL328 Reference Manual - Page 45
    If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M. Use the half-duplex settings unless you are sure you need full duplex. Port Triggering Port Triggering is used to
  • Netgear FVL328 | FVL328 Reference Manual - Page 46
    Port Triggering Rules This table lists the current rules: • Enable - Indicates if the rule is enabled or disabled. Generally, there is no need to disable a rule unless it interferes with some other function, such as Port Forwarding
  • Netgear FVL328 | FVL328 Reference Manual - Page 47
    • Incoming (Response) Port Range - enter the range of port numbers used by the remote system when it responds to the PC's request. Modifying or Deleting an existing Rule 1. Select the desired rule by clicking
  • Netgear FVL328 | FVL328 Reference Manual - Page 48
    How to Configure Dynamic DNS 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have
  • Netgear FVL328 | FVL328 Reference Manual - Page 49
    When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses
  • Netgear FVL328 | FVL328 Reference Manual - Page 50
    3. To add or edit a Static Route: the Gateway IP Address, which must be a router on the same LAN segment as the firewall. h. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your
  • Netgear FVL328 | FVL328 Reference Manual - Page 51
    The FVL328 Prosafe High Speed VPN Firewall provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, Web addresses, and Web address keywords
  • Netgear FVL328 | FVL328 Reference Manual - Page 52
    Many Web sites will not function correctly if these components are blocked. These options are discussed below. The Keyword Blocking menu is shown here.
  • Netgear FVL328 | FVL328 Reference Manual - Page 53
    ".". Up to 255 entries are supported in the Keyword list. Apply Keyword Services and Rules Regulate Inbound and Outbound Traffic The FVL328 Prosafe High Speed VPN Firewall lets you regulate what ports are available to the various TCP/IP
  • Netgear FVL328 | FVL328 Reference Manual - Page 54
    Defining a Service Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about
  • Netgear FVL328 | FVL328 Reference Manual - Page 55
    Using Inbound/Outbound Rules to Block or Allow Services Firewall rules are used to block or allow specific traffic passing through from one side of the firewall to the other. Inbound rules (WAN to LAN) restrict access by
  • Netgear FVL328 | FVL328 Reference Manual - Page 56
    You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Netgear FVL328 | FVL328 Reference Manual - Page 57
    Examples of Using Services and Rules to Regulate Traffic Use the examples to see how you combine Services and Rules to regulate how the TCP/IP protocols are used on your firewall to enable either blocking or allowing specific
  • Netgear FVL328 | FVL328 Reference Manual - Page 58
    Example: Port Forwarding to a Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web
  • Netgear FVL328 | FVL328 Reference Manual - Page 59
    Figure 5-4: Rule example: Videoconference from Restricted Addresses Example: Port Forwarding for VPN Tunnels when NAT is Off If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses anywhere on
  • Netgear FVL328 | FVL328 Reference Manual - Page 60
    Figure 5-6: Inbound rule example: VPN IPSec when NAT is off In the example shown in Figure 5-6, VPN IPSec connections are allowed for any internal LAN IP address. Outbound Rules (Service Blocking or Port Filtering) The FVL328
  • Netgear FVL328 | FVL328 Reference Manual - Page 61
    Figure 5-7: Rule example: Blocking Instant Messenger order of the entries in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules
  • Netgear FVL328 | FVL328 Reference Manual - Page 62
    Rules Menu Options Figure 5-8: Rules menu options Use the Options checkboxes to enable the following: • Enable VPN Passthrough (IPSec, PPTP, L2TP) If LAN users need to use VPN (Virtual Private Networking) software on their
  • Netgear FVL328 | FVL328 Reference Manual - Page 63
    Using a Schedule to Block or Allow Content or Traffic If you enabled content filtering in the Block Sites menu, or if you defined an
  • Netgear FVL328 | FVL328 Reference Manual - Page 64
    supported for your region, you can check Automatically adjust for Daylight Savings Time. If this is not supported, you must manually NTP (Network Time Protocol) If enabled, the RTC is updated regularly by contacting a NTP Server on the Internet.
  • Netgear FVL328 | FVL328 Reference Manual - Page 65
    User-defined NTP Server Choose your NTP server. The firewall uses NETGEAR NTP servers by default. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server. If you
  • Netgear FVL328 | FVL328 Reference Manual - Page 66
    • Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be blank. • Enter the e-mail address to which logs and alerts will be sent. This e-mail address will also be used as the From address. If
  • Netgear FVL328 | FVL328 Reference Manual - Page 67
    - If a user specified e-mail address. After the log is sent, the log is cleared from the router's memory. If the router cannot e-mail The router will log security-related events, such as denied incoming and outgoing service requests,
  • Netgear FVL328 | FVL328 Reference Manual - Page 68
    Figure 5-12: Logs menu See Appendix D, "Firewall Log Formats" for a full explanation of log entry formats. Log action buttons are described in Table 5-1
  • Netgear FVL328 | FVL328 Reference Manual - Page 69
    Table 5-1. Field Refresh Clear Log • Other IP traffic - If checked, all other traffic (IP packets which are not TCP, UDP, or ICMP) is logged. • Router operation (start up, get time, etc.) - If checked, Router operations,
  • Netgear FVL328 | FVL328 Reference Manual - Page 70
    • Disable - select this if you do not have a Syslog server. • Broadcast on LAN - the Syslog data is broadcast, rather than sent to a specific Syslog server. Use this if your Syslog Server does not have a fixed IP address. •
  • Netgear FVL328 | FVL328 Reference Manual - Page 71
    equipment vendors. Telecommuter with client software FVL328 VPN Firewall VPN tunnels encrypt data FVL328 VPN Firewall Figure 6-1: Secure access through FVL328 VPN routers Using Policies to Manage VPN Traffic You create policy definitions to manage VPN traffic on the FVL328. There are two kinds
  • Netgear FVL328 | FVL328 Reference Manual - Page 72
    • IKE Policies: Define the authentication scheme and VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you can create a VPN policy which does not use an IKE policy but in which you manually
  • Netgear FVL328 | FVL328 Reference Manual - Page 73
    IKE Policies' Automatic Key and Authentication Management Click the IKE Policies link from the VPN section of the main menu, and then click the Add button of the IKE Policies screen to display the IKE Policy Configuration menu
  • Netgear FVL328 | FVL328 Reference Manual - Page 74
    to the Local FVL328 firewall. Use this field to identify the local FVL328. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address. • By its Fully Qualified Domain Name (FQDN) - your domain name. • By a Fully Qualified User Name - your name
  • Netgear FVL328 | FVL328 Reference Manual - Page 75
    parameters apply to the target remote FVL328 firewall, VPN gateway, or VPN client. Remote Identity Type Use this field to identify the remote FVL328. You can choose one of the following four options from the drop-down list: • By its Internet (WAN) port IP address. • By its Fully Qualified Domain
  • Netgear FVL328 | FVL328 Reference Manual - Page 76
    VPN Policy Configuration for Auto Key Negotiation An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN Policies section of the main menu, you can navigate to the VPN - Auto Policy
  • Netgear FVL328 | FVL328 Reference Manual - Page 77
    policy BEFORE creating a VPN - Auto policy. Remote VPN Endpoint The address used to locate the remote VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVL328's Local Identity Data entered as its "Remote VPN Endpoint": • By its IP Address. • By its Fully
  • Netgear FVL328 | FVL328 Reference Manual - Page 78
    Table 6-1. VPN Auto Policy Configuration Fields Field Description Traffic Selector These settings determine if and when a VPN tunnel will be established. If network traffic meets all criteria, then a VPN tunnel will be
  • Netgear FVL328 | FVL328 Reference Manual - Page 79
    Table 6-1. VPN Auto Policy Configuration Fields Field Description Encapsulated Security Payload (ESP) Configuration ESP provides security for the payload (data) sent through the VPN tunnel. Generally, you will want to
  • Netgear FVL328 | FVL328 Reference Manual - Page 80
    Figure 6-4: VPN - Manual Policy Menu
  • Netgear FVL328 | FVL328 Reference Manual - Page 81
    help you identify VPN policies. Remote VPN Endpoint The WAN Internet IP address or Fully Qualified Domain Name of the remote VPN firewall or client to which you want to connect. The remote VPN endpoint must have this FVL328's WAN Internet IP address entered as its "Remote VPN Endpoint." Traffic
  • Netgear FVL328 | FVL328 Reference Manual - Page 82
    Table 6-1. VPN Manual Policy Configuration Fields Field Description Authenticating Header (AH) Configuration AH specifies the authentication protocol for the VPN header. These settings must match the remote VPN the default •
  • Netgear FVL328 | FVL328 Reference Manual - Page 83
    Table 6-1. VPN Manual Policy Configuration Fields Field Description Encapsulated Security Payload (ESP) Configuration ESP provides security for the payload (data) sent through the VPN : • DES - the default • 3DES - more secure
  • Netgear FVL328 | FVL328 Reference Manual - Page 84
    Table 6-1. VPN Manual Policy Configuration Fields Field Description Enable Authentication Use this check box to enable or disable ESP authentication for this VPN NetBIOS traffic to be forwarded over the VPN tunnel. The NetBIOS
  • Netgear FVL328 | FVL328 Reference Manual - Page 85
    in "Example: Port Forwarding for VPN Tunnels when NAT is Off" on page 5-9. Follow this procedure to configure a VPN tunnel using the VPN Wizard. Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192
  • Netgear FVL328 | FVL328 Reference Manual - Page 86
    1. Log in to the FVS318 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to
  • Netgear FVL328 | FVL328 Reference Manual - Page 87
    3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. Figure 6-7: Remote IP 4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next. Figure 6-8:
  • Netgear FVL328 | FVL328 Reference Manual - Page 88
    Figure 6-9: VPN Wizard Summary To view the VPNC recommended authentication and encryption Phase 1 and Phase 2 settings the VPN Wizard used, click the "here" link. 5. Click Done to complete the configuration procedure. The VPN
  • Netgear FVL328 | FVL328 Reference Manual - Page 89
    • VPN Consortium Scenarios without any product implementation details • VPN Consortium Scenarios based on the FVL328 user interface The purpose of providing these two versions of the same scenarios is to help you determine
  • Netgear FVL328 | FVL328 Reference Manual - Page 90
    The IKE Phase 1 parameters used in Scenario 1 are bits) • Perfect forward secrecy for rekeying • SA lifetime of 3600 seconds (one hour) with no kbytes rekeying • Selectors for all IP protocols, all ports, between 10.5.6.0/24
  • Netgear FVL328 | FVL328 Reference Manual - Page 91
    in "Example: Port Forwarding for VPN Tunnels when NAT is Off" on page 5-9. 1. Log in to the FVL328 labeled Gateway A as in the illustration. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using
  • Netgear FVL328 | FVL328 Reference Manual - Page 92
    WAN IP addresses ISP provides these addresses Figure 6-12: FVL328 Internet IP Address menu b. Select whether to enable or disable NAT (Network Address Translation). NAT allows all LAN computers to gain Internet access via this Router
  • Netgear FVL328 | FVL328 Reference Manual - Page 93
    d. From the main menu Advanced section, click the LAN IP Setup link. e. Configure the LAN IP address according to the settings in Figure 6-11 above and click Apply to save your settings. For more information on LAN TCP/IP setup
  • Netgear FVL328 | FVL328 Reference Manual - Page 94
    a. From the main menu VPN section, click the IKE Policies link, and then click the Add button to display the screen below. Figure 6-13: Scenario 1 IKE Policy b. Configure the IKE
  • Netgear FVL328 | FVL328 Reference Manual - Page 95
    4. Set up the FVL328 VPN - Auto Policy illustrated below. a. From the main menu VPN section, click the VPN Policies link, and then click the Add Auto Policy button. Figure 6-14: Scenario 1 VPN - Auto Policy b. Configure the
  • Netgear FVL328 | FVL328 Reference Manual - Page 96
    5. After applying these changes, you will see a table entry like the one below. Figure 6-15: VPN Policies table Now all traffic from the range of LAN IP addresses specified on FVL328 A and FVL328 B will flow over a secure VPN
  • Netgear FVL328 | FVL328 Reference Manual - Page 97
    2. To test connectivity between the FVL328 Gateway A and Gateway B WAN ports, follow these steps: a. Using our example, log in to the FVL328 correct Time Zone is set on the FVL328. For instructions on this topic, please see, "Setting
  • Netgear FVL328 | FVL328 Reference Manual - Page 98
    Note: The procedure for obtaining 2. Install the trusted CA certificate for the Trusted Root CA. a. Log in to the FVL328. b. From the main menu VPN section, click the CAs link. c. Click Add to add a CA. d. Click Browse to
  • Netgear FVL328 | FVL328 Reference Manual - Page 99
    b. Click the Generate Request button the desired option: 512, 1024, or 2048. • Optional - IP Address. If you have a fixed IP address on your WAN (Internet) port, you can enter it here. Otherwise, you should leave this blank
  • Netgear FVL328 | FVL328 Reference Manual - Page 100
    d. Click the Next button to continue. The FVL328 generates a Self Certificate button. You will return to the Certificates screen where your pending "FVL328" Self Certificate Request will be listed, as illustrated in Figure 6-
  • Netgear FVL328 | FVL328 Reference Manual - Page 101
    Figure 6-19: Self Certificate Requests a text file called final.txt. 6. Upload the new certificate. a. From the main menu VPN section, click the Certificates link. b. Click the radio button of the Self Certificate Request you
  • Netgear FVL328 | FVL328 Reference Manual - Page 102
    f. You will now see the "FVL328" entry in the Active Self Certificates table and the pending "FVL328" Self Certificate Request is gone, as illustrated below. Figure 6-20: Self Certificates table 7. Associate the new
  • Netgear FVL328 | FVL328 Reference Manual - Page 103
    Now, the traffic from devices within the range of the LAN subnet addresses on FVL328 will not be allowed to use the VPN tunnels managed by IKE policies which use this CA. Note: You must update the CRLs regularly in order to maintain
  • Netgear FVL328 | FVL328 Reference Manual - Page 105
    Network This chapter describes how to perform network management tasks with your FVL328 Prosafe High Speed VPN Firewall. Protecting Access to Your FVL328 Firewall For security reasons, the firewall has its own user name and password. Also, after a period of inactivity for a set length of time, the
  • Netgear FVL328 | FVL328 Reference Manual - Page 106
    Figure 7-1: Set Password menu 3. To change the password, first enter the old password, then enter the new password twice. 4. Click Apply to save your changes. Note: After changing the password, you will be required to log in
  • Netgear FVL328 | FVL328 Reference Manual - Page 107
    Internet Traffic Figure 7-2: Internet Traffic Internet Traffic Limit • Enable WAN Port Traffic Meter - Check this if you wish to record the volume of Internet traffic passing through the Router's WAN port.
  • Netgear FVL328 | FVL328 Reference Manual - Page 108
    Note: Enter a Monthly Limit if Traffic Limit is enabled; otherwise, the default Traffic Statistics This displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are
  • Netgear FVL328 | FVL328 Reference Manual - Page 109
    Traffic by Protocol Click this button known by the following methods: • DHCP Client Requests By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network
  • Netgear FVL328 | FVL328 Reference Manual - Page 110
    Figure 7-4: Network Database Advantages of the Network Database • Generally, you do not need to enter either IP address or MAC addresses. • Instead, you can just select the desired PC or device. • No need to reserve an IP address
  • Netgear FVL328 | FVL328 Reference Manual - Page 111
    name. • IP Address The current IP address. For DHCP clients, where the IP address is allocated by the DHCP Server in this device, this IP address will not change. Where the IP address is set on the PC (as a fixed IP address), you may need to update this entry manually if the IP address on the PC
  • Netgear FVL328 | FVL328 Reference Manual - Page 112
    Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FVL328 Prosafe High Speed VPN Firewall. Note: Be sure to change the router's default password to a very secure password. The ideal password should contain no dictionary words from any
  • Netgear FVL328 | FVL328 Reference Manual - Page 113
    6. The IP Address to connect to this device is used to manage this router via the Internet. You need its public IP Address, as seen from the Internet. This public IP Address is allocated by your ISP, and is shown here. But if
  • Netgear FVL328 | FVL328 Reference Manual - Page 114
    Figure 7-5: Router Status screen The Router Status menu provides a limited amount of status and usage information. This screen shows the following parameters: Table 7-1. Router Status Fields Field System Name Firmware Version LAN Port MAC Address IP
  • Netgear FVL328 | FVL328 Reference Manual - Page 115
    Table 7-1. Router Status Fields Field Description IP Subnet Mask This field displays the IP Subnet Mask being used by the Local (LAN) port of the firewall. The default is 255.255.255. WAN Port These parameters apply to
  • Netgear FVL328 | FVL328 Reference Manual - Page 116
    Table 7-2. Router Statistics Fields Field System up Time WAN or LAN Port Status TxPkts RxPkts Collisions Tx B/s Rx B/s Up Time Poll Interval Description The time elapsed since the last power cycle or reset. The statistics
  • Netgear FVL328 | FVL328 Reference Manual - Page 117
    If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall Logged Information The firewall logs security-related events such as denied incoming service requests, hacker probes
  • Netgear FVL328 | FVL328 Reference Manual - Page 118
    Log entries are described below: Table 7-9: Security Log entry descriptions Field Date and Time Description or Action Source IP Source port and interface Destination Destination port and interface Description The date and
  • Netgear FVL328 | FVL328 Reference Manual - Page 119
    • All Outgoing TCP/UDP/ICMP traffic • Other IP traffic - if selected, all other traffic (IP packets which are not TCP, UDP, or ICMP) is logged • Router operation (start up, get time, etc.) - if selected, Router operations, such
  • Netgear FVL328 | FVL328 Reference Manual - Page 120
    Figure 7-11: E-mail notification menu To enable E-mail notification, configure the following fields: • Turn e-mail notification on Select this check box if you want to receive e-mail logs and alerts from the firewall. • Your
  • Netgear FVL328 | FVL328 Reference Manual - Page 121
    , or reverted to factory default settings. The procedures below explain how to do these tasks. How to Back Up the FVL328 Configuration to a File 1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using
  • Netgear FVL328 | FVL328 Reference Manual - Page 122
    Figure 7-12: Settings Backup menu 3. Click Backup to save a copy of the current settings. 4. Store the .cfg file on a computer on your network. How to Restore a Configuration from a File 1. Log in to the firewall at its default
  • Netgear FVL328 | FVL328 Reference Manual - Page 123
    2. The firewall will then reboot automatically. After an erase, the firewall's password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client will be enabled. Note: To restore the factory default
  • Netgear FVL328 | FVL328 Reference Manual - Page 124
    updates are available on the NETGEAR, Inc. Web site at http://www.netgear.com/docs. How to Upgrade the Router 1. Download and unzip the new software file from NETGEAR. 2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password
  • Netgear FVL328 | FVL328 Reference Manual - Page 125
    Figure 7-14: Router Upgrade menu 4. In the Router Upgrade menu, click Browse to locate the binary (.BIN or .IMG) upgrade file. 5. Click Upload. Note: Do not interrupt the process of uploading software to the firewall by closing
  • Netgear FVL328 | FVL328 Reference Manual - Page 127
    gives information about troubleshooting your FVL328 Prosafe High Speed VPN Firewall. For the common problems listed, go to the section indicated. • Is the firewall on? • Have I connected the firewall correctly? Go to "Basic Functions" on page 8-1. • I can't access the firewall's configuration with
  • Netgear FVL328 | FVL328 Reference Manual - Page 128
    configuration to factory defaults. This will set the firewall's IP address to 192.168.0.1. This procedure is explained in "How to Use the Default Reset Button" on page 8-7. If the error persists, you might have a hardware problem and should contact technical support.
  • Netgear FVL328 | FVL328 Reference Manual - Page 129
    Local or Internet Port Link LEDs Not On If either the Local or Internet Port Link LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the firewall
  • Netgear FVL328 | FVL328 Reference Manual - Page 130
    • Try quitting the browser and launching it again. • Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering
  • Netgear FVL328 | FVL328 Reference Manual - Page 131
    If your firewall is still unable to obtain an IP address from the ISP, the problem may be one of the following: • Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other
  • Netgear FVL328 | FVL328 Reference Manual - Page 132
    How to Test the LAN Path to Your Firewall You can ping the firewall from your computer to verify that the LAN path to your firewall is set up correctly. To ping the firewall from a PC running Windows 95 or later: 1. From the
  • Netgear FVL328 | FVL328 Reference Manual - Page 133
    the administration password or IP address is not known. How to Use the Default Reset Button To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the firewall.
  • Netgear FVL328 | FVL328 Reference Manual - Page 134
    1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds). 2. Release the Default Reset button and wait for the firewall to reboot. Problems with Date and Time The E-mail menu in the Security
  • Netgear FVL328 | FVL328 Reference Manual - Page 135
    This appendix provides technical specifications for the FVL328 Prosafe High Speed VPN Firewall. Network Protocol and Standards Compatibility Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE) Power Adapter North America: 120V, 60 Hz, input United Kingdom
  • Netgear FVL328 | FVL328 Reference Manual - Page 136
    Meets requirements of: Interface Specifications Local: Internet: Certifications Firewall: VPN: FCC Part 15 Class B VCCI Class B EN 55 022 (CISPR 22), Class B 10BASE-T or 100BASE-Tx, RJ-45 10BASE-T or 100BASE-Tx, RJ-45 ICSA
  • Netgear FVL328 | FVL328 Reference Manual - Page 137
    IP networks, routing, and firewalls by a slower-speed wide-area network router chooses the best path for forwarding network traffic. Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support.
  • Netgear FVL328 | FVL328 Reference Manual - Page 138
    Routing Information Protocol One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for
  • Netgear FVL328 | FVL328 Reference Manual - Page 139
    Figure 8-1: Three Main Address Classes The five address classes are: • Class A Class A addresses can have up to 16,777,214 hosts on a single network. They
  • Netgear FVL328 | FVL328 Reference Manual - Page 140
    This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network. For each unique value of the network portion of the address, the base address of the range (host
  • Netgear FVL328 | FVL328 Reference Manual - Page 141
    Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node
  • Netgear FVL328 | FVL328 Reference Manual - Page 142
    Table 8-1. Netmask Notation Translation Table for One Octet Number /8 /16 /24 /25 /26 /27 /28 /29 /30 /31 /32 NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the
  • Netgear FVL328 | FVL328 Reference Manual - Page 143
    the following three blocks of IP addresses specifically for private networks: 10.0.0.0 - 10.255.255.255 172.16.0.0 - 172.31.255.255 192.168.0.0 - 192.168.255.255 NETGEAR recommends that you choose your private network number from this range. The DHCP server of the FVL328 Firewall is preconfigured to
  • Netgear FVL328 | FVL328 Reference Manual - Page 144
    Figure 8-3: Single IP Address Operation Using NAT (labels: private IP addresses assigned by user; IP addresses assigned by ISP) This scheme offers
  • Netgear FVL328 | FVL328 Reference Manual - Page 145
    Related Documents The station with the correct IP address responds with its own MAC address directly to the sending device. The receiving station provides the transmitting station with the required destination MAC address. The IP
  • Netgear FVL328 | FVL328 Reference Manual - Page 146
    The FVL328 Firewall also functions as a DHCP client when connecting to the ISP. The firewall can automatically obtain an IP address, subnet mask, DNS server addresses, and a gateway address if the ISP provides this information
  • Netgear FVL328 | FVL328 Reference Manual - Page 147
    Denial of Service Attack A hacker may be able to prevent your network from operating or communicating by launching a Denial of Service (DoS) attack. The method used for such an attack can be as simple as merely flooding your
  • Netgear FVL328 | FVL328 Reference Manual - Page 148
    10 ft. (3 m) from the wall outlet to the desktop ports, called MDI or uplink ports. Most repeaters and switch ports are configured as media-dependent interfaces with built-in crossover ports, called MDI-X or normal ports.
  • Netgear FVL328 | FVL328 Reference Manual - Page 149
    Figure B-2: Crossover Twisted-Pair Cable Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each End Note: Flat "silver satin" telephone cable may
  • Netgear FVL328 | FVL328 Reference Manual - Page 150
    When connecting a PC to a PC, or a hub port to another hub port, the transmit PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration. This
  • Netgear FVL328 | FVL328 Reference Manual - Page 151
    the FVL328 Prosafe High Speed VPN Firewall and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided
  • Netgear FVL328 | FVL328 Reference Manual - Page 152
    LAN Configuration Requirements For the initial connection to the Internet and configuration of your firewall, you will need to connect a computer to the firewall which is set to automatically get its TCP/IP configuration from
  • Netgear FVL328 | FVL328 Reference Manual - Page 153
    Worksheet for Recording Your Internet Connection Information Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and
  • Netgear FVL328 | FVL328 Reference Manual - Page 154
    Preparing Your Computers for TCP/IP Networking Computers access the Internet using a protocol called TCP/IP (Transmission Control Protocol/ Internet Protocol). Each computer on your network must have TCP/IP installed and
  • Netgear FVL328 | FVL328 Reference Manual - Page 155
    Configuring Windows 95, 98, and Me for TCP/IP Networking As part of the PC preparation process, you need to manually install and configure TCP/IP , the TCP/IP protocol, and Client for Microsoft Networks.
  • Netgear FVL328 | FVL328 Reference Manual - Page 156
    Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks. If you need to install a new adapter, follow these steps:
  • Netgear FVL328 | FVL328 Reference Manual - Page 157
    3. From the components list, select TCP/IP->(your Ethernet adapter) and click Properties. 4. In the IP Address tab, select "Obtain an IP address automatically". 5. Select the Gateway tab. 6. If any gateways are shown, remove
  • Netgear FVL328 | FVL328 Reference Manual - Page 158
    • The default gateway is 192.168.0.1 Configuring Windows NT, 2000 or XP for IP Networking As part of the PC preparation process, you need to manually install and configure TCP/IP on each networked PC. Before starting, locate
  • Netgear FVL328 | FVL328 Reference Manual - Page 159
    Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: • The IP address is between 192.168.0.2 and 192.168.0.254 • The subnet
  • Netgear FVL328 | FVL328 Reference Manual - Page 160
    Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: • The IP Address is between 192.168.0.2 and 192.168.0.254 • The Subnet mask is 255.255.255.0 • The Router address is 192.168
  • Netgear FVL328 | FVL328 Reference Manual - Page 161
    Restarting the Network Once you have set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the firewall. After
  • Netgear FVL328 | FVL328 Reference Manual - Page 163
    prior to being forwarded and/or replied to. : Log's date and time : Event is that access the device or access other host via the device : Packet type pass Firewall : IP address in the packet : Port in the packet
  • Netgear FVL328 | FVL328 Reference Manual - Page 164
    The format is: [Fri, 2003-12-05 22:19:42] - UDP Packet - Source:172.31.12.233,138 ,WAN Destination:172.31.12.255,138 ,LAN [Drop] - [Inbound Default
  • Netgear FVL328 | FVL328 Reference Manual - Page 165
    IP packet [Type Field: Num]", "IPSEC" ACTION = "Forward", "Drop" Router Operation Operations that the router initiates are logged. The format is: [Wed, 2003-07-30 16:30:59] - Log emailed [Wed, 2003-07-30 13:38:31] - NETGEAR
  • Netgear FVL328 | FVL328 Reference Manual - Page 166
    Other Connections and Traffic to this Router The format is: < WAN Destination: 10.10.10.4,1765 LAN - [Receive] [Fri, 2003-12-05 22:07:11] - IP Packet [Type Field:8], from 20.97.173.18 to 172.31.12.157 - [Drop] Notes: ACTION =
  • Netgear FVL328 | FVL328 Reference Manual - Page 167
    21:30:30] - IP Packet - Source:227.113.223.77,WAN ,LAN Destination:192.168.0.1,20[FTP Data] ,WAN [Reset] - [SYN Flood] [Fri, 2003-12-05 19 Forward] Notes: PKT_TYPE = "TCP", "UDP", "ICMP", "Proto: Number"
  • Netgear FVL328 | FVL328 Reference Manual - Page 168
    Forward] Notes: EVENT = Attempt to access blocked sites SRC_INF = LAN or WAN DST_INF = WAN or LAN System Admin Sessions Administrator session logins and failed attempts are logged, as well as manual or idle-time logouts.
  • Netgear FVL328 | FVL328 Reference Manual - Page 169
    The format is: [Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10 [Fri, 2003-12-05 21:09:16] -
  • Netgear FVL328 | FVL328 Reference Manual - Page 171
    any type of IP network, including the Internet, Frame Relay, ATM, and MPLS, but only the Internet is ubiquitous and inexpensive. VPNs are traditionally used for: • Intranets: Intranets connect an organization's locations. These locations range from the headquarters offices, to branch offices, to
  • Netgear FVL328 | FVL328 Reference Manual - Page 172
    pay the associated long distance telephone and service costs. Remote access VPNs greatly reduce expenses by enabling mobile workers between communication points across IP networks. IPSec provides data security at the IP packet level. A
  • Netgear FVL328 | FVL328 Reference Manual - Page 173
    • Encapsulating Security the intended receiver. ESP also provides all encryption services in IPSec. Encryption translates a readable message for the payload and not for the IP header. Figure E-1: Original packet and packet
  • Netgear FVL328 | FVL328 Reference Manual - Page 174
    The ESP header is inserted into the packet between the IP IP HDR represents the IP header and includes both source and destination IP addresses multiple secure VPNs, as well as define SAs within the VPN to support different departments
  • Netgear FVL328 | FVL328 Reference Manual - Page 175
    Mode SAs operate using modes. A mode is the method . The IP header is not changed. After the packet is processed with IPSec, the new IP packet contains the old IP header (with the source and destination IP addresses unchanged)
  • Netgear FVL328 | FVL328 Reference Manual - Page 176
    Key Management IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a
  • Netgear FVL328 | FVL328 Reference Manual - Page 177
    VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and
  • Netgear FVL328 | FVL328 Reference Manual - Page 178
    the firewall instructions for both gateways to understand how to open specific protocols, ports, and addresses that you intend to allow. Setting Up a VPN Tunnel Between Gateways An SA, frequently called a tunnel, is the set of information that allows two entities (networks, PCs, routers, firewalls
  • Netgear FVL328 | FVL328 Reference Manual - Page 179
    Figure E-5: VPN Tunnel SA Figure E-6: IPSec SA negotiation (steps shown between the two VPN gateways: 2) IKE Phase I authentication, 3) IKE Phase II negotiation, 4) Secure data transfer, 5) IPSec tunnel termination) 1. The IPSec software
  • Netgear FVL328 | FVL328 Reference Manual - Page 180
    2. IKE Phase I. a. The two parties the SA keys are created and exchanged, the IPSec SAs are ready to protect user data between the two VPN gateways. 4. Data transfer. Data is transferred between IPSec peers based on the IPSec
  • Netgear FVL328 | FVL328 Reference Manual - Page 181
    VPNC IKE Phase II Parameters The IKE Phase 2 parameters used in Scenario 1 are: • TripleDES • SHA-1 • ESP tunnel mode • MODP group 1 • Perfect forward secrecy for rekeying • SA lifetime of 28800 seconds (one hour)
  • Netgear FVL328 | FVL328 Reference Manual - Page 182
    • [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981. • [RFC 1058] Routing Information Protocol, C Hedrick, Rutgers University, June 1988. • [RFC 1483]
  • Netgear FVL328 | FVL328 Reference Manual - Page 183
    2003 Model/Firmware Tested: NETGEAR-Gateway A FVS318 firmware version A1.4 or FVM318 firmware version 1.1 NETGEAR-Gateway B FVL328 with firmware version 1.5 Release 07 IP Addressing: NETGEAR-Gateway A Static IP address NETGEAR-Gateway B Static IP address
  • Netgear FVL328 | FVL328 Reference Manual - Page 184
    user name of admin and default password of password. For this example we will assume you have set the local LAN address as 10.5.6.1 for Gateway A and have set your own password. Figure F-2: NETGEAR FVS318 VPN Settings Pre-Configuration
  • Netgear FVL328 | FVL328 Reference Manual - Page 185
    the finishing LAN IP Address of Gateway A (0.0.0.0 in our example) in the Local IP Local LAN finish IP Address field. - Type the LAN Subnet Mask of Gateway A (255.255.255.0 in our example) in the Local LAN IP Subnetmask field.
  • Netgear FVL328 | FVL328 Reference Manual - Page 186
    - Choose a subnet from local address from the Tunnel can access pull-down menu. - Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local IP Remote LAN Start IP Address field. - Type the finishing
  • Netgear FVL328 | FVL328 Reference Manual - Page 187
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure F-5: NETGEAR FVS318 VPN Settings After Inputting Configuration Info 4. When the screen returns to the VPN Settings, make sure the Enable check box is selected. Step-By-Step Configuration of FVL328 Gateway B 1. Log in to
  • Netgear FVL328 | FVL328 Reference Manual - Page 188
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure F-6: NETGEAR FVL328 IKE Policy Configuration - Part 1 - Enter an appropriate name for the policy in the Policy Name field. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the IKE
  • Netgear FVL328 | FVL328 Reference Manual - Page 189
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure F-7: NETGEAR FVL328 IKE Policy Configuration - Part 2 - NETGEAR FVL328 IKE Policies (Post Configuration) The FVS318 IKE Policy is now displayed in the IKE Policies page. 4. Click the VPN Policies link under the VPN
  • Netgear FVL328 | FVL328 Reference Manual - Page 190
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure F-9: NETGEAR FVL328 VPN - Auto Policy (part 1) - Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used "to318" as the Policy Name. In the Policy
  • Netgear FVL328 | FVL328 Reference Manual - Page 191
    ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure F-10: NETGEAR FVL328 VPN - Auto Policy (part 2) - From the Traffic Selector Remote IP drop-down box, select Subnet address. - Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address
  • Netgear FVL328 | FVL328 Reference Manual - Page 192
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure F-11: NETGEAR FVL328 VPN Policies Menu (Post Configuration) 6. When the screen returns to the VPN Policies, make sure the Enable check box is selected. Click the Apply button. Test the VPN Connection 1. From a PC behind
  • Netgear FVL328 | FVL328 Reference Manual - Page 193
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 13:19:02 - FVS318 IPSec:sizeof(connection)=1724 sizeof(state)=10048 sizeof(SA)=732 13:19:42 - FVS318 IPsec:call ipsecdoi_initiate 13:19:42 - FVS318 IPsec:New State index:0, sno:1 13:19:42 - FVS318 IPsec:Initiating Main Mode 13:
  • Netgear FVL328 | FVL328 Reference Manual - Page 194
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 F-12 NETGEAR VPN Configuration FVS318 or FVM318 to FVL328 May 2004, 202-10030-02
  • Netgear FVL328 | FVL328 Reference Manual - Page 195
    December 2003 Model/Firmware Tested: Gateway NETGEAR FVL328 firmware v 1.5 or FWAG114 firmware v 2.1 Client FVL328 Prosafe High Speed VPN Firewall v10.1 IP Addressing: Gateway Static IP address Client Dynamic NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router G-1 May 2004, 202
  • Netgear FVL328 | FVL328 Reference Manual - Page 196
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 LAN IP 192.168.0.0 Gateway FVL328 Network Addresses WAN IP Client WAN IP 66.120.188.153 0.0.0.0 PC with NETGEAR ProSafe VPN client Figure G-1: Addressing and Subnet Used for Examples Note: Product updates are available
  • Netgear FVL328 | FVL328 Reference Manual - Page 197
    Domain Name (the actual WAN IP address of the FVL328 will also be used in the Connection ID Type fields of the FVL328 Prosafe High Speed VPN Firewall as seen in "Security Policy Editor New Connection" on page G-8). NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router G-3 May 2004, 202-10030
  • Netgear FVL328 | FVL328 Reference Manual - Page 198
    FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 - For this example we typed FVL328 in the Local Identity Data field. - From the Remote Identity drop-down box, select Fully Qualified Domain Name. - Type VPNclient in the Remote Identity Data. This will also be entered in the FVL328
  • Netgear FVL328 | FVL328 Reference Manual - Page 199
    High-Speed VPN Firewall Reference Manual Revision 2 3. Click the VPN Policies link under the VPN category on the left side of the main menu. This will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new screen titled VPN - Auto Policy. Figure G-3: NETGEAR FVL328 VPN
  • Netgear FVL328 | FVL328 Reference Manual - Page 200
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 - From the Remote VPN Endpoint Address Type drop-down box, select IP Address. - Type 0.0.0.0 as the Address Data of the client because we are assuming the remote PC will have a dynamically assigned IP address. This will also be
  • Netgear FVL328 | FVL328 Reference Manual - Page 201
    (AH) option. Using the AH option will prevent clients behind a home NAT router from connecting. - From the ESP Configuration Authentication Algorithm drop-down box, select SHA-1. This will also be entered in the FVL328 Prosafe High Speed VPN Firewall Security Policy Key Exchange (Phase 2) Hash Alg
  • Netgear FVL328 | FVL328 Reference Manual - Page 202
    means, and we will assume it has a dynamically assigned IP address. 1. Install the FVL328 Firewall Software on the PC. Note: Before installing the FVL328 Prosafe High Speed VPN Firewall software, be sure to turn off any virus protection or firewall software you may be running on your PC. • You may
  • Netgear FVL328 | FVL328 Reference Manual - Page 203
    the Gateway IP Address, which is the static IP address for the FVL328 WAN port. 3. Configure the Connection Identity Settings. a. In the Network Security Policy list, click the My Identity subheading. Figure G-6: My Identity NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router G-9 May 2004
  • Netgear FVL328 | FVL328 Reference Manual - Page 204
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 In this example, select Domain Name as the ID Type, and enter VPNclient. Also, accept the default Internal Network IP Address of 0.0.0.0. Figure G-7: My Identity Pre-Shared Key b. Click Pre-Shared Key. In this example, enter
  • Netgear FVL328 | FVL328 Reference Manual - Page 205
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure G-9: Security Policy b. For this example, ensure that the following settings are configured: - In the Select Phase 1 Negotiation Mode menu, select Aggressive Mode. - Select the Enable Perfect Forward Secrecy (PFS) check
  • Netgear FVL328 | FVL328 Reference Manual - Page 206
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 • Expand the Security Policy heading, then expand the Authentication ( Hash Alg, select SHA-1. - In the Encapsulation menu, select Tunnel. G-12 NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router May 2004, 202-10030-02
  • Netgear FVL328 | FVL328 Reference Manual - Page 207
    FVL328 ProSafe High-Speed VPN Firewall Reference Manual VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN router NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router May 2004, 202-10030-02 G-13
  • Netgear FVL328 | FVL328 Reference Manual - Page 208
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Testing the VPN Connection You can test the VPN connection in several ways: • From the client PC to the FVL328 • From the FVL328 to the client PC These procedures are explained below. Note: Virus protection or firewall software
  • Netgear FVL328 | FVL328 Reference Manual - Page 209
    Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then FVL328 Prosafe High Speed VPN Firewall, then either the Connection Monitor or Log Viewer. NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router May 2004, 202-10030-02 G-15
  • Netgear FVL328 | FVL328 Reference Manual - Page 210
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 The Log Viewer screen for a successful FVL328 has a public IP WAN address of 66.120.188.153 • The FVL328 has a LAN IP address of 192.168.0.1 • The VPN client PC is behind a home NAT router and has a dynamically assigned address
  • Netgear FVL328 | FVL328 Reference Manual - Page 211
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Viewing the FVL328 VPN Status and Log Information Information on the status of the VPN client connection can be viewed by opening the FVL328 VPN Status screen. To view this screen, click the VPN Status link on the FVL328 main
  • Netgear FVL328 | FVL328 Reference Manual - Page 212
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 G-18 NETGEAR VPN Client to NETGEAR FVL328 or FWAG114 VPN Router May 2004, 202-10030-02
  • Netgear FVL328 | FVL328 Reference Manual - Page 213
    /Firmware Tested: NETGEAR-Gateway A FVS318 firmware version A1.4 or FVM318 firmware version 1.1 NETGEAR-Gateway B FVL328 with firmware version 1.5 Release 07 IP Addressing: NETGEAR-Gateway A Fully Qualified Domain Name (FQDN) NETGEAR-Gateway B Static IP address NETGEAR VPN Configuration FVS318
  • Netgear FVL328 | FVL328 Reference Manual - Page 214
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 10.5.6.0/24 LAN IP 10.5.6.1 VPNC Example Network Interface Addressing 172.23.9.0/24 Gateway A WAN IP FQDN netgear.dydns.org WAN IP 22.23.24.25 Gateway B LAN IP 172.23.9.1 Figure H-1: Addressing and Subnet Used for
  • Netgear FVL328 | FVL328 Reference Manual - Page 215
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 In order to establish VPN connectivity Gateway A must be configured to use Dynamic DNS, and Gateway B must be configured to use a DNS hostname to find Gateway A provided by a DDNS Service Provider. Again, the following step-by-
  • Netgear FVL328 | FVL328 Reference Manual - Page 216
    Note: The router supports only basic DDNS and the login and password may not be secure. If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet. 6. Click on the VPN Settings link
  • Netgear FVL328 | FVL328 Reference Manual - Page 217
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure H-4: NETGEAR FVS318 VPN Settings (part 1) - Main Mode - In the Connection Name box, enter in a unique name for the VPN tunnel to be configured between the NETGEAR devices. For this example we have used toFVL328. - Enter
  • Netgear FVL328 | FVL328 Reference Manual - Page 218
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 - Type the starting LAN IP Address of Gateway B (172.23.9.1 in our example) in the Local IP Remote LAN Start IP Address field. - Type the finishing LAN IP Address of Gateway B (0.0.0.0 in our example) in the Local IP Remote LAN
  • Netgear FVL328 | FVL328 Reference Manual - Page 219
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure H-6: NETGEAR FVS318 VPN Settings After Inputting Configuration Info 9. When the screen returns to the VPN Settings, make sure the Enable check box is selected. Step-By-Step Configuration of FVL328 Gateway B 1. Log in to
  • Netgear FVL328 | FVL328 Reference Manual - Page 220
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure H-7: NETGEAR FVL328 IKE Policy Configuration - Part 1 - Enter an appropriate name for the policy in the Policy Name field. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the IKE
  • Netgear FVL328 | FVL328 Reference Manual - Page 221
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure H-8: NETGEAR FVL328 IKE Policy Configuration - Part 2 - NETGEAR FVL328 IKE Policies (Post Configuration) The FVS318 IKE Policy is now displayed in the IKE Policies page. 4. Click the VPN Policies link under the VPN
  • Netgear FVL328 | FVL328 Reference Manual - Page 222
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure H-10: NETGEAR FVL328 VPN - Auto Policy (part 1) - Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. In our example we have used to318 as the Policy Name. In the Policy
  • Netgear FVL328 | FVL328 Reference Manual - Page 223
    ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure H-11: NETGEAR FVL328 VPN - Auto Policy (part 2) - From the Traffic Selector Remote IP drop-down box, select Subnet address. - Type the starting LAN IP Address of Gateway A (10.5.6.1 in our example) in the Remote IP Start IP Address
  • Netgear FVL328 | FVL328 Reference Manual - Page 224
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 Figure H-12: NETGEAR FVL328 VPN Policies Menu (Post Configuration) 6. When the screen returns to the VPN Policies, make sure the Enable check box is selected. Click the Apply button. Test the VPN Connection 1. From a PC behind
  • Netgear FVL328 | FVL328 Reference Manual - Page 225
    Glossary 10BASE-T 100BASE-Tx 3DES 802.11b AH CA CRL Denial of Service attack DES Diffie-Hellman IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring. IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring. 3DES (Triple DES) achieves a high level of security by
  • Netgear FVL328 | FVL328 Reference Manual - Page 226
    FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 DHCP DMZ DNS domain name Domain Name Server Dynamic Host Configuration Protocol ESP gateway IETF IKE IP See Dynamic Host Configuration Protocol. A Demilitarized Zone is used by a company that wants to host its own Internet services
  • Netgear FVL328 | FVL328 Reference Manual - Page 227
    FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 IP Address A four-position number uniquely defining each host on the Internet. Ranges of addresses networks. IPSec is a VPN method providing a higher level of security than PPTP. ISP Internet service provider. LAN See local
  • Netgear FVL328 | FVL328 Reference Manual - Page 228
    ProSafe High-Speed VPN Firewall Reference Manual Revision 2 NetBIOS netmask Network Address Translation PKIX packet PPP PPP over Ethernet PPTP PSTN Point-to-Point Protocol Public Key Infrastructure Network Basic Input Output System. An application programming interface (API) for sharing services
  • Netgear FVL328 | FVL328 Reference Manual - Page 229
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 RFC RIP router Routing Information Protocol subnet mask URL UTP VPN VPNC WAN wide area network Windows Internet Naming Service WINS Request For Comment. Refers to documents published by the Internet Engineering Task Force (
  • Netgear FVL328 | FVL328 Reference Manual - Page 230
    Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2 6 Glossary May 2004, 202-10030-02
  • Netgear FVL328 | FVL328 Reference Manual - Page 231
    8-3, B-14 customer support 1-iii D date and time 8-8 Index Index Daylight Savings Time 8-8 daylight savings time 5-14 Default DMZ Server 4-7 default reset button 8-7 Denial of Service (DoS) protection 2-3 denial of service attack B-11 DHCP 2-4, 4-2, B-9 DHCP Client ID C-9 DHCP Setup field, Ethernet
  • Netgear FVL328 | FVL328 Reference Manual - Page 232
    L LAN IP Setup Menu 4-4 LEDs description 2-7 troubleshooting 8-3 log sending 5-15, 7-15 Log Viewer G-15 M MAC address 8-7, B-8 spoofing 3-8, 3-12, 8-5 Macintosh configuring for IP networking C-9 DHCP Client ID C-9 MDI/MDI-X B-14 MDI/MDI-X wiring B-13 metric 4-14 MTU 4-8 multicasting 4-2 Multi-DMZ
  • Netgear FVL328 | FVL328 Reference Manual - Page 233
    6-27 port filtering 5-10 port forwarding behind NAT B-8 port numbers 5-4 Port Triggering 2-2 PPP over Ethernet 2-4 PPPoE 2-4, 3-6 PPTP 3-11 Primary DNS Server 3-7, 3-8, 3-9, 3-11, 3-12 protocols Address Resolution B-8 DHCP 2-4, B-9 Routing Information 2-4, B-2 support 2-4 TCP/IP 2-4 publications
  • Netgear FVL328 | FVL328 Reference Manual - Page 234
    V Virtual Private Networking 2-2, 2-3 VPN E-1 VPN Consortium E-6 VPN features 2-2 VPN Process Overview E-7 VPN Wizard 2-1 VPNC IKE Phase I Parameters E-10 VPNC IKE Phase II Parameters E-11 W Windows, configuring for IP routing C-5, C-8 winipcfg utility C-7 World Wide Web 1-iii 4 Index
