User manual NETGEAR FWAG114 - Reference Manual

Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA SM-FWAG114NA-0 Version 1.0 June 2003 © 2003 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Statement of Conditions In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: · · · · Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. FCC Caution 1. FCC RF Radiation Exposure Statement: The equipment complies with FCC RF radiation exposure limits set forth for an uncontrolled environment. This equipment should be installed and operated with a minimum distance of 20 centimeters between the radiator and your body. This Transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. 3. Changes or modifications to this unit not expressly approved by the party responsible for compliance could void the user authority to operate the equipment. 2. EN 55 022 Declaration of Conformance This is to certify that the ProSafe Dual Band Wireless VPN Firewall FWAG114 is shielded against the generation of radio interference in accordance with the application of Council Directive 89/336/EEC, Article 4a. Conformity is declared by the application of EN 55 022 Class B (CISPR 22). ii Bestätigung des Herstellers/Importeurs Es wird hiermit bestätigt, daß das ProSafe Dual Band Wireless VPN Firewall FWAG114 gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung. Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen. Certificate of the Manufacturer/Importer It is hereby certified that the ProSafe Dual Band Wireless VPN Firewall FWAG114 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling. iii iv Contents Chapter 1 About This Manual Audience .........................................................................................................................1-1 Typographical Conventions ............................................................................................1-1 Special Message Formats ..............................................................................................1-1 Features of the HTML Version of this Manual ................................................................1-2 Chapter 2 Introduction Key Features of the VPN Firewall ..................................................................................2-1 802.11g and 802.11b Wireless Networking ..............................................................2-2 A Powerful, True Firewall with Content Filtering ......................................................2-2 Security ....................................................................................................................2-3 Autosensing Ethernet Connections with Auto Uplink ...............................................2-3 Extensive Protocol Support ......................................................................................2-3 Easy Installation and Management ..........................................................................2-4 Maintenance and Support ........................................................................................2-5 Package Contents ..........................................................................................................2-5 The FWAG114's Front Panel ...................................................................................2-6 The FWAG114's Rear Panel ....................................................................................2-7 Chapter 3 Connecting the FWAG114 to the Internet What You Will Need Before You Begin ...........................................................................3-1 Cabling and Computer Hardware Requirements .....................................................3-1 Computer Network Configuration Requirements .....................................................3-1 Internet Configuration Requirements .......................................................................3-2 Where Do I Get the Internet Configuration Parameters? .........................................3-2 Record Your Internet Connection Information ..........................................................3-3 Connecting the ProSafe Dual Band Wireless VPN Firewall FWAG114 to Your LAN .....3-4 PPPoE Wizard-Detected Option ..............................................................................3-8 Contents v Dynamic IP Wizard-Detected Option .....................................................................3-10 Fixed IP Account Wizard-Detected Option ............................................................. 3-11 Manually Configuring Your Internet Connection ...........................................................3-12 Chapter 4 Wireless Configuration Observe Performance, Placement, and Range Guidelines ............................................4-1 Implement Appropriate Wireless Security ......................................................................4-2 Understanding Wireless Settings ...................................................................................4-4 Common Wireless Settings ......................................................................................4-5 Understanding WEP Authentication and Encryption ................................................4-6 Authentication Type ...........................................................................................4-6 WEP ..................................................................................................................4-7 Default Factory Settings ...........................................................................................4-7 Before You Change the SSID and WEP Settings ....................................................4-8 How to Set Up and Test Basic Wireless Connectivity ..............................................4-9 How to Restrict Wireless Access by MAC Address ...............................................4-10 How to Configure WEP ..........................................................................................4-12 Chapter 5 Firewall Protection and Content Filtering Firewall Protection and Content Filtering Overview ........................................................5-1 Block Sites ......................................................................................................................5-2 Using Rules to Block or Allow Specific Kinds of Traffic ..................................................5-3 Inbound Rules (Port Forwarding) .............................................................................5-5 Inbound Rule Example: A Local Public Web Server ..........................................5-5 Inbound Rule Example: Allowing Videoconference from Restricted Addresses 5-6 Considerations for Inbound Rules .....................................................................5-6 Outbound Rules (Service Blocking) .........................................................................5-7 Following is an application example of outbound rules: ....................................5-7 Outbound Rule Example: Blocking Instant Messenger .....................................5-7 Order of Precedence for Rules ................................................................................5-8 Default DMZ Server .................................................................................................5-8 Respond to Ping on Internet WAN Port ...................................................................5-9 Services ........................................................................................................................5-10 Using a Schedule to Block or Allow Specific Traffic ......................................................5-12 Time Zone ........................................................................................................5-13 vi Contents Getting E-Mail Notifications of Event Logs and Alerts ..................................................5-14 Viewing Logs of Web Access or Attempted Web Access .............................................5-16 Syslog ....................................................................................................................5-17 Chapter 6 Maintenance Viewing VPN Firewall Status Information .......................................................................5-1 Viewing a List of Attached Devices .................................................................................5-5 Upgrading the Router Software ......................................................................................5-5 Configuration File Management .....................................................................................5-6 Restoring and Backing Up the Configuration ...........................................................5-7 Erasing the Configuration .........................................................................................5-8 Changing the Administrator Password ...........................................................................5-8 Chapter 7 Virtual Private Networking Overview of FWAG114 Policy-Based VPN Configuration ..............................................6-1 Using Policies to Manage VPN Traffic .....................................................................6-2 Using Automatic Key Management ..........................................................................6-2 IKE Policies' Automatic Key and Authentication Management ................................6-3 VPN Policy Configuration for Auto Key Negotiation .................................................6-6 VPN Policy Configuration for Manual Key Exchange ...............................................6-9 Using Digital Certificates for IKE Auto-Policy Authentication .......................................6-14 Certificate Revocation List (CRL) ...........................................................................6-14 Walk-Through of Configuration Scenarios on the FWAG114 .......................................6-15 VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets .......................................................6-16 FWAG114 Scenario 1: FWAG114 to Gateway B IKE and VPN Policies ................6-17 How to Check VPN Connections ...........................................................................6-20 FWAG114 Scenario 2: FWAG114 to FWAG114 with RSA Certificates ..................6-22 Chapter 8 Advanced Configuration How to Configure Dynamic DNS ....................................................................................6-1 Using the LAN IP Setup Options ....................................................................................6-3 Configuring LAN TCP/IP Setup Parameters ............................................................6-3 Using the Router as a DHCP server ........................................................................6-4 Using Address Reservation ......................................................................................6-5 Configuring Static Routes ...............................................................................................6-6 Contents vii Enabling Remote Management Access .........................................................................6-8 Chapter 9 Troubleshooting Basic Functioning ...........................................................................................................7-1 Power LED Not On ...................................................................................................7-1 LEDs Never Turn Off ................................................................................................7-2 LAN or Internet Port LEDs Not On ...........................................................................7-2 Troubleshooting the Web Configuration Interface ..........................................................7-3 Troubleshooting the ISP Connection ..............................................................................7-4 Troubleshooting a TCP/IP Network Using a Ping Utility .................................................7-5 Testing the LAN Path to Your Router .......................................................................7-5 Testing the Path from Your PC to a Remote Device ................................................7-6 Restoring the Default Configuration and Password ........................................................7-7 Problems with Date and Time .........................................................................................7-7 Appendix A Technical Specifications Appendix B Network, Routing, Firewall, and Basics Related Publications ...................................................................................................... B-1 Basic Router Concepts .................................................................................................. B-1 What is a Router? ................................................................................................... B-2 Routing Information Protocol ................................................................................... B-2 IP Addresses and the Internet ....................................................................................... B-2 Netmask .................................................................................................................. B-4 Subnet Addressing .................................................................................................. B-5 Private IP Addresses ............................................................................................... B-7 Single IP Address Operation Using NAT ....................................................................... B-8 MAC Addresses and Address Resolution Protocol ................................................. B-9 Related Documents ................................................................................................. B-9 Domain Name Server ............................................................................................ B-10 IP Configuration by DHCP ........................................................................................... B-10 Internet Security and Firewalls .................................................................................... B-10 What is a Firewall? .................................................................................................B-11 Stateful Packet Inspection ...............................................................................B-11 Denial of Service Attack ..................................................................................B-11 viii Contents Ethernet Cabling .......................................................................................................... B-12 Uplink Switches, Crossover Cables, and MDI/MDIX Switching ............................ B-12 Cable Quality ......................................................................................................... B-13 Appendix C Preparing Your Network Preparing Your Computers for TCP/IP Networking ....................................................... C-1 Configuring Windows 95, 98, and Me for TCP/IP Networking ....................................... C-2 Install or Verify Windows Networking Components ................................................. C-2 Enabling DHCP to Automatically Configure TCP/IP Settings ................................. C-4 Selecting Windows' Internet Access Method .......................................................... C-6 Verifying TCP/IP Properties .................................................................................... C-6 Configuring Windows NT4, 2000 or XP for IP Networking ............................................ C-7 Install or Verify Windows Networking Components ................................................. C-7 Enabling DHCP to Automatically Configure TCP/IP Settings ................................. C-8 DHCP Configuration of TCP/IP in Windows XP ..................................................... C-8 DHCP Configuration of TCP/IP in Windows 2000 ................................................ C-10 DHCP Configuration of TCP/IP in Windows NT4 .................................................. C-13 Verifying TCP/IP Properties for Windows XP, 2000, and NT4 .............................. C-15 Configuring the Macintosh for TCP/IP Networking ...................................................... C-16 MacOS 8.6 or 9.x .................................................................................................. C-16 MacOS X ............................................................................................................... C-16 Verifying TCP/IP Properties for Macintosh Computers ......................................... C-17 Verifying the Readiness of Your Internet Account ....................................................... C-18 Are Login Protocols Used? ................................................................................... C-18 What Is Your Configuration Information? .............................................................. C-18 Obtaining ISP Configuration Information for Windows Computers ....................... C-19 Obtaining ISP Configuration Information for Macintosh Computers ..................... C-20 Restarting the Network ................................................................................................ C-21 Appendix D Wireless Networking Basics Wireless Networking Overview ...................................................................................... D-1 Infrastructure Mode ................................................................................................. D-2 Ad Hoc Mode (Peer-to-Peer Workgroup) ................................................................ D-2 Network Name: Extended Service Set Identification (ESSID) ................................ D-2 Authentication and WEP Data Encryption ..................................................................... D-3 Contents ix 802.11 Authentication .............................................................................................. D-3 Open System Authentication ................................................................................... D-4 Shared Key Authentication ...................................................................................... D-4 Overview of WEP Parameters ................................................................................ D-5 Key Size .................................................................................................................. D-6 WEP Configuration Options .................................................................................... D-7 Wireless Channels ......................................................................................................... D-7 802/11b/g Wireless Channels ................................................................................. D-8 802/11a Legal Power Output and Wireless Channels ............................................. D-9 Appendix E Virtual Private Networking What is a VPN? ............................................................................................................. E-1 What Is IPSec and How Does It Work? ......................................................................... E-2 IPSec Security Features ......................................................................................... E-2 IPSec Components ................................................................................................. E-3 Encapsulating Security Payload (ESP) ................................................................... E-3 Authentication Header (AH) .................................................................................... E-4 IKE Security Association ......................................................................................... E-5 Mode ................................................................................................................. E-5 Key Management .................................................................................................... E-6 Understand the Process Before You Begin ................................................................... E-7 VPN Process Overview ................................................................................................. E-7 Network Interfaces and Addresses ......................................................................... E-8 Interface Addressing ......................................................................................... E-8 Firewalls ........................................................................................................... E-9 Setting Up a VPN Tunnel Between Gateways ........................................................ E-9 VPNC IKE Security Parameters ...................................................................................E-11 VPNC IKE Phase I Parameters ..............................................................................E-11 VPNC IKE Phase II Parameters ............................................................................ E-12 Testing and Troubleshooting ........................................................................................ E-12 Additional Reading ...................................................................................................... E-12 Glossary List of Glossary Terms ................................................................................................... G-1 Index x Contents Chapter 1 About This Manual Congratulations on your purchase of the NETGEAR® ProSafe Dual Band Wireless VPN Firewall FWAG114. The FWAG114 wireless firewall provides connection for multiple personal computers (PCs) to the Internet through an external broadband access device (such as a cable modem or DSL modem) that is normally intended for use by a single PC. Audience This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial information is provided in the Appendices and on the Netgear website. Typographical Conventions This guide uses the following typographical conventions: Table 1. italics bold times roman [Enter] Typographical conventions Emphasis. User input. Named keys in text are shown enclosed in square brackets. The notation [Enter] is used for the Enter key and the Return key. DOS file and directory names. SMALL CAPS Special Message Formats This guide uses the following formats to highlight special messages: Note: This format is used to highlight information of importance or special interest. About This Manual 1 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Features of the HTML Version of this Manual The HTML version of this manual includes these features. 1 2 3 Figure Preface -2: HTML version of this manual 1. Left pane. Use the left pane to view the Contents, Index, Search, and Favorites tabs. To view the HTML version of the manual, you must have a version 4 or later browser with Java or JavaScript enabled. To use the Favorites feature, your browser must be set to accept cookies. You can record a list of favorite pages in the manual for easy later retrieval. 2. Toolbar buttons. Use the toolbar buttons across the top to navigate, print pages, and more. ­ ­ ­ ­ ­ ­ The Show in Contents button locates the currently displayed topic in the Contents tab. Previous/Next buttons display the topic that precedes or follows the current topic. The PDF button links to a PDF version of the full manual. The E-mail button enables you to send feedback by e-mail to Netgear support. The Print button prints the currently displayed topic. Using this button when a step-by-step procedure is displayed will send the entire procedure to your printer--you do not have to worry about specifying the correct range of pages. The Bookmark button bookmarks the currently displayed page in your browser. 3. Right pane. Use the right pane to view the contents of the manual. Also, each page of the manual includes a "PDF of This Chapter" link at the top right which links to a PDF file containing just the currently selected chapter of the manual. 2 About This Manual Chapter 2 Introduction This chapter describes the features of the NETGEAR ProSafe Dual Band Wireless VPN Firewall FWAG114. Key Features of the VPN Firewall The ProSafe Dual Band Wireless VPN Firewall FWAG114 with 4-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FWAG114 is a complete security solution that protects your network from attacks and intrusions. Unlike simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the FWAG114 uses Stateful Packet Inspection for Denial of Service attack (DoS) attack protection and intrusion detection. The FWAG114 allows Internet access for up to 253 users. The FWAG114 wireless firewall provides you with multiple Web content filtering options, plus browsing activity reporting and instant alerts -- both via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, Website addresses and address keywords, and share high-speed cable/DSL Internet access for up to 253 personal computers. In addition to NAT, the built-in firewall protects you from hackers. With minimum setup, you can install and use the router within minutes. The FWAG114 wireless firewall provides the following features: · · · · · · · · 802.11g and 802.11b standards-based wireless networking. Easy, web-based setup for installation and management. Content Filtering and Site Blocking Security. Built in 4-port 10/100 Mbps Switch. Ethernet connection to a WAN device, such as a cable modem or DSL modem. Extensive Protocol Support. Login capability. Front panel LEDs for easy monitoring of status and activity. 2-1 Introduction Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 · Flash memory for firmware upgrade. 802.11g and 802.11b Wireless Networking The FWAG114 wireless firewall includes an 802.11b-compliant wireless access point, providing continuous, high-speed 11 Mbps access between your wireless and Ethernet devices. The access point provides: · · · · · · 802.11b Standards-based wireless networking at up to 11 Mbps. 802.11g wireless networking at up to 54 Mbps, which will conform to the 802.11g standard when ratified. 64-bit and 128-bit WEP encryption security. WEP keys can be generated manually or by passphrase. Wireless access can be restricted by MAC address. Wireless network name broadcast can be turned off so that only devices that have the network name (SSID) can connect. A Powerful, True Firewall with Content Filtering Unlike simple Internet sharing NAT routers, the FWAG114 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include: · DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing. · · · Blocks unwanted traffic from the Internet to your LAN. Blocks access from your LAN to Internet locations or services that you specify as off-limits. Logs security incidents. The FWAG114 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the router to email the log to you at specified intervals. You can also configure the router to send immediate alert messages to your email address or email pager whenever a significant event occurs. 2-2 Introduction Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 · With its content filtering feature, the FWAG114 prevents objectionable content from reaching your PCs. The router allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the router to log and report attempts to access objectionable Internet sites. Security The FWAG114 wireless firewall is equipped with several features designed to maintain security, as described in this section. · PCs Hidden by NAT NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN. Port Forwarding with NAT Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the router allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request, or to one designated "DNS" host computer. You can specify forwarding of single ports or ranges of ports. · Autosensing Ethernet Connections with Auto Uplink With its internal 8-port 10/100 switch, the FWAG114 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The router incorporates Auto UplinkTM technology. Each Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a `normal' connection such as to a PC or an `uplink' connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. Extensive Protocol Support The FWAG114 wireless firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to Appendix B, "Network, Routing, Firewall, and Basics." Introduction 2-3 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 · IP Address Sharing by NAT The FWAG114 wireless firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account. Automatic Configuration of Attached PCs by DHCP The FWAG114 wireless firewall dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network. DNS Proxy When DHCP is enabled and no DNS addresses are specified, the router provides its own address as a DNS server to the attached PCs. The router obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. PPP over Ethernet (PPPoE) PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as Entersys or WinPOET on your PC. · · · Easy Installation and Management You can install, configure, and operate the ProSafe Dual Band Wireless VPN Firewall FWAG114 within minutes after connecting it to the network. The following features simplify installation and management tasks: · Browser-based management Browser-based configuration allows you to easily configure your router from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface. Smart Wizard The FWAG114 wireless firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account. Diagnostic functions The firewall incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. · · 2-4 Introduction Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 · Remote management The firewall allows you to login to the Web Management Interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number. Visual monitoring The FWAG114 wireless firewall's front panel LEDs provide an easy way to monitor its status and activity. · Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FWAG114 wireless firewall: · · Flash memory for firmware upgrade Free technical support seven days a week, twenty-four hours a day Package Contents The product package should contain the following items: · · · · ProSafe Dual Band Wireless VPN Firewall FWAG114. AC power adapter. Category 5 (Cat 5) Ethernet cable. Resource CD for ProSafe Dual Band Wireless VPN Firewall, including: -- This guide. -- Application Notes and other helpful information. · Registration and Warranty Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the router for repair. Introduction 2-5 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 The FWAG114's Front Panel The front panel of the FWAG114 wireless firewall contains the status LEDs described below. Broadband ProSafe Dual-Band Wireless VPN Firewall 100 PWR TEST LINK/ACT 1 2 3 4 MODEL 100 LINK/ACT 802.11a 802.11g FWAG114 Figure 2-1: FWAG114 Front Panel You can use some of the LEDs to verify connections. Viewed from left to right, Table 2-1 describes the LEDs on the front panel of the router. These LEDs are green when lit. Table 2-1. Label POWER TEST INTERNET 100 (100 Mbps) LINK/ACT (Link/Activity) LOCAL 100 (100 Mbps) LINK/ACT (Link/Activity) WLAN On Off On Blinking On The Local port is operating at 100 Mbps. The Local port is operating at 10 Mbps. The Local port has detected a link with an attached device. Data is being transmitted or received by the Local port. The Wireless (WLAN) port is operating. On Off On Blinking The Internet (WAN) port is operating at 100 Mbps. The Internet (WAN) port is operating at 10 Mbps. The Internet port has detected a link with an attached device. Data is being transmitted or received by the Internet port. LED Descriptions Activity On On Off Description Power is supplied to the firewall. The system is initializing. The system is ready and running. 2-6 Introduction Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 The FWAG114's Rear Panel The rear panel of the FWAG114 wireless firewall contains the port connections listed below. 12VDC, 1.2A Reset Internet 4 3 2 1 Figure 1-2: FWAG114 Rear Panel Viewed from left to right, the rear panel contains the following features: · · · · · · Wireless antenna AC power adapter outlet Factory Default Reset push button Internet (WAN) Ethernet port for connecting the router to a cable or DSL modem Four LAN Ethernet ports Wireless antenna Introduction 2-7 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 2-8 Introduction Chapter 3 Connecting the FWAG114 to the Internet This chapter describes how to set up the router on your local area network (LAN) and connect to the Internet. You find out how to configure your ProSafe Dual Band Wireless VPN Firewall FWAG114 for Internet access using the Setup Wizard, or how to manually configure your Internet connection. What You Will Need Before You Begin You need to prepare these three things before you begin: 1. 2. 3. Have active Internet service such as that provided by an cable or DSL broadband account. Locate the Internet Service Provider (ISP) configuration information for your DSL account. Connect the router to a cable or DSL modem and a computer as explained below. Cabling and Computer Hardware Requirements To use the FWAG114 wireless firewall on your network, each computer must have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable such as the one provided with your router. Computer Network Configuration Requirements The FWAG114 includes a built-in Web Configuration Manager. To access the configuration menus on the FWAG114, your must use a Java-enabled web browser program which supports HTTP uploads such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends using Internet Explorer or Netscape Navigator 4.0 or above. Free browser programs are readily available for Windows, Macintosh, or UNIX/Linux. For the initial connection to the Internet and configuration of your router, you will need to connect a computer to the router which is set to automatically get its TCP/IP configuration from the router via DHCP. Connecting the FWAG114 to the Internet 3-1 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Note: For help with DHCP configuration, please refer to Appendix C, "Preparing Your Network. The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T) Ethernet interface. Internet Configuration Requirements Depending on how your ISP set up your Internet account, you will need one or more of these configuration parameters to connect your router to the Internet: · · · · Host and Domain Names ISP Login Name and Password ISP Domain Name Server (DNS) Addresses Fixed IP Address which is also known as Static IP Address Where Do I Get the Internet Configuration Parameters? There are several ways you can gather the required Internet connection information. · · Your ISP provides all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISP to provide it or you can try one of the options below. If you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer. -- For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page. -- For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page. -- For Macintosh computers, open the TCP/IP or Network control panel. Record all the settings for each section. · You may also refer to the FWAG114 Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below. 3-2 Connecting the FWAG114 to the Internet Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Record Your Internet Connection Information Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP). ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs. If you connect using a login name and password, then fill in the following: Login Name: ______________________________ Password: ____________________________ Service Name: _____________________________ Fixed or Static IP Address: If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address. Fixed or Static Internet IP Address: ______ . ______ . ______ . ______ Gateway IP Address: ______ . ______ . ______ . ______ Subnet Mask: ______ . ______ . ______ . ______ ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following: Primary DNS Server IP Address: ______ . ______ . ______ . ______ Secondary DNS Server IP Address: ______ . ______ . ______ . ______ Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or home. If you haven't been given host or domain names, you can use the following examples as a guide: · · If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name. If your ISP's mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name. ISP Host Name: _________________________ ISP Domain Name: _______________________ Connecting the FWAG114 to the Internet 3-3 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Connecting the ProSafe Dual Band Wireless VPN Firewall FWAG114 to Your LAN This section provides instructions for connecting the FWAG114 wireless firewall. Also, the Resource CD for ProSafe Dual Band Wireless VPN Firewall included with your router contains an animated Installation Assistant to help you through this procedure. Procedure: Connecting the VPN Firewall There are three steps to connecting your router: 1. 2. 3. Connect the router to your network Log in to the router Connect to the Internet Follow the steps below to connect your router to your network. You can also refer to the Resource CD included with your router which contains an animated Installation Assistant to help you through this procedure. 1. Connect the VPN firewall to your network. a. b. Turn off your computer and Cable or DSL Modem. Disconnect the Ethernet cable (A) from your computer which connects to your cable or DSL modem. A Cable or DSL modem Figure 3-1: Disconnect the cable or DSL Modem 3-4 Connecting the FWAG114 to the Internet Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 c. Connect the Ethernet cable from your cable or DSL modem to the Internet port (A) on the FWAG114. FWAG114 ProSafe Wireless VPN Firewall I N TER N ET R ESET 5 -1 2 V DC LA N LA N LA N LA N A Broadband Modem Figure 3-2: Connect the cable or DSL Modem to the router d. Connect the Ethernet cable which came with the router from a Local port on the router (B) to your computer. FWAG114 ProSafe Wireless VPN Firewall I N TER N ET R ESET 5 -1 2 V DC LA N LA N LA N LA N B Broadband Modem Figure 3-3: Connect the computers on your network to the router Connecting the FWAG114 to the Internet 3-5 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Note: The FWAG114 wireless firewall incorporates Auto UplinkTM technology. Each LOCAL Ethernet port will automatically sense if the cable should have a normal connection or an uplink connection. This feature eliminates the need to worry about crossover cables because Auto Uplink will make the right connection either type of cable. e. f. Now, turn on your computer. If software usually logs you in to your Internet connection, do not run that software or cancel it if it starts automatically. Verify the following: · · · When your turn the router on, the power light goes on. The router's local lights are lit for any computers that are connected to it. The router's Internet light is lit, indicating a link has been established to the cable or DSL modem. Note: For wireless placement and range guidelines, and wireless configuration instructions, please see Chapter 4, "Wireless Configuration." 2. Log in to the VPN firewall . Note: To connect to the router, your computer needs to be configured to obtain an IP address automatically via DHCP. If you need instructions on how to do this, please refer to Appendix C, "Preparing Your Network. a. Connect to the router by typing http://192.168.0.1 in the address filed of Internet Explorer or Netscape® Navigator. Figure 3-4: Log in to the router b. For security reasons, the router has its own user name and password. When prompted, enter admin for the router user name and password for the router password, both in lower case letters.The router user name and password are not the same as any user name or password you may use to log in to your Internet connection. 3-6 Connecting the FWAG114 to the Internet Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 A login window shown below opens: Figure 3-5: Login window 3. Connect to the Internet Figure 3-6: Setup Wizard a. b. You are now connected to the router. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu. Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet. Note: If you choose not to use the Setup Wizard, you can manually configure your Internet connection settings by following the procedure "Manually Configuring Your Internet Connection" on page 3-12. Unless your ISP automatically assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP as you recorded them previously in "Record Your Internet Connection Information" on page 3-3. Connecting the FWAG114 to the Internet 3-7 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 c. When the router successfully detects an active Internet service, the router's Internet LED goes on. The Setup Wizard reports which connection type it discovered, and displays the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted to check the physical connection between your router and the cable or DSL line. The Setup Wizard will report the type of connection it finds. The options are: · · · Connections which require a login using protocols such as PPPoE, DHCP, or Static IP broadband connections. Connections which use dynamic IP address assignment. Connections which use fixed IP address assignment. d. The procedures for filling in the configuration menu for each type of connection follow below. PPPoE Wizard-Detected Option If the Setup Wizard discovers that your ISP uses PPPoE, you will see this menu: Figure 3-7: Setup Wizard menu for PPPoE accounts 3-8 Connecting the FWAG114 to the Internet Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 · · · · · · Enter the Account Name, Domain Name, Login, and Password as provided by your ISP. These fields are case sensitive. The router will try to discover the domain automatically if you leave the Domain Name blank. Otherwise, you may need to enter it manually. To change the login timeout, enter a new value in minutes. This determines how long the router keeps the Internet connection active after there is no Internet activity from the LAN. Entering a timeout value of zero means never log out. Note: You no longer need to run the ISP's login program on your PC in order to access the Internet. When you start an Internet application, your router will automatically log you in. If you know that your ISP does not automatically transmit DNS addresses to the router during login, select "Use these DNS servers" and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. Note: If you enter DNS addresses, restart your computers so that these settings take effect. If your ISP requires a specific MAC address for the connection, you may need to fill a MAC address. Usually, it is not necessary to change the MAC address setting. Click Apply to save your settings. Click Test to verify that your Internet connection works. If the NETGEAR website does not appear within one minute, refer to Chapter 9, "Troubleshooting." Connecting the FWAG114 to the Internet 3-9 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Dynamic IP Wizard-Detected Option If the Setup Wizard discovers that your ISP uses Dynamic IP assignment, you will see this menu: Figure 3-8: Setup Wizard menu for Dynamic IP address accounts · · · · · Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. If you leave the Domain Name field blank, the router try to discover the domain. Otherwise, you may need to enter it manually. If you know that your ISP does not automatically transmit DNS addresses to the router during login, select Use these DNS servers and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. Note: If you enter DNS addresses, restart your computers so that these settings take effect. If your ISP requires a specific MAC address for the connection, you may need to fill a MAC address. Usually, it is not necessary to change the MAC address setting. Click Apply to save your settings. Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 9, "Troubleshooting." Connecting the FWAG114 to the Internet 3-10 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Fixed IP Account Wizard-Detected Option If the Setup Wizard discovers that your ISP uses Fixed IP assignment, you will see this menu: Figure 3-9: Setup Wizard menu for Fixed IP address accounts · · · · · Fixed IP is also called Static IP. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP's gateway router. This information should have been provided to you by your ISP. You will need the configuration parameters from your ISP you recorded in "Record Your Internet Connection Information" on page 3-3. Enter the IP address of your ISP's Primary and Secondary DNS Server addresses. Note: Restart the computers on your network so that these settings take effect. If your ISP requires a specific MAC address for the connection, you may need to fill a MAC address. Usually, it is not necessary to change the MAC address setting. Click Apply to save the settings. Click Test to test your Internet connection. If the NETGEAR website does not appear within one minute, refer to Chapter 9, "Troubleshooting." Connecting the FWAG114 to the Internet 3-11 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Manually Configuring Your Internet Connection You can manually configure your router using the menu below, or you can allow the Setup Wizard to determine your configuration as described in the previous section. ISP Does Not Require Login ISP Does Require Login Figure 3-10: Browser-based configuration Basic Settings menus 3-12 Connecting the FWAG114 to the Internet Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Procedure: Configuring the Internet Connection Manually You can manually configure the router using the Basic Settings menu shown in Figure 3-10 using these steps: 1. 2. Click the Basic Settings link on the Setup menu. If your Internet connection does not require a login, click No at the top of the Basic Settings menu and fill in the settings according to the instructions below. If your Internet connection does require a login, click Yes, and skip to step 3. a. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers. Internet IP Address: If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select "Use static IP address". Enter the IP address that your ISP assigned. Also enter the netmask and the Gateway IP address. The Gateway is the ISP's router to which your router will connect. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the router during login, select "Use these DNS servers" and enter the IP address of your ISP's Primary DNS Server. If a Secondary DNS Server address is available, enter it also. Note: If you enter an address here, restart the computers on your network so that these settings take effect. b. c. d. Gateway's MAC Address: This section determines the Ethernet MAC address that will be used by the router on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is first opened. They will then only accept traffic from the MAC address of that PC. This feature allows your router to masquerade as that PC by "cloning" its MAC address. To change the MAC address, select "Use this Computer's MAC address." The router will then capture and use the MAC address of the PC that you are now using. You must be using the one PC that is allowed by the ISP. Or, select "Use this MAC address" and enter it. e. 3. Click Apply to save your settings. If your Internet connection does require a login, fill in the settings according to the instructions below. 3-13 Connecting the FWAG114 to the Internet Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Note: After you finish setting up your router, you will no longer need to launch the ISP's login program on your PC in order to access the Internet. When you start an Internet application, your router will automatically log you in. a. b. c. d. Select you Internet service provisory from the drop-down list. The screen will change according to the ISP settings requirements of the ISP you select. Fill in the parameters for your ISP according to the Wizard-detected procedures starting on page 3-8. Click Apply to save your settings. 3-14 Connecting the FWAG114 to the Internet Chapter 4 Wireless Configuration This chapter describes how to configure the wireless features of your FWAG114 wireless firewall. Observe Performance, Placement, and Range Guidelines In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your FWAG114 in order to maximize the network speed. For further information on wireless networking, refer to in Appendix D, "Wireless Networking Basics." The operating distance or range of your wireless connection can vary significantly based on the physical placement of the FWAG114 wireless firewall. The latency, data throughput performance, and notebook power consumption also vary depending on your configuration choices. Note: Failure to follow these guidelines can result in significant performance degradation or inability to wirelessly connect to the VPN firewall . For complete range and performance specifications, please see Appendix A, "Technical Specifications." For best results, place your VPN firewall : · · Near the center of the area in which your PCs will operate. In an elevated location such as a high shelf where the wirelessly connected PCs have line-of-sight access (even if through walls). The best location is elevated, such as wall mounted or on the top of a cubicle, and at the center of your wireless coverage area for all the mobile devices. Away from sources of interference, such as PCs, microwaves, and 2.4 GHz cordless phones. The 802.11a standard operates at a higher frequency and should be less susceptible to interference from cordless phones. This higher 802.11a frequency may not offer as much range as the lower frequency 802.11b/g in a indoor environment with lots of obstructions. Away from large metal surfaces. · · Wireless Configuration 4-1 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Be aware that the time it takes to establish a wireless connection can vary depending on both your security settings and placement. WEP connections can take slightly longer to establish. Also, WEP encryption can consume more battery power on a notebook PC. Implement Appropriate Wireless Security Note: Indoors, computers can connect over 802.11 wireless networks at ranges of 300 feet or more. Such distances can allow for others outside of your immediate area to access your network. Unlike wired network data, your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment. The FWAG114 wireless firewall provides highly effective security features which are covered in detail in this chapter. Deploy the security features appropriate to your needs. FWAG11 5 -1 2 V DC R ESET Wireless Data Security Options LA N I N TER N ET LA N LA N LA N Range: Up to 300 Feet 1) Open System: Easy but no security 2) MAC Access List: No data security 3) WEP: Security but some performance impact Figure 4-1: FWAG114 wireless data security options 4-2 Wireless Configuration Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 There are several ways you can enhance the security of you wireless network. · Restrict Access Based on MAC Address. You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the FWAG114. Restricting access by MAC address adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed. Turn Off the Broadcast of the Wireless Network Name SSID. If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network `discovery' feature of some products such as Windows XP, but the data is still fully exposed. Turn Off Bridging to the Wired LAN. If you disable bridging to the LAN, wireless devices cannot communicate with computers on the Ethernet LAN but can still access the Internet. This blocks any access to the computers on the wired LAN but the wireless data routed to the Internet is still fully exposed. WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP Shared Key authentication and WEP data encryption will block all but the most determined eavesdropper. · · · Wireless Configuration 4-3 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Understanding Wireless Settings To configure the wireless settings of your FWAG114, click the Wireless 11a or Wireless 11b/g link in the Setup section of the main menu. The wireless settings menu will appear, as shown below. Figure 4-2: Wireless 11a and 11b/g Settings menus 4-4 Wireless Configuration Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Note: The 802.11b and 802.11g wireless networking protocols are configured in exactly the same fashion. The FWAG114 will automatically adjust to the 802.11g or 802.11b protocol as the device requires without compromising the speed of the other connected devices. Common Wireless Settings The 802.11a and the 802.11b/g wireless network identification settings are configured separately. However, some types of items you configure in each network are the same. The Wireless Settings menu items which are the same for either type of wireless network are discussed below. · · Station Name. The station name of the FWAG114. Regulatory Domain. For the Wireless 802.11a settings, unless you select a regulatory domain, the 802.11a radio is turned off. This field identifies the region where the FWAG114 can be used. It may not be legal to operate the wireless features of the VPN firewall in a region other than one of those identified in this field. SSID (Service Set Identification). The SSID is also known as the wireless network name. Enter a value of up to 32 alphanumeric characters. In a setting where there is more than one wireless network, different wireless network names provide a means for separating the traffic. Any device you want to participate in the 11a or the 11b/g wireless network will need to use this SSID for that network. The FWAG114 default SSID is: NETGEAR. Options. ­ Channel/Frequency. This field determines which operating frequency will be used. It should not be necessary to change the wireless channel unless you notice interference problems with another nearby access point. For more information on the wireless channel frequencies please refer to "Wireless Channels" on page D-7. Turbo Mode, 802.11a Only. Enabling turbo mode allows the wireless node to transmit or receive at a higher rate, up to 108 Mbps. Default: Disable. Data Rate. Shows the available transmit data rate of the wireless network. The possible data rates supported for 802.11a interface are: 54 Mbps, 48 Mbps, 36 Mbps, 24 Mbps, 18 Mbps, 12 Mbps, 9 Mbps, and 6 Mbps. It can go up to 108 Mbps if the turbo mode is enabled. Default: Best. Transmit Power. Set the transmit signal strength of the access point. The options are full, half, quarter, eighth, and min. Decrease the transmit power if more than one AP is co-located using the same channel frequency. Default: Full. 4-5 · · ­ ­ ­ Wireless Configuration Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 ­ ­ ­ · Beacon Interval. Specifies the Beacon Interval value. Enter a value in between 20 to 1000. Default: 100. DTIM. The Delivery Traffic Indication Message. Specifies the data beacon rate between 1 and 255. Default: 1 WEP Status. If WEP is enabled, this will indicate the current settings. Access Point Connections. Lets you restrict wireless connections according to a list of Trusted PCs MAC addresses. When the Trusted PCs Only radio button is selected, the FWAG114 checks the MAC address of the wireless station and only allows connections to PCs identified on the trusted PCs list. SSID Broadcast Enable. The default setting is to enable SSID broadcast. If you disable broadcast of the SSID, only devices that have the correct SSID can connect. Disabling SSID broadcast somewhat hampers the wireless network `discovery' feature of some products. Enable Bridging to the Wired LAN. The default setting is to enable bridging to the wired LAN. If you disable bridging to the LAN, wireless devices cannot communicate with computers on the Ethernet LAN but can still access the Internet. · · Although the types of settings described above are the same for either type of wireless network, the choices you make in each type of network can be different. For example, you can disable the SSID broadcast in you 802.11a wireless network but enable it in your 802.11b/g network. Understanding WEP Authentication and Encryption Restricting wireless access to your network prevents intruders from connecting to your network. However, the wireless data transmissions are still vulnerable to snooping. Using the WEB data encryption settings described below will prevent a determined intruder from eavesdropping on your wireless data communications. Also, if you are using the Internet for such activities as purchases or banking, those Internet sites use another level of highly secure encryption called SSL. You can tell if a web site is using SSL because the web address begins with HTTPS rather than HTTP. Authentication Type The FWAG114 lets you select the following wireless authentication schemes. · · Open System. Shared key. 4-6 Wireless Configuration Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Be sure to set your wireless adapter according to the authentication scheme you choose for the FWAG114 wireless firewall. Please refer to "Authentication and WEP Data Encryption" on page D-3 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard. WEP Choose the encryption settings from this menu. Please refer to "Overview of WEP Parameters" on page D-5 for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard. · · Disable. No encryption will be applied. This setting is useful for troubleshooting your wireless connection, but leaves your wireless data fully exposed. 64-bit, 128-bit, or in the case of 802.11a, 152-bit WEP. When 64-, 128-, or 152-Bit WEP is selected, WEP encryption will be applied. If WEP is enabled, you can manually or automatically program the four data encryption keys. These values must be identical on all PCs and access points in your network. There are two methods for creating WEP encryption keys: · · Passphrase. Enter a word or group of printable characters in the Passphrase box and click the Generate button. Manual. 64-bit WEP: Enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F). 128-bit WEP: Enter 26 hexadecimal digits (any combination of 0-9, a-f, or A-F). Clicking the radio button selects which of the four keys will be the default. Default Factory Settings When you first receive your FWAG114, the default factory settings are shown below. You can restore these defaults with the Factory Default Restore button on the rear panel. After you install the FWAG114 wireless firewall, use the procedures below to customize any of the settings to better meet your networking needs. Wireless Configuration 4-7 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 FEATURE SSID for both 802.11a & 802.11b 11a RF Channel DEFAULT FACTORY SETTINGS NETGEAR Off until the Regulatory Domain is selected, then 52 Non-Turbo Mode; 50 Turbo Mode 6 Disabled Open System All wireless stations allowed Enabled Enabled 11b RF Channel WEP Authentication Type Access Point Connections for both 802.11a & 802.11b/g Bridging to wired LAN for both 802.11a & 802.11b/g SSID broadcast for both 802.11a & 802.11b/g Before You Change the SSID and WEP Settings Take the following steps: For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step. · SSID: The Service Set Identification (SSID) identifies the wireless local area network. NETGEAR is the default FWAG114 SSID. However, you may customize it by using up to 32 alphanumeric characters. Write your customized SSID on the line below. Note: The SSID in the VPN firewall is the SSID you configure in the wireless adapter card. All wireless nodes in the same network must be configured with the same SSID. 802.11a SSID: ______________________________ 802.11b SSID: ______________________________ · Authentication The two bands can use different authentication settings. Choose "Shared Key" for more security. 802.11a SSID, circle one: Open System or Shared Key 802.11b SSID, circle one: Open System or Shared Key 4-8 Wireless Configuration Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Note: If you select shared key, the other devices in the network will not connect unless they are set to Shared Key as well. · WEP Encryption 802.11a and 802.11b differ in their use of WEP encryption keys. See "Security Configuration" on page 2-21 for a description of these differences. 802.11a WEP Encryption Keys Key 1: ___________________________________ Circle Key Size: 64 or 128 or 152 bits Key 2: ___________________________________ Circle Key Size: 64 or 128 or 152 bits Key 3: ___________________________________ Circle Key Size: 64 or 128 or 152 bits Key 4: ___________________________________ Circle Key Size: 64 or 128 or 152 bits 802.11b WEP Encryption Keys For all four 802.11b keys, choose the Key Size. Circle one: 64 or 128 bits Key 1: ___________________________________ Key 2: ___________________________________ Key 3: ___________________________________ Key 4: ___________________________________ Use the procedures described in the following sections to configure the FWAG114. Store this information in a safe place. How to Set Up and Test Basic Wireless Connectivity Follow the instructions below to set up and test basic wireless connectivity. Once you have established basic wireless connectivity, you can enable security settings appropriate to your needs. 1. 2. 3. 4. Log in the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up. Depending on the types of wireless adapters you have in your computers, click the Wireless 11a or 11b link in the main menu of the FWAG114. Set the Regulatory Domain correctly. Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box, enter a value of up to 32 alphanumeric characters. The default SSID is NETGEAR. Wireless Configuration 4-9 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Note: The characters are case sensitive. An access point always functions in infrastructure mode. The SSID for any wireless device communicating with the access point must match the SSID configured in the ProSafe Dual Band Wireless VPN Firewall FWAG114. If they do not match, you will not get a wireless connection to the FWAG114. 5. Set the Channel. It should not be necessary to change the wireless channel unless you notice interference problems with another nearby wireless router or access point. Select a channel that is not being used by any other wireless networks within several hundred feet of your VPN firewall . For more information on the wireless channel frequencies please refer to "Wireless Channels" on page D-7. 6. 7. For initial configuration and test, leave the Wireless Card Access List set to "All Wireless Stations" and the Encryption Strength set to "Disable." Click Apply to save your changes. Note: If you are configuring the FWAG114 from a wireless PC and you change the VPN firewall 's SSID, channel, or security settings, you will lose your wireless connection when you click on Apply. You must then change the wireless settings of your PC to match the FWAG114's new settings. 8. Configure and test your PCs for wireless connectivity. Program the wireless adapter of your PCs to have the same SSID that you configured in the FWAG114. Check that they have a wireless link and are able to obtain an IP address by DHCP from the VPN firewall . Once your PCs have basic wireless connectivity to the VPN firewall , then you can configure the advanced options and wireless security functions. How to Restrict Wireless Access by MAC Address To restrict access based on MAC addresses, follow these steps: 1. 2. 3. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password. Click the Wireless 11a or 11b link in the main menu of the FWAG114. From the Wireless Settings menu, click the Trusted PCs only radio button. 4-10 Wireless Configuration Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 4. Click the Trusted PCs button to display the Wireless Access menu shown below. Figure 4-3. 5. Wireless Access menu Enter the MAC address of a wireless adapter and click the Add button to add a wireless device to the wireless access control list. The Trusted PCs list updates with the new entry. Note: You can copy and paste the MAC addresses from the FWAG114's Attached Devices menu into the MAC Address box of this menu. To do this, configure each wireless PC to obtain a wireless link to the VPN firewall . The PC should then appear in the Attached Devices menu. 6. Click the Back button to return to the Wireless Settings menu. Note: When configuring the FWAG114 from a wireless PC whose MAC address is not in the Trusted PC list, if you select Turn Access Control On, you will lose your wireless connection when you click on Apply. You must then access the VPN firewall from a wired PC or from a wireless PC which is on the access control list to make any further changes. 7. Be sure to click Apply to save your trusted wireless PCs list settings. Now, only devices on this list will be allowed to wirelessly connect to the FWAG114. Wireless Configuration 4-11 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 To remove a MAC address from the table, click on it to select it, then click the Delete button. How to Configure WEP To configure WEP data encryption, follow these steps: 1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up. Click the Wireless 11a or 11b link in the main menu of the FWAG114. Click the Configure WEP button. Choose the Authentication Type and WEP option. You can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network. · · Automatic - Enter a word or group of printable characters in the Passphrase box and click the Generate button. The four key boxes will be automatically populated with key values. Manual - Enter ten hexadecimal digits (any combination of 0-9, a-f, or A-F) Select which of the four keys will be active. 2. 3. 4. 5. Please refer to "Overview of WEP Parameters" on page D-5 for a full explanation of each of these options, as defined by the IEEE 802.11b wireless communication standard. 6. Click Apply to save your settings. Note: When configuring the VPN firewall from a wireless PC, if you configure WEP settings, you will lose your wireless connection when you click on Apply. You must then either configure your wireless adapter to match the VPN firewall WEP settings or access the VPN firewall from a wired PC to make any further changes. 4-12 Wireless Configuration Chapter 5 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the ProSafe Dual Band Wireless VPN Firewall FWAG114 to protect your network. These features can be found by clicking on the Content Filtering heading in the Main Menu of the browser interface. Firewall Protection and Content Filtering Overview The ProSafe Dual Band Wireless VPN Firewall FWAG114 provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and network administrators can establish restricted access policies based on time-of-day, web addresses and web address keywords. You can also block Internet access by applications and services, such as chat or games. A firewall is a special category of router that protects one network (the "trusted" network, such as your LAN) from another (the "untrusted" network, such as the Internet), while allowing communication between the two. A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT. To configure these features of your router, click on the subheadings under the Content Filtering heading in the Main Menu of the browser interface. The subheadings are described below: Firewall Protection and Content Filtering 5-1 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 Block Sites The FWAG114 allows you to restrict access based on Web addresses and Web address keywords. Up to 255 entries are supported in the Keyword list. The Keyword Blocking menu is shown in Figure 5-1: Figure 5-1: Block Sites menu To enable keyword blocking, check "Turn keyword blocking on", then click Apply. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply. Keyword application examples: · · · If the keyword "XXX" is specified, the URL is blocked, as is the newsgroup alt.pictures.XXX. If the keyword ".com" is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed. If you wish to block all Internet browsing access, enter the keyword ".". To specify a Trusted User, enter that PC's IP address in the Trusted User box and click Apply. 5-2 Firewall Protection and Content Filtering Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 You may specify one Trusted User, which is a PC that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that PC with a fixed or reserved IP address. Using Rules to Block or Allow Specific Kinds of Traffic Firewall rules are used to block or allow specific traffic passing through from one side to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to. A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FWAG114 are: · · Inbound: Block all access from outside except responses to requests from the LAN side. Outbound: Allow all access from the LAN side to the outside. These default rules are shown in the Rules table of the Rules menu in Figure 5-2: Figure 5-2: Rules menu Firewall Protection and Content Filtering 5-3 Reference Manual for the ProSafe Dual Band Wireless VPN Firewall FWAG114 You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined. To create a new rule, click the Add button. To edit an existing rule, select its button on the left side of the table and click Edit. To delete an existing rule, select its button on the left side of the table and click Delete. To move an existing rule to a different position in the table, select its button on the left side of the table and click Move. At the script prompt, enter the number of the desired new position and click OK. An example of the menu for defining or editing a rule is shown in Figure 5-3. The parameters are: · Service. From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear. Action. Choose how you would like this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu. Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound), and choose whether you would like the traffic to be restricted by source IP address. You can select Any, a Single address, or a Range. If you select a range of addresses, enter the range in the start and finish boxes. If you select a single address, enter it in the start box. Destination Address.The Destination Address will be assumed to be from the opposite (LAN or WAN) of the Source Address. As with the Source Address, you can select Any, a Single address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you must enter a Single LAN address in the start box. Log. You can select whether the traffic will be logged. The choices are: · · Never - no log entries will be made for this service. Match - traffic of this type which matches the parameters and action will be logged.