NETGEAR ProSafe DGFV338 Reference Manual

ProSafe Wireless ADSL Modem VPN Firewall Router

DGFV338 ProSafe
Wireless ADSL Modem
VPN Firewall Router
Reference Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
April 2007
202-10161-01
v1.0


Summary of Contents for NETGEAR ProSafe DGFV338

  • Page 1 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual NETGEAR, Inc. 4500 Great America Parkway Santa Clara, CA 95054 USA April 2007 202-10161-01 v1.0...
  • Page 2: Technical Support

    In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 20cm (7.9 in.) from persons. Further, the antennas shall not be collocated with other transmitting structures. FCC Statement DECLARATION OF CONFORMITY We Netgear, 4500 Great America Parkway Santa Clara, CA 95054, USA Tel: +1 408 907 8000...
  • Page 4 Hereby, NETGEAR Inc., declares that this Radiolan is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Español Por medio de la presente NETGEAR Inc. declara que el Radiolan cumple con los [Spanish] requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE.
  • Page 5 [Swedish] väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv 1999/5/EG. Íslenska Hér með lýsir NETGEAR Inc. yfir því að Radiolan er í samræmi við grunnkröfur og aðrar [Icelandic] kröfur, sem gerðar eru í tilskipun 1999/5/EC. Norsk NETGEAR Inc. erklærer herved at utstyret Radiolan er i samsvar med de grunnleggende [Norwegian] krav og øvrige relevante krav i direktiv 1999/5/EF.
  • Page 6 European Spectrum Usage Rules - Effective April 11, 2006. Columns: Country; 5.15-5.25 GHz (Channels: 36,40,44,48); 5.25-5.35 GHz (Channels: 52,56,60,64); 5.47-5.725 GHz (Channels: 100,104,108,112,116,120,124,128,132,136,140); 2.4-2.4835 GHz (Channels: 1 to 13, Except Where Noted). ALL EC...
  • Page 7 Additional Copyrights Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: 1.
  • Page 8 Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
  • Page 9 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
  • Page 10 Product and Publication Details. Model Number: DGFV338. Publication Date: April 2007. Product Family: Wireless Firewall. Product Name: ProSafe Wireless ADSL Modem VPN Firewall Router. Home or Business Product: Business. Language: English. Publication Part Number: 202-10161-01...
  • Page 11: Table Of Contents

    How to Use This Manual (xviii); How to Print this Manual (xviii). Chapter 1 Introduction: Key Features of the NETGEAR ProSafe DGFV338 (1-1); Full Routing on Both the ADSL and 10/100 WAN Port (1-2); A Powerful, True Firewall with Content Filtering (1-2); Security (1-3); Virtual Private Networking (VPN) (1-3)...
  • Page 12 Selecting Advanced Options for your Ethernet or ADSL Connection (2-10); Configuring the WAN Mode (2-14); Configuring Dynamic DNS (If Needed) (2-17); Programming the Traffic Meter (2-20). Chapter 3 Wireless Configuration: Implementing Wireless Security (3-1); Understanding Wireless Settings (3-3); Wireless LANs (3-4)...
  • Page 13 VPN Policy (5-7); VPN Tunnel Connection Status (5-8); Creating a VPN Connection: Between FVX538 and DGFV338 (5-9); Configuring the ProSafe DGFV338 (5-9); Configuring the FVX538 (5-14); Testing the Connection (5-15); Creating a VPN Client Connection: VPN Client to DGFV338 (5-15); Configuring the DGFV338 (5-15)...
  • Page 14 Wireless Firewall Features That Reduce Traffic (6-1); Wireless Firewall Features That Increase Traffic (6-4); Using QoS to Shift the Traffic Mix (6-6); Tools for Traffic Management (6-7); Administrator and Guest Access Authorization (6-7); Changing the Passwords and Login Time-out (6-7); Enabling Remote Management Access (6-8); Command Line Interface (6-10)...
  • Page 15 Chapter 8 Troubleshooting: Basic Functions (8-1); Power LED Not On (8-1); LEDs Never Turn Off (8-2); LAN or Internet Port LEDs Not On (8-2); Troubleshooting the Web Configuration Interface (8-2); Troubleshooting the ISP Connection (8-3); Troubleshooting a TCP/IP Network Using a Ping Utility (8-5); Testing the LAN Path to Your Firewall (8-5)...
  • Page 17: About This Manual

    About This Manual The DGFV338 ProSafe™ Wireless ADSL Modem VPN Firewall Router Reference Manual describes how to install, configure and troubleshoot the ProSafe Wireless ADSL Modem VPN Firewall Router. The information in this manual is intended for readers with intermediate computer and Internet skills.
  • Page 18: How To Use This Manual

    • button to access the full NETGEAR, Inc. online knowledge base for the product model. • Links to PDF versions of the full manual and individual chapters.
  • Page 19 – Click the PDF of This Chapter link at the top right of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window. –...
  • Page 21: Introduction

    1-10. Key Features of the NETGEAR ProSafe DGFV338 The NETGEAR ProSafe DGFV338 with eight-port switch connects your local area network (LAN) to the Internet through an internal ADSL modem or through the Ethernet port via an external modem. It provides wireless LAN connectivity operating at 2.4GHz (802.11b/g).
  • Page 22: Full Routing On Both The Adsl And 10/100 Wan Port

    • Extensive Protocol Support. • SNMP for manageability. • Front panel LEDs for easy monitoring of status and activity. • Flash memory for firmware upgrade. • Auto Sensing and Auto Uplink™ Full Routing on Both the ADSL and 10/100 WAN Port You can install, configure, and operate the DGFV338 to take full advantage of a variety of routing options on both the DSL and broadband WAN ports, including:...
  • Page 23: Security

    Security The NETGEAR ProSafe DGFV338 is equipped with several features designed to maintain security, as described in this section. • PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network.
  • Page 24: Extensive Protocol Support

    This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. Extensive Protocol Support The NETGEAR ProSafe DGFV338 supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). •...
  • Page 25: Maintenance And Support

    IP address or range of addresses, and you can choose a nonstandard port number. • Visual monitoring. The front panel LEDs of the NETGEAR ProSafe DGFV338 provide an easy way to monitor its status and activity. Maintenance and Support...
  • Page 26: Package Contents

    • Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. Hardware Description This section describes the front and rear hardware functions of the wireless ADSL firewall.
  • Page 27 Figure 1-1 The table below describes each item on the front panel and its operation. Table 0-1. Object Descriptions Nos. LEDs Activity Description Power - 1 On (Green) Power is supplied to the gateway Power is not supplied to the gateway.
  • Page 28: Router Rear Panel

    Figure 1-2 Viewed from left to right, the rear panel contains the following elements: 1. Wireless antenna. Two 2.4 GHz antennas attach to either end of the NETGEAR ProSafe DGFV338. 2. DC Power connection (12VDC, 1.5A). Provides power to the gateway when the power supply is attached.
  • Page 29: Router Login Factory Defaults

    Router Login Factory Defaults Check the label on the bottom of the DGFV338’s enclosure if you forget the following factory default information: • IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN •...
  • Page 30: Placement Of Your Netgear Prosafe Dgfv338

    Figure 1-5 For a complete list of the factory default settings of your NETGEAR ProSafe DGFV338, see Appendix A, “Default Settings and Technical Specifications” Placement of your NETGEAR ProSafe DGFV338 Note: Failure to follow these guidelines can result in significant performance degradation or inability to wirelessly connect to the wireless ADSL firewall.
  • Page 31: Basic Installation And Configuration

    2-2 for instructions on using microfilters). For additional instructions on connecting your ProSafe DGFV338, refer to the DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Installation Guide on your Resource CD or to the NETGEAR Website for an online electronic copy.
  • Page 32: Using Adsl Microfilters (Optional)

    You must use ADSL microfilters to filter out these signals before they reach your telephone. If you are planning on using the ADSL modem port, and an ADSL Microfilter is not included with your ProSafe DGFV338, you should acquire one.
  • Page 33: Logging In And Configuring Your Internet Connection

    Warning: Do not connect the wireless firewall to the ADSL line through a microfilter unless the microfilter is a combination ADSL microfilter/ splitter specifically designed for this purpose. Doing so will block your connection to the Internet.
  • Page 34: Configuring Your Internet Connection Using Auto Detect

    3. Click Login. The ProSafe Wireless ADSL Modem VPN Firewall Router user interface will display. Note: You might want to enable remote management at this time so that you can log in remotely in the future to manage the gateway.
  • Page 35 When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in Table 2-1, “Internet Service Connections”. Figure 2-4
  • Page 36: Manually Configuring Your Adsl Connection

    Figure 2-5 Table 2-1. Internet Service Connections (Connection Method: Data Required). PPPoE: Login (Username, Password). PPPoA: Login (Username, Password). DHCP (Dynamic IP): No data is required. Static (Fixed) IP: Internet IP address, Subnet Mask and Gateway IP Address supplied by your ISP;...
  • Page 37 ISP. If your ISP requires a Static IP address, then you must provide the fixed addresses for Static IP. The types of data you will need are highlighted in Table 2-1 by connection method, and explained in more detail below.
  • Page 38: Manually Configuring Your Ethernet Connection

    Gateway IP Address: IP address of your ISP’s gateway. This is usually provided by the ISP or your network administrator. 3. Select your Domain Name Servers (DNS). Domain name servers (DNS) convert Internet names such as www.google.com, www.netgear.com, etc. to Internet addresses called IP addresses. –...
  • Page 39 – Login. This is often the name that you use in your e-mail address (for example, if your main mail account is jdoe@aol.com, enter jdoe). Note: Some ISPs (for example, Earthlink) require that you use your full e-mail address when you log in.
  • Page 40: Selecting Advanced Options For Your Ethernet Or Adsl Connection

    Gateway IP Address: IP address of your ISP’s gateway. This is usually provided by the ISP or your network administrator. 3. Select your Domain Name Servers (DNS). Domain name servers (DNS) convert Internet names such as www.google.com, www.netgear.com, etc. to Internet addresses called IP addresses. –...
  • Page 41 • MTU Size. The normal MTU value for most networks is 1500 Bytes, or 1492 for PPPoE connections. For some ISPs, you may need to reduce the MTU size. However, this is rarely required and should not be attempted unless you are sure it is necessary for your ISP connection.
  • Page 42 b. VPI (Virtual Path Identifier) value: This is provided by your ISP to identify the ATM network (in conjunction with the VCI value). c. VCI (Virtual Channel Identifier) value: This is provided by your ISP (in conjunction with the VPI value) to identify the ATM network.
  • Page 43 The format for the MAC address is XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive). 4. Click Apply to save the settings. Click Reset to revert to the previous settings. To configure your Ethernet ISP Advanced options: 1.
  • Page 44: Configuring The Wan Mode

    PC, you can choose Classical Routing. Or, you can use Classical Routing for routing private IP addresses within a campus environment. Otherwise, selecting this method will not allow Internet access through this Router. Depending on the WAN port configuration of the ProSafe DGFV338, you can select one of two options: •...
  • Page 45 • Use Dedicated WAN port. – Dedicated ADSL. If you have configured only the ADSL ISP, then select this interface. In this mode the ADSL interface will always be active and all traffic will be sent over this link;...
  • Page 46 Figure 2-9 3. Select your WAN port configuration: • Select the Auto-Rollover radio button and designate the rollover port from the pull-down menu. Auto-Rollover is available only if you have connected and configured both an ADSL ISP and an Ethernet ISP connection.
  • Page 47: Configuring Dynamic Dns (If Needed)

    The default time to roll over after the primary WAN interface fails is 2 minutes (e.g., a 30-second minimum test period, times a minimum of four tests). Configuring Dynamic DNS (If Needed) Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.
  • Page 48 To configure Dynamic DNS: 1. Select Network Configuration from the main menu and Dynamic DNS from the submenu. The Dynamic DNS Configuration screen will display with the default None selected. Figure 2-10 Each DNS service provider requires its own parameters (Figure...
  • Page 49 DynDNS Service Screen Figure 2-11 2. Access the Web site of the Dynamic DNS service provider you have chosen and register for an account (for example, for dyndns.org, go to http://www.dyndns.org). 3.
  • Page 50: Programming The Traffic Meter

    Programming the Traffic Meter The traffic meter is useful when an ISP charges by traffic volume over a given period of time or if you want to look at traffic types over a period of time. The fields are described in Table 2-2 and are the same for both ADSL and Ethernet but are specific to each WAN interface and must be set...
  • Page 51 Table 2-2. Traffic Meter Parameters Parameter Description Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected through the drop-down menu; the entire configuration is specific to each WAN interface.
  • Page 52 To Program the Traffic Meter (if desired): 1. Select Monitoring from the main menu and Traffic Meter from the submenu. The default ADSL screen shown in Figure 2-12 will display. 2.
  • Page 53: Wireless Configuration

    Chapter 3 Wireless Configuration This chapter describes how to configure the wireless features of your ProSafe DGFV338. In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your DGFV338 in order to maximize the network speed (see Chapter 2, “Basic Installation and...
  • Page 54 Unlike wired network data, your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment.
  • Page 55: Understanding Wireless Settings

    Understanding Wireless Settings Before configuring your wireless settings, you may want to review the Wireless Settings choices to determine what type of security is required for your wireless LAN network and to gather any security information that may be required.
  • Page 56: Wireless Lans

    Any device you want to participate in the 802.11b/g wireless network will need to use this SSID for that network. The DGFV338 default SSID is: NETGEAR. •...
  • Page 57 • Wireless Security Type. A number of security options are available to use on your Wireless Network: – None. No data encryption is used. – WEP. Enables WEP (Wired Equivalent Privacy) data encryption (64-, or 128-, or 152-bit) and requires at least one shared key and a WEP passphrase.
  • Page 58: Access Control List

    Note: Not all wireless adapters support WPA and WPA2. Client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA and WPA2. However, the wireless adapter hardware and driver must also support WPA and WPA2.
  • Page 59: Wireless Advanced Options

    Advanced Wireless Router Settings The Wireless Advanced Options settings are intended for administrator use—and should be used with caution and only as directed by NETGEAR. The Advanced Settings menu controls the following: •...
  • Page 60: Wep And Wpa/Wpa2 Wireless Security Check List Form

    • SSID. The Service Set Identification (SSID) identifies the wireless local area network. NETGEAR is the default DGFV338 SSID. However, you may customize it by using up to 32 alphanumeric characters. Write your customized SSID on the line below. ________________________________________________ Note: All wireless nodes in the same network must be configured with the same SSID: •...
  • Page 61: Configuring Your Wireless Settings

    Figure 3-3). 2. Enter your Wireless Network Name (SSID). The default SSID is NETGEAR, but NETGEAR strongly recommends that you change your Network Name to a different value. It can be up to 32 alphanumeric characters and is case sensitive.
  • Page 62: Configuring Wep

    1. Select the Wireless Security Type option you wish to use for your Wireless Network. The options are described in “Wireless LANs” on page 3-4. • None: No data encryption is used. •...
  • Page 63 See the document “Wireless Communications” for a full explanation of each of these options, as defined by the IEEE 802.11 wireless communication standard. A link to this document on the NETGEAR website is in Appendix B, “Related Documents.”...
  • Page 64: Configuring Wpa-Psk

    Note: If you use a wireless computer to configure WEP settings, you will be disconnected when you click Apply. Reconfigure your wireless adapter to match the new settings or access the wireless firewall from a wired computer to make any further changes.
  • Page 65: Configuring Wpa2-Psk

    Figure 3-5 Configuring WPA2-PSK Not all wireless adapters support WPA2. Furthermore, client software is required on the client. Make sure your client card supports WPA2. Consult the product document for your wireless adapter and WPA2 client software for instructions on configuring WPA2 settings.
  • Page 66: Configuring Wpa-Psk And Wpa2-Psk

    Figure 3-6 Configuring WPA-PSK and WPA2-PSK Not all wireless adapters support WPA and WPA2. Client software is required on the client: • Windows XP and Windows 2000 with Service Pack 3 or above do include the client software that supports WPA.
  • Page 67: Configuring Wpa With Radius

    Figure 3-7 4. Click Apply to save your settings. Configuring WPA with RADIUS Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 or above do include the client software that supports WPA.
  • Page 68: Configuring Wpa2 With Radius

    Figure 3-8 4. Click Apply to save your settings. Configuring WPA2 with RADIUS Not all wireless adapters support WPA2. Furthermore, client software is required on the client. Make sure your client card supports WPA2. Consult the product document for your wireless adapter and WPA2 client software for instructions on configuring WPA2 settings.
  • Page 69: Configuring Wpa And Wpa2 With Radius

    Figure 3-9 Configuring WPA and WPA2 with RADIUS Not all wireless adapters support WPA and WPA2. Client software is required on the client: • Windows XP and Windows 2000 with Service Pack 3, or above, do include the client software that supports WPA.
  • Page 70: Restricting Wireless Access By Mac Address

    Control List that can block the network access privilege of any specified stations through the ProSafe DGFV338. When you enable access control, the ProSafe DGFV338 only accepts connections from wireless PCs on the selected access control list. This provides an additional layer of security.
  • Page 71 Note: If you configure the DGFV338 from a wireless computer whose MAC address is not in the Trusted Wireless Stations list and you enable Turn Access Control, you will lose your wireless connection when you click Apply. You must then access the wireless firewall from a wired computer or from a wireless computer which is on the Trusted Wireless Stations list to make any further changes.
  • Page 72 6. Select the Available Wireless Stations tab to populate the Available Wireless Stations list with the MAC addresses of wireless stations found within range of this wireless gateway. 7. Click the Add to Trusted List icon adjacent to the MAC address for each wireless device you want to add to the Trusted Wireless Stations list.
  • Page 73: Security And Firewall Protection

    Chapter 4 Security and Firewall Protection This chapter describes how to use the Security features of the ProSafe Wireless ADSL Modem VPN Firewall Router to protect your network. These features can be found by selecting Security from the main menu of the browser interface. Firewall Protection and Content Filtering Overview The ProSafe Wireless ADSL Modem VPN Firewall Router provides Web Content filtering—by Domain name (Web sites) and by Keyword Blocking.
  • Page 74: About Service Based Rules

    About Service Based Rules The rules to block traffic are based on the traffic’s category of service. • Inbound rules (allow port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side.
  • Page 75: Outbound Rules (Service Blocking)

    Figure 4-1 You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 76 • Filter: Defines an action to be taken on the enabled rule. It can be: – Block Always: Block selected service at all times. – Enable Always: Allow selected service to pass through at all times. –...
  • Page 77 – Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2.
  • Page 78 To add a new Outbound Service: 1. Click the Add icon under the Outbound Services table. The Add LAN-WAN Outbound Service screen will display. Figure 4-2 2. Fill out the Outbound Service fields for this policy (based on the field explanations above). 3.
  • Page 79: Inbound Rules (Port Forwarding)

    Figure 4-3 Outbound Rule Example: Blocking Instant Messenger Outbound rules let you prevent users from using applications such as Instant Messenger. If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
  • Page 80 However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server.
  • Page 81 – Address Range: A range of IP addresses on the LAN will be affected by the rule. – Group: Computers that are part of the Group defined in the Network Database will be affected by the rule (groups are defined under the Network Configuration menu, LAN Groups page on the Edit Group Names tab).
  • Page 82 For example, if an inbound rule for a schedule is selected as Block Always, then for every packet that tries to make an outbound connection for that service, a message with the packet’s source and destination addresses, along with other information will be recorded in the log.
  • Page 83 2. Complete the Inbound Service screen and click Apply. The new rule will be listed in the Inbound Services table. Figure 4-6 To make changes to an existing inbound service rule: 1.
  • Page 84 Inbound Rule Example: A Local Public Web Server If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.
  • Page 85 This application note describes how to configure multi-NAT to support multiple public IP addresses on one WAN interface of a NETGEAR ProSafe Wireless ADSL Modem VPN Firewall Router. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a Web server on the LAN.
  • Page 86 3. From the Device pull-down menu, (see Figure 4-9), select the HTTP service for a Web server. Figure 4-9 4. From the Action pull-down menu, select ALLOW always. 5. For Send to LAN Server, enter the local IP address of your Web server PC. 6.
  • Page 87 2. Place the rule below all other inbound rules by clicking the Down icon adjacent to the rule. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 88 1. Select Any protocol and ALLOW Always (or Allow by Schedule) 2. Place rule below all other inbound rules by clicking the down icon Figure 4-11 Considerations for Inbound Rules The DHCP setup and how the PCs access the server’s LAN address impact the Inbound Rules.
  • Page 89: Order Of Precedence For Rules

    Order of Precedence for Rules As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 4-12: Figure 4-12 For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the LAN WAN Rules Table, beginning at the top and proceeding to the default rules at the bottom.
  • Page 90 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Although the DGFV338 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules.
  • Page 91: Quality Of Service (Qos) Priorities

    The QoS priority definition for a service determines the IP packets queue for outbound traffic passing through the ProSafe DGFV338 for this service. The priorities are defined by “Type of Service (TOS) in the Internet Protocol Suite” standards, RFC 1349. The router marks the Type Of Service (TOS) field as defined below: •...
  • Page 92: Attack Checks

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual • Minimize-Delay: Used when the time required for the packet to reach the destination must be fast (low link latency). The IP packets for this service priority are marked with a TOS value of Attack Checks This screen allows you to specify if the router should be protected against common attacks from the LAN and WAN networks.
  • Page 93: Managing Groups And Hosts

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual To enable Attack Checks: 1. Select Security from the main menu and Firewall Rules from the submenu. Then click the Attack Checks tab. 2. Check the radio box for the types of security measures you want to enable. (See the explanation above the various WAN and LAN Security Checks.) 3.
  • Page 94 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual • No need to reserve an IP address for a PC in the DHCP Server. All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you.
  • Page 95 Figure 4-16
  • Page 96: Blocking Internet Sites

    Web Components filtering and Key Word Blocking. By default, both are disabled; all requested traffic from any Web site is allowed. When enabled, if users try to access a blocked site, they see a “Blocked by NETGEAR” message. •...
  • Page 97 If you enter a domain name in the Trusted Domains box, keyword filtering will be bypassed. For example, if you entered www.netgear.com, keyword filtering will be bypassed for this domain; however, Web Components filtering still applies.
  • Page 98 The following screen (Figure 4-17) illustrates the use of Keyword Blocking and adding Trusted Domains. Figure 4-17
  • Page 99: Enabling Source Mac Filtering

    Add. The domain name must be exact; e.g., entering www.netgear.com would be allowed as a trusted domain exempt from filtering. The Trusted Domain will appear in the Trusted Domains table and will be exempt from filtering.
  • Page 100: Setting Up Port Triggering

    A valid MAC address is 12 fields; 0 to 9 and a to f. For example: 00:e0:4c:69:0a:11. Figure 4-18 4. Click Apply. The outbound traffic from the specified MAC addresses will be dropped. Note: For additional ways of restricting outbound traffic, see “Order of Precedence for Rules”...
  • Page 101 A PC makes an outgoing connection using a port number defined in the Outgoing Port Triggering table. • The ProSafe DGFV338 records this connection, opens the incoming port or ports associated with this entry in the Incoming Port Triggering table, and associates them with the PC. •...
  • Page 102 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 4-19 Table 4.2 Port triggering Item Description Port Triggering • Enable - Indicates if the rule is enabled or disabled. Generally, there is no Rules need to disable a rule unless it interferes with some other function such as Port Forwarding.
  • Page 103: Setting A Schedule To Block Or Allow Specific Traffic

    The firewall allows you to specify when blocking will be enforced by configuring the Schedule 1, Schedule 2 or Schedule 3 screens. The ProSafe DGFV338 uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet.
  • Page 104: Event Logs And Alerts

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 4-20 Event Logs and Alerts Your router will log security-related events such as denied incoming service requests, hacker probes, and administrator logins, according to your settings on this screen in the Routing Logs section.
  • Page 105 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 4-21 To view the Logs and E-mail screen: 1. Select Monitoring from the main menu and Firewall Logs and E-mail from the submenu. The Firewall Logs and E-mail screen will display. The Log Options section will display the Log Identifier field.
  • Page 106 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 3. From the System Logs section, check the radio boxes of the System Log events you want to track and record: • Change of Time by NTP: Logs a message when the system time changes after a request from a Network Time server.
  • Page 107: Security And Administrator Management

    “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-1) is the basic or most typical way to manage the traffic through your system, you can further refine your control by using these features of the ProSafe DGFV338: – Groups and Hosts (see “Managing Groups and Hosts”...
  • Page 109: Virtual Private Networking

    Dual WAN Port Systems The ADSL port and the Ethernet port of the ProSafe DGFV338 can be configured for auto-rollover mode for increased system reliability (if both ports are configured) or, if only one of the ports is configured, they can be configured as either Dedicated ADSL or Dedicated Ethernet. This WAN mode choice then impacts how the VPN features must be configured.
  • Page 110: Setting Up A Vpn Connection Using The Vpn Wizard

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Setting up a VPN Connection using the VPN Wizard Setting up a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard can assist in guiding you through the setup procedure by asking you a series of questions that will determine the IPSec keys and VPN policies it sets up.
  • Page 111 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 7. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote gateway;...
  • Page 112 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 5-2 You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen will display. Then view or edit the parameters of the “Offsite” policy by clicking Edit in the Action column adjacent to the policy.
  • Page 113: Vpn Tunnel Policies

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 5-3 VPN Tunnel Policies When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy are established and populated in both Policy Tables. The name you selected as the VPN Tunnel connection name during Wizard setup identifies both the VPN Policy and IKE Policy.
  • Page 114 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Managing IKE Policies IKE Policies are activated when: 1. The VPN Policy Selector determines that some traffic matches an existing VPN Policy. If the VPN policy is of type “Auto”, then the Auto Policy Parameters defined in the VPN Policy are accessed which specify which IKE Policy to use.
  • Page 115: Vpn Policy

    To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix B, “Related Documents” for a link to the NETGEAR website. VPN Policy You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
  • Page 116: Vpn Tunnel Connection Status

    4. The remote VPN Endpoint must have a matching SA, or it will refuse the connection. VPN Policy Table Only one Client Policy may be configured at a time (noted by an “*” next to the policy name). The Policy Table contains the following fields: •...
  • Page 117: Creating A Vpn Connection: Between Fvx538 And Dgfv338

    Action. Allows you to terminate or build the SA (connection), if required. Creating a VPN Connection: Between FVX538 and DGFV338 This section describes how to configure a VPN connection between a NETGEAR FVX538 VPN Firewall and the ProSafe Wireless ADSL Modem VPN Firewall Router.
  • Page 118 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 7. Enter the WAN IP address of the remote FVX538 and then enter the WAN IP address of the local DGFV338. (Both local and remote ends must define the address as either an IP address or a FQDN.
  • Page 119 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 5-5 To view the VPN Policy parameters: 1. Click Edit in the Action column adjacent to the “to_fvx” policy. The Edit VPN Policy screen will display. (It should not be necessary to make any changes. 2.
  • Page 120 Figure 5-6 To view the IKE Policy Configuration parameters: 1. Select the IKE Policies tab. The IKE Policies table will display.
  • Page 121 2. Select “to_FVX” and click Edit. (It should not be necessary to make any changes.) Figure 5-7 Note: When XAUTH is enabled as an Edge Device, incoming VPN connections are authenticated against the DGFV338 User Database first;...
  • Page 122: Configuring The Fvx538

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Configuring the FVX538 To configure the FVX538 VPN Wizard: 1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display. 2. Check the Gateway radio box for the type of VPN tunnel connection. 3.
  • Page 123: Testing The Connection

    If more PCs are to be connected, an additional policy or policies must be created. Each PC will use Netgear's ProSafe VPN Client software. Since the PC's IP address is assumed to be unknown, the PC must always be the Initiator of the connection.
  • Page 124 Figure 5-9 6. Enter the remote WAN’s IP Address or Internet Name and then enter the local WAN’s IP Address or Internet Name. In this example, we are using their FQDNs. (Both the local and remote addresses must be of the same type—either both must be FQDN or both must be an IP address.) 7....
  • Page 125: Configuring The Vpn Client

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Configuring the VPN Client From a PC with the Netgear Prosafe VPN Client installed, you can configure a VPN client policy to connect to the DGFV338. To configure your VPN client: 1.
  • Page 126 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual to_dgfv dvfg_local.com Figure 5-11 7. In the left frame, click My Identity. 8. From the Select Certificate pull-down menu, select None. 9. From the ID Type pull-down menu, select Domain Name. The value entered under Domain Name is “.dvfg_remote.com”.
  • Page 127 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual to_dgfv dgfv_remote.com Figure 5-12 5. Before leaving the My Identity menu, click Pre-Shared Key. 6. Click Enter Key and then enter your preshared key, and click OK. This key will be shared by all users of the DGFV338 policy “home”.
  • Page 128 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 8. For the Phase 1 Negotiation Mode, check the Aggressive Mode radio box. 9. PFS should be enabled, and Enable Replay Detection should be enabled. Figure 5-14 10. In the left frame, expand Authentication (Phase 1) and select Proposal 1. The Proposal 1 fields should mirror those in the following figure.
  • Page 129: Testing The Connection

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 11. In the left frame, expand Key Exchange (Phase 2) and select Proposal 1. The fields in this proposal should also mirror those in the following figure. No changes should be necessary. 12.
  • Page 130: Certificate Authorities

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 2. For additional status and troubleshooting information, right-click on the VPN client icon Logs and Connection Status screens in the DGFV338. Figure 5-17 Certificate Authorities Digital Self Certificates are used to authenticate the identity of users and systems, and are issued by various CAs (Certification Authorities).
  • Page 131: Generating A Self Certificate Request

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual The Active Self Certificates table shows the Certificates issued to you by the various CAs (Certification Authorities), and available for use. For each Certificate, the following data is listed: • Name.
  • Page 132 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 5-18 • Domain Name – If you have a Domain name, you can enter it here. Otherwise, you should leave this field blank. • E-mail Address – Enter your e-mail address in this field. 4.
  • Page 133: Uploading A Trusted Certificate

    6. Copy the contents of the Data to supply to CA text box into a file, including all of the data contained in “----BEGIN CERTIFICATE REQUEST---” and “---END CERTIFICATE REQUEST---”. Click Done. You will return to the Certificate screen and your Request details will be displayed in the Self Certificates Requests table showing a Status of “Waiting for Certificate upload”...
  • Page 134: Extended Authentication (Xauth) Configuration

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual • CA Identify – The official name of the CA which issued this CRL. • Last Update – The date when this CRL was released. • Next Update – The date when the next CRL will be released. To upload a Certificate Identify to the CRL: 1.
  • Page 135: Configuring Xauth For Vpn Clients

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual • IPSec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway.
  • Page 136 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual – RADIUS–CHAP or RADIUS–PAP (depending on the authentication mode accepted by the RADIUS server) to add a RADIUS server. If RADIUS–PAP is selected, the router will first check in the User Database to see if the user credentials are available. If the user account is not present, the router will then connect to the RADIUS server (see “RADIUS Client Configuration”...
  • Page 137: User Database Configuration

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual User Database Configuration The User Database screen is used to configure and administer users when Extended Authentication is enabled as an Edge Device. Whether or not you use an external RADIUS server, you may want some users to be authenticated locally.
  • Page 138: Radius Client Configuration

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual To edit the user name or password: 1. Click Edit opposite the user’s name. The Edit User screen will display. 2. Make the required changes to the User Name or Password and click Apply to save your settings or Reset to cancel your changes and return to the previous settings.
  • Page 139 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 5-22 3. Enter the Primary RADIUS Server IP address. 4. Enter a Secret Phrase. Transactions between the client and the RADIUS server are authenticated using a shared secret phrase, so the same Secret Phrase must be configured on both client and server.
  • Page 140: Manually Assigning Ip Addresses To Remote Users (Modeconfig)

    In the following example, we configured the ProSafe DGFV338 using ModeConfig, and then configured a PC running ProSafe VPN Client software using these IP addresses.
  • Page 141: Configuring The Prosafe Dgfv338

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Configuring the ProSafe DGFV338 Two menus must be configured—the Mode Config menu and the IKE Policies menu. To configure the Mode Config menu: 1. From the main menu, select VPN, and then select Mode Config from the submenu. The Mode Config screen will display.
  • Page 142 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 5-23 To configure an IKE Policy: 1. From the main menu, select VPN. The IKE Policies screen will display showing the current policies in the List of IKE Policies Table. 2.
  • Page 143 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 4. In the General section: a. Enter a description name in the Policy Name Field such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration. b.
  • Page 144: Configuring The Prosafe Vpn Client For Modeconfig

    Figure 5-24 Configuring the ProSafe VPN Client for ModeConfig From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection. To configure the client PC: 1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
  • Page 145 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual b. From the ID Type pull-down menu, select IP Subnet. c. Enter the IP Subnet and Mask of the ProSafe DGFV338 (this is the LAN network IP address of the gateway).
  • Page 146 Enable Replay Detection should be checked. 4. Click on Authentication (Phase 1) on the left side of the menu and select Proposal 1. Enter the Authentication values to match those in the ProSafe DGFV338 ModeConfig Record menu.
  • Page 147 5. Click on Key Exchange (Phase 2) on the left-side of the menu and select Proposal 1. Enter the values to match your configuration of the ProSafe DGFV338 ModeConfig Record menu. (The SA Lifetime can be longer, such as 8 hours (28800 seconds)).
  • Page 148 2. Click on the connection. Within 30 seconds the message “Successfully connected to MyConnections/modecfg_test” will display and the VPN client icon in the toolbar will read “On”. 3. From the client PC, ping a computer on the ProSafe DGFV338 LAN.
  • Page 149: Router And Network Management

    The ProSafe DGFV338 has the necessary features and tools to help the network manager accomplish these goals.
  • Page 150 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Service Blocking Note: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems. You can control specific outbound traffic (i.e., from LAN to WAN and from DMZ to WAN). Outbound Services lists all existing rules for outbound traffic.
  • Page 151 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-1 for the procedure on how to use this feature. Services. The Rules menu contains a list of predefined Services for creating firewall rules. If a service does not appear in the predefined Services list, you can define the service.
  • Page 152: Wireless Firewall Features That Increase Traffic

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual You can bypass keyword blocking for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains on this list by PCs even in the groups for which keyword blocking has been enabled will still be allowed without any blocking.
  • Page 153 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Each rule lets you specify the desired action for the connections covered by the rule: • BLOCK always • BLOCK by schedule, otherwise Allow • ALLOW always • ALLOW by schedule, otherwise Block You can also enable a check on special rules: •...
  • Page 154: Using Qos To Shift The Traffic Mix

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-1 for the procedure on how to use this feature. Port Triggering Port triggering allows some applications to function correctly that would otherwise be partially blocked by the firewall.
  • Page 155: Tools For Traffic Management

    Administrator access is read/write and guest access is read-only. Changing the Passwords and Login Time-out The default password for the firewall’s Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password.
  • Page 156: Enabling Remote Management Access

    Enabling Remote Management Access Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your ProSafe DGFV338. You must be logged in locally to enable remote management (see “Logging in and Configuring your Internet Connection” on page 2-3).
  • Page 157 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 7.2 shows the Remote Management screen that is invoked when you select Remote Management under Management on the main menu. Figure 6-2 To configure your firewall for Remote Management: 1.
  • Page 158: Command Line Interface

    To access the CLI from a communications terminal when the ProSafe DGFV338 is still set to its factory defaults (or use your own settings if you have changed them), do the following: 1.
  • Page 159: Event Alerts

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 2. Enter admin and password when prompted for the login and password information (or enter guest and password to log in as a read-only guest). Note: No password protection exists when using the console port to access the unit. Any configuration changes made via the CLI are not preserved after a reboot or power cycle unless the user issues the CLI save command after making the changes.
  • Page 160: Monitoring

    Each WAN port is programmed separately. The WAN port shuts down once the traffic limit is reached. An email alert can be sent when this shutdown happens. Figure 6-3 Monitoring You can view status information about the firewall, WAN ports, LAN ports, and VPN tunnels and program SNMP connections.
  • Page 161 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 6-4 Table 6-1. Router Status Item Description System Name This is the Account Name that you entered in the Basic Settings page. Firmware Version This is the current software the router is using. This will change if you upgrade your router.
  • Page 162: Wan Ports

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Table 6-1. Router Status (continued) Item Description LAN Port Information These are the current settings for MAC address, IP address, DHCP role and Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None. WAN Port This indicates whether rollover mode is enabled and which LAN connection is Information...
  • Page 163: Internet Traffic

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual To check Dynamic DNS status: 1. Select Network Configuration from the main menu and Dynamic DNS from the submenu. The Dynamic DNS Configuration screen will display. 2. Check the DNS provider radio box on the WAN port for which you have service. 3.
  • Page 164 Figure 6-6
  • Page 165: Lan Ports And Attached Devices

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual LAN Ports and Attached Devices Known PCs and Devices The Known PCs and Devices table contains a table of all IP devices that the firewall has discovered on the local network. This screen is accessible from the Administration main menu and the LAN Groups submenu.
  • Page 166 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual The Known PCs and Devices table lists all current entries in the Network Database. For each PC or device, the following data is displayed. Table 6-2. Known PCs and Devices table Item Description Name...
  • Page 167: Firewall Security

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Port Triggering Status The Port Triggering Status screen is available from the Port Triggering screen accessible under Security on the main menu. Only one PC can use a Port Triggering application at any time. When the PC has finished using the application, a time-out period occurs before another PC can use the Port triggering.
  • Page 168 Figure 6-10 (callouts: Click to view logs; Select the types of logs to email; Enable emailing of logs; Set a schedule to send email logs; Enable Syslogs server)
  • Page 169: Vpn Tunnels

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual To invoke the Log screen, click the View Log link on the Logs and E-mail screen. Figure 6-11 VPN Tunnels You can view the VPN Logs by selecting Monitoring on the main menu and VPN Logs on the submenu.
  • Page 170: Using A Snmp Manager

    Select VPN from the main menu and Connection Status from the submenu to display the status of IPSec connections. You can change the status of a connection to either establish or drop the Security Association (SA).
  • Page 171 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual • IP Address: The IP address of the SNMP manager. • Port: The trap port of the configuration. • Community: The trap community string of the configuration. To create a new SNMP configuration entry: 1.
  • Page 172: Diagnostics

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Figure 6-14 The SNMP System Info link displays the wireless firewall identification information available to the SNMP Manager: System Contact, System Location, and System name. To modify the SNMP System contact information: 1.
  • Page 173 Back to return to the Diagnostics screen. Perform a DNS A DNS (Domain Name Server) converts the Internet name (e.g. www.netgear.com) to Lookup an IP address. If you need the IP address of a Web, FTP, Mail or other Server on the Internet, you can do a DNS lookup to find the IP address.
  • Page 174: Configuration File Management

    Configuration File Management The configuration settings of the ProSafe DGFV338 are stored within the firewall in a configuration file. This file can be saved (backed up) to a user’s PC, retrieved (restored) from the user’s PC, or cleared to factory default settings. You can also upgrade the firewall software with the latest version from NETGEAR.
  • Page 175 To restore settings from a backup file: 1. Click Browse. Locate and select the previously saved backup file (by default, netgear.cfg). 2. When you have located the file, click restore.
  • Page 176 Firmware Version will change to reflect the new version. To download a firmware version: 1. Go to the NETGEAR Web site at http://www.netgear.com/support and click on Downloads. 2. From the Product Selection pull-down menu, select your product. Select the software version and follow the To Install steps to download your software.
  • Page 177: Setting The Time Zone

    3. Select a NTP Server option by checking one of the following radio boxes: • Use Default NTP Servers: If this is enabled, then the RTC (Real-Time Clock) is updated regularly by contacting a Default Netgear NTP Server on the Internet.
  • Page 178 Address field. If you select this option and leave either the Server 1 or Server 2 fields empty, they will be set to the Default Netgear NTP servers. 4. Click Apply to save your settings or click Cancel to revert to your previous settings.
  • Page 179: Lan Configuration

    Chapter 7 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Wireless ADSL Modem VPN Firewall Router. These features can be found by selecting Network Configuration from the primary menu and LAN Setup from the submenu of the browser interface. Using the Firewall as a DHCP server By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to provide an IP address, DNS server address, WINS Server address, and default...
  • Page 180: Configuring The Lan Setup Options

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual Configuring the LAN Setup Options The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and allows you to configure a secondary or “multi-home” LAN IP setup in the LAN. The default values are suitable for most users and situations.
  • Page 181: Using Address Reservation

    DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual 4. DHCP Server. By default, the router will function as a DHCP server, providing TCP/IP configuration for all computers connected to the router's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, select the Disable DHCP Server radio button.
  • Page 182: Configuring Multi Home Lan Ips

    Figure 7-2 To reserve an IP address: 1. Select Network Configuration from the main menu and LAN Groups from the submenu. The Groups and Hosts screen will display. 2. From the IP Address Type pull-down menu, select Reserve as the address type. 3....
  • Page 183 DGFV338 ProSafe Wireless ADSL Modem VPN Firewall Router Reference Manual To add a secondary LAN IP address: 1. Enter the IP Address and the Subnet Mask in the respective fields of the Add Secondary LAN IP Address section. 2. Click Add. The new Secondary LAN IP address will appear in the Available Secondary LAN IPs table.
  • Page 184 Figure 7-3 Note: Additional IP addresses cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP and DNS server IPs.
  • Page 185: Configuring Static Routes

    Configuring Static Routes Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
  • Page 186: Routing Information Protocol (RIP)

    5. Select Private if you want to limit access to the LAN only. The private static route will not be advertised in RIP. 6. Enter the Destination IP Address of the host or network to which the route leads. 7.
  • Page 187 • In Only – The router accepts RIP information from other routers, but does not broadcast its routing table. Figure 7-5 3. From the RIP Version pull-down menu, select the version: •...
  • Page 188: Static Route Example

    5. Click Reset to discard any changes and revert to the previous settings. 6. Click Save to save your settings. Static Route Example For example, you may require a static route if: •...
  • Page 189 By default, UPnP is disabled. When disabled, the router will not allow any device to automatically control the resources of the router; for example, port forwarding. When enabled, you must set the Advertisement Period and the Advertisement Time to Live according to the following criteria: •...
  • Page 190 Figure 7-6 To turn on and set up UPnP: 1. Select Security from the main menu and UPnP from the submenu. The UPnP screen will display. 2. Enable the UPnP radio by selecting the Yes radio box. 3.
  • Page 191: Basic Functions

    • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
  • Page 192: LEDs Never Turn Off

    LEDs Never Turn Off When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall. If all LEDs are still on one minute after power up: •...
  • Page 193: Troubleshooting The ISP Connection

    IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager. To check the WAN IP address: 1. Launch your browser and select an external site such as www.netgear.com
  • Page 194 2. Access the Main Menu of the firewall’s configuration at http://192.168.1.1 3. Under the Management heading, select Router Status 4. Check that an IP address is shown for the ADSL or Ethernet WAN Port (whichever port you configured.) If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.
  • Page 195: Troubleshooting A TCP/IP Network Using A Ping Utility

    Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring your ADSL Connection” on page 2-6 or “Manually Configuring your Ethernet Connection” on page 2-8.
  • Page 196: Testing The Path From Your PC To A Remote Device

    Request timed out If the path is not functioning correctly, you could have one of the following problems: • Wrong physical connections – Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On”...
  • Page 197: Restoring The Default Configuration And Password

    The E-Mail menu in the Content Filtering section displays the current date and time of day. The ProSafe DGFV338 uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day.
  • Page 198 • Time is off by one hour. Cause: The firewall does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked “Adjust for Daylight Savings Time”.
  • Page 199: Default Settings And Technical Specifications

    Appendix A Default Settings and Technical Specifications Default Factory Settings You can use the reset button located on the front of your device to reset all settings to their factory defaults. This is called a hard reset. • To perform a hard reset, push and hold the reset button for approximately 10 seconds (until the TEST LED blinks rapidly).
  • Page 200 Internet) Outbound (communications going out to the Internet): Enabled (all). Source MAC filtering: Disabled. Wireless: Wireless Communication: Disabled; SSID Name: NETGEAR; Security: Disabled; Broadcast SSID: Enabled; Transmission Speed: Auto; Country/Region: Auto; RF Channel: 11 until the region is selected...
  • Page 201: Technical Specifications

    Table A-1. Default Configuration Settings (continued) Feature: Default Behavior. Output Power: Full. Access Point: Disabled. Authentication Type: Open System. Wireless Card Access List: All wireless stations allowed. a. Maximum Wireless signal rate derived from IEEE Standard 802.11 specifications. Actual throughput will vary. Network conditions and environmental factors, including volume of network traffic, building materials and construction, and network overhead, lower actual data throughput rate.
  • Page 202 Table A-2. Technical Specifications Specification: Description. Electromagnetic Emissions: Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B. Interface Specifications: LAN: 10BASE-T or 100BASE-Tx, RJ-45; WAN: 10BASE-T or 100BASE-Tx or ADSL.
  • Page 203: Appendix B Related Documents

    Appendix B Related Documents This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document: Link. Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm Preparing a Computer for http://documentation.netgear.com/reference/enu/wsdhcp/index.htm...
