
Chapter 4

Protecting Your Network

v2.3, May 2007

This chapter describes how to use the basic firewall features of the DG834 ADSL Modem Router 
to protect your network.

Protecting Access to Your DG834 ADSL Modem Router

For security reasons, the modem router has its own user name and password. Also, after a set period of inactivity, the administrator login automatically disconnects. When prompted, enter "admin" for the modem router User Name and "password" for the modem router Password. You can use the procedures below to change the modem router's password and the amount of time for the administrator's login timeout.

NETGEAR recommends that you change this password to a more secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of both upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters.
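A checker and generator for the password guidance above, added here as an example and not part of the NETGEAR manual. The word list is a constructed sample, and the symbol set and substitution table are assumptions; confirm which symbols the router's password field accepts.

```python
import secrets
import string

MAX_LEN = 30                      # maximum password length stated in the manual
DEFAULTS = {"admin", "password"}  # factory user name and password from the manual
# Constructed sample word list; in practice load a full dictionary file.
SAMPLE_WORDS = {"password", "admin", "netgear", "router", "welcome", "dragon", "letmein"}
# Assumed table of common character substitutions, undone before the word check.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})
# Assumed symbol set for generated passwords.
SYMBOLS = "!#$%&*+-=?@^_"


def check_password(candidate, words=SAMPLE_WORDS, min_word_len=4):
    """Return a list of policy problems; an empty list means the candidate passes."""
    if not candidate:
        return ["empty password"]
    problems = []
    if len(candidate) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    if candidate.lower() in DEFAULTS:
        problems.append("factory default value")
    if not any(c.islower() for c in candidate):
        problems.append("no lower case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no symbol")
    # Look for dictionary words both as typed and with substitutions undone,
    # so that "P@ssw0rd" is still recognised as "password".
    lowered = candidate.lower()
    normalized = lowered.translate(LEET)
    for word in sorted(words):
        if len(word) >= min_word_len and (word in lowered or word in normalized):
            problems.append(f"contains dictionary word '{word}'")
    return problems


def generate_password(length=20, words=SAMPLE_WORDS):
    """Draw random passwords from the OS CSPRNG until one passes check_password."""
    if not 4 <= length <= MAX_LEN:
        raise ValueError(f"length must be between 4 and {MAX_LEN}")
    alphabet = string.ascii_lowercase + string.ascii_uppercase + string.digits + SYMBOLS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate, words):
            return candidate


if __name__ == "__main__":
    for sample in ("password", "P@ssw0rd!2007"):
        print(sample, "->", check_password(sample))
    print("generated:", generate_password())
```
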

How to Change the Built-In Password

1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router.

Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection.

Figure 4-1

From the Reference Manual for the ADSL Modem Router DG834 (DG834v3), 202 10153 04, May 2007. NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA.

Page 2: ...stallation This equipment generates uses and can radiate radio frequency energy and if not installed and used in accordance with the instructions may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined ...

Page 3: ... of Directive 1999 5 EC Español Spanish Por medio de la presente NETGEAR Inc declara que el DG834 ADSL Modem Router cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999 5 CE Ελληνική Greek ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ NETGEAR Inc ΔΗΛΩΝΕΙ ΟΤΙ DG834 ADSL Modem Router ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ ΤΙΣ ΟΥΣΙΩΔΕΙΣ ΑΠΑΙΤΗΣΕΙΣ ΚΑΙ ΤΙΣ ΛΟΙΠΕΣ ΣΧΕΤΙΚΕΣ ΔΙΑΤΑΞΕΙΣ ΤΗΣ ΟΔΗ...

Page 4: ...ranted the right to test the series for compliance with the regulations Malti Maltese Hawnhekk NETGEAR Inc jiddikjara li dan DG834 ADSL Modem Router jikkonforma mal tiijiet essenzjali u ma provvedimenti orajn relevanti li hemm fid Dirrettiva 1999 5 EC Magyar Hungarian Alulírott NETGEAR Inc nyilatkozom hogy a DG834 ADSL Modem Router megfelel a vonatkozó alapvetõ követelményeknek és az 1999 5 EC irá...

Page 5: ...ce by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas When used near a radio or TV receiver it may become the cause of radio interference Read instructions for correct handling WProduct and Publication Details Model Number DG834 v3 Publication Date May 2007 Product Family Modem Router Product Name DG834 ADSL Modem Router Hom...

Page 6: ...v2 3 May 2007 vi ...

Page 7: ...tual Private Networking VPN 2 5 Auto Sensing and Auto Uplink LAN Ethernet Connections 2 5 Content Filtering 2 5 What s in the Box 2 6 The Modem Router s Front Panel 2 6 The Router s Rear Panel 2 8 Chapter 3 Configuring Your Internet Connection Connecting the Router to the Internet 3 1 Manual Setup 3 2 What You Need Before You Begin 3 2 Understanding ADSL Microfilters 3 2 Computers Set to DHCP 3 3 ...

Page 8: ...rvices 4 3 Blocking Keywords Sites and Services 4 3 How to Block Keywords and Sites 4 3 Firewall Rules 4 5 Inbound Rules Port Forwarding 4 6 Outbound Rules Service Blocking 4 9 Order of Precedence for Rules 4 11 Services 4 12 How to Define Services 4 12 Setting Times and Scheduling Firewall Services 4 13 How to Set Your Time Zone 4 13 How to Schedule Firewall Services 4 15 Chapter 5 Managing Your ...

Page 9: ...pond to Ping on Internet WAN Port 6 4 MTU Size 6 4 Configuring LAN IP Settings 6 4 DHCP 6 6 How to Configure LAN TCP IP Settings 6 8 Configuring Dynamic DNS 6 8 How to Configure Dynamic DNS 6 9 Using Static Routes 6 10 Static Route Example 6 10 How to Configure Static Routes 6 11 Universal Plug and Play UPnP 6 13 Chapter 7 Virtual Private Networking Advanced Feature Overview of VPN Configuration 7...

Page 10: ...AN or Internet Port LEDs Not On 8 2 Troubleshooting the Web Configuration Interface 8 3 Troubleshooting the ISP Connection 8 4 ADSL link 8 4 Obtaining a WAN IP Address 8 5 Troubleshooting PPPoE or PPPoA 8 6 Troubleshooting Internet Browsing 8 7 Troubleshooting a TCP IP Network Using the Ping Utility 8 7 Testing the LAN Path to Your Router 8 7 Testing the Path from Your Computer to a Remote Device ...

Page 11: ...Configuring the Client to Gateway VPN Tunnel on the VPN Router at the Employer s Main Office B 15 Step 2 Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter s Home Office B 17 Monitoring the VPN Tunnel Telecommuter Example B 27 Viewing the PC Client s Connection Monitor and Log Viewer B 27 Viewing the VPN Router s VPN Status and Log Information B 28 Appendix C Related D...

Page 12: ...xii v2 3 May 2007 ...

Page 13: ...his guide uses the following typographical conventions This guide uses the following formats to highlight special messages This manual is written for the DG834 ADSL Modem Router according to these specifications Table 1 1 Typographical Conventions italics Emphasis books CDs URL names bold User input fixed Screen text file and server names extensions commands IP addresses Note This format is used t...

Page 14: ...pens in a browser window Click the print icon in the upper left of the window Printing the Full Manual Use the Complete PDF Manual link at the top left of any page Click the Complete PDF Manual link at the top left of any page in the manual The PDF version of the complete manual opens in a browser window Click the print icon in the upper left of the window Note Your computer must have the free Ado...

Page 15: ...ices With minimum setup you can install and use the modem router within minutes The DG834 ADSL Modem Router provides multiple Web content filtering options plus e mail alerts and logging Parents and network administrators can establish restricted access policies based on time of day Web site addresses and address keywords They can also share high speed ADSL Internet access for up to 253 personal c...

Page 16: ...firewall using stateful packet inspection to defend against hacker attacks Its firewall features include Denial of Service DoS protection Automatically detects and thwarts Denial of Service DoS attacks such as Ping of Death SYN Flood LAND Attack and IP Spoofing Blocks unwanted traffic from the Internet to your LAN Blocks access from your LAN to Internet locations or services that you specify as of...

Page 17: ...ons The modem router incorporates built in diagnostic functions such as Ping DNS lookup and remote reboot These functions allow you to test Internet connectivity and reboot the modem router You can use these diagnostic functions directly from the DG834 v3 when you are connected on the LAN or when you are connected over the Internet via the remote management function Visual monitoring The modem rou...

Page 18: ...ection by simulating a dial up connection This feature eliminates the need to run a login program such as EnterNet or WinPOET on your computer PPP over ATM PPPoA PPP over ATM is a protocol for connecting remote hosts to the Internet over an ADSL connection by simulating an ATM connection Point to Point Tunneling Protocol PPTP Typically used as a protocol for virtual private networks This protocol ...

Page 19: ... either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network The local LAN ports are autosensing and capable of full duplex or half duplex operation The modem router incorporates Auto UplinkTM technology Each local Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection ...

Page 20: ...llation Guide Warranty and Support Information Cards Two plastic feet that can be used to stand the DG834 ADSL Modem Router on end If any of the parts are incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing materials in case you need to return the product for repair The Modem Router s Front Panel The DG834 ADSL Modem Router front panel shown belo...

Page 21: ...running 3 Internet Blink Amber On Green Blink Green Indicates ADSL training The Internet port has detected a link with an attached device Data is being transmitted or received by the Internet port 4 LAN On Green Blink Green On Amber Blink Amber Off The Local port has detected a link with a 100 Mbps device Data is being transmitted or received at 100 Mbps The Local port has detected a link with a 1...

Page 22: ...uter Figure 2 2 contains port connections Viewed from left to right the rear panel contains the following elements 1 RJ 11 ADSL port for connecting the firewall to an ADSL line 2 Four Local Ethernet RJ 45 LAN ports for connecting the firewall to the local computers 3 Factory Default Reset push button 4 AC power adapter outlet Figure 2 2 1 2 3 4 ...

Page 23: ...anual on the ADSL Modem Router Resource CD or online as shown in the following table Table 3 1 Language URL Dutch http documentation netgear com dg834 nld 208 10032 01 English http documentation netgear com dg834 enu 208 10026 01 French http documentation netgear com dg834 fra 208 10027 01 German http documentation netgear com dg834 deu 208 10028 01 Italian http documentation netgear com dg834 ita...

Page 24: ...ith all the information needed to connect to the Internet If you cannot locate this information you can ask your ISP to provide it Internet Configuration Requirements Depending on how your ISP set up your Internet account you need one or more of these configuration parameters to connect your firewall to the Internet Virtual Path Identifier VPI Virtual Channel Indentifier VCI parameters Multiplexin...

Page 25: ...e initial connection to your firewall your computer has to be set to automatically get its TCP IP configuration from the firewall via DHCP This is usually the case The NETGEAR Smart Wizard CD automatically takes care of this requirement For manual setup refer to the documentation that came with your computer Figure 3 1 Warning Do not connect the modem router to the ADSL line through a microfilter ...

Page 26: ...SL configuration information from your Internet Service Provider ISP 1 Connect the ADSL filter a You need to install an ADSL filter for every telephone that uses the same phone line as your modem router Select the filter that came with your modem router Note If you purchased the DG834 v3 in a country where an ADSL filter is not included you must acquire one 1 One Line Filter Use with a phone or fa...

Page 27: ...lter Example Insert the two line filter into the phone outlet and connect the phone to the phone line connector A Figure 3 4 Note To use a one line filter with a separate splitter insert the splitter into the phone outlet connect the one line filter to the splitter and connect the phone to the filter Phone DSL Line A ...

Page 28: ...07 2 Connect the modem router to the ADSL filter a Using the included phone cable with RJ 11 jacks connect the ADSL port B of the modem router to the ADSL port C of the two line filter Figure 3 5 Warning Improperly connecting a filter to your modem router will block your ADSL connection 3KRQH 6 LQH C B ...

Page 29: ... briefly then goes off The ADSL light is green indicating you are connected to the ADSL network d Now turn on your computer If software usually logs you in to your Internet connection do not run that software Cancel it if it starts automatically Verify the following The local lights are lit for any connected computers 3 Log in to the modem router Figure 3 6 Note Your computer needs to be configure...

Page 30: ...ult IP Address Variable in the address field of a browser such as Internet Explorer or Netscape Navigator This login window opens Enter admin for the user name and password for the password both in lower case letters b After logging in you will see the menu below 4 Connect to the Internet Figure 3 7 Figure 3 8 Figure 3 9 ...

Page 31: ...ally connects to the Internet when one of your computers requires access It is not necessary to run a dialer or login application such as Dial Up Networking or Enternet to connect log in or disconnect These functions are performed automatically by the modem router as needed To access the Internet from any computer connected to your modem router launch a browser such as Microsoft Internet Explorer ...

Page 32: ...protocol such as PPP over Ethernet PPPoE you will be directed to the PPPoE page shown Enter the PPPoE login user name and password Wizard Detected PPPoA Login Account Setup If the Setup Wizard determines that your Internet service account uses a login protocol such as PPP over ATM PPPoA you will be directed to the PPPoA page shown Enter your login user name and password These fields are case sensi...

Page 33: ...connection method Wizard Detected IP Over ATM Account Setup If the Setup Wizard determines that your Internet service account uses IP over ATM Classical IP assignment RFC1577 you will be directed to the page shown 1 Enter your assigned IP Address and Subnet Mask This information should have been provided to you by your ISP You need the configuration parameters from your ISP 2 Enter the IP address ...

Page 34: ...P 2 Choose Use Static IP Address or Use IP Over ATM IPoA RFC1483 Routed according to the information from your ISP If you choose IPoA the router will be able to detect the gateway IP address but you still need to provide the router IP address 3 Enter your assigned IP Address Subnet Mask and the IP Address of your ISP s gateway modem router This information should have been provided to you by your ...

Page 35: ...our modem router automatically connects to the Internet when one of your computers requires access It is not necessary to run a dialer or login application such as Dial Up Networking or Enternet to connect log in or disconnect These functions are performed by the modem router as needed To access the Internet from any computer connected to your modem router launch a browser such as Microsoft Intern...

Page 36: ... v2 3 May 2007 Manually Configuring Your Internet Connection You can manually configure your modem router using the menu below or you can allow the Setup Wizard to determine your configuration as described in the previous section Figure 3 14 ISP Does Not Require Login ISP Does Require Login ...

Page 37: ...tings work fine for most ISPs and you can skip this step If you have any problems with your connection check the ADSL Settings See ADSL Settings on page 3 19 for more details Internet Connection Requires Login and Uses PPPoE 1 If your Internet connection does require login select Yes and fill in the settings according to the instructions below 2 Choose PPPoE for the encapsulation method 3 Enter th...

Page 38: ...addition to disabling NAT The Disable option leaves the firewall active With the firewall disabled the protections normally provided to your network will be disabled Internet Connection Requires Login and Uses PPPoA 1 If your Internet connection does require login select Yes and fill in the settings according to the instructions below 2 Choose PPPoA for the encapsulation method 3 Enter the login n...

Page 39: ...tly manage the IP addresses the DG834 v3 uses Classical routing should be selected only by experienced users The Disable Firewall option disables the firewall in addition to disabling NAT The Disable option leaves the firewall active With the firewall disabled the protections normally provided to your network will be disabled Internet Connection Requires Login and Uses PPTP 1 If your Internet conn...

Page 40: ...your ISP uses DHCP to assign your IP address Your ISP will automatically assign this address If you know that your ISP does not automatically transmit DNS addresses to the modem router during login select Use these DNS servers and enter the IP address of your ISP s Primary DNS Server If a Secondary DNS Server address is available enter it also A DNS server is a host on the Internet that translates...

Page 41: ...allows your modem router to masquerade as that computer by cloning its MAC address To change the MAC address select Use this Computer s MAC address The modem router will then capture and use the MAC address of the computer that you are now using You must be using the one computer that is allowed by the ISP Alternatively select Use this MAC address and enter it 8 Click Apply to save your settings 9...

Page 42: ...ith a specific Multiplexing Method or VPI VCI number then fill in the following 1 Select the ADSL Settings link from the main menu 2 For the Multiplexing Method select LLC based or VC based 3 Type a number between 0 and 255 for the VPI The default is 8 4 Type a number between 1 and 65535 for the VCI The default is 35 5 Click Apply ...

Page 43: ... change the modem router s password and the amount of time for the administrator s login timeout NETGEAR recommends that you change this password to a more secure password The ideal password should contain no dictionary words from any language and should be a mixture of both upper and lower case letters numbers and symbols Your password can be up to 30 characters How to Change the Built In Passwor...

Page 44: ... security the administrator s login to the modem router configuration will timeout after a period of inactivity To change the login timeout period 1 In the Set Password menu type a number in Administrator login times out field The suggested default value is 5 minutes 2 Click Apply to save your changes or click Cancel to keep the current period Figure 4 2 Note After changing the password you will b...

Page 45: ...ptions include Keyword blocking of HTTP traffic Outbound Service Blocking limits access from your LAN to Internet locations or services that you specify as off limits Denial of Service DoS protection Automatically detects and thwarts Denial of Service DoS attacks such as Ping of Death SYN Flood LAND Attack and IP Spoofing Blocking unwanted traffic from the Internet to your LAN The section below ex...

Page 46: ... the Keyword box click Add Keyword then click Apply Some examples of Keyword application follow If the keyword XXX is specified the URL http www badstuff com xxx html is blocked If the keyword com is specified only Web sites with other domain suffixes such as edu or gov can be viewed Enter the keyword to block all Internet browsing access Up to 32 entries are supported in the Keyword list 5 To del...

Page 47: ...und rules LAN to WAN determine what outside resources local users can have access to A firewall has two default rules one for inbound traffic and one for outbound The default rules of the DG834 v3 are Inbound Block all access from outside except responses to requests from the LAN side Outbound Allow all access from the LAN side to the outside You can define additional rules that will specify excep...

Page 48: ...e left side of the table and click Delete To move an existing rule to a different position in the table select its button on the left side of the table and click Move At the script prompt enter the number of the desired new position and click OK Instant Messaging IM Ports In addition to the handling of rules for inbound and outbound services the Firewall Rules menu provides options for the handlin...

Page 49: ...rding Remember that allowing inbound services opens holes in your firewall Only enable those ports that are necessary for your network Following are two application examples of inbound rules Inbound Rule Example A Local Public Web Server If you host a public Web server on your local network you can define a rule to allow inbound Web HTTP requests from any outside IP address to the IP address of yo...

Page 50: ...ddress of the computer or server on your LAN which will receive the inbound traffic covered by this rule WAN Users These settings determine which packets are covered by the rule based on their source WAN IP address Select the desired option Any all IP addresses are covered by this rule Address range if this option is selected you must enter the Start and Finish fields Single address enter the requ...

Page 51: ...eriodically as the DHCP lease expires Consider using the Dynamic DNS feature in the Advanced menu so that external users can always find your network If the IP address of the local server computer is assigned by DHCP it may change when the computer is rebooted To avoid this use the Reserved IP address feature in the LAN IP menu to keep the computer s IP address constant Local computers must access...

Page 52: ... employees during working hours you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu You can also have the modem router log any attempt to use Instant Messenger during that blocked period The parameters are Service From this list select the application or service to be all...

Page 53: ...elds Single address enter the required address in the Start field WAN Users These settings determine which packets are covered by the rule based on their destination WAN IP address Select the desired option Any all IP addresses are covered by this rule Address range if this option is selected you must enter the Start and Finish fields Single address enter the required address in the Start field Lo...

Page 54: ...t computers For example Web servers serve Web pages time servers serve time and date information and game hosts serve data about other players moves When a computer on the Internet sends a request for service to a server computer the requested service is identified by a service or port number This number appears as the destination port number in the transmitted IP packets For example a packet that...

Page 55: ...have chosen for the modem router 2 Select the Services link of the Security menu to display the Services menu shown in Figure 4 9 To create a new Service click the Add Custom Service button To edit an existing Service select its button on the left side of the table and click Edit Service To delete an existing Service select its button on the left side of the table and click Delete Service 3 Use th...

Page 56: ...er to localize the time for your log entries you must specify your Time Zone 1 Log in to the modem router at its default LAN address of http 192 168 0 1 with its default User Name of admin default password of password or using whatever Password and LAN address you have chosen for the modem router 2 Select the Schedule link of the Security menu to display menu shown below 3 Select your Time Zone Th...

Page 57: ...of NETGEAR NTP servers If you would prefer to use a particular NTP server as the primary server enter its IP address under Use this NTP Server 5 Click Apply to save your settings Note If your region uses Daylight Savings Time you must manually select Adjust for Daylight Savings Time on the first day of Daylight Savings Time and clear it at the end Enabling Daylight Savings Time will cause one hour...

Page 58: ...you have chosen for the modem router 2 Select the Schedule link of the Security menu to display menu shown above in Figure 4 11 3 To block Internet services based on a schedule select Every Day or select one or more days If you want to limit access completely for the selected days select All Day Otherwise to limit access during certain times for the selected days enter Start Blocking and End Block...

Page 59: ...or reverted to factory default settings The procedures below explain how to do these tasks How to Back Up the Configuration to a File 1 Log in to the modem router at its default LAN address of http 192 168 0 1 with its default User Name of admin default password of password or using whatever User Name Password and LAN address you have chosen for the modem router 2 From the Maintenance heading of t...

Page 60: ...tore the modem router to the factory default settings This can be done by using the Erase function 1 To erase the configuration from the Maintenance menu Settings Backup link click the Erase button on the screen 2 The modem router will then reboot automatically After an erase the modem router s password will be password the LAN IP address will be 192 168 0 1 and the modem router s DHCP client will...

Page 61: ... under the Maintenance heading select the Modem Router Upgrade heading to display the menu shown in Figure 5 2 4 In the Modem Router Upgrade menu click the Browse to locate the binary BIN or IMG upgrade file 5 Click Upload Note NETGEAR recommends that you back up your configuration before doing a firmware upgrade After the upgrade is complete you may need to restore your configuration settings Fig...

Page 62: ...ides a variety of status and usage information which is discussed below Viewing Modem Router Status and Usage Statistics From the Main Menu under Maintenance select Modem Router Status to view the screen in Figure 5 3 The Modem Router Status menu provides status and usage information This screen shows the following parameters Figure 5 3 ...

Page 63: ...eing used by the modem router These addresses are usually obtained dynamically from the ISP LAN Port These parameters apply to the Local ADSL port of the modem router MAC Address Displays the Ethernet MAC address being used by the Local LAN port of the modem router IP Address Displays the IP address being used by the Local LAN port of the modem router The default is 192 168 0 1 DHCP If OFF the mod...

Page 64: ...s port since reset or manual clear RxPkts The number of packets received on this port since reset or manual clear Collisions The number of collisions on this port since reset or manual clear Tx B s The current line utilization percentage of current bandwidth used on this port Rx B s The average line utilization for this port Up Time The time elapsed since the last power cycle or reset ADSL Link Do...

Page 65: ...measure of the quality of the signal on the line Poll Interval Specifies the interval at which the statistics are updated in this window Click Stop to freeze the display Figure 5 5 Table 5 1 Connection Status Fields for PPPoA Field Description Connection Time The time elapsed since the last connection to the Internet via the ADSL port Connecting to Sender The connection status Negotiation ON or OF...

Page 66: ...that if the modem router is rebooted the table data is lost until the modem router rediscovers the devices To force the modem router to look for attached devices click the Refresh button Viewing Selecting and Saving Logged Information The modem router will log security related events such as denied incoming service requests hacker probes and administrator logins If you enabled content filtering in...

Page 67: ...Reference Manual for the ADSL Modem Router DG834 Managing Your Network 5 9 v2 3 May 2007 An example of the logs file is shown below Log entries are described in Table 5 1 below Figure 5 7 ...

Page 68: ...ion Date and Time The date and time the log entry was recorded Description or Action The type of event and what action was taken if any Source IP The IP address of the initiating device for this log entry Source port and interface The service port number of the initiating device and whether it originated from the LAN or WAN Destination The name or IP address of the destination device or Web site D...

Page 69: ...0 2 This entry shows an administrator logging in and out from IP address 192 168 0 2 Tue 2002 05 21 19 00 06 Login screen timed out IP 192 168 0 2 This entry shows a time out of the administrator login Wed 2002 05 22 22 00 19 Log emailed This entry shows when the log was emailed Dropped Packets Wed 2002 05 22 07 15 15 TCP packet dropped Source 64 12 47 28 4787 WAN Destination 134 177 0 11 21 LAN I...

Page 70: ...subheading Turn e mail notification on Select this check box if you want to receive e mail logs and alerts from the modem router Send alerts and logs via email Send To This E mail Address Enter the e mail address where you want to send the alerts and logs Use a full e mail address such as ChrisXY myISP com Outgoing Mail Server Enter the name or IP address of the outgoing SMTP mail server of your I...

Page 71: ...ly Daily or Hourly option is selected and the log fills up before the specified period the log is automatically e mailed to the specified e mail address After the log is sent it is cleared from the modem router s memory If the modem router cannot e mail the log file the log buffer may fill up In this case the modem router overwrites the log and discards its contents Running Diagnostic Utilities an...

Page 72: ...er the Maintenance heading select the Modem Router Diagnostics heading to display the menu shown in Figure 5 9 Enabling Remote Management Using the Remote Management page you can allow a user or users on the Internet to configure upgrade and check the status of your DG834 ADSL Modem Router Figure 5 9 Note Be sure to change the modem router s default password to a very secure password The ideal pas...

Page 73: ...Remote Management On check box 4 Specify what external addresses will be allowed to access the modem router s remote management For security restrict access to as few external IP addresses as practical To allow access from any IP address on the Internet select Everyone To allow access from a range of IP addresses on the Internet select IP address range Enter a beginning and ending IP address to de...

Page 74: ... use the number of any common service port The default is 8080 which is a common alternate for HTTP 6 Click Apply to have your changes take effect When accessing your modem router from the Internet you will type your modem router s WAN IP address in your browser s Address in IE or Location in Netscape box followed by a colon and the custom port number For example if your external address is 134 17...

Page 75: ...ADSL Modem Router provides a variety of advanced features such as Setting up a Demilitarized Zone DMZ Server Connecting Automatically as Required Disabling Port Scan and DOS Protection Responding to a Ping on the Internet WAN Port MTU Size Flexibility on configuring your LAN TCP IP settings Using the Router as a DHCP Server Configuring Dynamic DNS Configuring Static Routes These features are discu...

Page 76: ...se to one of your local computers or a service that you have configured in the Ports menu Instead of discarding this traffic you can have it forwarded to one computer on your network This computer is called the Default DMZ Server How to Configure a Default DMZ Server To assign a computer or server to be a Default DMZ server follow these steps 1 Log in to the modem router at its default LAN address...

Page 77: ... Click Apply to save your changes Connect Automatically as Required Normally this option should be enabled so that an Internet connection will be made automatically whenever Internet bound traffic is detected If this causes high connection costs you can disable this setting If disabled you must connect manually using the sub screen accessed from the Connection Status button on the Status screen If...

Page 78: ...ce it allows your modem router to be discovered Do not select this box unless you have a specific reason to do so MTU Size The normal MTU Maximum Transmit Unit value for most Ethernet networks is 1500 Bytes or 1492 Bytes for PPPoE connections For some ISPs you may need to reduce the MTU But this is rarely required and should not be done unless you are sure it is necessary for your ISP connection C...

Page 79: ...bnet Mask of the modem router Combined with the IP address the IP Subnet Mask allows a device to know which other addresses are local to it and which must be reached through a gateway or modem router RIP Direction RIP Router Information Protocol allows a modem router to exchange routing information with other routers The RIP Direction selection controls how the Modem Router sends and receives RIP ...

Page 80: ...pool address is tested before it is assigned to avoid duplicate addresses on the LAN For most applications the default DHCP and TCP IP settings of the router are satisfactory See Internet Networking and TCP IP Addressing in Appendix C for an explanation of DHCP and information about how to assign IP addresses for your network Use Router as DHCP server If another device on your network will be the ...

Page 81: ... Neighborhood feature of Windows Reserved IP addresses When you specify a reserved IP address for a computer on the LAN that computer will always receive the same IP address each time it accesses the router s DHCP server Reserved IP addresses should be assigned to servers that require permanent IP settings To reserve an IP address 1 Click the Add button 2 In the IP Address box type the IP address to...

Page 82: ... the TCP IP DHCP or Reserved IP parameters 4 Click Apply to save your changes Configuring Dynamic DNS If your network has a permanently assigned IP address you can register a domain name and have that name linked with your IP address by public Domain Name Servers DNS However if your Internet account uses a dynamically assigned IP address you will not know in advance what your IP address will be an...

Page 83: ...dmin default password of password or using whatever User Name Password and LAN address you have chosen for the router 2 From the Main Menu of the browser interface under Advanced select Dynamic DNS to display the page below 3 Access the Web site of one of the dynamic DNS service providers whose names appear in the Service Provider box and register for an account For example for dyndns org go to ww...

Page 84: ...imary Internet access is through a cable modem to an ISP You have an ISDN router on your home network for connecting to the company where you are employed This router s address on your LAN is 192 168 0 100 Your company s network is 134 177 0 0 When you first configured your router two implicit static routes were created A default route was created with your ISP as the modem router and a second sta...

Page 85: ... is on the LAN This represents the number of routers between your network and the destination This is a direct connection so it is set to 1 Private is selected only as a precautionary security measure in case RIP is activated How to Configure Static Routes 1 Log in to the router at its default LAN address of http 192 168 0 1 with its default User Name of admin default password of password or using...

Page 86: ...e LAN only The static route will not be reported in RIP d Select Active to make this route effective e Type the Destination IP Address of the final destination f Type the IP Subnet Mask for this destination If the destination is a single host type 255 255 255 255 g Type the Gateway IP Address which must be a router on the same LAN segment as the router h Type a number between 1 and 15 as the Metri...

Page 87: ...d The Advertisement Period is how often the Router will advertise broadcast its UPnP information This value can range from 1 to 1440 minutes The default period is 30 minutes Shorter durations will ensure that control points have current device status at the expense of additional network traffic Longer durations may compromise the freshness of the device status but can significantly reduce netw...

Page 88: ...ch ports Internal and External that device has opened The UPnP Portmap Table also displays what type of port is opened and if that port is still active for each IP address 3 To save cancel or refresh the table a Click Apply to save the new settings to the Router b Click Cancel to disregard any unsaved changes c Click Refresh to update the portmap table and to show the active ports that are current...

Page 89: ...ient to Gateway VPN Configuration on page 7 6 provides the steps needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client How to Set Up a Gateway to Gateway VPN Configuration on page 7 20 provides the steps needed to configure a VPN tunnel between two network gateways using the VPN Wizard VPN Tunnel Control on page 7 27 prov...

Page 90: ...e Internet In this case the remote PC is one tunnel endpoint running the VPN client software The DG834 ADSL Modem Router on your network is the other tunnel endpoint See How to Set Up a Client to Gateway VPN Configuration on page 7 6 to set up this configuration Gateway to Gateway VPN Tunnels Gateway to Gateway VPN Tunnels provide secure access between networks such as a branch or home office and ...

Page 91: ... to plan the network configuration and record the configuration parameters on a worksheet To set up a VPN connection you must configure each endpoint with specific identification and connection information describing the other endpoint You must configure the outbound VPN settings on one end to match the inbound VPN settings on the other end and vice versa Table 7 1 VPN Tunnel Configuration Worksheet C...

Page 92: ...ress must always be the initiator What method will you use to configure your VPN tunnels The VPN Wizard using VPNC defaults see Table 7 2 The typical automated Internet Key Exchange IKE setup see Using Auto Policy to Configure VPN Tunnels on page 7 36 A Manual Keying setup in which you must specify each phase of the connection see Using Manual Policy to Configure VPN Tunnels on page 7 46 What leve...

Page 93: ...ot appropriate for your special circumstances but you want to automate the Internet Key Exchange IKE setup See Using Manual Policy to Configure VPN Tunnels on page 7 46 when the VPN Wizard and its VPNC defaults see Table 7 2 on page 7 4 are not appropriate for your special circumstances and you must specify each phase of the connection You manually enter all the authentication and key parameters Y...

Page 94: ...R ProSafe VPN Client on the Remote PC on page 7 11 configures the NETGEAR ProSafe VPN Client endpoint Step 1 Configuring the Client to Gateway VPN Tunnel on the DG834 v3 The worksheet below identifies the parameters used in the following procedure A blank worksheet is at Planning a VPN on page 7 3 Figure 7 3 Note This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default para...

Page 95: ...Key 12345678 Secure Association Main Mode or Manual Keys Main Perfect Forward Secrecy Enabled or Disabled Disabled Encryption Protocol DES or 3DES 3DES Authentication Protocol MD5 or SHA 1 SHA 1 Diffie Hellman DH Group Group 1 or Group 2 Group 2 Key Life in seconds 28800 8 hours IKE Life Time in seconds 3600 1 hour VPN Endpoint Local IPSec ID LAN IP Address Subnet Mask FQDN or Gateway IP WAN IP Ad...

Page 96: ...he VPN Wizard link in the main menu to display this screen Click Next to proceed 2 Fill in the Connection Name and the pre shared key select the type of target end point and click Next to proceed Figure 7 4 Note The Connection Name is arbitrary and not relevant to how the configuration functions Figure 7 5 Enter the new Connection Name e g RoadWarrior Enter the pre shared key e g 12345678 Select t...

Page 97: ...Reference Manual for the ADSL Modem Router DG834 Virtual Private Networking Advanced Feature 7 9 v2 3 May 2007 The Summary screen below displays Figure 7 6 ...

Page 98: ...ded authentication and encryption settings used by the VPN Wizard click the here link see Figure 7 6 Click Back to return to the Summary screen 3 Click Done on the Summary screen see Figure 7 6 to complete the configuration procedure The VPN Policies menu below displays showing that the new tunnel is enabled Figure 7 7 Figure 7 8 1 hour ...

Page 99: ... complete the installation If you do not have a modem or dial up adapter installed in your PC you may see the warning message stating The NETGEAR ProSafe VPN Component requires at least one dial up adapter be installed You can disregard this message Install the IPSec Component You may have the option to install either the VPN Adapter or the IPSec Component or both The VPN Adapter is not necessary ...

Page 100: ...hat it matches the Connection Name you entered in the VPN Settings of the DG834 v3 on LAN A Note In this example the Connection Name used on the client side of the VPN tunnel is toDG834 and it does not have to match the RoadWarrior Connection Name used on the gateway side of the VPN tunnel see Figure 7 5 because Connection Names are arbitrary to how the VPN tunnel functions Tip Choose Connection N...

Page 101: ...traffic through the VPN tunnel h Select the Connect using Secure Gateway Tunnel check box i Select IP Address in the ID Type menu below the check box j Enter the public WAN IP Address of the DG834 v3 in the field directly below the ID Type menu In this example 22 23 24 25 would be used k The resulting Connection Settings are shown in Figure 7 10 3 Configure the Security Policy in the NETGEAR ProSa...

Page 102: ...urity Policy menu c Select the Main Mode in the Select Phase 1 Negotiation Mode check box 4 Configure the VPN Client Identity In this step you will provide information about the remote VPN client PC You will need to provide the Pre Shared Key that you configured in the DG834 v3 and either a fixed IP address or a fixed virtual IP address of the VPN client PC Figure 7 11 ...

Page 103: ... Address box Otherwise leave this box empty d In the Internet Interface box select the adapter you use to access the Internet Select PPP Adapter in the Name menu if you have a dial up Internet account Select your Ethernet adapter if you have a dedicated Cable or DSL line You may also choose Any if you will be switching between adapters or if you have only one adapter e Click the Pre Shared Key but...

Page 104: ...entication subheading by double clicking its name or clicking on the symbol Then select Proposal 1 below Authentication c In the Authentication Method menu select Pre Shared key d In the Encrypt Alg menu select the type of encryption to correspond with what was configured for the Encryption Protocol in the DG834 v3 in Table 7 1 on page 7 In this example use Triple DES e In the Hash Alg menu select...

Page 105: ...on to correspond with what was configured for the Encryption Protocol in the DG834 v3 in Table 7 1 on page 7 In this example use Triple DES f In the Hash Alg menu select SHA 1 g In the Encapsulation menu select Tunnel h Leave the Authentication Protocol AH checkbox unchecked 7 Save the VPN Client Settings From the File menu at the top of the Security Policy Editor window select Save After you have...

Page 106: ...test using our example start from the remote PC a Establish an Internet connection from the PC b On the Windows taskbar click the Start button and then click Run c Type ping t 192 168 3 1 and then click OK This will cause a continuous ping to be sent to the first DG834 v3 After between several seconds and two minutes the ping response should change from timed out to reply Once the connection is es...

Page 107: ...o launch this function click on the Windows Start button then select Programs then NETGEAR ProSafe VPN Client then Log Viewer 2 The Log Viewer screen for a successful connection is shown below 3 The Connection Monitor screen for this connection is shown below Figure 7 18 Note Use the active VPN tunnel information and pings to determine whether a failed connection is due to the VPN tunnel or some r...

Page 108: ... to Set Up a Gateway to Gateway VPN Configuration Follow this procedure to configure a gateway to gateway VPN tunnel using the VPN Wizard Note While your PC is connected to a remote LAN through a VPN you might not have normal Internet access If this is the case you will need to close the VPN connection in order to have normal Internet access Note This section uses the VPN Wizard to set up the VPN ...

Page 109: ...t Forward Secrecy Enabled or Disabled Disabled Encryption Protocol DES or 3DES 3DES Authentication Protocol MD5 or SHA 1 SHA 1 Diffie Hellman DH Group Group 1 or Group 2 Group 2 Key Life in seconds 28800 8 hours IKE Life Time in seconds 3600 1 hour VPN Endpoint Local IPSec ID LAN IP Address Subnet Mask FQDN or Gateway IP WAN IP Address DG834 v3_A GW_A 192 168 0 1 255 255 255 0 14 15 16 17 DG834 v3...

Page 110: ...ault LAN address of http 192 168 0 1 with its default user name of admin and password of password Click the VPN Wizard link in the main menu to display this screen Click Next to proceed 2 Fill in the Connection Name and the pre shared key select the type of target end point and click Next to proceed Figure 7 21 Figure 7 22 Enter the new Connection Name e g GtoG Enter the pre shared key e g 1234567...

Page 111: ...or the target VPN endpoint WAN connection and click Next 4 Identify the IP addresses at the target endpoint which can use this tunnel and click Next Figure 7 23 Figure 7 24 Enter the WAN IP address of the remote VPN gateway e g 22 23 24 25 Enter the LAN IP settings of the remote VPN gateway IP Address e g 192 168 3 1 Subnet Mask e g 255 255 255 0 ...

Page 112: ...Reference Manual for the ADSL Modem Router DG834 7 24 Virtual Private Networking Advanced Feature v2 3 May 2007 The Summary screen below displays Figure 7 25 ...

Page 113: ...ck the here link see Figure 7 25 Click Back to return to the Summary screen 5 Click Done on the Summary screen see Figure 7 25 to complete the configuration procedure The VPN Settings menu below displays showing that the new tunnel is enabled Figure 7 26 Figure 7 27 Note Refer to Using Auto Policy to Configure VPN Tunnels on page 7 36 to enable the IKE keepalive capability on an existing VPN tunne...

Page 114: ...P settings of the remote VPN gateway IP Address e g 192 168 0 1 Subnet Mask e g 255 255 255 0 Preshared Key e g 12345678 7 Use the VPN Status screen to activate the VPN tunnel by performing the following steps a Open the DG834 v3 management interface and click on VPN Status to get the VPN Status Log screen Figure 7 28 Note The VPN Status screen is only one of three ways to activate a VPN tunnel See ...

Page 115: ...nt to activate c Look at the VPN Status Log screen Figure 7 28 to verify that the tunnel is connected VPN Tunnel Control Activating a VPN Tunnel There are three ways to activate a VPN tunnel Use the VPN Status page Activate the VPN tunnel by pinging the remote endpoint Start using the VPN tunnel Figure 7 29 Note Refer to Using Auto Policy to Configure VPN Tunnels on page 7 36 to enable the IKE kee...

Page 116: ...PN Status screen to activate a VPN tunnel perform the following steps 1 Log in to the Modem Router 2 Open the DG834 v3 management interface and click on VPN Status to get the VPN Status Log screen Figure 7 30 3 Click on VPN Status Figure 7 30 to get the Current VPN Tunnels SAs screen Figure 7 31 Click on Connect for the VPN tunnel you want to activate Figure 7 30 Figure 7 31 ...

Page 117: ... NETGEAR ProSafe menu bar The NETGEAR ProSafe client will report the results of the attempt to connect Since the remote PC has a dynamically assigned WAN IP address it must initiate the request To perform a ping test using our example start from the remote PC a Establish an Internet connection from the PC b On the Windows taskbar click the Start button and then click Run c Type ping t 192 168 3 1 ...

Page 118: ...remote network from a PC attached to the DG834 v3 a Open command prompt i e Start Run cmd b ping 192 168 3 1 Start Using a VPN Tunnel to Activate It To use a VPN tunnel use a Web browser to go to a URL whose IP address or range is covered by the policy for that VPN tunnel Verifying the Status of a VPN Tunnel To use the VPN Status page to determine the status of a VPN tunnel perform the following ste...

Page 119: ...ent VPN Tunnels SAs screen Figure 7 31 This table lists the following data for each active VPN Tunnel SPI each SA has a unique SPI Security Parameter Index for traffic in each direction For Manual key exchange the SPI is specified in the Policy definition For Automatic key exchange the SPI is generated by the IKE protocol Policy Name the name of the VPN policy associated with this SA Remote Endpoi...

Page 120: ...ifetime for this SA in seconds When the Hard Lifetime becomes zero the SA Security Association will be terminated It will be re established if required Deactivating a VPN Tunnel Sometimes a VPN tunnel must be deactivated for testing purposes There are two ways to deactivate a VPN tunnel Policy table on VPN Policies page VPN Status page Figure 7 36 ...

Page 121: ...teps 1 Log in to the Modem Router 2 Open the DG834 v3 management interface and click on VPN Policies to get the VPN Policies screen Figure 7 38 3 Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply To reactivate the tunnel check the Enable box and click Apply Using the VPN Status Page to Deactivate a VPN Tunnel To use the VPN Status page to deactivate a VPN tunnel ...

Page 122: ... Open the DG834 v3 management interface and click on VPN Status to get the VPN Status Log screen Figure 7 38 3 Click VPN Status Figure 7 38 to get the Current VPN Tunnels SAs screen Figure 7 39 Click Drop for the VPN tunnel you want to deactivate Deleting a VPN Tunnel To delete a VPN tunnel Figure 7 38 Figure 7 39 ...

Page 123: ...ng Advanced Feature 7 35 v2 3 May 2007 1 Log in to the Modem Router 2 Open the DG834 v3 management interface and click VPN Policies to display the VPN Policies screen Figure 7 40 Select the radio button for the VPN tunnel to be deleted and click the Delete button Figure 7 40 ...

Page 124: ...cess is more complex and there are more opportunities for errors or configuration mismatches between your DG834 v3 and the corresponding VPN endpoint gateway or client workstation Using Auto Policy to Configure VPN Tunnels You need to configure matching VPN settings on both VPN endpoints The outbound VPN settings on one end must match the inbound VPN settings on the other end and vice versa See Exa...

Page 125: ...Reference Manual for the ADSL Modem Router DG834 Virtual Private Networking Advanced Feature 7 37 v2 3 May 2007 Figure 7 41 ...

Page 126: ...dress will be pinged periodically to generate traffic for the VPN tunnel The remote keep alive IP address must be covered by the remote LAN IP range and must correspond to a device that can respond to ping The range should be made as narrow as possible to meet this objective Local LAN This identifies which PCs on your LAN are covered by this policy For each selection data must be provided as follo...

Page 127: ...PN connection to the remote VPN endpoint Please be sure you want this option before selecting it The remote VPN endpoint must have these IP addresses entered as its Local addresses IKE Direction Type this setting is used when determining if the IKE policy matches the current traffic Select the desired option Responder only incoming connections are allowed but outgoing connections will be blocked I...

Page 128: ...thm authentication Algorithm used for both IKE and IPSec This setting must match the setting used on the remote VPN Gateway Auto MD5 and SHA 1 are supported Auto negotiates with the remote VPN endpoint and is not available in responder only mode MD5 128 bits faster but less secure SHA 1 default 160 bits slower but more secure Pre shared Key the key must be entered both here and on the remote VPN G...

Page 129: ...Association Main Mode or Manual Keys Main Perfect Forward Secrecy Enabled or Disabled Disabled Encryption Protocol DES or 3DES 3DES Authentication Protocol MD5 or SHA 1 SHA 1 Diffie Hellman DH Group Group 1 or Group 2 Group 2 Key Life in seconds 28800 8 hours IKE Life Time in seconds 3600 1 hour VPN Endpoint Local IPSec ID LAN IP Address Subnet Mask FQDN or Gateway IP WAN IP Address DG834 v3 A LAN...

Page 130: ...oint Address Type Fixed IP Address Remote VPN Endpoint Address Data 22 23 24 25 Local LAN use default setting Remote LAN IP Address select Subnet address from the pulldown menu Start IP address 192 168 3 1 Subnet Mask 255 255 255 0 IKE Direction Initiator and Responder Exchange Mode Main Mode Diffie Hellman DH Group Group 2 1024 Bit Local Identity Type use default setting Remote Identity Type use ...

Page 131: ...Reference Manual for the ADSL Modem Router DG834 Virtual Private Networking Advanced Feature 7 43 v2 3 May 2007 Pre shared Key 12345678 Figure 7 44 ...

Page 132: ...lowing network settings as appropriate General Remote Address Data e g 14 15 16 17 Remote LAN Start IP Address IP Address e g 192 168 0 1 Subnet Mask e g 255 255 255 0 Preshared Key e g 12345678 7 Use the VPN Status screen to activate the VPN tunnel by performing the following steps Figure 7 45 Note The VPN Status screen is only one of three ways to activate a VPN tunnel See Activating a VPN Tunnel ...

Page 133: ...nt interface and click on VPN Status to display the VPN Status Log screen Figure 7 46 b Click VPN Status Figure 7 46 to display the Current VPN Tunnels SAs screen Figure 7 47 Click on Connect for the VPN tunnel you want to activate c Review the VPN Status Log screen Figure 7 46 to verify that the tunnel is connected Figure 7 46 Figure 7 47 ...

Page 134: ...uires all settings for the VPN tunnel to be manually input at each end both VPN endpoints Click the VPN Policies link of the main menu and then click the Add Manual Policy radio button to display the Manual Keys menu shown in Figure 7 48 General The DG834 v3 VPN tunnel network connection fields are defined as follows Policy Name enter a unique name to identify this policy This name is not supplied...

Page 135: ... LAN This identifies which PCs on the remote LAN are covered by this policy For each selection data must be provided as follows Single PC no Subnet select this option if there is no LAN only a single PC at the remote endpoint If this option is selected no additional data is required Single address enter an IP address in the Single Start IP address field This must be an address on the remote LAN Ty...

Page 136: ...processes input data that is 64 bits wide encrypting these values using a 56 bit key Faster but less secure than 3DES 3DES Triple DES achieves a higher level of security by encrypting the data three times using DES with three different unrelated keys Authentication select the desired SHA 1 or MD5 Authentication Algorithm and enter the key in the field provided For MD5 the keys should be 16 ASCII c...

Page 139: ...bleshooting the ISP Connection on page 8 4 I can t remember the router s configuration password Go to Restoring the Default Configuration and Password on page 8 9 I want to clear the configuration and start over again Go to Restoring the Default Configuration and Password on page 8 9 Basic Functioning After you turn on power to the router the following sequence of events should occur 1 When power ...

Page 140: ...r Test LED Stays On When the router is turned on the Test LED turns on for about 10 seconds and then turns off If the Test LED does not turn on or if it stays on there is a fault within the router If you experience problems with the Test LED Cycle the power to see if the router recovers and the LED blinks for the correct amount of time If all LEDs including the Test LED are still on one minute aft...

Page 141: ...r the router s configuration to factory defaults This will set the router s IP address to 192 168 0 1 This procedure is explained in Using the Reset button on page 8 9 Make sure your browser has Java JavaScript or ActiveX enabled If you are using Internet Explorer click Refresh to be sure the Java applet is loaded Try quitting the browser and launching it again Make sure you are using the correct ...

Page 142: ...a good ADSL connection You can be confident that the service provider has connected your line correctly and that your wiring is correct Internet LED Blinking Amber If your Internet LED is blinking amber then your modem router is attempting to make an ADSL connection with the service provider The LED should turn green within several minutes If the Internet LED does not turn green disconnect all tel...

Page 143: ...hether the modem router is able to obtain an IP address from the ISP Unless you have been assigned a static IP address your modem router must request an IP address from the ISP You can determine whether the request was successful using the browser interface To check the WAN IP address from the browser interface 1 Launch your browser and select an external site such as www netgear com 2 Access the ...

Page 144: ...or details see Table 3 1 on page 3 1 Troubleshooting PPPoE or PPPoA The PPPoE or PPPoA connection can be debugged as follows 1 Access the Main Menu of the router at http 192 168 0 1 2 Under the Maintenance heading select the Router Status link 3 Click the Connection Status button 4 If all of the steps indicate OK then your PPPoE or PPPoA connection is up and working 5 If any of the steps indicates...

Page 145: ...red as its TCP IP modem router If your computer obtains its information from the modem router by DHCP reboot the computer and verify the modem router address as described in Preparing a Computer for Network Access in Appendix C Troubleshooting a TCP IP Network Using the Ping Utility Most TCP IP terminal devices and routers contain a ping utility that sends an echo request packet to the designated ...

Page 146: ...rom Your Computer to a Remote Device After verifying that the LAN path works correctly test the path from your PC to a remote device From the Windows run menu type PING n 10 IP address where IP address is the IP address of a remote device such as your ISP s DNS server If the path is functioning correctly replies as in the previous section are displayed If you do not receive replies Check that your...

Page 147: ...ore the factory default configuration settings changing the router s administration password to password and the IP address to 192 168 0 1 You can erase the current configuration and restore factory defaults in two ways Use the Erase function of the Web Configuration Manager see Backing Up Restoring or Erasing Your Settings on page 5 1 Use the Default Reset button on the rear panel of the router U...

Page 148: ...y in the log is stamped with the date and time of day Problems with the date and time function can include Date shown is January 1 2000 Cause The router has not yet successfully reached a Network Time Server Check that your Internet access settings are configured correctly If you have just completed configuring the router wait at least five minutes and check the date and time again Time is off by ...

Page 149: ...ted Kingdom Australia 240V 50 Hz input Europe 230V 50 Hz input Japan 100V 50 60 Hz input All regions output 12 V DC 1 0A output Physical Specifications Dimensions 6 9 x 4 7 x 1 1 175 mm x 119 mm x 28 mm Weight 0 7 lbs 0 3 kg Environmental Specifications Operating temperature 0 to 40 C 32º to 104º F Operating humidity 90 maximum relative humidity noncondensing Electromagnetic Emissions Meets requir...

Page 151: ...dressing and configuration mechanics defined by the VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up to date all of the addresses that will be necessary and all of the parameters that need to be set on both sides Check that there are no firewall restrictions Table B 1 Profile Summary VPN Consortium Scenario Scenario 1 ...

Page 152: ...1 enter toFVL328 for the Connection Name b In Step 2 enter 22 23 24 25 for the remote WAN s IP address a In Step 3 enter the following IP Address 172 23 9 1 Subnet Mask 255 255 255 0 Figure B 1 Note Product updates are available on the NETGEAR Inc web site at http kbserver netgear com DG834 v3 asp Device WAN IP Address LAN IP Address LAN Subnet Mask DG834 v3 14 15 16 17 10 5 6 1 255 255 255 0 FVL3...

Page 153: ...l for the ADSL Modem Router DG834 NETGEAR VPN Configuration B 3 v2 3 May 2007 Figure B 2 toFVL328 10 5 6 1 172 23 9 1 toFVL328 22 23 24 25 10 10 5 6 172 23 9 Click VPN Policies under Advanced VPN to invoke this screen ...

Page 154: ...res for the VPN Wizard see How to Set Up a Gateway to Gateway VPN Configuration on page 7 20 being certain to use appropriate network addresses for the environment a In Step 1 enter toDG834 for the Connection Name b In Step 2 enter 14 15 16 17 for the remote WAN s IP address c In Step 3 enter the following IP Address 10 5 6 1 Subnet Mask 255 255 255 0 ...

Page 155: ...ion B 5 v2 3 May 2007 Figure B 3 toDG834 toDG834 toDG834 toDG834 toDG834 22 23 24 25 14 15 16 17 14 15 16 17 22 23 24 25 14 15 16 17 172 23 9 1 10 5 6 1 172 23 9 10 5 6 1 Click IKE Policies under VPN to invoke this screen Click VPN Policies under VPN to invoke this screen ...

Page 156: ...h routers This case study follows the VPN Consortium interoperability profile guidelines found at http www vpnc org InteropProfiles Interop 01 html Configuration Profile The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium Gather all the necessary information before you begin the configuration process Verify whether the firmware is up ...

Page 157: ...with Preshared Secret Key not Certificate based IP Addressing NETGEAR Gateway A Fully Qualified Domain Name FQDN NETGEAR Gateway B FQDN Figure B 5 Note Product updates are available on the NETGEAR Inc web site at http kbserver netgear com DG834 v3 asp Gateway A fvl328 dyndns org dg834 dyndns org 10 5 6 0 24 172 23 9 0 24 172 23 9 1 10 5 6 1 WAN IP WAN IP LAN IP LAN IP Gateway B VPNC Example Networ...

Page 158: ...ed using an example FQDN provided by a DDNS Service provider In this case we established the hostname dg834 dyndns org for gateway A using the DynDNS service Gateway B will use the DDNS Service Provider when establishing a VPN tunnel In order to establish VPN connectivity Gateway A must be configured to use Dynamic DNS and Gateway B must be configured to use a DNS hostname to find Gateway A provid...

Page 159: ...tings and then click Apply Check the box Use a Dynamic DNS Service Host Name dg834 dyndns org User Name user s account username Password user s account password c Click Show Status The resulting screen should show Update OK good see Figure B 7 4 On the FVL328 configure the Dynamic DNS settings Assume a properly configured DynDNS account Figure B 6 Figure B 7 ...

Page 160: ...wse to the Dynamic DNS Setup Screen see Figure B 8 in the Advanced menu b Select the DynDNS org radio button see Figure B 8 configure with appropriate account and hostname settings see Figure B 9 and then click Apply Host and Domain Name fvl328 dyndns org User Name user s account username Figure B 8 ...

Page 161: ...Reference Manual for the ADSL Modem Router DG834 NETGEAR VPN Configuration B 11 v2 3 May 2007 Password user s account password Figure B 9 ...

Page 162: ...onment The LAN Addresses used in this example are as follows a In Step 1 enter toFVL328 for the Connection Name b In Step 2 enter fvl328 dyndns org for the remote WAN s IP address a In Step 3 enter the following IP Address 172 23 9 1 Subnet Mask 255 255 255 0 6 Configure the FVL328 as in the Gateway to Gateway procedures for the VPN Wizard see How to Set Up a Gateway to Gateway VPN Configuration o...

Page 163: ...g834 dyndns org for the remote WAN s IP address c In Step 3 enter the following IP Address 10 5 6 1 Subnet Mask 255 255 255 0 7 Test the VPN tunnel by pinging the remote network from a PC attached to the DG834 v3 a Open the command prompt Start Run cmd b ping 172 23 9 1 Figure B 11 Note The pings may fail the first time If this happens try the pings a second time ...

Page 164: ...eed to be set on both sides. Assure that there are no firewall restrictions. Table B-1. Configuration summary (telecommuter example). VPN Consortium Scenario: Scenario 1. Type of VPN: PC client to gateway, with client behind NAT router. Security Scheme: IKE with Preshared Secret Key (not Certificate based). IP Addressing: Gateway: Fully Qualified Domain Name (FQDN); Client: Dynamic. Figure B-12 Gateway A ntgr.dyndns.or...

Page 165: ...uring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter's Home Office configures the NETGEAR ProSafe VPN Client endpoint. Step 1: Configuring the Client to Gateway VPN Tunnel on the VPN Router at the Employer's Main Office. Follow this procedure to configure a client to gateway VPN tunnel by filling out the VPN Auto Policy screen. 1. Log in to the VPN router at its LAN address of http...

Page 166: ...834G.com in this example; fromDG834G in the example; Dynamic IP address; Subnet address; Single address; 192.168.0.1 in this example; 255.255.255.0; 192.168.2.3 in this example; IKE Keep Alive is optional; must match Remote LAN IP Address when enabled; Main Mode; remote PC must respond to pings; 3DES; 12345678 in this example; 3600; Remote NAT router must have Address Reservation set and VPN Passthrough enabled ...

Page 167: ...Sec; in this case study, the NETGEAR VPN ProSafe Client is used. Go to the NETGEAR website (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client. 1. Install the NETGEAR ProSafe VPN Client on the remote PC and reboot. a. You may need to insert your Windows CD to complete the installation. b. If you do not have ...

Page 168: ...and create a VPN Connection. b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A New Connection listing appears in the list of policies. Rename the New Connection so that it matches the Connection Name you entered in the VPN Settings of the DG834 v3 on Gateway A. Note: In this example, the Connection Name used on the client side of the VPN tunnel is toDG834G and it does not h...

Page 169: ...all traffic through the VPN tunnel. h. Select the Connect using Secure Gateway Tunnel check box. i. Select Domain Name in the ID Type menu below the check box and enter fromDG834G.com (in this example). j. Select Gateway Hostname and enter ntgr.dyndns.org (in this example). k. The resulting Connection Settings are shown in Figure B-16. 3. Configure the Security Policy in the DG834 ADSL Modem Router software. a. I...

Page 170: ...icy menu. c. Select the Main Mode in the Select Phase 1 Negotiation Mode check box. 4. Configure the VPN Client Identity. In this step, you will provide information about the remote VPN client PC. You will need to provide the Pre-Shared Key that you configured in the DG834 v3 and either a fixed IP address or a fixed virtual IP address of the VPN client PC. Figure B-17 ...

Page 171: ... b. Choose None in the Select Certificate menu. c. Select Domain Name in the ID Type menu and enter toDG834G.com (in this example) in the box below it. Choose Disabled in the Virtual Adapter menu. d. In the Internet Interface box, select Intel PRO 100VE Network Connection (in this example; your Ethernet adapter may be different) in the Name menu and enter 192.168.2.3 (in this example) in the IP Addr box. Figure ...

Page 172: ...45678 is entered. This field is case sensitive. 5. Configure the VPN Client Authentication Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the VPN router configuration. a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by doub...

Page 173: ...select Pre-Shared key. d. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES. e. In the Hash Alg menu, select SHA-1. f. In the SA Life menu, select Unspecified. g. In the Key Group menu, select Diffie-Hellman Group 2. 6. Configure the VPN Client Key Exchange Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection ...

Page 174: ...kbox. e. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES. f. In the Hash Alg menu, select SHA-1. g. In the Encapsulation menu, select Tunnel. h. Leave the Authentication Protocol (AH) checkbox unchecked. 7. Save the VPN Client settings. From the File menu at the top of the Security Policy Editor window, select Save. After you have configured and saved the VPN client information...

Page 175: ...itiate the request. a. Right-click the system tray icon to open the popup menu. b. Select Connect to open the My Connections list. c. Choose toDG834G. The DG834 ADSL Modem Router will report the results of the attempt to connect. Once the connection is established, you can access resources of the network connected to the VPN router. To perform a ping test using our example, start from the remote PC: a. Establi...

Page 176: ...timed out to reply. Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the VPN router. After a short wait, you should see the login screen of the VPN router (unless another PC already has the VPN router management interface open). Figure B-23 Figure B-24 Note: You can use the VPN router diagnostic utilities to test the VPN connection from the VPN router ...

Page 177: ...his function, click on the Windows Start button, then select Programs, then DG834 ADSL Modem Router, then Log Viewer. 2. The Connection Monitor screen is shown below. While the connection is being established, the Connection Name field in this menu will show SA before the name of the connection. When the connection is successful, the SA will change to the yellow key symbol. Note: Use the active VPN tunnel inf...

Page 178: ...VPN Status screen by following the steps below. 1. To view this screen, click the Router Status link of the VPN router's main menu, then click the VPN Status button. The VPN Status Log screen for a connection is shown below. Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is the case, you will need to close the VPN connection in order to hav...

Page 179: ...2. To view the VPN tunnels status, click the VPN Status link on the right side of the main menu. Current VPN Tunnels (SAs) screen. Figure B-27 ...

Page 181: ...working and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm Virtual Private Networking (VPN): http://documentation.netgear.com/reference/enu/vpn/index.htm Glossary: http://documentation.n...
