Home
/
NETGEAR
/
DGFV338 - ProSafe Wireless ADSL Modem VPN Firewall Router
/
Reference Manual

NETGEAR DGFV338 - ProSafe Wireless ADSL Modem VPN Firewall Router, Reference Manual

Share

Page: 95 / 227

NETGEAR DGFV338 - ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Download Page 95

DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual

Security and Firewall Protection

4-19

v1.0, May 2008

•

Minimize-Delay

: Used when the time required for the packet to reach the destination must be

fast (low link latency). The IP packets for this service priority are marked with a TOS value of
8.

Attack Checks

This screen allows you to specify whether the DGFV338 should be protected against common
attacks from the LAN and WAN networks. The various types of attack checks are defined below.
Select the appropriate boxes to enable the required security measures.

•

WAN Security Checks

:

–

Respond To Ping On Internet Ports

—By default, the DGFV338 does not respond to an

ICMP Echo (ping) packet coming from the Internet or WAN side. We recommend that you
leave this option disabled to prevent hackers from easily discovering the DGFV338 via a
ping, but it can be enabled as a diagnostic tool for connectivity problems.

–

Enable Stealth Mode

—In stealth mode, the ProSafe DGFV338 will not respond to port

scans from the WAN or Internet, which makes it less susceptible to discovery and attacks.

–

Block TCP Flood

—A SYN flood is a form of denial of service attack in which an attacker

sends a succession of SYN requests to a target system. When the system responds, the
attacker doesn’t complete the connection, thus saturating the server with half-open
connections. No legitimate connections can then be made.

When blocking is enabled, the DGFV338 will limit the lifetime of partial connections and
will be protected from a SYN flood attack.

•

LAN Security Checks:

–

Block UDP flood—

A UDP flood is a form of denial of service attack in which the

attacking machine sends a large number of UDP packets to random ports to the victim
host. As a result, the victim host will check for the application listening at that port, see
that no application is listening at that port, and reply with an ICMP Destination
Unreachable packet.

When the victimized system is flooded, it is forced to send many ICMP packets,
eventually making it unreachable by other clients. The attacker may also spoof the IP
address of the UDP packets, ensuring that the excessive ICMP return packets do not reach
him, making the attacker’s network location anonymous.

Note:

A firewall rule that directs ICMP ping requests to a computer on the LAN

will override this option.

«
...
93
94
95
96
97
...
»

Summary of Contents for DGFV338 - ProSafe Wireless ADSL Modem VPN Firewall Router

Page 1: ...May 2008 202 10161 03 v1 0 NETGEAR Inc 4500 Great America Parkway Santa Clara CA 95054 USA DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual ...

Page 2: ...s of their respective holders Statement of Conditions In the interest of improving internal design operational function and or reliability NETGEAR reserves the right to make changes to the products described in this document without notice NETGEAR does not assume any liability that may occur due to the use or application of the product s or circuit layout s described herein Federal Communications ...

Page 3: ...ns may cause harmful interference to radio communications However there is no guarantee that interference will not occur in a particular installation If this equipment does cause harmful interference to radio or television reception which can be determined by turning the equipment off and on the user is encouraged to try and correct the interference by one or more of the following measures Reorien...

Page 4: ... medio de la presente NETGEAR Inc declara que el Radiolan cumple con los requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999 5 CE ÅëëçíéêÞ Greek ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ NETGEAR Inc ΔΗΛΩΝΕΙ ΟΤΙ Radiolan ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ ΤΙΣ ΟΥΣΙΩΔΕΙΣ ΑΠΑΙΤΗΣΕΙΣ ΚΑΙ ΤΙΣ ΛΟΙΠΕΣ ΣΧΕΤΙΚΕΣ ΔΙΑΤΑΞΕΙΣ ΤΗΣ ΟΔΗΓΙΑΣ 1999 5 ΕΚ Français French Par la présente NETGEAR Inc déclare que l ...

Page 5: ...t allowed for operation in any European Community country The current setting for this feature is found in the 5GHz Radio Configuration Window as described in the user guide This device may be operated indoors or outdoors in all countries of the European Community using the 2 4GHz band Channels 1 13 except where noted below In Italy the end user must apply for a license from the national spectrum ...

Page 6: ...otified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations Voluntary Control Council for Interference VCCI Statement This equipment is in the second category information equipment to be used in a residential area or an adjacent area thereto and conforms to the standards set by the Voluntary Control Council for Interf...

Page 7: ...ce code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The copyright holder s name must not be used to endorse or promote any products derived from th...

Page 8: ...t openssl core openssl org 5 Products derived from this software may not be called OpenSSL nor may OpenSSL appear in their names without prior written permission of the OpenSSL Project 6 Redistributions of any form whatsoever must retain the following acknowledgment This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit http www openssl org THIS SOFTWARE IS ...

Page 9: ... the University may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING WITHOUT LIMITATION THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE Zlib zlib h interface of the zlib general purpose compression library version 1 1 ...

Page 10: ...Product and Publication Details Model Number DGFV338 Publication Date May 2008 Product Family Wireless Firewall Product Name ProSafe Wireless ADSL Modem VPN Firewall Router Home or Business Product Business Language English Publication Part Number 202 10161 03 Publication Version Number 1 0 ...

Page 11: ...e Networking VPN 1 3 Autosensing Ethernet Connections with Auto Uplink 1 3 Extensive Protocol Support 1 4 Easy Installation and Management 1 4 Maintenance and Support 1 5 System Requirements 1 5 Package Contents 1 6 Hardware Description 1 6 Router Front Panel 1 6 Router Rear Panel 1 8 Router Login Factory Defaults 1 9 Placement for Wireless Performance 1 10 Chapter 2 Basic Installation and Configu...

Page 12: ...peration 2 16 Choosing the WAN Failure Method 2 17 Configuring the WAN Mode Settings 2 18 Configuring Dynamic DNS 2 19 Programming the Traffic Meter 2 22 Chapter 3 Wireless Configuration Planning the Wireless Network 3 1 Understanding the Wireless Security Features 3 2 Understanding the Wireless Settings 3 4 Wireless Network 3 5 Wireless Access Point 3 5 Wireless Security Type 3 6 Configuring Your...

Page 13: ...et Sites 4 21 Configuring Source MAC Filtering 4 24 Configuring IP MAC Address Binding Alerts 4 25 Configuring Port Triggering 4 27 Enabling Universal Plug and Play UPnP 4 29 Setting a Schedule for Firewall Rules 4 31 Configuring a Bandwidth Profile 4 32 Configuring Session Limits 4 34 Event Logs and Alerts 4 35 Security and Administrator Management 4 38 Chapter 5 Virtual Private Networking Consid...

Page 14: ... Addresses to Remote VPN Users ModeConfig 5 32 Mode Config Operation 5 32 Configuring the ProSafe DGFV338 5 33 Configuring the ProSafe VPN Client for ModeConfig 5 36 Configuring Keepalives and Dead Peer Detection 5 40 Configuring Keepalive 5 40 Configuring Dead Peer Detection 5 41 Configuring NetBIOS Bridging with VPN 5 42 Chapter 6 Router and Network Management Performance Management 6 1 Features...

Page 15: ...Group 7 6 Changing the Group Names 7 7 Reserving an IP Address for a Host 7 8 Configuring LAN Multi Homing 7 9 Configuring Static Routes and RIP 7 11 Adding or Editing a Static Route 7 11 Routing Information Protocol RIP 7 13 Static Route Example 7 14 Chapter 8 Troubleshooting Basic Functions 8 1 Power LED Not On 8 2 LEDs Never Turn Off 8 2 LAN or Internet Port LEDs Not On 8 2 Troubleshooting the ...

Page 16: ...rewall Router Reference Manual xvi Contents v1 0 May 2008 Using the Diagnostics Utilities 8 8 Appendix A Default Settings and Technical Specifications Default Factory Settings A 1 Technical Specifications A 3 Appendix B Related Documents Index ...

Page 17: ...pographical Conventions This guide uses the following typographical conventions Formats This guide uses the following formats to highlight special messages Italics Emphasis books CDs URL names Bold User input Fixed Screen text file and server names extensions commands IP addresses Note This format is used to highlight information of importance or special interest Tip This format is used to highlig...

Page 18: ...ccess the full NETGEAR Inc online knowledge base for the product model Links to PDF versions of the full manual and individual chapters How to Print this Manual To print this manual you can choose one of the following several options according to your needs Your computer must have the free Adobe Acrobat Reader installed in order to view and print PDF files The Acrobat Reader is available on the Ad...

Page 19: ...the Full Manual Use the Complete PDF Manual link at the top left of any page Click the Complete PDF Manual link at the top left of any page in the manual The PDF version of the complete manual opens in a browser window Click the print icon in the upper left of the window Tip If your printer supports printing two pages on a single sheet of paper you can save paper and printer ink by selecting this ...

Page 20: ...DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual xx About This Manual v1 0 May 2008 ...

Page 21: ...onnectivity operating at 2 4GHz 802 11b g With a built in Stateful Packet Inspection SPI firewall the ProSafe DGFV338 prevents Denial of Service DOS attacks and provides shared high speed cable DSL Internet access for a local network of up to 253 users The ProSafe DGFV338 provides you with multiple Web content filtering options plus browsing activity reporting and instant alerts both via e mail A ...

Page 22: ...kup connection via the secondary WAN connection A Powerful True Firewall with Content Filtering DGFV338 is a true firewall using stateful packet inspection to defend against attacks Its firewall features include DoS protection Automatically detects and thwarts DoS attacks such as Ping of Death SYN Flood LAND Attack and IP Spoofing Blocks unwanted traffic from the Internet to your LAN Blocks access...

Page 23: ...ss the traffic is a response to one of your local computers or a service for which you have configured an inbound rule Instead of discarding this traffic you can have it forwarded to one computer on your network Virtual Private Networking VPN The ProSafe DGFV338 provides a secure encrypted connection between your local area network LAN and remote networks or clients It includes the following VPN f...

Page 24: ...d domain name server DNS addresses to attached PCs on the LAN using the Dynamic Host Configuration Protocol DHCP This feature greatly simplifies configuration of PCs on your local network DNS Proxy When DHCP is enabled and no DNS addresses are specified the firewall provides its own address as a DNS server to the attached PCs The firewall obtains actual DNS addresses from the ISP during connection...

Page 25: ...cket Capture DNS lookup and remote reboot Remote management The firewall allows you to securely log in to the Web Management Interface from a remote location on the Internet For additional security you can limit remote management access to a specified remote IP address or range of addresses and you can choose a nonstandard port number Visual monitoring The front panel LEDs of the ProSafe DGFV338 p...

Page 26: ... UK only Category 5 Ethernet cable Telephone cable with RJ 11 connector Resource CD including Application Notes and other helpful information ProSafe VPN Client Software one user license Warranty and Support Information Card If any of the parts are incorrect missing or damaged contact your NETGEAR dealer Keep the carton including the original packing materials in case you need to return the firewa...

Page 27: ...etting to defaults The system has booted successfully 3 Internet LEDs Link Act LED On Green Blinking Green Off The WAN port has detected a link with a connected Ethernet device Data is being transmitted or received by the WAN port The WAN port has no link 100 LED On Green Off The WAN port is operating at 100 Mbps The WAN port is operating at 10 Mbps DSL LED On Green Blinking Green Off The DSL mode...

Page 28: ...An 8 port RJ 45 10 100 Mbps Fast Ethernet Switch N way automatic speed negotiation auto MDI MDIX 4 10 100 port An RJ 45 10 100 Mbps Fast Ethernet WAN port connection to an external modem One RJ 45 WAN port N way automatic speed negotiation Auto MDI MDIX 5 DSL port An RJ 11 port serves as the direct WAN DSL connection to the Internet from the internal ADSL modem via a telephone cable 5 Local LEDs L...

Page 29: ...ctory default information IP Address http 192 168 1 1 to reach the Web based GUI from the LAN User name admin Password password To log in to the DGFV338 from a PC connected to a LAN port 1 Open a Web browser 2 Enter http 192 168 1 1 as the URL 3 At the login screen Figure 1 5 enter the following information admin for User Name password for Password Figure 1 3 Figure 1 4 LAN IP Address User Name Pa...

Page 30: ...ults place your wireless firewall Near the center of the area in which your PCs will operate In an elevated location such as a high shelf where the wireless connected PCs have line of sight access even if through walls The best location is elevated such as wall mounted or on the top of a cubicle and at the center of your wireless coverage area for all the mobile devices Away from potential sources...

Page 31: ...gh an external broadband modem power off the modem and then connect the 10 100 Ethernet WAN port of the DGFV338 to the Ethernet port of the external broadband modem If connecting through the built in ADSL modem connect the DSL WAN port of the DGFV338 to a microfilter and then connect the microfilter to your phone jack see Using ADSL Microfilters optional on page 2 2 for instructions on using micro...

Page 32: ...gle WAN operation using either the ADSL ISP or the Ethernet ISP or you can configure Auto Rollover mode using both the ADSL and Ethernet ISPs You can also configure the dynamic DNS for the WAN ports if needed 6 Set up your wireless network connection Select the appropriate Country Region and Operating Mode for your wireless network Because the wireless interface is disabled by default the initial ...

Page 33: ...ack splitter ADSL Microfilter with Built In Splitter Use an ADSL microfilter with built in splitter when there is a single wall outlet which must provide connectivity for both the wireless firewall and the telephone equipment Logging In To log in to the wireless firewall Figure 2 1 Figure 2 2 Warning Do not connect the wireless firewall to the ADSL line through a microfilter unless the microfilter...

Page 34: ...Firewall Router user interface will display Configuring the ADSL Port Before your ADSL WAN port can establish a connection to the ADSL service you must configure the correct ADSL modem settings for your local ADSL service These settings are obtained from your ADSL provider and must be manually configured They are not auto detected by the DGFV338 Figure 2 3 Note You might want to enable remote mana...

Page 35: ...SL connection on the WAN interface a Multiplexing Method Both VC BASED multiplexing and LLC BASED multiplexing methods are supported b VPI Virtual Path Identifier value This is provided by your ISP to identify the ATM network in conjunction with the VCI value c VCI Virtual Channel Identifier value This is provided by your ISP in conjunction with the VPI value to identify the ATM network 4 Click Ap...

Page 36: ...nu option WAN Settings 2 Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support When Auto Detect successfully detects an active Internet service it reports which connection type was discovered The options are described in...

Page 37: ...ISP Settings tab to display the screen shown in Figure 2 6 2 Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support When Auto Detect successfully detects an active Internet service it reports which connection type it disc...

Page 38: ...formation every time you connect to the Internet select Yes Otherwise select No If your connection is PPTP PPPoE or BigPond Cable then you need to login Choose Yes and enter Login This is often the name that you use in your e mail address for example if your main mail account is jdoe example com enter jdoe Password Enter the password you use to log in to your ISP 2 Enter your ISP Type information ...

Page 39: ... ISP s gateway This is provided by the ISP or your network administrator 4 Select your Domain Name Servers DNS Domain name servers DNS convert Internet names such as www netgear com to numeric Internet addresses called IP addresses Select the Get Automatically from ISP radio button if you have not been assigned a static DNS IP address The ISP will automatically assign a DNS IP address to the DGFV3...

Page 40: ...e Password Enter the password you use to log in to your ISP 2 Enter your ISP Type information Austria PPTP If your ISP is Austria Telecom or any other ISP that uses PPTP to log in fill in the following fields Account Name also known as Host Name or System Name Valid account name for the PPTP connection This is usually your email ID assigned by your ISP the name before the symbol in your email addr...

Page 41: ...igpond asp 3 Enter your Internet IP Address Select the Get dynamically from ISP radio button if you have not been assigned any static IP address The ISP will automatically assign an IP address to the router using the DHCP network protocol If your ISP has assigned a fixed static IP address select Use Static IP Address and fill in the following fields IP Address Static IP address assigned to you Thi...

Page 42: ...ks continuously manually select the port speed If the Ethernet port on your broadband modem supports 100BaseT select 100M otherwise select 10M Use the half duplex settings unless you are sure your broadband modem supports full duplex Router MAC Address Each computer or router on your network has a unique 32 bit local Ethernet address known as the Media Access Control MAC address In most cases the ...

Page 43: ...ection on the WAN interface a Multiplexing Method Both VC BASED multiplexing and LLC BASED multiplexing methods are supported b VPI Virtual Path Identifier value This is provided by your ISP to identify the ATM network in conjunction with the VCI value c VCI Virtual Channel Identifier value This is provided by your ISP in conjunction with the VPI value to identify the ATM network 3 Click Apply to ...

Page 44: ...uter on your network has a unique 32 bit local Ethernet address known as the Media Access Control MAC address In most cases the default Use Default Address will suffice If your ISP requires MAC authentication and expects a specific MAC address then select either Use This Computer s MAC address where the DGFV338 will use the MAC address of the computer you are now using or Use This MAC Address wher...

Page 45: ...d of the Ethernet connection However if the Internet LED blinks continuously you may need to set the port speed manually This could occur with some older broadband modems If the Ethernet port of the broadband modem supports 100BaseT select 100BaseT otherwise select 10BaseT Use the half duplex settings if full duplex modes do not function properly 4 Enter the Router s MAC Address Each computer or r...

Page 46: ... address range and these IP addresses are not visible from the Internet If you have more than one public IP address you can configure multi NAT to assign the additional addresses to individual devices on your LAN Classical Routing In this mode the DGFV338 performs routing but without NAT To gain Internet access each PC on your LAN must have a public IP address If your ISP has allocated many IP add...

Page 47: ...If you have configured only the Ethernet ISP then select Ethernet as the Dedicated WAN port In this mode the 10 100 Ethernet WAN interface will always be active and all traffic will be sent over this link the other link will always be down No link failure detection will occur Choosing the WAN Failure Method When Auto Rollover is configured the DGFV338 detects WAN failure by sending DNS queries to ...

Page 48: ...bmenu Click the WAN Mode tab and the WAN Mode screen will display 2 Select either the NAT or Classical Routing radio button If you have a single Internet address you must use NAT 3 Select your WAN port configuration Select the Auto Rollover radio button and designate the primary port from the pull down menu Auto Rollover is available only if you have connected and configured both an ADSL ISP and a...

Page 49: ...uently In this case you can use a commercial dynamic DNS service which allows you to register an extension to its domain and resolves DNS requests for the resulting FQDN to your frequently changing IP address For Auto Rollover WAN mode you will need a fully qualified domain name FQDN to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or ...

Page 50: ...section reports the currently configured WAN mode For example Single Port ADSL or Auto rollover Only those options that match the configured WAN Mode will be accessible 2 Select the tab for the DDNS service provider you will use 3 Click the information or registration link in the upper right corner for registration information Access the Web site of the DDNS service provider and register for an ac...

Page 51: ... in resolving your URL you may select the Use wildcards check box to activate this feature For example the wildcard feature will cause yourhost dyndns org to be aliased to the same IP address as yourhost dyndns org c If your WAN IP address does not change often you may need to force a periodic update to the DDNS service to prevent your account from expiring If it appears you can select the Update ...

Page 52: ...n an ISP charges by traffic volume over a given period of time or if you want to look at traffic types over a period of time The fields are described in Table 2 2 Although the fields are the same for both ADSL and Ethernet they are specific to each WAN interface and must be set individually Figure 2 12 displays the traffic meter screen for the ADSL connection Figure 2 12 Traffic Meter ADSL ...

Page 53: ...increase The checkbox will automatically be cleared when saved so the increase is only applied once This month s limit This displays the limit for the current month Restart traffic counter This determines when the traffic counter restarts Choose the desired time and day of the month Restart Counter Now Click this button to restart the Traffic Counter immediately Send E mail Report before restartin...

Page 54: ...will display 2 Fill in the fields from the descriptions in Table 2 2 3 Click Apply to save your settings 4 Click Traffic by Protocol to view the traffic details for each interface You can also choose to monitor both interfaces since the configuration is specific to each connected WAN interface 5 Click Apply to save your settings 6 Select the WAN Ethernet Traffic Meter tab and repeat the process to...

Page 55: ...ices to Select a wireless network mode and options that are compatible with your wireless network devices Select a wireless security method that is appropriate for your wireless network and is supported by your wireless network devices You should also select the physical placement of your DGFV338 in order to maximize the network speed see Placement for Wireless Performance on page 1 10 For further...

Page 56: ...from eavesdropping on your wireless data Turn off the broadcast of the wireless network name SSID The service set identifier SSID is a name you give to your wireless network to allow wireless devices to identify your network among any other wireless networks in the area If you disable broadcast of the SSID only devices that already know the correct SSID can connect This defeats the wireless networ...

Page 57: ...ith Service Pack 3 do not include the client software that supports WPA2 Make sure your wireless adapter hardware and driver support WPA2 With each of these data encryption methods you have the choice of using one of these authentication methods PSK With pre shared key PSK all wireless devices on your network must know a special passphrase in order to join the network Because all users share the s...

Page 58: ...reless Settings menu appears as shown in Figure 3 2 The Wireless Settings menu consists of six frames The two frames at the top Wireless Network and Wireless Access Point configure the wireless mode channels region and other settings for the basic wireless LAN connection The next frame Wireless Security Type selects the wireless security method to be used Your choice of wireless security method de...

Page 59: ...Channel No This read only field displays the wireless channel being used by the DGFV338 Mode Selects which IEEE 802 11 wireless protocol your wireless network will support b only All 802 11b wireless devices can be used 802 11g wireless devices can be used if they can operate in 802 11b mode The 802 11b protocol operates at data rates up to 11 Mbit sec g only Only 802 11g wireless devices can be u...

Page 60: ... key and a WEP passphrase When selecting WEP you can also select Auto Supports clients using either Open System or Shared Key Open System No authentication handshake is required but no data can be passed without the WEP key Shared Key An authentication handshake based on the WEP key is required WPA with PSK Wi Fi Protected Access Pre Shared Key WPA PSK can use TKIP or AES standard encryption WPA2 ...

Page 61: ...in menu and Wireless Settings from the submenu The Wireless Settings screen will display as shown in Figure 3 3 2 Enter your Wireless Network Name SSID The default SSID is NETGEAR but NETGEAR strongly recommends that you change your Network Name to a different value It can be up to 32 alphanumeric characters and is case sensitive 3 Select the correct Country Region setting to comply with local reg...

Page 62: ...except for temporary network testing WEP See Configuring WEP on page 3 9 WPA PSK See Configuring WPA PSK on page 3 10 WPA2 PSK See Configuring WPA2 PSK on page 3 11 WPA PSK and WPA2 PSK See Configuring WPA PSK and WPA2 PSK on page 3 12 WPA with RADIUS See Configuring WPA PSK on page 3 10 WPA2 with RADIUS See Configuring WPA2 with RADIUS on page 3 14 WPA and WPA2 with RADIUS See Configuring WPA and...

Page 63: ...a WEP Passphrase a word or group of printable characters in the Passphrase box and click Generate Keys to automatically configure the WEP Key s You can manually or automatically program the four data encryption keys These values must be identical on all PCs and devices in your network Choose either Automatic Click Generate The four key boxes will be automatically populated with key values Manual E...

Page 64: ...ta transmissions are always encrypted using the default key For a full explanation of WEP options as defined by the IEEE 802 11 wireless communication standard see the document Wireless Communications on the NETGEAR website A link to this document can be found in Appendix B Related Documents 4 Click Apply to save your settings Configuring WPA PSK To configure WPA PSK on the DGFV338 Figure 3 4 ...

Page 65: ...the Data Encryption mode AES or TKIP TKIP is the default 3 Enter the Passphrase Network Key The 256 bit key used for encryption is generated from the Passphrase 4 Enter the Key Lifetime in minutes This setting determines how often the encryption key is changed Shorter periods give better security but adversely affect performance 5 Click Apply to save your settings Configuring WPA2 PSK To configure...

Page 66: ...ed and Encryption will be set to AES 2 Enter the preshared Passphrase Network Key The 256 bit key used for encryption is generated from the Passphrase 3 Enter the Key Lifetime in minutes This determines how often the encryption key is changed Shorter periods give better security but adversely affect performance 4 Click Apply to save your settings Configuring WPA PSK and WPA2 PSK To configure WPA P...

Page 67: ...nd Encryption will be set to TKIP AES 2 Enter the Passphrase Network Key The 256 bit key used for encryption is generated from the Passphrase 3 Enter the Key Lifetime in minutes This setting determines how often the encryption key is changed Shorter periods give better security but adversely affect performance 4 Click Apply to save your settings Configuring WPA with RADIUS To configure WPA with RA...

Page 68: ...t 3 Enter the following in the RADIUS Server Settings section a Enter the RADIUS Server Name or IP Address This is the name or IP address of the primary RADIUS server on your LAN required field b Enter the RADIUS port number for connecting to the RADIUS server c Enter the Shared Key The value must match the value used on the RADIUS server 4 Click Apply to save your settings Configuring WPA2 with R...

Page 69: ... will be set to AES 3 Enter the following RADIUS Server Settings a Enter the RADIUS Server Name or IP Address This is the name or IP address of the primary RADIUS server on your LAN required field b Enter the RADIUS port number for connecting to the RADIUS server c Enter the Shared Key The value must match the value used on the RADIUS server 4 Click Apply to save your settings Configuring WPA and ...

Page 70: ...ll down menu By default Data Encryption will be set to TKIP AES 3 Enter the following RADIUS Server Settings a Enter the RADIUS Server Name or IP Address This is the name or IP address of the primary RADIUS server on your LAN required field b Enter the RADIUS port number for connecting to the RADIUS server c Enter the Shared Key The value must match the value used on the RADIUS server 4 Click Appl...

Page 71: ...vices whose MAC addresses appear on the trusted access control list This provides an additional layer of security The default is disabled To configure and enable the Access Control List follow these steps 1 At the top of the Wireless Settings screen click the Setup Access List link to display the Access Control List screen Note The MAC address of a wireless device is a unique number that can usual...

Page 72: ...ithin range of this DGFV338 To copy an available address a Click the Available Wireless Stations tab at the top of the menu to view the list b Use your cursor to highlight the desired MAC address c Use your browser s copy function to copy the MAC address d Click the Access Control List tab at the top of the menu to return to Access Control List menu e Use your browser s paste function to paste the...

Page 73: ...ick the Advanced link at the top of the Wireless Settings screen The Wireless Advanced Options menu contains two frames Wireless Settings and SuperG Settings The Wireless Router Settings menu frame allows the configuration of these functions Warning The ProSafe DGFV338 is already configured with the optimum advanced wireless settings Do not alter these settings unless directed by NETGEAR support I...

Page 74: ...h beacon transmission The range is 20ms to 1000ms and the default is 100ms Preamble Type A long transmit preamble may provide a more reliable connection or a slightly longer range A short transmit preamble gives better performance Auto will automatically handle both long and short preambles The default is Auto The SuperG Settings menu frame allows the configuration of these settings Enable 108Mbps...

Page 75: ... If you selected any of the secure settings Shared Key or above the other devices in the network will not connect unless they are set to same Security and Authentication type and have the other required mandatory fields correctly enabled as described previously WEP Encryption Keys For all four 802 11b keys choose the Key Size Circle one 64 128 or 152 bits Key 1 ___________________________________ ...

Page 76: ...DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 3 22 Wireless Configuration v1 0 May 2008 ...

Page 77: ...ile on page 4 32 Configuring Session Limits on page 4 34 Event Logs and Alerts on page 4 35 Security and Administrator Management on page 4 38 Firewall Protection and Content Filtering Overview A firewall is a special category of router that protects one network the trusted network such as your LAN from another the untrusted network such as the Internet while allowing communication between the two...

Page 78: ...s on page 4 16 Setting Quality of Service QoS Priorities on page 4 18 Attack Checks on page 4 19 Firewall rules are used to block or allow specific traffic passing through from one side to the other Inbound rules WAN to LAN restrict access by outsiders to private resources selectively allowing only specific outside users to access specific resources Outbound rules LAN to WAN determine what outside...

Page 79: ...ce must be added Default Outbound Policy Allow all traffic from the LAN to pass through to the Internet Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the WAN You can change the default outbound policy to block all outbound traffic and then define rules to allow specific outbound traffic The LAN WAN Rules table of the Firewall sub menu under Se...

Page 80: ... are only useful if the traffic is already covered by a BLOCK rule That is you wish to allow a subset of traffic that is currently blocked by another rule Action Select Schedule Select the desired time schedule Schedule1 Schedule2 or Schedule3 that will be used by this rule This drop down menu gets activated only when BLOCK by schedule otherwise Allow or ALLOW by schedule otherwise Block is select...

Page 81: ... page 4 18 Log Specifies whether packets covered by this rule are logged Select the desired action Always always log traffic considered by this rule whether it matches or not This is useful when debugging your rules Never never log traffic considered by this rule whether it matches or not Bandwidth Profile Specifies the name of a bandwidth limiting profile Using a bandwidth profile bandwidth consu...

Page 82: ...you want to block Instant Messenger usage by employees during working hours you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu You can also have the firewall log any attempt to use Instant Messenger during that blocked period Figure 4 3 Note See Blocking Internet Sites o...

Page 83: ...ort based on the destination port number This is also known as port forwarding This following lists all the existing rules for incoming traffic Remember that allowing inbound services opens holes in your firewall Only enable those ports that are necessary for your network An inbound rule is defined by the following fields Figure 4 4 Table 0 1 Inbound Rules Item Description Service Select the desir...

Page 84: ... by the rule based on their IP addresses Select the desired option Any All Internet IP address are covered by this rule Single address Enter the required address in the start field Address range If this option is selected you must enter the start and end fields LAN users This field appears only with Classical Routing not NAT Specifies which computers on your network are affected by this rule Selec...

Page 85: ...ege levels if provided To create a new inbound service rule 1 Click Add under the Inbound Services table The Add LAN WAN Inbound Service appears 2 Configure the parameters based on the descriptions in Table 0 1 on page 4 7 Note Some residential broadband ISP accounts do not allow you to run any server processes such as a Web or FTP server from your location Your ISP may periodically check for serv...

Page 86: ...e selected rule to a new position in the table Delete to delete the selected rule 2 Check the box adjacent to the rule then do any of the following Click Enable to enable the rule The Status icon will turn green Click Disable to disable the policy A rule can be disabled if not in use and enabled as needed Disabling a rule does not delete the configuration but merely de activates the rule The statu...

Page 87: ...from any outside IP address to the IP address of your Web server at any time of day This rule is shown in Figure 4 7 Inbound Rule Example Allowing Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses such as from a branch office you can create an inbound rule In the example shown below CU SeeMe con...

Page 88: ...ress with a Web server on the LAN IP Address Requirements If you arrange with your ISP to have more than one public IP address for your use you can use the additional public IP addresses to map to servers on your LAN or DMZ One of these public IP addresses will be used as the primary IP address of the router This address will be used to provide Internet access to your LAN PCs through NAT The other...

Page 89: ...HTTP service for a Web server 4 From the Action pull down menu select ALLOW always 5 For Send to LAN Server enter the local IP address of your Web server PC 6 From the Public Destination IP Address pull down menu select Other Public IP Address and enter one of your public Internet addresses that will be used by clients on the Internet to reach your Web server 7 Click Apply Figure 4 9 ...

Page 90: ... home page of your Web server Inbound Rule Example Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you haven t defined To expose one of the PCs on your LAN as this host see Figure 4 11 1 Create an inbound rule that allows all protocols 2 Place the rule below all other inbound rules by the clicking the D...

Page 91: ...yamic DNS feature in the Advanced menus so that external users can always find your network If the IP address of the local server PC is assigned by DHCP it may change when the PC is rebooted To avoid this use the Reserved IP address feature in the LAN IP menu to keep the PC s IP address constant Local PCs must access the local server using the PC s local LAN address Attempts by local PCs to access...

Page 92: ...o a new position in the table Customized Services Services are functions performed by server computers at the request of client computers For example Web servers serve Web pages time servers serve time and date information and game hosts serve data about other players moves When a computer on the Internet sends a request for service to a server computer the requested service is identified by a ser...

Page 93: ...or from user groups or newsgroups When you have the port number information you can enter it on the Services screen You can configure up to 125 custom services To add a custom service 1 Select Security from the main menu and Services from the submenu The Services screen will display 2 In the Add Custom Services section enter a descriptive name for the service this name is for your convenience 3 Se...

Page 94: ...ternet Protocol Suite standards RFC 1349 A ToS priority for traffic passing through the VPN firewall is one of the following Normal Service No special priority is given to the traffic The IP packets for services with this priority are marked with a ToS value of 0 Minimize Cost Used when the data must be transferred over a link that has a low transmission cost The IP packets for this service priori...

Page 95: ...usceptible to discovery and attacks Block TCP Flood A SYN flood is a form of denial of service attack in which an attacker sends a succession of SYN requests to a target system When the system responds the attacker doesn t complete the connection thus saturating the server with half open connections No legitimate connections can then be made When blocking is enabled the DGFV338 will limit the life...

Page 96: ... gateway on the LAN side of the DGFV338 wants to connect to another VPN endpoint on the WAN with the DGFV338 between the two VPN end points all encrypted packets will be sent to the DGFV338 Since the DGFV338 filters the encrypted packets through NAT the packets become invalid IPSec PPTP and L2TP represent different types of VPN tunnels that can pass through the DGFV338 To allow the VPN traffic to ...

Page 97: ...that is not blocked by the rule rendering the restriction ineffective Enabling this feature blocks proxy servers Java Blocks java applets from being downloaded from pages that contain them Java applets are small programs embedded in web pages that enable dynamic functionality of the page A malicious applet can be used to compromise or infect computers Enabling this setting blocks Java applets from...

Page 98: ... in the Trusted Domains box keyword filtering will be bypassed For example if you entered www netgear com keyword filtering will be bypassed for this domain however Web Components filtering still applies Keyword application examples If the keyword XXX is specified the URL http www badstuff com xxx html is blocked as is the newsgroup alt pictures XXX If the keyword com is specified only Web sites w...

Page 99: ...rence Manual Security and Firewall Protection 4 23 v1 0 May 2008 To block keywords or Internet domains 2 Select Yes to enable Content Filtering 3 Click Apply to activate the menu controls 4 Select any Web Components you wish to block and click Apply Figure 4 16 ...

Page 100: ...ames by clicking Select All and then Delete Configuring Source MAC Filtering Source MAC Filter will drop or allow the Internet bound traffic received from PCs with specified MAC addresses By default the source MAC address filter is disabled outbound traffic is not filtered by MAC address When the source MAC address filter is enabled outbound Internet traffic will be filtered using the MAC Addresse...

Page 101: ...te or Click select all to select all the MAC Addresses and click Delete Configuring IP MAC Address Binding Alerts You can configure the DGFV338 to drop packets and generate an alert when a device appears to have hijacked or spoofed another device s IP address An IP address can be bound to a specific MAC address either by using a DHCP reserved address see Reserving an IP Address for a Host on page ...

Page 102: ...dd a manual binding entry enter the following data in the Add IP MAC Bindings section a Enter a Name for the bound host device b Enter the MAC Address and IP Address to be bound A valid MAC address is six colon separated pairs of hexadecimal digits 0 to 9 and a to f For example 01 23 45 ab cd ef c From the pull down list select whether dropped packets should be logged to a special counter To view ...

Page 103: ...nd request from the private network on one of the defined outgoing ports It then automatically sets up forwarding to the IP address that sent the request When the application ceases to transmit data over the port the router waits for a timeout interval and then closes the port or range of ports making them available to other computers on the private network Once configured port triggering operates...

Page 104: ...Triggering from the submenu The Port Triggering screen will display 2 Enter a user defined name for this rule in the Name field 3 From the Enable pull down menu indicate if the rule is enabled or disabled 4 From the Protocol pull down menu choose either TCP or UDP transport protocol 5 In the Outgoing Trigger Port Range fields a Enter the Start Port range 1 65534 b Enter the End Port range 1 65534 ...

Page 105: ...Cs The timer is reset whenever incoming or outgoing traffic is received Enabling Universal Plug and Play UPnP Universal Plug and Play UPnP can improve the overall networking experience through automatic discovery and device interoperability UPnP helps devices such as Internet appliances and computers access the network and connect to other devices as needed UPnP devices can automatically discover ...

Page 106: ...esses and other settings of UPnP devices that have accessed this wireless gateway These settings are described in the following Portmap table To enable and configure UPnP 1 Select Security from the main menu and UPnP from the submenu The UPnP screen will display 2 Enable the UPnP radio by selecting the Yes radio box Table 4 2 UPnP Portmap Table settings Settings Description Active Yes or No indica...

Page 107: ...d or inbound rule to use a schedule you can set up a schedule for when blocking occurs or when access is restricted The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules Schedule 1 Schedule 2 or Schedule 3 The ProSafe DGFV338 uses the Network Time Protocol NTP to obtain the current time and date from one of several Network Time Servers on the Interne...

Page 108: ...new inbound or outbound connection is established the DGFV338 searches for a firewall rule that applies to the connection If an applicable rule specifies a bandwidth profile then the DGFV338 will enforce the bandwidth limits of the profile If the bandwidth profile is a Class type the bandwidth limits will apply to the aggregate of all connections corresponding to the same firewall rule If the band...

Page 109: ...the following data in the Bandwidth Profile section a Enter a Profile Name This name will become available in the firewall rules definition menus b Enter the Minimum Bandwidth and Maximum Bandwidth to be allowed c From the Type pull down box select whether the bandwidth limits will apply to the total of all connections matching the firewall rule Group or to each connection matching the rule Indivi...

Page 110: ...ession Limits To prevent one user or group from using excessive system resources you can limit the total number of IP sessions allowed through the DGFV338 for an individual or group You can specify the maximum number of sessions by either a percentage of maximum sessions or an absolute number of maximum sessions Session limiting is disabled by default To configure session limits 1 Select Security ...

Page 111: ...rvice requests hacker probes and administrator logins according to your settings on this screen in the Routing Logs section For example if the Default Outbound Policy is Block Always and Accept Packets from LAN to WAN is enabled then if there is a firewall rule to allow ssh traffic from the LAN whenever a LAN machine tries to make an ssh connection those packets will be accepted and a message will...

Page 112: ...wall Protection v1 0 May 2008 The Log Options section will display the Log Identifier field a mandatory field to identify the log messages This ID is appended to log messages 2 From the Routing Logs section check the boxes of the Accepted Packets and or Dropped packets you want to log Figure 4 25 ...

Page 113: ...gged WAN Status Changes in WAN link status are logged Resolved DNS Names Successful DNS lookups are logged 4 From the Other Event Logs section check the boxes of the events you want to log Source MAC Filter Logs a message when a host is blocked by the source MAC filter Session Limit Logs a message when the session limit is applied to a host or group Bandwidth Limit Logs a message when the bandwidt...

Page 114: ...save your settings Security and Administrator Management Consider the following operational items 1 If you need to manage the DGFV338 from a distant location you can enable Remote Management see Enabling Remote Management Access on page 6 9 2 In addition to using Rules see Using Rules to Block or Allow Specific Kinds of Traffic on page 4 2 to manage the traffic through your system you can further ...

Page 115: ...es to Remote VPN Users ModeConfig on page 5 32 Configuring Keepalives and Dead Peer Detection on page 5 40 Configuring NetBIOS Bridging with VPN on page 5 42 Considerations for Dual WAN Port Systems If both the ADSL port and the Ethernet port of the ProSafe DGFV338 are configured you can enable Auto rollover mode for increased system reliability If only one port is configured you will operate as e...

Page 116: ...el to a Gateway To set up a Gateway to Gateway VPN tunnel using the VPN Wizard 1 Select Gateway as your VPN tunnel connection The Wizard needs to know whether you are planning to connect to a remote gateway LAN or to a remote client PC 2 Select a Connection Name Enter an appropriate name for the connection This name is not supplied to the remote VPN Endpoint It is used to help you manage the VPN s...

Page 117: ...d be defined as either IP addresses or Internet Names FQDN A combination of IP address and Internet Name is not permissible 6 Enter the Local WAN IP Address or Internet Name of your gateway The Local WAN IP address is used in the IKE negotiation phase Automatically the WAN IP or FQDN address assigned by your ISP may display You can modify the WAN IP address to use your FQDN required if the WAN Mod...

Page 118: ...nce Manual 5 4 Virtual Private Networking v1 0 May 2008 9 Click Apply to save your settings The VPN Policies screen will display showing the policy Offsite as enabled Click Edit in the Action column adjacent to the policy to confirm your policy settings Figure 5 1 ...

Page 119: ... 5 v1 0 May 2008 You can also view the status of your IKE Policies by clicking the IKE Policies tab The IKE Policies screen will display Then view or edit the parameters of the Offsite policy by clicking Edit in the Action column adjacent to the policy The Edit IKE Policy screen will display Figure 5 2 ...

Page 120: ...l connection name during Wizard setup identifies both the VPN Policy and IKE Policy You can edit existing policies or add new VPN and IKE policies directly in the Policy Tables IKE Policy The IKE Internet Key Exchange protocol performs negotiations between the two VPN gateways and provides automatic management of the Keys used in IPSec It is important to remember that Auto generated VPN policies m...

Page 121: ...ameters specified in a matching IKE Policy Keys and other parameters are exchanged An IPSec SA Security Association is established using the parameters in the VPN Policy The VPN tunnel is then available for data transfer IKE Policy Table When you use the VPN Wizard to set up a VPN tunnel an IKE Policy is established and populated in the Policy Table and is given the same name as the new VPN connec...

Page 122: ...et Key Exchange protocol to perform negotiations between the two VPN Endpoints the Local ID Endpoint and the Remote ID Endpoint In addition a CA Certificate Authority can also be used to perform authentication see Certificate Authorities on page 5 23 To use a CA each VPN gateway must have a Certificate from the CA For each Certificate there is both a Public Key and a Private Key The Public Key is ...

Page 123: ...t IP address when using the VPN Wizard Remote IP address or address range of the remote network Traffic must be to or from these addresses to be covered by this policy The VPN Wizard default requires the remote LAN IP address and subnet mask Auth Specifies the authentication hashing method to be used either SHA 1 or MD5 Encr Specifies the encryption protocol used for the VPN data VPN Wizard defaul...

Page 124: ... locations with fixed IP addresses Either firewall can initiate the connection To graphically illustrate this process we will assume the following NETGEAR ProSafe DGFV338 with WAN IP address is 10 1 32 40 LAN IP address subnet is 192 168 1 1 255 255 255 0 NETGEAR FVX538 VPN Firewall with WAN IP address is 10 1 1 150 LAN IP address subnet is 192 168 2 1 255 255 255 0 Configuring the ProSafe DGFV338...

Page 125: ... of the local DGFV338 Both local and remote ends must define the address as either an IP address or a FQDN A combination of IP address and FQDN is not permissible 8 Enter the LAN IP address and subnet mask of the remote FVX538 9 Click Apply to create the to_fvx IKE and VPN policies The VPN Policies screen will display showing the to_fvx policy as enabled in the List of VPN Policies table Figure 5 ...

Page 126: ...ay 2008 To view the VPN Policy parameters 1 Click Edit in the Action column adjacent to the to_fvx policy The Edit VPN Policy screen will display as shown in Figure 5 6 It should not be necessary to make any changes 2 View the IKE Policy statistics associated with this policy by clicking View Selected Figure 5 5 ...

Page 127: ...ess ADSL Modem VPN Firewall Router Reference Manual Virtual Private Networking 5 13 v1 0 May 2008 To view the IKE Policy Configuration parameters 1 Select the IKE Policies tab The IKE Policies table will display Figure 5 6 ...

Page 128: ...dem VPN Firewall Router Reference Manual 5 14 Virtual Private Networking v1 0 May 2008 2 Select to_fvx and click Edit It should not be necessary to make any changes Configuring the FVX538 To configure the FVX538 VPN Wizard Figure 5 7 ...

Page 129: ...button for the type of VPN tunnel connection 3 Give the new connection a name such as to_dgfv 4 Enter a value for the pre shared key 5 Enter the WAN IP address of the remote DGFV338 6 Enter the WAN IP address of the FVX538 7 Enter the LAN IP address and subnet mask of the remote DGFV338 8 Click Apply to create the to_dgfv IKE and VPN policies The VPN Policies screen will display Testing the Connec...

Page 130: ...0 remote PCs to connect from locations in which their IP addresses are unknown in advance The PCs may be directly connected to the Internet or may be behind NAT routers If more PCs are to be connected an additional policy or policies must be created Each PC will use the NETGEAR ProSafe VPN Client software Since the PC s IP address is assumed to be dynamic and unknown the PC must always be the init...

Page 131: ...e home VPN Client The VPN Policies screen will display showing the VPN Client policy as enabled 8 Click the IKE Policies tab to display the IKE Policies table and click Edit adjacent to the home policy to view the home policy details You can also augment user authentication security by enabling the XAUTH server by selecting the Edge Device radio button and then adding users to the User Database se...

Page 132: ...or 2 In the upper left of the Policy Editor window click the New Document icon to open a New Connection Give the New Connection a name such as to_dgfv 3 From the ID Type pull down menu select IP Subnet 4 Enter the LAN IP Subnet Address and Subnet Mask of the DGFV338 LAN Check the Connect using box and select Secure Gateway Tunnel from the pull down menu 5 From the first ID Type pull down menus sel...

Page 133: ...tificate pull down menu select None 9 From the ID Type pull down menu select Domain Name The value entered under Domain Name is dgfv_local com In this example we have entered dgfv_local com Up to 50 users can be served by one policy 10 Leave Virtual Adapter disabled and select your computer s Network Adapter Your current IP address will appear Figure 5 11 dgfv_local com to_dgfv ...

Page 134: ...ing v1 0 May 2008 5 Before leaving the My Identity menu click Pre Shared Key 6 Click Enter Key and then enter your preshared key and click OK This key will be shared by all users of the DGFV338 policy home 7 In the left frame select Security Policy Figure 5 12 Figure 5 13 dgfv_remote com to_dgfv to_dgf ...

Page 135: ...ase 1 Negotiation Mode check the Aggressive Mode radio button 9 PFS should be enabled and Enable Replay Detection should be enabled 10 In the left frame expand Authentication Phase 1 and select Proposal 1 The Proposal 1 fields should mirror those in the following figure No changes should be necessary Figure 5 14 Figure 5 15 to_dgfv ...

Page 136: ... in the following figure No changes should be necessary 12 In the upper left of the window click the disk icon to save the policy Testing the Connection 1 From your PC right click on the VPN client icon in your Windows toolbar and select Connect then My Connections to_dgfv Within 30 seconds you should receive the message Successfully connected to My Connections to_dgfv and the VPN client icon in t...

Page 137: ... a CA Identity certificate shown in the Trusted Certificates CA Certificates table This Certificate is required in order to validate communication with the CA It is a three step process First you generate a CA request then when the request is granted you upload the Self Certificate shown in the Active Self Certificates table and then you upload the CA Identity certificate shown in the Trusted Cert...

Page 138: ...f Certificate Request To use a Certificate you must first request the certificate from the CA then download and activate the certificate on your system To request a Certificate from the CA 1 From the main menu under VPN select the Certificates submenu The Certificates screen will display 2 In the Generate Self Certificate Request enter the required data Name Enter a name that will identify this Ce...

Page 139: ...n Name If you have a Domain name you can enter it here Otherwise you should leave this field blank E mail Address Enter your e mail address in this field 4 Click Generate A new certificate request is created and added to the Self Certificate requests table 5 Click View under the Action column to view the request Figure 5 18 ...

Page 140: ...rusted Certificates To upload your new certificate 1 From the main menu under VPN select Certificates The Certificates screen will display Scroll down to the Self Certificate Requests section 2 Click Browse and locate the certificate file on your PC Select the file name in the File to upload field and click Upload The certificate file will be uploaded to this device 3 Scroll back to the Active Sel...

Page 141: ...the CRL Table If you had a previous CA Identity from the same CA it will be deleted Configuring Extended Authentication XAUTH When connecting many VPN clients to a VPN gateway router an administrator may want a unique user authentication method beyond relying on a single common preshared key for all clients Although the administrator could configure a unique VPN policy for each user it is more con...

Page 142: ...uthenticated against XAUTH or you must enable a RADIUS CHAP or RADIUS PAP server To enable and configure XAUTH 1 Select VPN from the main menu and Policies from the submenu The IKE Policies screen will display 2 Click the Edit button adjacent to the existing IKE Policy to be modified or click Add to create a new IKE Policy incorporating XAUTH The Edit IKE Policy menu appears as shown in Figure 5 7...

Page 143: ...ntials are available If the user account is not present the DGFV338 will then connect to the RADIUS server see RADIUS Client Configuration on page 5 30 Select IPSec Host if you want to be authenticated by the remote gateway In the adjacent Username and Password fields type in the information user name and password associated with the IKE policy for authenticating to the remote gateway 5 Click Appl...

Page 144: ...IUS server will store a database of user information and can validate a user at the request of a gateway or server in the network when a user requests access to network resources During the establishment of a VPN connection the VPN gateway can interrupt the process with an XAUTH eXtended AUTHentication request At that point the remote user must provide authentication information such as a username...

Page 145: ...s Server allowing network access to external users after verifying their authentication information In a RADIUS transaction the NAS must provide some NAS Identifier information to the RADIUS server Depending on the configuration of the RADIUS server the router s IP address may be sufficient as an identifier or the server may require a name which you would enter here This name would also be configu...

Page 146: ... software using these IP addresses NETGEAR ProSafe Wireless ADSL Modem VPN Firewall Router WAN IP address 172 21 4 1 LAN IP address subnet 192 168 2 1 255 255 255 0 NETGEAR ProSafe VPN Client software IP address 192 168 1 2 Mode Config Operation After IKE Phase 1 is complete the VPN connection initiator remote user client asks for IP configuration parameters such as IP address subnet mask and name...

Page 147: ... DNS Server IP addresses to be used by remote VPN clients 7 If you enable Perfect Forward Secrecy PFS select DH Group 1 or 2 This setting must match exactly the configuration of the remote VPN client 8 Specify the Local IP Subnet to which the remote client will have access Typically this is your router s LAN subnet such as 192 168 2 1 255 255 255 0 If not specified it will default to the LAN subne...

Page 148: ...icies Table 2 Click Add to configure a new IKE Policy The Add IKE Policy screen will display 3 Enable Mode Config by checking the Yes radio button and selecting the Mode Config record you just created from the pull down menu You can view the parameters of the selected record by clicking the View selected box Mode Config works only in Aggressive Mode and Aggressive Mode requires that both ends of t...

Page 149: ...at will also be configured in the VPN client 8 XAUTH is disabled by default To enable XAUTH select Edge Device to use this router as a VPN concentrator where one or more gateway tunnels terminate If selected you must specify the Authentication Type to be used in verifying credentials of the remote VPN gateways IPsec Host if you want this gateway to be authenticated by the remote gateway Enter a Us...

Page 150: ... v1 0 May 2008 10 Click Apply The new policy will appear in the IKE Policies Table a sample policy is shown below Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software configure the remote VPN client connection To configure the client PC Figure 5 24 ...

Page 151: ...ing radio button and select Secure Gateway Tunnel from the pull down menu e From the ID Type pull down menu select Domain name and enter the FQDN of the ProSafe DGFV338 in this example it is local_id com f Select Gateway IP Address from the second pull down menu and enter the WAN IP address of the ProSafe DGFV338 in this example it is 172 21 4 1 2 From the left side of the menu click My Identity a...

Page 152: ...gotiation Mode check the Aggressive Mode radio button b Check the Enable Perfect Forward Secrecy PFS radio button and select the Diffie Hellman Group 2 from the PFS Key Group pull down menu c Enable Replay Detection should be checked 4 Click on Authentication Phase 1 on the left side of the menu and select Proposal 1 Enter the Authentication values to match those in the ProSafe DGFV338 ModeConfig ...

Page 153: ...ey Exchange Phase 2 on the left side of the menu and select Proposal 1 Enter the values to match your configuration of the ProSafe DGFV338 ModeConfig Record menu The SA Lifetime can be longer such as 8 hours 28800 seconds 6 Click the Save icon to save the Security Policy and close the VPN ProSafe VPN client Figure 5 27 Figure 5 28 ...

Page 154: ...ent server applications over the tunnel cannot tolerate the tunnel establishment time If you require your VPN tunnel to remain connected you can use the keepalive and Dead Peer Detection features to prevent the tunnel from dropping and to force a reconnection if the tunnel drops for any reason For Dead Peer Detection to function the peer VPN device on the other end of the tunnel must also support ...

Page 155: ...nds 7 In Reconnect after failure count set the number of consecutive missed responses that will be considered a tunnel connection failure The default is 3 missed responses When the DGFV338 senses a tunnel connection failure it forces a reestablishment of the tunnel 8 Click Apply at the bottom of the menu Configuring Dead Peer Detection The Dead Peer Detection feature maintains the IKE SA by exchan...

Page 156: ...hen the DGFV338 senses an IKE connection failure it deletes the IPSec and IKE Security Association and forces a reestablishment of the connection 7 Click Apply at the bottom of the menu Configuring NetBIOS Bridging with VPN Windows networks use the Network Basic Input Output System NetBIOS for several basic network services such as naming and neighborhood device discovery Because VPN routers do no...

Page 157: ...rewall Router Reference Manual Virtual Private Networking 5 43 v1 0 May 2008 3 In the General menu frame of the Edit VPN Policy menu click the Enable NetBIOS check box as shown in Figure 5 31 4 Click Apply at the bottom of the menu Figure 5 31 ...

Page 158: ...DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 5 44 Virtual Private Networking v1 0 May 2008 ...

Page 159: ...Line Interface on page 6 11 Event Alerts on page 6 11 Monitoring on page 6 12 Using an SNMP Manager on page 6 22 Configuration File Management on page 6 24 Upgrading the Router and DSL Firmware on page 6 26 Configuring Date and Time Service on page 6 28 Performance Management Performance management consists of controlling the traffic through the ProSafe DGFV338 so that the necessary traffic gets t...

Page 160: ...ine their application according to the following criteria LAN users These settings determine which computers on your network are affected by this rule Select the desired options Any All PCs and devices on your LAN Single address The rule will be applied to the address of a particular PC Address range The rule is applied to a range of addresses Groups The rule is applied to a Group You use the Netw...

Page 161: ... methods DHCP Client Request By default the DHCP server in this Router is enabled and will accept and respond to DHCP client requests from PCs and other network devices These requests also generate an entry in the Network Database Because of this leaving the DHCP Server feature on the LAN screen enabled is strongly recommended Scanning the Network The local network is scanned using standard method...

Page 162: ...h keyword blocking has been enabled will still be allowed without any blocking Web component blocking You can block the following Web component types Proxy Java ActiveX and Cookies Sites on the Trusted Domains list are still subject to Web component blocking when the blocking of a particular Web component has been enabled See Blocking Internet Sites on page 4 21 for the procedure on how to use thi...

Page 163: ...W by schedule otherwise Block You can also enable a check on special rules VPN Passthrough Enable this to pass the VPN traffic without any filtering specially used when this firewall is between two VPN tunnel end points Drop fragmented IP packets Enable this to drop the fragmented IP packets UDP Flooding Enable this to limit the number of UDP sessions created from one LAN machine TCP Flooding Enab...

Page 164: ...r the procedure on how to use this feature Port Triggering Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall Using this feature requires that you know the port numbers used by the Application Once configured operation is as follows A PC makes an outgoing connection using a port number defined in the Port Triggering table This R...

Page 165: ... The QoS priority settings conform to the IEEE 802 1D 1998 formerly 802 1p standard for class of service tag You will not change the WAN bandwidth used by changing any QoS priority settings But you will change the mix of traffic through the WAN ports by granting some services a higher priority than others The quality of a service is impacted by its QoS setting however See Setting Quality of Servic...

Page 166: ...esired 3 First enter the old password and then enter the new password twice Click Apply 4 Change the login idle time out by changing the number of minutes Click Apply Note You can change the Administrator account name however you cannot change it to root as this is a Telnet account that already exists on the system Figure 6 1 Note If you make the administrator login time out value too large you wi...

Page 167: ...to enable remote management see Logging In on page 2 3 To configure your firewall for Remote Management 1 Select Administration from the main menu and Remote Management from the submenu The Remote Management screen will display 2 Click Yes to Allow Secure HTTP Management Note Be sure to change the firewall default configuration password to a very secure password The ideal password should contain n...

Page 168: ...mon alternate for HTTP 5 To enable remote management by the command line interface CLI over Telnet click Yes to Allow Telnet Management and configure the external IP addresses that will be allowed to connect 6 Click Apply to have your changes take effect When accessing your firewall from the Internet the Secure Sockets Layer SSL will be enabled Enter https and type your firewall WAN IP address int...

Page 169: ...password information or enter guest and password to log in as a read only guest 3 Enter exit to end the CLI session Any configuration changes made via the CLI are not preserved after a reboot or power cycle unless the user issues the CLI save command after making the changes Event Alerts You can be alerted to important events such as WAN port auto rollover WAN traffic limits reached and login fail...

Page 170: ... is reached when this feature is enabled Monitoring You can view status information about the firewall WAN ports LAN ports and VPN tunnels and program SNMP connections Router Status The Router Status menu provides status and usage information on the LAN port the ADSL configuration and the Ethernet configuration From the main menu of the browser interface under Management select Router Status to vi...

Page 171: ...nd Network Management 6 13 v1 0 May 2008 Figure 6 4 Table 6 1 Router Status Item Description System Name This is the Account Name that you entered in the Basic Settings page Firmware Version This is the current software the router is using This will change if you upgrade your router ...

Page 172: ...nt connection status for the selected connection will display LAN Port Information These are the current settings for MAC address IP address DHCP role and Subnet Mask that you set in the LAN IP Setup page DHCP can be either Server or None WAN Port Information This indicates whether rollover mode is enabled and which LAN connection is primary and which is secondary It also notes whether NAT is Enab...

Page 173: ...service you want to access Click Show Status The Status screen for the selected service will display Internet Traffic The Internet Traffic screen provides the following information Internet Traffic Statistics Displays statistics on Internet Traffic via the WAN port If you have not enabled the Traffic Meter these statistics are not available Traffic by Protocol Clicking Traffic by Protocol will sho...

Page 174: ...DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 6 16 Router and Network Management v1 0 May 2008 Figure 6 6 ...

Page 175: ...s an automatically maintained list of all known PCs and network devices PCs and devices become known by the following methods DHCP Client Requests By default the DHCP server in this Router is enabled and will accept and respond to DHCP client requests from PCs and other network devices These requests also generate an entry in the Network Database Because of this leaving the DHCP Server feature on ...

Page 176: ...entry to add a meaningful name IP Address The current IP address For DHCP clients where the IP address is allocated by the DHCP Server in this device this IP address will not change Where the IP address is set on the PC as a fixed IP address you may need to update this entry manually if the IP address on the PC is changed MAC Address The MAC address of the PC The MAC address is a low level network...

Page 177: ...he following field descriptions in Table 6 3 Firewall Security A log of the firewall activities can be viewed saved to a syslog server and sent to an email address Figure 6 10 shows the Log screen that is invoked by clicking Logs and Email under Security on the Main Menu bar Figure 6 9 Table 6 3 Port Triggering Status data Item Description Rule The name of the Rule LAN IP Address The IP address of...

Page 178: ...dem VPN Firewall Router Reference Manual 6 20 Router and Network Management v1 0 May 2008 Figure 6 10 Select the types Enable emailing Enable Syslogs server Set a schedule to send email logs of logs to email of logs Click to view logs ...

Page 179: ...he View Log link on the Logs and E mail screen VPN Tunnels You can view the VPN Logs by selecting Monitoring on the main menu and VPN Logs on the submenu The VPN Logs screen displays the log contents generated by all VPN policies Click Refresh to view entries made after this screen was invoked Click Clear Log to delete all entries Figure 6 11 Figure 6 12 ...

Page 180: ...des a remote means to monitor and control network devices and to manage configurations statistics collection performance and security Figure 6 13 Table 6 4 VPN Status Data Item Description Policy Name The name of the VPN policy associated with this SA Endpoint The IP address on the remote VPN Endpoint Tx KBytes The amount of data transmitted over this SA Tx Packets The number of packets transmitte...

Page 181: ...n the Subnet Mask field To allow only the host address to access the wireless firewall and receive traps enter an IP Address of for example 192 168 1 101 with a Subnet Mask of 255 255 255 255 To allow a subnet access to the wireless firewall through SNMP enter an IP address of for example 192 168 1 101 with a Subnet Mask of 255 255 255 0 The traps will still be received on 192 168 1 101 but the en...

Page 182: ...display 2 Modify any of the contact information that you want the SNMP Manager to use 3 Click Apply to save your settings Configuration File Management The configuration settings of the ProSafe DGFV338 are stored within the firewall in a configuration file This file can be saved backed up to a user s PC retrieved restored from the user s PC or cleared to factory default settings Once you have inst...

Page 183: ...e Upgrade screen will display 2 Click backup to save a copy of your current settings If your browser isn t set up to save downloaded files automatically locate where you want to save the file specify file name and click Save If you have your browser set up to save downloaded files automatically the file will be saved to your browser s download location on the hard disk To restore settings from a b...

Page 184: ...ng the Router and DSL Firmware The latest versions of firewall and DSL firmware are available on the NETGEAR website You can install router firmware or DSL firmware from the Settings Backup and Firmware Upgrade screen To view the current version of the firmware that your wireless firewall is running select Monitoring from the main menu In the displayed Router Status screen the System Info frame sh...

Page 185: ...s rebooted check the firmware version in the Router Status screen to verify that your router now has the new firmware installed DSL Firmware Upgrade You can use the same procedure to upgrade the DSL firmware Download the ADSL firmware browse for the upgrade file name in the DSL Firmware Upgrade menu frame then click upload Note The router firmware and the DSL firmware are separate files Be sure to...

Page 186: ... the main menu and Time Zone from the submenu The Time Zone screen is displayed 2 From the Date Time pull down menu select the Local Time Zone This is required in order for scheduling to work correctly The wireless firewall includes a Real Time Clock RTC which it uses for scheduling 3 If supported in your region select Automatically Adjust for Daylight Savings Time 4 Select a NTP Server option by ...

Page 187: ... a backup NTP server in the Server 2 Name IP Address field If you select this option and leave either the Server 1 or Server 2 fields empty they will be set to the default Netgear NTP servers 5 Click Apply to save your settings Note If you select the default NTP servers or if you enter a custom server FQDN the DGFV338 must determine the IP address of the NTP server by a DNS lookup You must configu...

Page 188: ...DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 6 30 Router and Network Management v1 0 May 2008 ...

Page 189: ...ill be assigned to the attached PCs from a pool of addresses specified in this menu Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN For most applications the default DHCP and TCP IP settings of the DGFV338 are satisfactory See the link to Preparing a Computer for Network Access in Appendix B Related Documents for an explanation of DHCP and information abou...

Page 190: ...ation of lease To force the DHCP server to always assign the same IP address to a specific LAN device see Reserving an IP Address for a Host on page 7 8 Configuring the LAN Setup Options The LAN Setup menu allows configuration of LAN IP services such as DHCP and allows you to configure a secondary or multi home LAN IP setup in the LAN The default values are suitable for most users and situations T...

Page 191: ...addresses in the IP address pool 192 168 1 2 is the default start address c Ending IP Address The last of the contiguous addresses in the IP address pool 192 168 1 254 is the default ending address d Primary DNS Server Optional The last of the contiguous addresses in the IP address pool 192 168 1 254 is the default ending address e Secondary DNS Server Optional T f WINS Server Optional The IP addr...

Page 192: ...nstead you can just select the desired PC or device No need to reserve an IP address for a PC in the DHCP Server All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database either by expiry inactive for a long time or by you No need to use a Fixed IP on PCs Because the address allocated by the DHCP Server will never change you don t nee...

Page 193: ...0 May 2008 The Network Database is managed from the LAN Groups menu To reach this menu select Network Configuration from the main menu and LAN Setup from the submenu then click the LAN Groups tab Figure 7 2 shows the LAN Groups menu Table 7 1 describes the contents of the LAN Groups menu Figure 7 2 ...

Page 194: ...he IP address on the PC is changed MAC Address The MAC address of the PC The MAC address is a low level network identifier which is fixed at manufacture Group Each PC or device must be in a single group The Group column indicates which group each entry is in By default all entries are in Group 1 Operations Group Assignment You can assign an existing entry to a group by selecting Edit When the Edit...

Page 195: ...le 1 Click the Edit button next to the device entry in the Known PCs and Devices table The Edit Groups and Hosts menu appears 2 From the Group pull down list choose the group that this host will be assigned to 3 Click Apply Changing the Group Names Rather than using the default names for example Group2 you can change the group names to be more descriptive for example Marketing To change a group na...

Page 196: ...will be automatically updated in the Group column of the Known PCs and Devices table Reserving an IP Address for a Host When you specify a reserved IP address for a PC on the LAN that PC will always receive the same IP address each time it access the DGFV338 s DHCP server Reserved IP addresses should be assigned to servers that require permanent IP settings For example if you have configured any i...

Page 197: ...s list 2 Click the Save Binding button Configuring LAN Multi Homing If you have computers on your LAN using different IP address ranges for example 172 16 2 0 or 10 0 0 0 you can add multiple alias IP addresses to the LAN port allowing computers on those networks to access the DGFV338 This multi homing feature of the DGFV338 s LAN port allows the DGFV338 to act as a gateway for additional logical ...

Page 198: ...bnet containing this address Subnet Mask The subnet mask of the subnet containing the secondary IP address To add a secondary LAN IP address 1 Enter the IP Address and the Subnet Mask in the respective fields of the Add Secondary LAN IP Address section 2 Click Add The new Secondary LAN IP address will appear in the Available Secondary LAN IPs table To delete any or all entries in the Available Sec...

Page 199: ...ional static routes You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network Adding or Editing a Static Route To add or edit a static route 1 Select Network Configuration from the main menu and Routing from the submenu The Routing screen will display 2 Click Add The Add Static Route menu shown below will display 3 Enter a route...

Page 200: ...ace which is the physical network interface ADSL WAN Ethernet or LAN through which the destination host or network is accessible 9 Enter the Gateway IP Address through which the destination host or network can be reached must be a router on the same LAN segment as the DGFV338 10 Enter the Metric priority for this route If multiple routes to the same destination exit the route with the lowest metri...

Page 201: ...ng information automatically with other routers and allows it to dynamically adjust its routing tables and adapt to changes in the network RIP is disabled by default To configure RIP parameters 1 Select Network Configuration from the main menu and Routing from the submenu Click RIP Configuration at the top of the Routing menu The RIP Configuration screen will display 2 From the RIP Direction pull ...

Page 202: ...data in RIP 2 format and uses multicasting 4 Authentication for RIP2B 2M required If you selected RIP 2B or RIP 2M you can optionally check the Yes radio button to enable the authentication feature Input the First Key Parameters and Second Key Parameters MD 5 keys to authenticate between routers 5 Click Save to save your settings Static Route Example For example you may require a static route if Y...

Page 203: ... 192 168 1 100 In this example The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 172 16 x x addresses The Gateway IP Address fields specifies that all traffic for these addresses should be forwarded to the ISDN router at 192 168 1 100 A Metric value of 1 will work since the ISDN firewall is on the LAN Private is selected only as a precautionary secu...

Page 204: ...DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 7 16 LAN Configuration v1 0 May 2008 ...

Page 205: ... 8 7 Problems with Date and Time on page 8 8 Using the Diagnostics Utilities on page 8 8 Basic Functions After you turn on power to the firewall the following sequence of events should occur 1 When power is first applied verify that the PWR LED is on 2 After approximately 60 to 90 seconds verify that a The TEST LED is not lit b The LAN port LEDs are lit for any local ports that are connected c The...

Page 206: ...er power up Cycle the power to see if the firewall recovers Clear the firewall s configuration to factory defaults This will set the firewall s IP address to 192 168 1 1 This procedure is explained in Restoring the Default Configuration and Password on page 8 7 If the error persists you might have a hardware problem and should contact technical support LAN or Internet Port LEDs Not On If either th...

Page 207: ...ring the Default Configuration and Password on page 8 7 Make sure your browser has Java JavaScript or ActiveX enabled If you are using Internet Explorer click Refresh to be sure the Java applet is loaded Try quitting the browser and launching it again Make sure you are using the correct login information The factory default login name is admin and the password is password Make sure that CAPS LOCK ...

Page 208: ...an IP address from your ISP If your firewall is unable to obtain an IP address from the ISP on the Ethernet port you may need to force your cable or DSL modem to recognize your new firewall by performing the following procedure 1 Turn off power to the cable or DSL modem 2 Turn off power to your firewall 3 Wait 5 minutes and reapply power to the cable or DSL modem 4 When the modem s LEDs indicate t...

Page 209: ... Connection on page 2 8 or Manually Configuring the Ethernet ISP Connection on page 2 9 If your firewall can obtain an IP address but your PC is unable to load any Web pages from the Internet Your PC may not recognize any DNS server addresses A DNS server is a host on the Internet that translates Internet names such as www addresses to numeric IP addresses Typically your ISP will provide the addre...

Page 210: ...rt LED is on If the LED is off follow the instructions in LAN or Internet Port LEDs Not On on page 8 2 Check that the corresponding Link LEDs are on for your network interface card and for the hub ports if any that are connected to your workstation and firewall Wrong network configuration Verify that the Ethernet card driver software and TCP IP software are both installed and configured on your PC...

Page 211: ...f a single PC connected to that modem If this is the case you must configure your firewall to clone or spoof the MAC address from the authorized PC Refer to Manually Configuring the ADSL ISP Connection on page 2 8 or Manually Configuring the Ethernet ISP Connection on page 2 9 Restoring the Default Configuration and Password This section explains how to restore the factory default configuration se...

Page 212: ... shown is January 1 2000 Cause The firewall has not yet successfully reached a Network Time Server Check that your Internet access settings are configured correctly If you have just completed configuring the firewall wait at least five minutes and check the date and time again Time is off by one hour Cause The firewall does not automatically sense Daylight Savings Time In the E Mail menu check or ...

Page 213: ...ng results will be displayed in a new screen click Back to return to the Diagnostics screen Trace Often called Trace Route this will list all Routers between the source this device and the destination IP address The Trace Route results will be displayed in a new screen click Back to return to the Diagnostics screen Ping through VPN tunnel When this box is checked ping requests to an IP address on ...

Page 214: ...able or is not operating normally Note Rebooting will break any existing connections either to the Router such as this one or through the Router for example LAN users accessing the Internet However connections to the Internet will automatically be re established when possible Packet Trace Click Packet Trace button to select the interface and start the packet capture on that interface Table 8 1 Dia...

Page 215: ...configuration settings shown in Table A 1 below Pressing the Reset button for a shorter period of time will simply cause your device to reboot Table A 1 Default Configuration Settings Feature Default Behavior Router Login User Login URL http 192 168 1 1 User Name case sensitive admin Login Password case sensitive password ADSL Modem Settings Multiplexing Method LLC based Virtual Path Identifier VP...

Page 216: ...led Time Zone GMT Time Zone Adjusted for Daylight Saving Time Disabled SNMP Disabled Firewall Inbound communications coming in from the Internet Disabled except traffic on port 80 the http port Outbound communications going out to the Internet Enabled all Source MAC filtering Disabled Wireless Wireless Communication Disabled SSID Name NETGEAR Security Disabled Broadcast SSID Enabled Transmission S...

Page 217: ...e of network traffic building materials and construction and network overhead lower actual data throughput rate Table A 2 Technical Specifications Specification Description Network Protocol and Standards Compatibility Data and Routing Protocols TCP IP RIP 1 RIP 2 DHCP PPP over Ethernet PPPoE PPP over ATM PPPoA Power Adapter North America 120V 60 Hz input United Kingdom Australia 240V 50 Hz input E...

Page 218: ...Technical Specifications v1 0 May 2008 Electromagnetic Emissions Meets requirements of FCC Part 15 Class B VCCI Class B EN 55 022 CISPR 22 Class B Interface Specifications LAN 10BASE T or 100BASE Tx RJ 45 WAN 10BASE T or 100BASE Tx or ADSL Table A 2 Technical Specifications Specification Description ...

Page 219: ...nd TCP IP Addressing http documentation netgear com reference enu tcpip index htm Wireless Communications http documentation netgear com reference enu wireless index htm Preparing a Computer for Network Access http documentation netgear com reference enu wsdhcp index htm Virtual Private Networking VPN http documentation netgear com reference enu vpn index htm Glossary http documentation netgear co...

Page 220: ...DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual B 2 Related Documents v1 0 May 2008 ...

Page 221: ...olicy 5 8 Auto Detect 2 6 2 7 Auto Uplink 1 4 Auto Rollover 2 17 enabling 2 5 B Back up settings 6 24 backup and restore settings 6 25 Beacon Interval 3 20 Block Sites 4 21 reducing traffic 6 3 Block Sites screen 4 22 Block TCP Flood 4 19 block traffic with schedule 4 31 C CA about 5 23 Certificate Authority See CA Channel 3 5 Classical Routing 2 16 CLI management by Telnet 6 10 command line inter...

Page 222: ... DNS Serve public 2 17 DNS Server configuring 2 17 DNS service provider DynDNS screen 2 20 Oray screen 2 20 TZO screen 2 20 Domain Name Blocking 4 21 DSL firmware upgrade 6 26 dual WAN ports 5 1 Dynamic DNS configuration of 2 19 configuring 2 19 status 6 15 Dynamic DNS screen 2 20 DynDNS screen 2 20 E Edge Device 5 29 XAUTH with ModeConfig 5 35 Edit IKE Policy screen 5 5 Enable DHCP server 7 1 Ena...

Page 223: ...e connection types 2 6 2 7 IP address 2 3 IP addresses auto generated 8 3 DHCP address pool 7 1 how to assign 7 1 multi home LAN 7 9 reserved 7 8 IPSec Host 5 28 5 29 IPsec Host XAUTH with ModeConfig 5 35 ISP connection troubleshooting 8 4 K keepalive VPN 5 40 Keyword Blocking 4 21 applying 4 24 L LAN configuration 7 1 using LAN IP setup options 7 2 LEDs explanation of 1 6 troubleshooting 8 2 load...

Page 224: ...8 NTP servers setting 6 28 O Open System 3 9 Open Systems 3 8 Oray screen 2 20 Outbound Rules 4 3 field descriptions 4 4 outbound rules 4 4 4 16 example 4 6 Outbound Services field descriptions 4 4 P package contents 1 6 Password 2 8 2 10 password 1 9 default 1 9 2 4 passwords and login timeout changing 6 8 passwords restoring 8 7 performance degradation causes of 1 10 performance management 6 1 P...

Page 225: ...uter rear panel 1 8 Router Upgrade about 6 26 Routing Information Protocol 1 4 Routing Information Protocol See RIP Routing screen 7 11 RTS Threshold 3 20 Rules Inbound 4 3 Outbound 4 3 screen 4 3 rules blocking traffic 4 2 inbound 4 7 inbound example 4 11 4 12 4 14 order of precedence 4 16 outbound 4 4 4 16 outbound example 4 6 service blocking 4 4 services based 4 2 S save binding button 7 6 sch...

Page 226: ...n 6 28 TKIP 3 11 3 14 TKIP AES 3 7 ToS See QoS traffic increasing 6 4 reducing 6 1 traffic management 6 7 Traffic Meter field descriptions 2 23 programming 2 22 traffic meter programming 2 24 Traffic Meter screen ADSL screen 2 22 Ethernet screen 2 22 Troubleshooting 8 4 troubleshooting 8 1 ISP connection 8 4 Web configuration 8 3 Trusted Certificates 5 23 Trusted Wireless Stations 3 18 TZO screen ...

Page 227: ...eb configuration troubleshooting 8 3 WEP description 3 3 Network Authentication 3 9 Network Authentication screen 3 9 WEP configuring 3 9 Wireless Network Name See SSID Wireless Security 3 2 wireless security options 3 2 MAC Address restricting 3 2 SSID off 3 2 WEP 3 3 WPA WPA2 with RADIUS 3 3 Wireless Settings description 3 4 screen 3 4 WPA description 3 3 WPA and WPA2 with RADIUS 3 8 configurati...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands