NETGEAR Printer FWG114P v2 User Manual

Reference Manual for the  
ProSafe Wireless 802.11g  
Firewall/Print Server  
Model FWG114P v2  
NETGEAR, Inc.  
4500 Great America Parkway  
Santa Clara, CA 95054 USA  
201-10301-02  
May 2005  
201-10301-02, May 2005  
Certificate of the Manufacturer/Importer  
It is hereby certified that the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2 has been suppressed  
in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some  
equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain  
restrictions. Please refer to the notes in the operating instructions.  
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market  
and has been granted the right to test the series for compliance with the regulations.  
Voluntary Control Council for Interference (VCCI) Statement  
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area  
thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing  
Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.  
When used near a radio or TV receiver, it may become the cause of radio interference.  
Read instructions for correct handling.  
Product and Publication Details  
Model Number: FWG114P v2  
Publication Date: May 2005  
Product Family: wireless access point  
Product Name: ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2  
Home or Business Product: Business  
Language: English  
Publication Part Number: 201-10301-02  
Contents  
Chapter 1: About This Manual  
Chapter 2: Introduction  
Chapter 3: Connecting the FWG114P v2 to the Internet  
Chapter 4: Wireless Configuration  
Chapter 5: Serial Port Configuration  
Chapter 6: Content Filtering  
Chapter 7: Print Server  
Chapter 8: Virtual Private Networking  
Chapter 9: Maintenance  
Chapter 10: Advanced Configuration  
Chapter 11: Troubleshooting  
Appendix A: Technical Specifications  
Appendix B: Networks, Routing, and Firewall Basics  
Appendix C: Preparing Your Network  
Appendix D: Firewall Log Formats  
Appendix E: Wireless Networking Basics  
WPA Authentication: Enterprise-level User Authentication via 802.1x/EAP and RADIUS  
Appendix F: Virtual Private Networking  
Appendix G: FVS318 or FVM318 to FWG114P v2  
Chapter 1  
About This Manual  
This chapter describes the intended audience, scope, conventions, and formats of this manual.  
Audience, Scope, Conventions, and Formats  
This reference manual assumes that the reader has basic to intermediate computer and Internet  
skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial  
information is provided in the Appendices and on the Netgear website.  
This guide uses the following typographical conventions:  
Table 1-1. Typographical Conventions  
italics: Emphasis, books, CDs, URL names  
bold: User input  
fixed: Screen text, file and server names, extensions, commands, IP addresses  
This guide uses the following formats to highlight special messages:  
Note: This format is used to highlight information of importance or special interest.  
This manual is written for the FWG114P v2 Wireless Firewall/Print Server according to these  
specifications:  
Table 1-2. Manual Scope  
Product Version: ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2  
Manual Publication Date: May 2005  
Note: Product updates are available on the NETGEAR, Inc. Web site at  
How to Use This Manual  
The HTML version of this manual includes the following:  
Buttons for browsing forwards or backwards through the manual one page at a time.  
A button that displays the table of contents and an index button. Double-click on a  
link in the table of contents or index to navigate directly to where the topic is described in the  
manual.  
A button to access the full NETGEAR, Inc. online knowledge base for the  
product model.  
Links to PDF versions of the full manual and individual chapters.  
How to Print this Manual  
To print this manual, choose one of the following options, according to your needs.  
Printing a Page in the HTML View.  
Each page in the HTML version of the manual is dedicated to a major topic. Use the Print  
button on the browser toolbar to print the page contents.  
Printing a Chapter.  
Use the PDF of This Chapter link at the top left of any page.  
Click the PDF of This Chapter link at the top right of any page in the chapter you want to  
print. The PDF version of the chapter you were viewing opens in a browser window.  
Note: Your computer must have the free Adobe Acrobat reader installed in order to view  
and print PDF files. The Acrobat reader is available on the Adobe Web site at  
Click the print icon in the upper left of the window.  
Tip: If your printer supports printing two pages on a single sheet of paper, you can save  
paper and printer ink by selecting this feature.  
Printing the Full Manual.  
Use the Complete PDF Manual link at the top left of any page.  
Click the Complete PDF Manual link at the top left of any page in the manual. The PDF  
version of the complete manual opens in a browser window.  
Click the print icon in the upper left of the window.  
Tip: If your printer supports printing two pages on a single sheet of paper, you can save  
paper and printer ink by selecting this feature.  
Chapter 2  
Introduction  
This chapter describes the features of the NETGEAR ProSafe Wireless 802.11g Firewall/Print  
Server Model FWG114P v2.  
Key Features of the FWG114P v2  
The ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2, with a 4-port switch,  
connects your LAN to the Internet through a broadband modem. With auto fail-over connectivity  
through the serial port, the FWG114P v2 provides highly reliable Internet access.  
The FWG114P v2 is a complete security solution that protects your network from attacks and  
intrusions and enables secure communications using Virtual Private Networks (VPNs). Unlike  
simple Internet sharing routers that rely on Network Address Translation (NAT) for security, the  
FWG114P v2 uses Stateful Packet Inspection for Denial of Service (DoS) attack protection  
and intrusion detection. The FWG114P v2 allows Internet access for up to 253 users. It provides  
multiple Web content filtering options, plus browsing activity reporting and instant alerts via  
e-mail. Parents or network administrators can establish restricted access policies based on  
time-of-day, Web site addresses and address keywords, and share high-speed cable/DSL Internet  
access for up to 253 personal computers.  
With minimum setup, you can install and use the router within minutes. The FWG114P v2  
Wireless Firewall/Print Server provides the following features:  
802.11g and 802.11b standards-based wireless networking.  
Easy, Web-based setup for installation and management.  
Supports two VPN tunnels, Content Filtering, and Site Blocking Security.  
Wireless Multimedia (WMM) support.  
Built-in 4-port 10/100 Mbps Switch and USB 2.0 Printer Port.  
Ethernet and Serial ports for connection to a WAN device, such as a broadband modem.  
Extensive Protocol Support.  
Login capability.  
Front panel LEDs for easy monitoring of status and activity.  
Flash memory for firmware upgrade.  
NAT off (classical routing).  
Full Routing on Both the Broadband and Serial Ports  
You can install, configure, and operate the FWG114P v2 to take full advantage of a variety of  
routing options on both the serial and broadband WAN ports, including:  
Internet access via either the serial or broadband port.  
Auto fail-over connectivity through an analog or ISDN modem connected to the serial port.  
If the broadband Internet connection fails, after waiting for an amount of time you specify, the  
FWG114P v2 can automatically establish a backup ISDN or dial-up Internet connection via  
the serial port on the firewall.  
Remote Access Server (RAS) that allows you to log in remotely through the serial port to  
access a server on your LAN, other LAN resources, or the Internet, based on a user name and  
password you define.  
LAN-to-LAN access between two FWG114P v2 wireless firewall/print servers through the  
serial port, with the option of enabling auto-failover Internet access across the serial  
LAN-to-LAN connection.  
802.11g and 802.11b Wireless Networking  
The FWG114P v2 Wireless Firewall/Print Server includes an 802.11g-compliant wireless access  
point. The access point provides:  
802.11b standards-based wireless networking at up to 11 Mbps.  
802.11g wireless networking at up to 54 Mbps, which conforms to the 802.11g standard.  
WPA and WPA2 enterprise class strong security with RADIUS and certificate authentication  
as well as dynamic encryption key generation.  
WPA-PSK and WPA2-PSK pre-shared key authentication without the overhead of RADIUS  
servers but with all of the strong security of WPA and WPA2.  
64-bit and 128-bit WEP encryption security.  
WEP keys can be generated manually or by passphrase.  
Wireless access can be restricted by MAC Address.  
Wireless network name broadcast can be turned off so that only devices that have the network  
name (SSID) can connect.  
Virtual Private Networking  
The FWG114P v2 Wireless Firewall/Print Server provides a secure encrypted connection between  
your local network and remote networks or clients. Its VPN features include:  
Support for up to 2 simultaneous VPN connections.  
Support for industry standard VPN protocols.  
The ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2 supports standard  
keying methods (Manual or IKE), standard authentication methods (MD5 and SHA-1), and  
standard encryption methods (DES, 3DES). It is compatible with many other VPN products.  
Support for up to 168 bit encryption (3DES) for maximum security.  
Support for VPN Main Mode, Aggressive mode, or Manual Keying.  
Support for Fully Qualified Domain Name (FQDN) configuration when the Dynamic DNS  
feature is enabled with one of the supported service providers.  
Wireless Multimedia (WMM) Support  
WMM is a subset of the 802.11e standard. WMM allows wireless traffic to have a range of  
priorities, depending on the kind of data. Time-dependent information such as video or audio will  
have a higher priority than normal traffic. For WMM to function correctly, wireless clients must  
also support WMM.  
A Powerful, True Firewall with Content Filtering  
Unlike simple Internet sharing NAT routers, the FWG114P v2 is a true firewall, using stateful  
packet inspection to defend against hacker attacks. Its firewall features include:  
DoS protection.  
Automatically detects and thwarts DoS attacks, such as Ping of Death, SYN Flood, LAND  
Attack, and IP Spoofing.  
Blocks unwanted traffic from the Internet to your LAN.  
Blocks access from your LAN to Internet locations or services that you specify as off-limits.  
Logs security incidents.  
The FWG114P v2 will log security events, such as blocked incoming traffic, port scans,  
attacks, and administrator logins. You can configure the router to e-mail the log to you at  
specified intervals. You can also configure the router to send immediate alert messages to your  
e-mail address or e-mail pager whenever a significant event occurs.  
With its content filtering feature, the FWG114P v2 prevents objectionable content from  
reaching your PCs. The router allows you to control access to Internet content by screening for  
keywords within Web addresses. You can configure the router to log and report attempts to  
access objectionable Internet sites.  
Security  
The FWG114P v2 Wireless Firewall/Print Server is equipped with several features designed to  
maintain security, as described in this section:  
PCs hidden by NAT.  
NAT opens a temporary path to the Internet for requests originating from the local network.  
Requests originating from outside the LAN are discarded, preventing users outside the LAN  
from finding and directly accessing the PCs on the LAN.  
Port forwarding with NAT.  
Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the  
router allows you to direct incoming traffic to specific PCs based on the service port number  
of the incoming request, or to one designated “DNS” host computer. You can specify  
forwarding of single ports or ranges of ports.  
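
The NAT and port-forwarding behaviour described in this section, as a small Python model (an added example, not part of the NETGEAR manual or firmware). The class and function names, the rule that a reply must come from the contacted remote endpoint, and all addresses are assumptions made for illustration.

```python
"""Toy model of the NAT and port-forwarding behaviour described above.

Added example, not NETGEAR code. All names and addresses are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Verdict = Tuple[str, Optional[str], Optional[int]]


@dataclass
class ForwardRule:
    first_port: int          # a single port is first_port == last_port
    last_port: int
    lan_host: str


@dataclass
class NatRouter:
    rules: List[ForwardRule] = field(default_factory=list)
    designated_host: Optional[str] = None   # the "one designated host" option
    # WAN port -> (lan_ip, lan_port, remote_ip, remote_port)
    sessions: Dict[int, Tuple[str, int, str, int]] = field(default_factory=dict)
    next_wan_port: int = 40000

    def outbound(self, lan_ip: str, lan_port: int,
                 remote_ip: str, remote_port: int) -> int:
        """A LAN host sends a request; NAT opens a temporary return path."""
        wan_port = self.next_wan_port
        self.next_wan_port += 1
        self.sessions[wan_port] = (lan_ip, lan_port, remote_ip, remote_port)
        return wan_port

    def inbound(self, remote_ip: str, remote_port: int, wan_port: int) -> Verdict:
        """Classify a packet arriving at the WAN address on wan_port."""
        session = self.sessions.get(wan_port)
        # Assumption of this model: a reply must come from the same remote
        # endpoint the LAN host contacted.
        if session and session[2:] == (remote_ip, remote_port):
            return ("reply", session[0], session[1])
        for rule in self.rules:
            if rule.first_port <= wan_port <= rule.last_port:
                return ("forwarded", rule.lan_host, wan_port)
        if self.designated_host is not None:
            return ("designated-host", self.designated_host, wan_port)
        return ("discarded", None, None)


def exposure(router: NatRouter) -> Dict[str, List[str]]:
    """Audit view: which LAN hosts are reachable from the Internet, and how."""
    report: Dict[str, List[str]] = {}
    for rule in router.rules:
        span = (str(rule.first_port) if rule.first_port == rule.last_port
                else f"{rule.first_port}-{rule.last_port}")
        report.setdefault(rule.lan_host, []).append(span)
    if router.designated_host is not None:
        report.setdefault(router.designated_host, []).append("all other ports")
    return report


def demo() -> List[Verdict]:
    router = NatRouter()
    # PC 192.168.0.2 browses to a web server (addresses are constructed).
    wan_port = router.outbound("192.168.0.2", 51000, "198.51.100.7", 80)
    results = [
        router.inbound("198.51.100.7", 80, wan_port),     # the server's reply
        router.inbound("198.51.100.99", 4444, wan_port),  # stranger, same port
        router.inbound("198.51.100.99", 4444, 80),        # unsolicited, no rule
    ]
    # Administrator forwards one port and one range to a LAN server.
    router.rules.append(ForwardRule(80, 80, "192.168.0.5"))
    router.rules.append(ForwardRule(5000, 5010, "192.168.0.5"))
    results.append(router.inbound("198.51.100.99", 4444, 80))
    results.append(router.inbound("198.51.100.99", 4444, 5011))  # outside range
    return results


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The `exposure` report is the view to review after any rule change: every entry in it is a LAN service that is reachable from the Internet despite NAT.
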
Autosensing Ethernet Connections with Auto Uplink  
With its internal 8-port 10/100 switch, the FWG114P v2 can connect to either a 10 Mbps standard  
Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are  
autosensing and capable of full-duplex or half-duplex operation.  
The router incorporates Auto Uplink™ technology. Each Ethernet port will automatically sense  
whether the Ethernet cable plugged into the port should have a ‘normal’ connection, such as to a  
computer, or an ‘uplink’ connection, such as to a switch or hub. That port will then configure itself  
to the correct configuration. This feature also eliminates the need to worry about crossover cables,  
as Auto Uplink will accommodate either type of cable to make the right connection.  
Extensive Protocol Support  
The FWG114P v2 Wireless Firewall/Print Server supports the Transmission Control Protocol/  
Internet Protocol (TCP/IP) and Routing Information Protocol (RIP).  
The ability to enable or disable IP address sharing by NAT.  
The FWG114P v2 allows several networked PCs to share an Internet account using only a  
single IP address, which may be statically or dynamically assigned by your Internet service  
provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user  
ISP account. This feature can also be turned off completely for using the FWG114P v2 in  
settings where you want to manage the IP address scheme of your organization.  
Automatic configuration of attached PCs by DHCP.  
The FWG114P v2 Wireless Firewall/Print Server dynamically assigns network configuration  
information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs  
on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly  
simplifies configuration of PCs on your local network.  
DNS Proxy.  
When DHCP is enabled and no DNS addresses are specified, the router provides its own  
address as a DNS server to the attached PCs. The router obtains actual DNS addresses from  
the ISP during connection setup and forwards DNS requests from the LAN.  
PPP over Ethernet (PPPoE).  
PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by  
simulating a dial-up connection. This feature eliminates the need to run a login program, such  
as Entersys or WinPOET on your computer.  
PPTP login support for European ISPs, BigPond login for Telstra cable in Australia.  
Classical IP (RFC 1577).  
Some Internet service providers, in Europe for example, use Classical IP in their ADSL  
services. In such cases, the firewall is able to use the Classical IP address from the ISP.  
Easy Installation and Management  
You can install, configure, and operate the ProSafe Wireless 802.11g Firewall/Print Server Model  
FWG114P v2 within minutes after connecting it to the network. The following features simplify  
installation and management tasks:  
Automatic fail-over connectivity through an analog or ISDN modem connected to the serial  
port. If the broadband modem Internet connection fails, after waiting for an amount of time  
you specify, the FWG114P v2 can automatically establish a backup ISDN or dial-up Internet  
connection via the serial port on the firewall.  
Browser-based management.  
Browser-based configuration allows you to easily configure your router from almost any type  
of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is  
provided and online help documentation is built into the browser-based Web Management  
Interface.  
Smart Wizard.  
The FWG114P v2 Wireless Firewall/Print Server automatically senses the type of Internet  
connection, asking you only for the information required for your type of ISP account.  
Diagnostic functions.  
The firewall incorporates built-in diagnostic functions, such as Ping, DNS lookup, and remote  
reboot.  
Remote management.  
The firewall allows you to log in to the Web Management Interface from a remote location on  
the Internet. For security, you can limit remote management access to a specified remote IP  
address or range of addresses, and you can choose a nonstandard port number.  
Visual monitoring.  
The FWG114P v2 Wireless Firewall/Print Server’s front panel LEDs provide an easy way to  
monitor its status and activity.  
Regional support, including ISPs like Telstra DSL and BigPond, or Deutsche Telekom.  
Flash memory for firmware upgrades.  
NETGEAR Related Products  
The following NETGEAR products are related to the ProSafe Wireless 802.11g Firewall/Print  
Server Model FWG114P v2:  
ProSafe™ Dual Band Wireless PC Card Model WAG511  
ProSafe™ Dual Band Wireless PCI Adapter Model WAG311  
54 Mbps Wireless PC Card Model WG511  
54 Mbps Wireless PCI Card Model WG311  
54 Mbps Wireless USB 2.0 Adapter Model WG121  
ProSafe™ Indoor 5 dBi Omni-directional Antenna Model ANT24O5  
ProSafe™ Indoor/Outdoor 18 dBi Patch Panel Directional Antenna Model ANT24D18  
ProSafe™ Indoor/Outdoor 9 dBi Omni-directional Antenna Model ANT2409  
Low-loss Antenna Cables  
Package Contents  
The product package should contain the following items:  
ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2.  
AC power adapter.  
Category 5 (Cat 5) Ethernet cable.  
FWG114P Installation Guide (201-10301-01).  
Resource CD for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P  
(SW-10023-03), including:  
— This manual.  
— Application Notes and other helpful information.  
Registration and Warranty Card.  
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the  
carton, including the original packing materials, in case you need to return the router for repair.  
The FWG114P v2 Front Panel  
The front panel of the FWG114P v2 contains the status LEDs. Use the LEDs to verify various  
operations. Table 2-1 describes the LEDs on the front of the router, viewed from left to right.  
[Figure: front panel showing the PWR and TEST LEDs and the PRINTER, MODEM, INTERNET, LOCAL (ports 1 to 4) and WLAN LED groups]  
Figure 2-1: FWG114P v2 Front Panel  
Table 2-1. LED Descriptions  
Label | Activity | Description  
POWER | On | Power is supplied to the firewall.  
TEST | On | The system is initializing.  
TEST | Off | The system is ready and running.  
PRINTER  
ACT | On | The printer is connected and powered on.  
ACT | Blinking | Data is being transmitted or received by the Printer port.  
ALERT | On (Amber) | The printer has a problem, such as out of paper, out of ink, or a paper jam.  
MODEM  
ACT | Blinking | Data is being transmitted or received by the Modem port.  
LINK | On (Amber) | The port has detected a link with an attached device.  
INTERNET  
Note: The operation of these LEDs depends on how the WAN port is configured.  
100 (100 Mbps) | On | The Internet (WAN) port is operating at 100 Mbps.  
100 (100 Mbps) | Off | The Internet (WAN) port is operating at 10 Mbps.  
LINK/ACT (Link/Activity) | On | The Internet port has detected a link with an attached device.  
LINK/ACT (Link/Activity) | Blinking | Data is being transmitted or received by the Internet port.  
LOCAL  
100 (100 Mbps) | On | The Local port is operating at 100 Mbps.  
100 (100 Mbps) | Off | The Local port is operating at 10 Mbps.  
LINK/ACT (Link/Activity) | On | The Local port has detected a link with an attached device.  
LINK/ACT (Link/Activity) | Blinking | The Local port is transmitting or receiving data.  
WLAN | On | The Wireless (WLAN) port is operating.  
WLAN | Blinking | The Wireless (WLAN) port is transmitting or receiving data.  
The FWG114P v2 Rear Panel  
The rear panel of the FWG114P v2 Wireless Firewall/Print Server contains the port connections  
listed below.  
[Figure: rear panel showing the LOCAL 10/100M ports 4 to 1, USB, INTERNET, MODEM and 12VDC, 1.0A connectors]  
Figure 1-2: FWG114P v2 Rear Panel  
Viewed from left to right, the rear panel contains the following features:  
Wireless antenna.  
DB-9 serial port for modem connection.  
USB 2.0 Printer Port.  
Factory Default Reset push button.  
Four Ethernet LAN ports.  
Internet Ethernet WAN port for connecting the router to a broadband modem.  
AC power adapter outlet.  
Chapter 3  
Connecting the FWG114P v2 to the Internet  
This chapter describes how to set up the router on your local area network (LAN) and connect to  
the Internet. You will find out how to configure your ProSafe Wireless 802.11g Firewall/Print  
Server Model FWG114P v2 for Internet access using the Setup Wizard, or how to manually  
configure your Internet connection.  
What You Will Need Before You Begin  
You need to prepare these three things before you begin:  
1. An active Internet service, such as those provided by a cable or DSL broadband account.  
2. Locate the Internet Service Provider (ISP) configuration information for your broadband  
account.  
3. Connect the router to a broadband modem and a computer as explained below.  
Cabling and Computer Hardware Requirements  
To use the FWG114P v2 Wireless Firewall/Print Server on your network, each computer must  
have an installed Ethernet Network Interface Card (NIC) and an Ethernet cable. If the computer  
will connect to your network at 100 Mbps, you must use a Category 5 (CAT5) cable, such as the  
one provided with your router.  
Computer Network Configuration Requirements  
The FWG114P v2 includes a built-in Web Configuration Manager. To access the configuration  
menus on the FWG114P v2, you must use a Java-enabled Web browser program that supports  
HTTP uploads, such as Microsoft Internet Explorer or Netscape Navigator. Use Internet Explorer  
or Netscape Navigator versions 4.0 or above. Free browser programs are readily available for  
Windows, Macintosh, or UNIX/Linux.  
For the initial connection to the Internet and configuration of your router, you will need to connect  
a computer to the router that is set to automatically get its TCP/IP configuration from the router via  
DHCP.  
The cable or DSL modem broadband access device must provide a standard 10 Mbps (10BASE-T)  
Ethernet interface.  
Internet Configuration Requirements  
Depending on how your ISP set up your Internet account, you might need one or more of these  
configuration parameters to connect your router to the Internet:  
Host and Domain Names.  
ISP login name and password.  
ISP Domain Name Server (DNS) Addresses.  
Fixed IP address, which is also known as a static IP address.  
Where Do I Get the Internet Configuration Parameters?  
There are several ways you can gather the required Internet connection information:  
Your ISP provides all the information needed to connect to the Internet. If you cannot locate  
this information, you can ask your ISP to provide it or you can try one of the options below.  
If you have a computer already connected using the active Internet access account, you can  
gather the configuration information from that computer.  
— For Windows 95/98/ME, open the Network control panel, select the TCP/IP entry for the  
Ethernet adapter, and click Properties. Record all the settings for each tab page.  
— For Windows 2000/XP, open the Local Area Network Connection, select the TCP/IP entry  
for the Ethernet adapter, and click Properties. Record all the settings for each tab page.  
— For Macintosh computers, open the TCP/IP or Network control panel. Record all the  
settings for each section.  
You may also refer to the FWG114P v2 Resource CD for the NETGEAR Router ISP Guide  
which provides Internet connection information for many ISPs.  
Once you locate your Internet configuration parameters, you may want to record them on the  
following form:  
Record Your Internet Connection Information  
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).  
ISP Login Name: The login name and password are case sensitive and must be entered exactly as  
given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs  
use your full e-mail address as the login name. The Service Name is not required by all ISPs. If  
you connect using a login name and password, then fill in the following:  
Login Name: ______________________________ Password: ____________________________  
Service Name: _____________________________  
Fixed or Static IP Address: If you have a static IP address, record the following information. For  
example, 169.254.141.148 could be a valid IP address.  
Fixed or Static Internet IP Address: ______.______.______.______  
Gateway IP Address: ______.______.______.______  
Subnet Mask: ______.______.______.______  
ISP DNS Server Addresses: If you were given DNS server addresses, fill in the following:  
Primary DNS Server IP Address: ______.______.______.______  
Secondary DNS Server IP Address: ______.______.______.______  
Host and Domain Names: Some ISPs use a specific host or domain name like CCA7324-A or  
home. If you have not been given host or domain names, you can use the following examples as a  
guide:  
If your main e-mail account with your ISP is aaa@yyy.com, then use aaa as your host name.  
Your ISP might call this your account, user, host, computer, or system name.  
If your ISP’s mail server is mail.xxx.yyy.com, then use xxx.yyy.com as the domain name.  
ISP Host Name: _________________________ ISP Domain Name: _______________________  
Serial Port Internet Access: If you use a dial-up account, record the following:  
Account/User Name: _________________________ Password: _________________________  
Telephone number: ______________________ Alternative number: ______________________  
Connecting the FWG114P v2 Wireless Firewall/Print Server  
This section provides instructions for connecting the FWG114P v2 Wireless Firewall/Print Server.  
Also, the Resource CD for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P  
(SW-10023-03), included with your router, contains an animated Installation Assistant to help you  
through this procedure.  
Verify That Basic Requirements Are Met  
Ensure that the following requirements are met:  
You have your broadband Internet service settings handy.  
The computer is configured to obtain an IP address automatically via DHCP. For instructions  
on how to do this, please see the Reference Manual on the Resource CD for the ProSafe  
Wireless 802.11g Firewall/Print Server Model FWG114P (SW-10023-03).  
1. CONNECT THE WIRELESS FIREWALL/PRINT SERVER  
a. Turn off your computer and cable or DSL modem.  
b. Disconnect the Ethernet cable (A) from your computer which connects to the broadband  
modem.  
Figure 3-1: Disconnect the broadband modem (callout: disconnect cable A from the computer; device shown: cable or DSL modem)  
c. Securely insert the Ethernet cable from your broadband modem into the Internet port (B)  
on the FWG114P v2.  
Figure 3-2: Connect the broadband modem to the router (callouts: Internet Port (B), broadband modem)  
d. Securely insert one end of the Ethernet cable that came with your wireless firewall/print  
server into a Local port on the router, such as Local port 4 (C), and the other end into the  
Ethernet port of your computer (D).  
Figure 3-3: Connect the computers on your network to the router (callouts: Local Port 4 (C), computer Ethernet port (D), broadband modem)  
Note: The FWG114P v2 incorporates Auto Uplink™ technology which eliminates the  
need to worry about crossover cables by automatically adjusting to the cable type.  
2. RESTART YOUR NETWORK IN THE CORRECT SEQUENCE  
Warning: Failure to restart your network in the correct sequence could prevent you from  
connecting to the Internet.  
a. First, turn on the broadband modem and wait 2 minutes.  
b. Now, turn on your wireless firewall/print server.  
c. Last, turn on your computer.  
Note: If software usually logs you in to the Internet, do not run that software, or cancel it if  
it starts automatically.  
Figure 3-4: Verify the connections to the firewall (callouts: Power, Test, Internet Port, Local Port 4)  
d. Check the status lights and verify the following:  
Power: The power light goes on when you turn the wireless firewall/print server on.  
Test: The test light turns on, then goes off after less than a minute.  
Local: A Local light on the router is lit. If no Local lights are lit, check that the  
Ethernet cable connecting the powered on computer to the router is securely attached  
at both ends.  
Internet: The Internet light on the wireless firewall/print server is lit. If the Internet  
light is not lit, make sure the Ethernet cable is securely attached to the wireless  
firewall/print server Internet port and the powered on modem.  
3. LOG IN TO THE WIRELESS FIREWALL/PRINT SERVER  
a. From your PC, launch your Internet browser. Because you are not yet connected to the  
Internet, your browser will display a page not found message.  
b. Connect to the wireless firewall/print server by typing http://192.168.0.1 in the address  
field of Internet Explorer or Netscape® Navigator.  
Figure 3-5: Log in to the firewall  
A login window opens as shown here:  
Figure 3-6: Login window  
c. Enter admin for the router user name and password for the router password, both in  
lower case letters.  
d. After logging in to the router, you will see the login result page.  
Figure 3-7: Login Result page  
4. RUN THE SETUP WIZARD TO CONNECT TO THE INTERNET  
Figure 3-8: Setup Wizard  
a. You are now connected to the router. If you do not see the menu above, click the Setup  
Wizard link on the upper left of the main menu.  
b. Choose NAT or Classical Routing. Typically, NAT is used. NAT automatically assigns  
private IP addresses (192.168.0.x) to LAN connected devices. Classical routing lets you  
directly manage the IP addresses the FWG114P v2 uses.  
Note: If you choose not to use NAT, each computer on the LAN connected to the  
FWG114P v2 must have a valid public IP address in the same subnet as the WAN port of  
the FWG114P v2. For more information on NAT, please see “Single IP Address Operation  
Using NAT” on page B-7. Furthermore, if you turn NAT off and plan to use VPN, you will  
have to open UDP port 500 in the Security settings according to the instructions at  
c. Click Next to proceed. Input your ISP settings, as needed.  
d. At the end of the Setup Wizard, click the Test button to verify your Internet connection  
and register your product. If you have trouble connecting to the Internet, use the  
Troubleshooting Tips below to correct basic problems, or refer to the Reference Manual  
on the CD.  
If you were unable to connect to the firewall, please refer to Basic Functioning “Basic  
You are now connected to the Internet!  
Note: For wireless placement and range guidelines, and wireless configuration instructions, please  
Basic Setup Troubleshooting Tips  
Here are some tips for correcting simple problems that prevent you from connecting to the  
Internet or connecting to the wireless firewall/print server.  
Be sure to restart your network in the correct sequence.  
Follow this sequence. Turn off the modem, wireless firewall/print server, and computer. Turn  
on the modem first and wait two minutes. Next, turn on the wireless firewall/print server, and  
finally the computer.  
Make sure the Ethernet cables are securely plugged in.  
For each powered on computer connected to the wireless firewall/print server with a securely  
plugged in Ethernet cable, the corresponding wireless firewall/print server Local port status  
light will be lit. The label on the bottom of the wireless firewall/print server identifies the  
number of each Local port.  
The Internet port status light on the wireless firewall/print server will be lit if the Ethernet  
cable from the wireless firewall/print server to the modem is plugged in securely and the  
modem and wireless firewall/print server are turned on.  
Make sure the network settings of the computer are correct.  
LAN connected computers must be configured to obtain an IP address automatically via  
DHCP, unless you have turned NAT off and are managing the IP addresses directly. For  
instructions on these configuration settings, please see the Reference Manual on the Resource  
CD for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P (SW-10023-03).  
FWG114P v2 Setup Wizard Auto Detection  
There are two ways you can configure your firewall to connect to the Internet:  
Let the FWG114P v2 auto-detect the type of Internet connection you have and configure it.  
Manually choose which type of Internet connection you have and configure it.  
These options are described below. Unless your ISP uses DHCP, you will need the parameters  
The Setup Wizard can check for the following connection types:  
Dynamic IP assignment  
A login protocol, such as PPPoE  
Fixed IP address assignment  
Next, the Setup Wizard will report which connection type it has discovered, and then display  
the appropriate configuration menu. If the Setup Wizard finds no connection, you will be  
prompted to check the physical connection between your firewall and the cable or DSL  
modem. When the connection is properly made, the firewall’s Internet LED should be on.  
The procedures for filling in the configuration menu for each type of connection follow below.  
Wizard-Detected Login Account Setup  
If the Setup Wizard determines that your Internet service account uses a login protocol, such as  
PPP over Ethernet (PPPoE), you will be directed to a menu like the PPPoE menu in Figure 3-9:  
Figure 3-9: Setup Wizard menu for PPPoE login accounts  
1. Enter your Account Name (may also be called Host Name) and Domain Name. These  
parameters may be necessary to access your ISP’s services, such as mail or news servers. If  
you leave the Domain Name field blank, the firewall will attempt to learn the domain  
automatically from the ISP. If this is not successful, you may need to enter it manually.  
2. Enter the PPPoE login user name and password provided by your ISP. These fields are case  
sensitive. If you wish to change the idle timeout, enter a new value in minutes.  
Note: You will no longer need to launch the ISP’s login program on your computer in order to  
access the Internet. When you start an Internet application, your firewall will automatically log  
you in.  
3. The Idle Timeout setting determines how long to wait after there is no activity before  
disconnecting from the Internet. This is useful in countries where Internet service charges are  
based on the amount of time connected to the Internet. Whenever a computer on the network  
requests access to the Internet the FWG114P v2 will automatically reconnect.  
4. Domain Name Server (DNS) Address: If you know that your ISP does not automatically  
transmit DNS addresses to the firewall during login, select “Use these DNS servers” and enter  
the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is  
available, enter it also.  
Note: If you enter an address here, after you finish configuring the firewall, reboot your PCs  
so that the settings take effect.  
5. Click Apply to save your settings.  
6. Click Test to test your Internet connection. If the NETGEAR Web site does not appear within  
one minute, refer to Chapter 11, “Troubleshooting”.  
Wizard-Detected Dynamic IP Account Setup  
If the Setup Wizard determines that your Internet service account uses Dynamic IP assignment,  
you will be directed to the menu shown in Figure 3-10 below:  
Figure 3-10: Setup Wizard menu for Dynamic IP address  
1. Enter your Account Name (may also be called Host Name) and Domain Name. These  
parameters may be necessary to access your ISP’s services, such as mail or news servers. If  
you leave the Domain Name field blank, the firewall will attempt to learn the domain  
automatically from the ISP. If this is not successful, you may need to enter it manually.  
2. If you know that your ISP does not automatically transmit DNS addresses to the firewall  
during login, select “Use these DNS servers” and enter the IP address of your ISP’s Primary  
DNS Server. If a Secondary DNS Server address is available, enter it also.  
Note: DNS servers are required to perform the function of translating an Internet name, such  
as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must  
obtain DNS server addresses from your ISP and enter them manually here. You should reboot  
your PCs after configuring the firewall for these settings to take effect.  
3. The Router’s MAC Address is the Ethernet MAC address that will be used by the firewall on  
the Internet port.  
If your ISP allows access from only one specific computer’s Ethernet MAC address, select  
“Use this MAC address.” The firewall will then capture and use the MAC address of the  
computer that you are now using. You must be using the one computer that is allowed by the  
ISP. Otherwise, you can type in a MAC address.  
Note: Some ISPs will register the Ethernet MAC address of the network interface card in your  
computer when your account is first opened. They will then only accept traffic from the MAC  
address of that computer. This feature allows your firewall to masquerade as that computer by  
using its MAC address.  
4. Click Apply to save your settings.  
5. Click Test to test your Internet connection. If the NETGEAR Web site does not appear within  
one minute, refer to Chapter 11, “Troubleshooting”.  
Wizard-Detected Fixed IP Account Setup  
If the Setup Wizard determines that your Internet service account uses Fixed IP assignment, you  
will be directed to the menu shown in Figure 3-11 below:  
Figure 3-11: Setup Wizard menu for Fixed IP address  
1. Enter your assigned IP Address, Subnet Mask, and the IP Address of your ISP’s gateway  
router. This information should have been provided to you by your ISP. You will need the  
configuration parameters from your ISP you recorded in “Record Your Internet Connection  
2. Enter the IP address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is  
available, enter it also.  
Note: DNS servers are required to perform the function of translating an Internet name, such  
as www.netgear.com to a numeric IP address. For a fixed IP address configuration, you must  
obtain DNS server addresses from your ISP and enter them manually here. You should reboot  
your PCs after configuring the firewall for these settings to take effect.  
3. Click Apply to save the settings.  
4. Click Test to test your Internet connection. If the NETGEAR Web site does not appear within  
one minute, refer to Chapter 11, “Troubleshooting.”  
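Before typing the Fixed IP values into the menu, the worksheet can be checked for internal consistency. The following is an added example, not part of the NETGEAR manual: the function name is hypothetical and the addresses are constructed values from documentation ranges.

```python
import ipaddress

# Constructed worksheet values (documentation address ranges, not a real ISP).
WORKSHEET_EXAMPLE = {
    "ip": "203.0.113.10",
    "mask": "255.255.255.248",
    "gateway": "203.0.113.9",
    "dns_servers": ["198.51.100.53", "198.51.100.54"],
}


def check_fixed_ip_settings(ip, mask, gateway, dns_servers=()):
    """Check Fixed IP worksheet values for internal consistency.

    Returns a list of problem strings; an empty list means the values agree.
    """
    problems = []
    try:
        # Rejects malformed addresses and non-contiguous masks such as 255.0.255.0.
        iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    except ValueError as exc:
        return [f"address or mask rejected: {exc}"]

    # ipaddress also accepts host masks (0.0.0.255) and prefix lengths (24).
    # The worksheet asks for a dotted subnet mask, so flag anything else.
    if str(iface.netmask) != mask:
        problems.append(
            f"subnet mask {mask!r} is not a dotted netmask (did you mean {iface.netmask}?)"
        )

    net = iface.network
    # Below /31 the first and last addresses of the subnet are not host addresses.
    edges = (net.network_address, net.broadcast_address) if net.prefixlen < 31 else ()
    if iface.ip in edges:
        problems.append(
            f"Internet IP address {iface.ip} is the network or broadcast address of {net}"
        )

    try:
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:
        problems.append(f"gateway rejected: {exc}")
    else:
        if gw not in net:
            # The ISP gateway has to be directly reachable on the Internet port's subnet.
            problems.append(f"gateway {gw} is outside {net}")
        elif gw == iface.ip:
            problems.append(f"gateway {gw} is the same as the Internet IP address")
        elif gw in edges:
            problems.append(f"gateway {gw} is the network or broadcast address of {net}")

    seen = set()
    for label, value in zip(("primary", "secondary"), dns_servers):
        try:
            dns = ipaddress.IPv4Address(value)
        except ValueError as exc:
            problems.append(f"{label} DNS server rejected: {exc}")
            continue
        if dns.is_unspecified or dns.is_multicast or dns.is_loopback:
            problems.append(f"{label} DNS server {dns} is not a usable unicast address")
        if dns in seen:
            problems.append("primary and secondary DNS servers are identical")
        seen.add(dns)
    return problems


if __name__ == "__main__":
    for line in check_fixed_ip_settings(**WORKSHEET_EXAMPLE) or ["worksheet is consistent"]:
        print(line)
```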
How to Configure the Serial Port as the Primary Internet Connection  
Use the procedure below to configure an Internet connection via the serial port of your firewall.  
There are three steps to configuring the serial port of your firewall for an Internet connection:  
1. Connect the firewall to your ISDN or dial-up analog modem.  
2. Configure the firewall.  
3. Connect to the Internet.  
Follow the steps below to configure a serial port Internet connection on your firewall.  
1. Connect the Firewall to your ISDN or dial-up modem  
a. Turn off your modem and connect the cable from the serial port of the FWG114P v2 to the  
modem.  
b. Turn on the modem and wait about 30 seconds for the lights to stop blinking.  
2. Configure the Serial Port of the Firewall.  
a. Use a browser to log in to the firewall at http://192.168.0.1 with its default User Name of  
admin and default Password of password, or using whatever Password you have set up.  
b. From the Setup Basic Settings menu, click Serial Port.  
Figure 3-12: Serial Internet Connection configuration menu  
c. Fill in the ISDN or analog ISP Internet configuration parameters as appropriate:  
For a Dial-up Account, enter the Account information. Check “Connect as required”  
to enable the firewall to automatically dial the number. To enable Idle Time  
disconnect, check the box and enter a time in minutes.  
To configure the Internet IP settings, fill in the address parameters your ISP provided.  
d. Configure the Modem parameters.  
Note: You can validate modem string settings by first connecting the modem directly to a  
computer, establishing a connection to your ISP, and then copying the modem string  
settings from the computer configuration and pasting them into the FWG114P v2 Modem  
Properties Initial String field. For more information on this procedure, please refer to the  
support area of the NETGEAR Web site.  
Select the Serial Line Speed. This is the maximum speed the modem will attempt to  
use. For ISDN permanent connections, the speeds are typically 64000 or 128000 bps.  
For dial-up modems, 56000 bps would be a typical setting.  
Select the Modem Type:  
For ISDN, select “Permanent connection (leased line).”  
For dial-up, select your modem from the list. “Standard Modem” should work in  
most cases.  
If your modem is not on the list, select “User Defined” and enter the Modem  
Properties.  
Note: If you are using the “User Defined” Modem Type, you must first use the Serial Port  
menu Modem link to fill in the Modem Properties settings for your modem.  
e. Click Apply to save your settings.  
3. Connect to the Internet to test your configuration.  
a. If you have a broadband connection, disconnect it.  
b. From a workstation, open a browser and test your serial port Internet connection.  
Note: The response time of your serial port Internet connection will be slower than a  
broadband Internet connection.  
Testing Your Internet Connection  
After completing the Internet connection configuration, you can test your Internet connection.  
Log in to the firewall, then, from the Setup Basic Settings link, click the Test button. If the  
NETGEAR Web site does not appear within one minute, refer to Chapter 11, “Troubleshooting.”  
Note: Popup blocking software may block the test page from opening. Alternately, you can just  
open a new browser window and browse the Internet.  
To access the Internet from any computer connected to your firewall, launch a browser, such as  
Microsoft Internet Explorer or Netscape Navigator. You should see the firewall’s Internet LED  
blink, indicating communication to the ISP. The browser should begin to display a Web page.  
Manually Configuring Your Internet Connection  
You can manually configure your firewall using the menu below, or you can allow the Setup  
Wizard to determine your configuration as described in the previous section.  
Figure 3-13: Browser-based configuration Basic Settings menu (panels: ISP Does Not Require Login; ISP Does Require Login)  
How to Manually Configure the Primary Internet Connection  
Use these steps to manually configure the primary Internet connection in the Basic Settings menu.  
1. Select your Internet connection type (broadband with or without login, or serial).  
Note: If you are a Telstra BigPond broadband customer, or if you are in an area, such as  
Austria, that uses broadband PPTP, login is required. If so, select BigPond or PPTP from the  
Internet Service Type drop down box.  
2. Enter your Account Name (may also be called Host Name) and Domain Name. These  
parameters may be necessary to access your ISP’s services, such as mail or news servers.  
3. If needed, enter the PPPoE login user name and password provided by your ISP. These fields  
are case sensitive. To change the login timeout, enter a new value in minutes.  
Note: You will no longer need to run the ISP’s login program on your computer in order to  
access the Internet. When you start an Internet application, your firewall automatically logs  
you in.  
4. You should only disable NAT if you are sure you do not require it. NAT automatically assigns  
private IP addresses (for example, 192.168.0.x) to LAN connected devices. When NAT is  
disabled, only standard routing is performed by this router.  
Note: Disabling NAT will reboot the router and reset all the FWG114P v2 configuration  
settings to the factory default. Disable NAT only if you plan to install the FWG114P v2 in a  
setting where you will be manually administering the IP address space on the LAN side of the  
router.  
5. Internet IP Address: If your ISP assigned you a permanent, fixed IP address for your computer,  
select “Use Static IP Address.” Enter the IP address your ISP assigned. Also enter the IP  
Subnet Mask and the Gateway IP address. The Gateway is the ISP’s router to which your  
firewall will connect.  
6. Domain Name Server (DNS) Address: If your ISP does not automatically transmit DNS  
addresses to the firewall during login, select “Use These DNS Servers” and enter the IP  
address of your ISP’s Primary DNS Server. If a Secondary DNS Server address is available,  
enter it.  
Note: A DNS server is a host on the Internet that translates Internet names (such as  
www.netgear.com) to numeric IP addresses. Typically your ISP transfers the IP address of one  
or two DNS servers to your firewall during login. If the ISP does not transfer an address, you  
must obtain it from the ISP and enter it manually here. If you enter an address here, you should  
reboot your PCs after configuring the firewall.  
7. Router’s MAC Address: This section determines the Ethernet MAC address that will be used  
by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the  
network interface card in your computer when your account is first opened. They will then  
only accept traffic from the MAC address of that computer. This feature allows your firewall  
to masquerade as that computer by “cloning” its MAC address. To change the MAC address,  
select “Use This Computer’s MAC Address.” The firewall will then capture and use the MAC  
address of the computer that you are now using. You must be using the one computer that is  
allowed by the ISP. Or, select “Use This MAC Address” and enter it.  
8. Click Apply to save your settings.  
9. Click Test to test your Internet connection. If the NETGEAR Web site does not appear within  
one minute, refer to Chapter 11, “Troubleshooting.”  
The remaining chapters in this manual describe how to configure the Advanced features of your  
firewall, and how to troubleshoot problems that may occur.  
Chapter 4  
Wireless Configuration  
This chapter describes how to configure the wireless features of your FWG114P v2 Wireless  
Firewall/Print Server.  
Observing Performance, Placement, and Range Guidelines  
In planning your wireless network, you should consider the level of security required. You should  
also select the physical placement of your FWG114P v2 in order to maximize the network speed.  
For further information on wireless networking, refer to Appendix E, “Wireless Networking  
Basics.”  
Note: Failure to follow these guidelines can result in significant performance  
degradation or inability to wirelessly connect to the wireless firewall/print server. For  
complete range and performance specifications, please see Appendix A, “Technical  
The operating distance or range of your wireless connection can vary significantly based on the  
physical placement of the FWG114P v2 Wireless Firewall/Print Server. The latency, data  
throughput performance, and notebook power consumption also vary depending on your  
configuration choices. For best results, place your wireless firewall/print server:  
Near the center of the area in which your PCs will operate.  
In an elevated location, such as a high shelf where the wirelessly connected PCs have  
line-of-sight access (even if through walls). The best location is elevated, such as wall  
mounted or on the top of a cubicle, and at the center of your wireless coverage area for all the  
mobile devices.  
Away from sources of interference, such as PCs, microwaves, and 2.4 GHz cordless phones.  
Away from large metal surfaces.  
Be aware that the time it takes to establish a wireless connection can vary depending on both your  
security settings and placement. WEP connections can take slightly longer to establish. Also, WEP  
encryption can consume more battery power on a notebook computer.  
Implementing Appropriate Wireless Security  
Note: Indoors, computers can connect to wireless networks at ranges of 300 feet or  
more. Such distances allow others outside of your area to access your network.  
Unlike wired network data, your wireless data transmissions can extend beyond your walls and  
can be received by anyone with a compatible adapter. For this reason, use the security features of  
your wireless equipment. The FWG114P v2 Wireless Firewall/Print Server provides highly  
effective security features which are covered in detail in this chapter.  
Figure 4-1: FWG114P v2 wireless data security options (Radius: up to 300 feet)  
1) No Security: Easy but no security  
2) MAC Access List: No data security  
3) WEP: Security but some performance impact  
4) WPA or WPA-PSK: Very strong security  
There are several ways you can enhance the security of your wireless network:  
Restrict Access Based on MAC Address. You can allow only trusted PCs to connect so that  
unknown PCs cannot wirelessly connect to the FWG114P v2. Restricting access by MAC  
address adds an obstacle against unwanted access to your network, but the data broadcast over  
the wireless link is fully exposed.  
Turn Off the Broadcast of the Wireless Network Name SSID. If you disable broadcast of  
the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network  
‘discovery’ feature of some products, such as Windows XP, but the data is still exposed.  
WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP Shared  
Key authentication and WEP data encryption will block all but the most determined  
eavesdropper.  
WPA/WPA2 with Radius or WPA/WPA2-PSK. Wi-Fi Protected Access (WPA and WPA2)  
data encryption provides data security. The very strong authentication along with dynamic per  
frame rekeying of WPA and WPA2 make it virtually impossible to compromise. Because this  
is a new standard, wireless device driver and software availability may be limited.  
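The four levels of Figure 4-1 and the caveats in the list above can be applied to a set of wireless settings as a check. This is an added example, not NETGEAR code: the dictionary keys and function names are hypothetical, the option names are those listed under Security Options in this manual, and both sample configurations are constructed.

```python
import re

# Option names as listed under "Security Options" in this manual.
WPA_OPTIONS = {
    "WPA with Radius", "WPA2 with Radius", "WPA and WPA2 with Radius",
    "WPA-PSK", "WPA2-PSK", "WPA-PSK and WPA2-PSK",
}
DEFAULT_SSID = "NETGEAR"  # factory default SSID stated in the manual

# Constructed sample settings (hypothetical keys, not a router export format).
WEAK_EXAMPLE = {
    "ssid": "NETGEAR", "broadcast_ssid": False,
    "trusted_pcs_only": True, "security": "Disable",
}
HARDENED_EXAMPLE = {
    "ssid": "Office24", "broadcast_ssid": True,
    "trusted_pcs_only": False, "security": "WPA2-PSK",
}


def protection_level(settings):
    """Map settings to the 1-4 scale of Figure 4-1."""
    security = settings["security"]
    if security in WPA_OPTIONS:
        return 4
    if security == "WEP":
        return 3
    if security == "Disable":
        # A MAC access list without encryption is level 2: "No data security".
        return 2 if settings["trusted_pcs_only"] else 1
    raise ValueError(f"unknown security option: {security!r}")


def audit_wireless(settings):
    """Return (level, findings) for one wireless configuration."""
    findings = []
    ssid = settings["ssid"]
    # The manual allows up to 32 alphanumeric characters for the SSID.
    if not re.fullmatch(r"[A-Za-z0-9]{1,32}", ssid):
        findings.append("SSID must be 1 to 32 alphanumeric characters")
    # Hygiene check added for this example; the manual only states the default.
    if ssid == DEFAULT_SSID:
        findings.append("SSID is still the factory default")

    level = protection_level(settings)
    if level <= 2:
        findings.append("no data encryption: wireless traffic is readable within radio range")
        if settings["trusted_pcs_only"]:
            findings.append("MAC access list is only an obstacle; the data is fully exposed")
        if not settings["broadcast_ssid"]:
            findings.append("hiding the SSID does not protect the data")
    elif level == 3:
        findings.append("WEP ranks below WPA in Figure 4-1; use a WPA option if clients support it")
    return level, findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_EXAMPLE), ("hardened", HARDENED_EXAMPLE)):
        level, findings = audit_wireless(cfg)
        print(f"{name}: level {level}")
        for item in findings:
            print("  -", item)
```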
Understanding Wireless Settings  
To configure the wireless settings of your FWG114P v2, click the Wireless link in the Setup  
section of the main menu. The wireless settings menu will appear, as shown below.  
Figure 4-2: Wireless Settings menu  
Note: The 802.11b and 802.11g wireless networking protocols are configured in exactly  
the same fashion. The FWG114P v2 will automatically adjust to the 802.11g or 802.11b  
protocol as the device requires without compromising the speed of the other devices.  
Wireless Network. The station name of the FWG114P v2.  
Wireless Network Name (SSID). The SSID is also known as the wireless network name.  
Enter a value of up to 32 alphanumeric characters. In a setting where there is more than  
one wireless network, different wireless network names provide a means for separating the  
traffic. Any device you want to participate in the 802.11b/g wireless network will need to  
use this SSID for that network. The FWG114P v2 default SSID is: NETGEAR.  
Region. This field identifies the region where the FWG114P v2 can be used. It may not be  
legal to operate the wireless features of the wireless firewall/print server in a region other  
than one of those identified in this field. Unless you select a region, you will only be able  
to use Channel 11.  
Channel. This field determines which operating frequency will be used. It should not be  
necessary to change the wireless channel unless you notice interference problems with  
another nearby access point. For more information on the wireless channel frequencies,  
Mode. Select the desired wireless mode. The options are:  
g & b - Both 802.11g and 802.11b wireless stations can be used.  
g only - Only 802.11g wireless stations can be used.  
b only - All 802.11b wireless stations can be used. 802.11g wireless stations can still  
be used if they can operate in 802.11b mode.  
The default is “g & b” which allows both 802.11g and 802.11b wireless stations to access  
this device.  
Wireless Access Point  
Enable Wireless Access Point. Enables the wireless radio. When disabled, there are no  
wireless communications through the FWG114P v2.  
Allow Broadcast of Name (SSID). The default setting is to enable SSID broadcast. If you  
disable broadcast of the SSID, only devices that have the correct SSID can connect.  
Disabling SSID broadcast somewhat hampers the wireless network ‘discovery’ feature of  
some products.  
Wireless Card Access List  
Lets you restrict wireless connections according to a list of Trusted PCs MAC addresses.  
When the Trusted PCs Only radio button is selected, the FWG114P v2 checks the MAC  
address of the wireless station and only allows connections to PCs identified on the trusted  
PCs list.  
To restrict access based on MAC addresses, click the Set up Access List button and update the  
MAC access control list.  
Security Options  
Disable: No data encryption is used.  
WEP (Wired Equivalent Privacy): Use WEP 64 or 128 bit data encryption.  
WPA with Radius: This version of WPA requires the use of a Radius server for  
authentication. Each user (Wireless Client) must have a "user" login on the Radius Server  
- normally done via a digital certificate. Also, this device must have a "client" login on the  
Radius server. Data transmissions are encrypted using a key which is automatically  
generated.  
WPA2 with Radius: WPA2 is a later version of WPA. Only select this if all clients  
support WPA2. If selected, you must use AES encryption, and configure the Radius Server  
Settings. Each user (Wireless Client) must have a "user" login on the Radius Server -  
normally done via a digital certificate. Also, this device must have a "client" login on the  
Radius server. Data transmissions are encrypted using a key which is automatically  
generated.  
WPA and WPA2 with Radius: This selection allows clients to use either WPA (with AES  
encryption) or WPA2 (with TKIP encryption). If selected, encryption must be TKIP +  
AES. If selected, you must configure the Radius Server Settings.  
WPA-PSK (Wi-Fi Protected Access Pre-Shared Key): Use WPA-PSK standard encryption.  
WPA2-PSK: WPA2 is a later version of WPA. Only select this if all clients support  
WPA2. If selected, you must use AES encryption, and enter the WPA passphrase  
(Network key).  
WPA-PSK and WPA2-PSK: This selection allows clients to use either WPA (with AES  
encryption) or WPA2 (with TKIP encryption). If selected, encryption must be TKIP +  
AES.  
Default Factory Settings  
The FWG114P v2 default factory settings are shown below. You can restore these defaults with the  
Factory Default Restore button on the rear panel as seen in the illustration “FWG114P v2 Rear  
Panel” on page 2-9. After you install the FWG114P v2 Wireless Firewall/Print Server, use the  
procedures below to customize any of the settings to better meet your networking needs.  
| FEATURE | DEFAULT FACTORY SETTINGS |
| --- | --- |
| SSID | NETGEAR |
| RF Channel | 11 until the region is selected |
| Access Point | Enabled |
| SSID broadcast | Enabled |
| Wireless Card Access List for Access Point Connections | All wireless stations allowed |
| WEP Security | Disabled |
| Authentication Type | Open System |
Before You Change the SSID and WEP Settings  
Take the following steps:  
For a new wireless network, print or copy this form and fill in the configuration parameters. For an  
existing wireless network, the person who set up or is responsible for the network will be able to  
provide this information. Be sure to set the Regulatory Domain correctly as the first step.  
SSID: The Service Set Identification (SSID) identifies the wireless local area network.  
Wireless is the default FWG114P v2 SSID. However, you may customize it by using up to 32  
alphanumeric characters. Write your customized SSID on the line below.  
Note: The SSID in the wireless firewall/print server is the SSID you configure in the wireless  
adapter card. All wireless nodes in the same network must be configured with the same SSID:  
Authentication  
Circle one: Open System or Shared Key. Choose “Shared Key” for more security.  
Note: If you select shared key, the other devices in the network will not connect unless they  
are set to Shared Key as well and have the same keys in the same positions as those in the  
FWG114P v2.  
WEP Encryption Keys  
For all four 802.11b keys, choose the Key Size. Circle one: 64 or 128 bits  
Key 1: ___________________________________  
Key 2: ___________________________________  
Key 3: ___________________________________  
Key 4: ___________________________________  
WPA-PSK or WPA2-PSK (Pre-Shared Key)  
Record the WPA-PSK or WPA2-PSK key:  
Key: ___________________________________  
WPA or WPA2 RADIUS Settings  
For WPA or WPA2, record the following RADIUS settings:  
Server Name/IP Address: Primary _________________ Secondary __________________  
Port: ___________________________________  
Shared Key: ___________________________________  
Use the procedures described in the following sections to configure the FWG114P v2. Store this  
information in a safe place.  
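The worksheet values can be checked against the constraints this chapter states for each security option before they are typed into the device. The following is an added example, not NETGEAR code: the dictionary keys (`ssid`, `admin_password`, `security`, `encryption`, `wep_key_size`, `wep_key`, `passphrase`, `radius_*`) are hypothetical names for the worksheet fields, and both sample configurations are constructed.

```python
import re

HEX_DIGITS = re.compile(r"[0-9A-Fa-f]+")
# Manual entry lengths the manual gives for 64-bit and 128-bit WEP keys.
WEP_HEX_LENGTH = {64: 10, 128: 26}
# Encryption each security option accepts, taken from the configuration procedures.
REQUIRED_ENCRYPTION = {
    "WPA with Radius": {"TKIP"},
    "WPA2 with Radius": {"AES"},
    "WPA and WPA2 with Radius": {"TKIP + AES"},
    "WPA-PSK": {"TKIP", "AES"},
    "WPA2-PSK": {"AES"},
    "WPA-PSK and WPA2-PSK": {"TKIP + AES"},
}


def _printable(text):
    """True when every character is printable ASCII (codes 32 to 126)."""
    return all(32 <= ord(ch) <= 126 for ch in text)


def audit(cfg):
    """Return a list of findings for one recorded wireless configuration."""
    findings = []
    ssid = cfg.get("ssid", "")
    if not 1 <= len(ssid) <= 32:
        findings.append("ERROR ssid: must be 1 to 32 characters")
    elif ssid == "NETGEAR":
        findings.append("WARN ssid: factory default still in use")
    if cfg.get("admin_password") == "password":
        findings.append("WARN admin_password: factory default still in use")

    option = cfg.get("security", "Disable")
    if option == "Disable":
        findings.append("WARN security: no data encryption is used")
    elif option == "WEP":
        want = WEP_HEX_LENGTH.get(cfg.get("wep_key_size"))
        key = cfg.get("wep_key", "")
        if want is None:
            findings.append("ERROR wep_key_size: must be 64 or 128")
        elif len(key) != want or not HEX_DIGITS.fullmatch(key):
            findings.append(f"ERROR wep_key: expected {want} hexadecimal digits")
    elif option in REQUIRED_ENCRYPTION:
        if cfg.get("encryption") not in REQUIRED_ENCRYPTION[option]:
            allowed = " or ".join(sorted(REQUIRED_ENCRYPTION[option]))
            findings.append(f"ERROR encryption: {option} requires {allowed}")
        if option.endswith("with Radius"):
            # The manual marks the primary server as required; the port and
            # shared key must also be present for the RADIUS exchange to work.
            for field in ("radius_primary", "radius_port", "radius_shared_key"):
                if not cfg.get(field):
                    findings.append(f"ERROR {field}: required for {option}")
        else:
            phrase = cfg.get("passphrase", "")
            if not 8 <= len(phrase) <= 63 or not _printable(phrase):
                findings.append("ERROR passphrase: must be 8 to 63 printable characters")
    else:
        findings.append(f"ERROR security: unknown option {option!r}")
    return findings


# Constructed sample: the device as it ships, per the factory-default table.
FACTORY_DEFAULT = {"ssid": "NETGEAR", "admin_password": "password", "security": "Disable"}

# Constructed sample: the same device after the worksheet has been filled in.
HARDENED = {
    "ssid": "ExampleOffice01",
    "admin_password": "constructed-Admin-Secret-01",
    "security": "WPA2-PSK",
    "encryption": "AES",
    "passphrase": "constructed example passphrase 2005",
}

if __name__ == "__main__":
    for name, cfg in (("factory default", FACTORY_DEFAULT), ("hardened", HARDENED)):
        print(name)
        for line in audit(cfg) or ["OK"]:
            print("  " + line)
```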
How to Set Up and Test Basic Wireless Connectivity  
Follow the instructions below to set up and test basic wireless connectivity. Once you have  
established basic wireless connectivity, you can enable security settings appropriate to your needs.  
1. Log in using the default LAN address of http://192.168.0.1 with the default user name of  
admin and default password of password, or using whatever LAN address and password you  
have set up.  
Figure 4-3: Wireless Settings menu  
2. Set the Regulatory Domain correctly.  
3. Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box,  
enter a value of up to 32 alphanumeric characters. The default SSID is NETGEAR.  
Note: The characters are case sensitive. An access point always functions in infrastructure  
mode. The SSID for any wireless device communicating with the access point must match the  
SSID configured in the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2.  
If they do not match, you will not get a wireless connection to the FWG114P v2.  
4. Set the Channel.  
It should not be necessary to change the wireless channel unless you notice interference  
problems with another nearby wireless router or access point. Select a channel that is not being  
used by any other wireless networks within several hundred feet of your wireless firewall/print  
server. For more information on the wireless channel frequencies please refer to “Wireless  
5. Depending on the types of wireless adapters you have in your computers, choose from the  
Mode drop-down list.  
6. For initial configuration and test, leave the Wireless Card Access List set to “All Wireless  
Stations” and the Encryption Strength set to “Disable.”  
7. Click Apply to save your changes.  
Note: If you are configuring the FWG114P v2 from a wireless computer and you  
change the wireless firewall/print server’s SSID, channel, or security settings, you will  
lose your wireless connection when you click on Apply. You must then change the  
wireless settings of your computer to match the FWG114P v2’s new settings.  
8. Configure and test your PCs for wireless connectivity.  
Program the wireless adapter of your PCs to have the same SSID that you configured in the  
FWG114P v2. Check that they have a wireless link and are able to obtain an IP address by  
DHCP from the wireless firewall/print server.  
Once your PCs have basic wireless connectivity to the wireless firewall/print server, then you can  
configure the advanced options and wireless security functions.  
How to Restrict Wireless Access by MAC Address  
To restrict access based on MAC addresses, follow these steps:  
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin  
and default password of password.  
2. Click Wireless in the main menu of the FWG114P v2. From the Wireless Settings menu, click  
Setup Access List.  
Figure 4-4: Wireless Station Access menu  
3. Click the Turn Access Control On checkbox to enable MAC filtering.  
4. Click Add to open the Wireless Card Access Setup menu. You can select a device from the list  
of available wireless cards the FWG114P v2 has discovered in your area, or you can manually  
enter the MAC address and Device Name (usually the NetBIOS name).  
5. Click Add to add this device to your MAC access control list.  
Note: When configuring the FWG114P v2 from a wireless computer whose MAC  
address is not in the access control list, if you select Turn Access Control On, you will  
lose your wireless connection when you click Apply. You must then access the wireless  
firewall/print server from a wired computer or from a wireless computer which is on the  
access control list to make any further changes.  
6. Be sure to click Apply to save your trusted wireless PCs list settings. Now, only devices on  
this list will be allowed to wirelessly connect to the FWG114P v2.  
To remove a MAC address from the table, click to select it, then click the Delete button.  
How to Configure WEP  
Note: When changing the wireless settings from a wireless computer, you will lose your  
wireless connection when you click Apply. You must then either configure your wireless  
adapter to match the new wireless settings or access the wireless firewall/print server  
from a wired computer to make any further changes.  
To configure WEP data encryption, follow these steps:  
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin  
and default password of password, or using whatever LAN address and password you set up.  
2. Click Wireless Settings in the main menu of the FWG114P v2.  
Figure 4-5: Wireless Settings menu (WEP)  
3. Select WEP on the pulldown menu. The WEP options menu will open.  
4. Choose the Authentication Type and Encryption Strength options. You can manually or  
automatically program the four data encryption keys. These values must be identical on all  
PCs and Access Points in your network.  
Authentication Type: Normally this can be left at the default value of "Automatic." If set  
to "Open System" or "Shared Key", wireless stations must use the same method.  
Encryption: Select the desired WEP Encryption:  
64-bit (sometimes called 40-bit) encryption  
128-bit encryption  
WEP Keys: If using WEP, you can manually or automatically program the four data  
encryption keys. These values must be identical on all PCs and Access Points in your  
network.  
Automatic Key Generation (Passphrase): Enter a word or group of printable  
characters (this phrase is case sensitive) in the Passphrase box and click the "Generate  
Keys" button to automatically configure the WEP Key(s).  
If encryption is set to 64 bit, then each of the four key boxes will automatically be  
populated with key values.  
If encryption is set to 128 bit, then only the selected WEP key box will  
automatically be populated with a key value.  
Manual Entry Mode: Enter ten hexadecimal digits (any combination of 0-9, a-f, or  
A-F). These hex values are not case sensitive. Select which of the four keys will be  
used and enter the matching WEP key information for your network in the selected  
key box.  
For 64 bit WEP: Enter ten hexadecimal digits (any combination of 0-9, A-F).  
For 128 bit WEP: Enter twenty-six hexadecimal digits (any combination of 0-9,  
A-F).  
Please refer to “Overview of WEP Parameters” on page E-5 for a full explanation of each of  
these options, as defined by the IEEE 802.11b wireless communication standard.  
5. Click Apply to save your settings.  
How to Configure WPA with Radius  
Note: Not all wireless adapters support WPA. Furthermore, client software is required on the  
client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that  
supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA.  
Consult the product document for your wireless adapter and WPA client software for instructions  
on configuring WPA settings.  
To configure WPA with Radius, follow these steps:  
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin  
and default password of password, or using whatever LAN address and password you have  
set up.  
2. Click Wireless Settings in the main menu of the FWG114P v2.  
Figure 4-6: Wireless Settings menu (WPA with Radius)  
3. Select WPA with Radius on the pulldown menu. The WPA with Radius menu will open.  
Encryption: There is no choice for encryption; this is displayed for your information. For  
WPA with Radius, TKIP is used.  
4. Enter the Radius settings.  
Primary Server Name/IP Address: This field is required. Enter the name or IP address  
of the primary Radius Server on your LAN.  
Secondary Radius Server Name/IP Address: This field is optional. If you have a  
Secondary Radius Server on your LAN, enter its name or IP address here.  
Radius Port: Enter the port number used for connecting to the Radius Server.  
Shared Key: Enter the desired value for the Shared Key. This must match the value used  
on the Radius server.  
Radius Accounting: Enable Radius Accounting  
Enable this if you want to use the Radius Accounting system. If enabled, the following  
fields must be correct:  
Radius Accounting Port: Enter the port number used for Accounting data on the Radius  
Server.  
Update Report: Enable this if you wish to have this AP send Accounting update  
messages to the Radius accounting server periodically.  
If enabled, enter the desired Update Report interval in the field provided.  
5. Click Apply to save your settings.  
How to Configure WPA2 with Radius  
Note: Not all wireless adapters support WPA2. Furthermore, client software is required on the  
client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that  
supports WPA2. Nevertheless, the wireless adapter hardware and driver must also support WPA2.  
Consult the product document for your wireless adapter and WPA2 client software for instructions  
on configuring WPA2 settings.  
To configure WPA2 with Radius, follow these steps:  
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin  
and default password of password, or using whatever LAN address and password you have  
set up.  
2. Click Wireless Settings in the main menu of the FWG114P v2.  
Figure 4-7: Wireless Settings menu (WPA2 with Radius)  
3. Select WPA2 with Radius on the pulldown menu. The WPA2 with Radius menu will open.  
Encryption: There is no choice for encryption; this is displayed for your information. For  
WPA2 with Radius, AES is used.  
4. Enter the Radius settings.  
Primary Server Name/IP Address: This field is required. Enter the name or IP address  
of the primary Radius Server on your LAN.  
Secondary Radius Server Name/IP Address: This field is optional. If you have a  
Secondary Radius Server on your LAN, enter its name or IP address here.  
Radius Port: Enter the port number used for connecting to the Radius Server.  
Shared Key: Enter the desired value for the Shared Key. This must match the value used  
on the Radius server.  
Radius Accounting: Enable Radius Accounting  
Enable this if you want to use the Radius Accounting system. If enabled, the following  
fields must be correct:  
Radius Accounting Port: Enter the port number used for Accounting data on the Radius  
Server.  
Update Report: Enable this if you wish to have this AP send Accounting update  
messages to the Radius accounting server periodically.  
If enabled, enter the desired Update Report interval in the field provided.  
5. Click Apply to save your settings.  
How to Configure WPA and WPA2 with Radius  
Note: Not all wireless adapters support WPA and WPA2. Furthermore, client software is required  
on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software  
that supports WPA and WPA2. Nevertheless, the wireless adapter hardware and driver must also  
support WPA and WPA2. Consult the product document for your wireless adapter and WPA and  
WPA2 client software for instructions on configuring WPA and WPA2 settings.  
To configure WPA and WPA2 with Radius, follow these steps:  
1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin  
and default password of password, or using whatever LAN address and password you have  
set up.  
2. Click Wireless Settings in the main menu of the FWG114P v2.  
Figure 4-8: Wireless Settings menu (WPA and WPA2 with Radius)  
3. Select WPA and WPA2 with Radius on the pulldown menu. The WPA and WPA2 with  
Radius menu will open.  
Encryption: There is no choice for encryption; this is displayed for your information. For  
WPA and WPA2 with Radius, WPA clients must use TKIP, and WPA2 clients must use AES.  
4. Enter the Radius settings.  
Primary Server Name/IP Address: This field is required. Enter the name or IP address  
of the primary Radius Server on your LAN.  
Secondary Radius Server Name/IP Address: This field is optional. If you have a  
Secondary Radius Server on your LAN, enter its name or IP address here.  
Radius Port: Enter the port number used for connecting to the Radius Server.  
Shared Key: Enter the desired value for the Shared Key. This must match the value used  
on the Radius server.  
Radius Accounting: Enable Radius Accounting  
Enable this if you want to use the Radius Accounting system. If enabled, the following  
fields must be correct:  
Radius Accounting Port: Enter the port number used for Accounting data on the Radius  
Server.  
Update Report: Enable this if you wish to have this AP send Accounting update  
messages to the Radius accounting server periodically.  
If enabled, enter the desired Update Report interval in the field provided.  
5. Click Apply to save your settings.  
How to Configure WPA-PSK  
Note: Not all wireless adapters support WPA. Furthermore, client software is required on the  
client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that  
supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA.  
Consult the product document for your wireless adapter and WPA client software for instructions  
on configuring WPA settings.  
To configure WPA-PSK, follow these steps:  
1. Log in at the default LAN address of http://192.168.0.1, with the default user name of admin  
and default password of password, or using whatever LAN address and password you have  
set up.  
2. Click Wireless Settings in the main menu of the FWG114P v2.  
Figure 4-9: Wireless Settings menu (WPA-PSK)  
3. Select WPA-PSK on the pulldown menu. The WPA-PSK menu will open.  
4. Select the desired Encryption method. For WPA-PSK, you can choose TKIP or AES.  
5. Enter the pre-shared key in the Passphrase field. Enter a word or group of printable characters  
in the Passphrase box. The Passphrase must be 8 to 63 characters in length. The 256 Bit key  
used for encryption is generated from this passphrase.  
6. Enter the Key Lifetime. This setting determines how often the encryption key is changed.  
Shorter periods provide greater security, but adversely affect performance. If desired, you can  
change the default value.  
7. Click Apply to save your settings.  
How to Configure WPA2-PSK  
Note: Not all wireless adapters support WPA2. Furthermore, client software is required on the  
client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that  
supports WPA2. Nevertheless, the wireless adapter hardware and driver must also support WPA2.  
Consult the product document for your wireless adapter and WPA2 client software for instructions  
on configuring WPA2 settings.  
To configure WPA2-PSK, follow these steps:  
1. Log in at the default LAN address of http://192.168.0.1, with the default user name of admin  
and default password of password, or using whatever LAN address and password you have  
set up.  
2. Click Wireless Settings in the main menu of the FWG114P v2.  
Figure 4-10: Wireless Settings menu (WPA2-PSK)  
3. Select WPA2-PSK on the pulldown menu. The WPA2-PSK menu will open.  
4. Select the desired Encryption method. For WPA2-PSK, the only option is AES.  
5. Enter the pre-shared key in the Passphrase field. Enter a word or group of printable characters  
in the Passphrase box. The Passphrase must be 8 to 63 characters in length. The 256 Bit key  
used for encryption is generated from this passphrase.  
6. Enter the Key Lifetime. This setting determines how often the encryption key is changed.  
Shorter periods provide greater security, but adversely affect performance. If desired, you can  
change the default value.  
7. Click Apply to save your settings.  
How to Configure WPA-PSK and WPA2-PSK  
Note: Not all wireless adapters support WPA and WPA2. Furthermore, client software is required  
on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software  
that supports WPA and WPA2. Nevertheless, the wireless adapter hardware and driver must also  
support WPA and WPA2. Consult the product document for your wireless adapter and WPA and  
WPA2 client software for instructions on configuring WPA and WPA2 settings.  
To configure WPA-PSK and WPA2-PSK, follow these steps:  
1. Log in at the default LAN address of http://192.168.0.1, with the default user name of admin  
and default password of password, or using whatever LAN address and password you have  
set up.  
2. Click Wireless Settings in the main menu of the FWG114P v2.  
Figure 4-11: Wireless Settings menu (WPA-PSK and WPA2-PSK)  
3. Select WPA-PSK and WPA2-PSK on the pulldown menu. The WPA-PSK and WPA2-PSK  
menu will open.  
4. Select the desired Encryption method. For WPA-PSK and WPA2-PSK, the only option is  
TKIP + AES. WPA clients must use TKIP, and WPA2 clients must use AES.  
5. Enter the pre-shared key in the Passphrase field. Enter a word or group of printable characters  
in the Passphrase box. The Passphrase must be 8 to 63 characters in length. The 256 Bit key  
used for encryption is generated from this passphrase.  
6. Enter the Key Lifetime. This setting determines how often the encryption key is changed.  
Shorter periods provide greater security, but adversely affect performance. If desired, you can  
change the default value.  
7. Click Apply to save your settings.  
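The three PSK procedures above state that a 256-bit key is generated from the 8 to 63 character passphrase. In the WPA and WPA2 standard (IEEE 802.11i) that mapping is PBKDF2-HMAC-SHA1 with the SSID as the salt and 4096 iterations; the following is an added example of that standard derivation, not NETGEAR firmware code, and its function names are illustrative.

```python
import hashlib

ITERATIONS = 4096   # iteration count fixed by IEEE 802.11i
PSK_BYTES = 32      # 256-bit key, as the manual states


def validate_passphrase(passphrase):
    """Enforce the manual's rule: 8 to 63 printable characters."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters")
    if any(not 32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("passphrase must contain only printable ASCII characters")


def derive_psk(passphrase, ssid):
    """Map a passphrase and SSID to the 256-bit pre-shared key."""
    validate_passphrase(passphrase)
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1 to 32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt,
                               ITERATIONS, PSK_BYTES)


def keys_by_ssid(passphrase, ssids):
    """Show how the same passphrase yields a different key under each SSID."""
    return {ssid: derive_psk(passphrase, ssid).hex() for ssid in ssids}


if __name__ == "__main__":
    # Test vector published with IEEE 802.11i: passphrase "password", SSID "IEEE".
    print("IEEE vector :", derive_psk("password", "IEEE").hex())

    # Constructed passphrase, evaluated under the factory-default SSID and a
    # constructed site-specific SSID.
    phrase = "constructed example passphrase 2005"
    for ssid, key in keys_by_ssid(phrase, ["NETGEAR", "ExampleOffice01"]).items():
        print(f"{ssid:<16}:", key)

    # Edge cases the Passphrase field rejects.
    for bad in ("short", "x" * 64):
        try:
            derive_psk(bad, "NETGEAR")
        except ValueError as err:
            print(f"rejected {len(bad)}-character passphrase: {err}")
```

Because the SSID is the only salt, every access point left on the default SSID NETGEAR derives the same key from the same passphrase, so setting a site-specific SSID and a long passphrase together changes the derived key.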
Chapter 5  
Serial Port Configuration  
This chapter describes how to configure the serial port options of your ProSafe Wireless 802.11g  
Firewall/Print Server Model FWG114P v2. The FWG114P v2 serial port lets you share the  
broadband connection of another FWG114P v2, share resources between two LANs, and take  
advantage of the routing functions on the broadband (WAN), LAN, and serial network interfaces.  
Note: If you configure the serial port of the FWG114P v2 as the primary Internet connection, you  
will not be able to configure the other serial port options. For instructions on configuring the serial  
port as the primary Internet connection, please see “How to Configure the Serial Port as the  
The FWG114P v2 provides these serial port configuration options:  
Modem  
Use this option to configure the serial modem settings for any of the features below.  
Auto-Rollover  
Use this option to provide a backup connection for your broadband service. If the broadband  
service you configured in the Basic Settings menu fails, the FWG114P v2 will automatically  
connect to the Internet through the serial port. However, you will then be accessing the  
Internet at a slower speed than you would through your broadband service.  
Dial-in  
Dial-in lets a single remote computer connect to the FWG114P v2 through the serial port to  
gain access to LAN resources or a remote access server.  
LAN-to-LAN  
LAN-to-LAN enables direct communications between two FWG114P v2 wireless firewall/  
print servers to:  
— Share resources on the two LANs.  
— Let users on one FWG114P v2 share the Internet connection of the other FWG114P v2.  
— Let users on one FWG114P v2 connect to the Internet through the second FWG114P v2 in  
case the broadband connection of the first FWG114P v2 fails.  
The procedures for these configuration options are presented below.  
Configuring a Serial Port Modem  
You can configure a serial port modem for any of the features described above.  
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.  
Basic Requirements for Serial Port Modem Configuration  
Configuring a serial port modem requires these elements:  
1. A serial analog or ISDN modem.  
2. A serial modem cable with a DB9 connector.  
3. An active phone or ISDN line.  
How to Configure a Serial Port Modem  
Follow the steps below to configure a serial port modem.  
1. From the main menu, click Modem in the Serial Port section.  
Figure 5-1: Serial Port Modem configuration menu  
2. Select the Serial Line Speed.  
This is the maximum speed the modem will attempt to use. For ISDN permanent connections,  
the speeds are typically 64000 or 128000 bps. For dial-up modems, 56000 bps would be a  
typical setting.  
3. Select the Modem Type:  
— For ISDN, select “Permanent connection (leased line).”  
— For dial-up, “Standard Modem” should work in most cases. Otherwise, select your modem  
from the list.  
— If your modem is not on the list, select “User Defined” and enter the Modem Properties.  
If you are using the “User Defined” selection and configuring your own modem strings, fill  
in the Modem Properties settings.  
Note: You can validate modem string settings by first connecting the modem directly to a  
computer, establishing a connection to your ISP, and then copying the modem string  
settings from the computer configuration and pasting them into the FWG114P v2 Modem  
Properties Initial String field. For more information on this procedure, please refer to the  
support area of the NETGEAR Web site.  
4. Click Apply to save your settings.  
Configuring Auto-Rollover  
You can configure the serial port of the FWG114P v2 to provide an auto-rollover backup  
connection for your broadband service.  
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.  
Basic Requirements for Auto-Rollover  
Auto-Rollover requires these elements:  
1. A broadband connection to the FWG114P v2.  
2. An ISDN or analog phone line with an active ISDN or dial-up ISP account.  
3. A serial modem properly configured and attached to the DB9 connector on the serial port.  
4. The Auto-Rollover settings configured and applied to the FWG114P v2.  
How to Configure Auto-Rollover  
Follow the steps below to configure a serial port auto-rollover connection.  
1. Configure a serial port modem according to the instructions above.  
2. From the main menu, click Auto-rollover in the Serial Port section.  
Figure 5-2: Auto-Rollover configuration menu  
3. Configure the Auto-Rollover settings.  
4. Click Apply for the changes to take effect.  
Configuring Dial-in on the Serial Port  
Dial-in lets a single remote computer connect to the FWG114P v2 through the serial port to gain  
access to LAN resources or a remote access server.  
Be sure you have prepared the basic requirements listed below, then follow the ‘how to’ procedure.  
Basic Requirements for Dial-in  
Dial-in requires these elements:  
1. A broadband connection to the FWG114P v2.  
2. An analog phone line.  
3. A serial modem properly configured and attached to the DB9 connector on the serial port.  
4. The Dial-in settings configured and applied to the FWG114P v2.  
How to Configure Dial-in  
Follow the steps below to configure a serial port dial-in connection.  
1. Configure a serial port modem according to the instructions above.  
2. From the Serial Port section of the main menu, click Dial-in.  
Figure 5-3: Serial Port Dial-in settings screen  
3. Configure the Dial-in settings.  
4. Click Apply for the changes to take effect.  
Configuring LAN-to-LAN Settings  
LAN-to-LAN enables direct communications between two FWG114P v2 wireless firewall/print  
servers.  
[Diagram labels: Serial Connection, Firewall B, Firewall A]  
Figure 5-4: LAN-to-LAN network configuration  
Basic Requirements for LAN-to-LAN Connections  
Serial port LAN-to-LAN configurations require these elements:  
1. An ISDN or analog phone line with an active ISDN or dial-up ISP account.  
2. A serial modem properly configured and attached to the DB9 connector on the serial port.  
3. A broadband connection to one FWG114P v2 for LAN-to-LAN auto-rollover Internet access.  
4. The LAN-to-LAN settings configured and applied to the two FWG114P v2 wireless firewall/  
print servers.  
How to Configure LAN-to-LAN Connections  
Follow these steps to configure a serial port LAN-to-LAN connection.  
1. Configure a serial port modem.  
2. From the main menu, click LAN-to-LAN in the Serial Port section.  
Figure 5-5: LAN-to-LAN configuration menu  
3. Configure the LAN-to-LAN settings.  
Note: The LAN subnet address of each FWG114P v2 must be different.  
4. Click Apply for the changes to take effect.  
Chapter 6  
Firewall Protection and Content Filtering  
This chapter describes how to use the content filtering features of the ProSafe Wireless 802.11g  
Firewall/Print Server Model FWG114P v2 to protect your network. These features can be found by  
clicking on the Content Filtering heading in the Main Menu of the browser interface.  
Firewall Protection and Content Filtering Overview  
The ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2 provides you with Web  
content filtering options, plus browsing activity reporting and instant alerts via e-mail. Parents and  
network administrators can establish restricted access policies based on time-of-day, Web  
addresses, and Web address keywords. You can also block Internet access by applications and  
services, such as chat or games.  
A firewall is a special category of router that protects one network (the “trusted” network, such as  
your LAN) from another (the “untrusted” network, such as the Internet), while allowing  
communication between the two. A firewall incorporates the functions of a NAT (Network  
Address Translation) router, while adding features for dealing with a hacker intrusion or attack,  
and for controlling the types of traffic that can flow between the two networks. Unlike simple  
Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect  
your network from attacks and intrusions. NAT performs a very limited stateful inspection in that  
it considers whether the incoming packet is in response to an outgoing request, but true Stateful  
Packet Inspection goes far beyond NAT.  
To configure these features of your router, click on the subheadings under the Content Filtering  
heading in the Main Menu of the browser interface. The subheadings are described below:  
Using the Block Sites Menu to Screen Content  
The FWG114P v2 allows you to restrict access based on the following categories:  
Use of a proxy server  
Type of file (Java, ActiveX, Cookie)  
Web addresses  
Web address keywords  
These options are discussed below.  
The Keyword Blocking menu is shown here.  
Figure 6-1: Block Sites menu  
To enable filtering, click the checkbox next to the type of filtering you want to enable. The filtering  
choices are:  
Proxy: blocks use of a proxy server  
Java: blocks use of Java applets  
ActiveX: blocks use of ActiveX components (OCX files) used by IE on Windows  
Cookies: blocks all cookies  
To enable keyword blocking, check “Turn keyword blocking on”, then click Apply.  
To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply.  
To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.  
Keyword application examples:  
If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked,  
as is the newsgroup alt.pictures.XXX.  
If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or  
.gov) can be viewed.  
If you want to block all Internet browsing access, enter the keyword “.”.  
Up to 255 entries are supported in the Keyword list.  
To specify a Trusted User, enter that computer’s IP address in the Trusted User box and click  
Apply. You may specify one Trusted User, which is a computer that will be exempt from blocking  
and logging. Since the Trusted User will be identified by an IP address, you should configure that  
computer with a fixed or reserved IP address.  
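
The keyword examples and the Trusted User exemption above, modeled as an added example (this is not NETGEAR firmware code). It assumes case-insensitive substring matching against host name plus path; the `audit` helper and the sample URLs are constructed to show which wanted sites a keyword list would block as a side effect.

```python
"""Model of the Block Sites keyword check (constructed example, not firmware code)."""
from urllib.parse import urlsplit

MAX_KEYWORDS = 255  # list size limit stated in the manual


class KeywordFilter:
    def __init__(self, keywords, trusted_ip=None):
        if len(keywords) > MAX_KEYWORDS:
            raise ValueError("the Keyword list supports up to 255 entries")
        # Assumption: matching ignores case, since keyword "XXX" blocks xxx.html.
        self.keywords = [k.lower() for k in keywords if k]
        self.trusted_ip = trusted_ip

    def check(self, client_ip, url):
        """Return (blocked, matched_keyword, logged) for one request."""
        if self.trusted_ip is not None and client_ip == self.trusted_ip:
            return False, None, False  # Trusted User: no blocking, no logging
        parts = urlsplit(url)
        # Assumption: the keyword is searched in host name plus path.
        target = (parts.netloc + parts.path).lower()
        for keyword in self.keywords:
            if keyword in target:
                return True, keyword, True
        return False, None, False


def audit(keywords, must_allow, client_ip="192.168.0.50"):
    """List URLs the admin wants reachable that a keyword would block anyway."""
    flt = KeywordFilter(keywords)
    collateral = {}
    for url in must_allow:
        blocked, keyword, _ = flt.check(client_ip, url)
        if blocked:
            collateral[url] = keyword
    return collateral


# Constructed sample URLs for the audit.
MUST_ALLOW = [
    "http://www.example.edu/admissions.html",
    "http://intranet.example.gov/forms/",
    "http://www.example.org/volume-xxxi.html",
    "http://www.example.com/support/",
]

if __name__ == "__main__":
    # Two of the four wanted URLs are caught by the keyword list.
    print(audit(["XXX", ".com"], MUST_ALLOW))
```

Because the Trusted User is exempt from logging as well as blocking, requests from that IP address leave no trace in the router log.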
Services and Rules Regulate Inbound and Outbound Traffic  
The ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P v2 firewall lets you  
regulate what ports are available to the various TCP/IP protocols. Follow these two steps to  
configure inbound or outbound traffic:  
1. Define a Service  
2. Set up an Inbound or Outbound Rule that uses the Service  
These steps are discussed below.  
Defining a Service  
Services are functions performed by server computers at the request of client computers. For  
example, Web servers serve Web pages, time servers serve time and date information, and game  
hosts serve data about other players’ moves. When a computer on the Internet sends a request for  
service to a server computer, the requested service is identified by a service or port number. This  
number appears as the destination port number in the transmitted IP packets. For example, a packet  
that is sent with destination port number 80 is an HTTP (Web server) request.  
The service numbers for many common protocols are defined by the Internet Engineering Task  
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other  
applications are typically chosen from the range 1024 to 65535 by the authors of the application.  
Although the FWG114P v2 already holds a list of many service port numbers, you are not limited  
to these choices. Use the Services menu to add additional services and applications to the list for  
use in defining firewall rules. The Services menu shows a list of services that you have defined.  
To define a new service, first you must determine which port number or range of numbers is used  
by the application. This information can usually be determined by contacting the publisher of the  
application or from user groups or newsgroups. When you have the port number information, go  
to the Services menu and click on the Add Custom Service button. The Add Services menu will  
appear.  
To add a service:  
1. Enter a descriptive name for the service so that you will remember what it is.  
2. Select whether the service uses TCP or UDP as its transport protocol.  
If you can’t determine which is used, select both.  
3. Enter the lowest port number used by the service.  
4. Enter the highest port number used by the service.  
If the service only uses a single port number, enter the same number in both fields.  
5. Click Apply.  
The new service will now appear in the Services menu, and in the Service name selection box in  
the Rules menu.  
Using Inbound/Outbound Rules to Block or Allow Services  
Firewall rules are used to block or allow specific traffic passing through from one side of the  
wireless firewall/print server to the other. Inbound rules (WAN to LAN) restrict access by  
outsiders to private resources, selectively allowing only specific outside users to access specific  
resources. Outbound rules (LAN to WAN) determine what outside resources local users can have  
access to.  
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of  
the FWG114P v2 are:  
Inbound: Block all access from outside except responses to requests from the LAN side.  
Outbound: Allow all access from the LAN side to the outside.  
These default rules are shown in the Rules table of the Rules menu in Figure 6-2:  
Figure 6-2: Rules menu  
You can define additional rules that will specify exceptions to the default rules. By adding custom  
rules, you can block or allow access based on the service or application, source or destination IP  
addresses, and time of day. You can also choose to log traffic that matches or does not match the  
rule you have defined.  
To create a new rule, click the Add button.  
To edit an existing rule, select its button on the left side of the table and click Edit.  
To delete an existing rule, select its button on the left side of the table and click Delete.  
To move an existing rule to a different position in the table, select its button on the left side of the  
table and click Move. At the script prompt, enter the number of the desired new position and click  
OK.  
An example of the menu for defining or editing a rule is shown in Figure 6-3. The parameters are:  
Service. From this list, select the application or service to be allowed or blocked. The list  
already displays many common services, but you are not limited to these choices. Use the  
Services menu to add any additional services or applications that do not already appear.  
Action. Choose how you would like this type of traffic to be handled. You can block or allow  
always, or you can choose to block or allow according to the schedule you have defined in the  
Schedule menu.  
Source Address. Specify traffic originating on the LAN (outbound) or the WAN (inbound),  
and choose whether you would like the traffic to be restricted by source IP address. You can  
select Any, a Single address, or a Range. If you select a range of addresses, enter the range in  
the start and finish boxes. If you select a single address, enter it in the start box.  
Destination Address. The Destination Address will be assumed to be from the opposite (LAN  
or WAN) of the Source Address. As with the Source Address, you can select Any, a Single  
address, or a Range unless NAT is enabled and the destination is the LAN. In that case, you  
must enter a Single LAN address in the start box.  
Log. You can select whether the traffic will be logged. The choices are:  
Never - no log entries will be made for this service.  
Match - traffic of this type which matches the parameters and action will be logged.  
Examples of Using Services and Rules to Regulate Traffic  
The following examples show how to combine Services and Rules to block or allow specific  
Internet traffic through your wireless firewall/print server.  
Inbound Rules (Port Forwarding)  
Because the FWG114P v2 uses Network Address Translation (NAT), your network presents only  
one IP address to the Internet, and outside users cannot directly address any of your local  
computers. However, by defining an inbound rule, also known as port forwarding, you can make a  
local server (for example, a Web server or game server) visible and available to the Internet. The  
rule tells the router to direct inbound traffic for a particular service to one local server based on the  
destination port number.  
Note: Some home broadband accounts do not allow you to run any server processes  
(such as a Web or FTP server). Your ISP may check for servers and suspend your  
account if it discovers active servers at your location. If you are unsure, refer to the  
Acceptable Use Policy of your ISP.  
Follow these guidelines when setting up port forwarding inbound rules:  
If your external IP address is assigned dynamically by your ISP, the IP address may change  
periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the  
Advanced menus so that external users can always find your network.  
If the IP address of the local server computer is assigned by DHCP, it may change when the  
computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu  
to keep the computer’s IP address constant.  
Local computers must access the local server using the local LAN address of the computer.  
Attempts by local computers to access the server using the external WAN IP address will fail.  
Remember that allowing inbound services opens holes in your FWG114P v2 Wireless Firewall/  
Print Server. Only enable those ports that are necessary for your network. Following are two  
application examples of inbound rules:  
Example: Port Forwarding to a Local Public Web Server  
If you host a public Web server on your local network, you can define a rule to allow inbound Web  
(HTTP) requests from any outside IP address to the IP address of your Web server any time of day.  
Figure 6-3: Rule example: A Local Public Web Server  
This rule is shown in Figure 6-3.  
Example: Port Forwarding for Videoconferencing  
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside  
IP addresses, such as from a branch office, you can create an inbound rule. In the example shown  
in Figure 6-4, CU-SeeMe is a predefined service and its connections are allowed only from a  
specified range of external IP addresses. In this case, we have also specified logging of any  
incoming CU-SeeMe requests that do not match the allowed parameters.  
Figure 6-4: Rule example: Videoconference from Restricted Addresses  
Example: Port Forwarding for VPN Tunnels when NAT is Off  
If you want to allow incoming VPN IPSec tunnels to be initiated from outside IP addresses  
anywhere on the Internet when NAT is off, first create a service and then an inbound rule.  
Figure 6-5: Service example: port forwarding for VPN when NAT is Off  
In the example shown in Figure 6-5, UDP port 500 connections are defined as the IPSec service.  
Figure 6-6: Inbound rule example: VPN IPSec when NAT is off  
In the example shown in Figure 6-6, VPN IPSec connections are allowed for any internal LAN IP  
address.  
Outbound Rules (Service Blocking or Port Filtering)  
The FWG114P v2 allows you to block the use of certain Internet services by computers on your  
network. This is called service blocking or port filtering. You can define an outbound rule to block  
Internet access from a local computer based on:  
IP address of the local computer (source address)  
IP address of the Internet site being contacted (destination address)  
Time of day  
Type of service being requested (service port number)  
Outbound Rule Example: Blocking Instant Messaging  
If you want to block Instant Messenger usage by employees during working hours, you can create  
an outbound rule to block that application from any internal IP address to any external address  
according to the schedule that you have created in the Schedule menu. You can also have the router  
log any attempt to use Instant Messenger during that blocked period.  
Figure 6-7: Rule example: Blocking Instant Messenger  
Other Rules Considerations  
The order of precedence of rules is determined by the position of the rule on a list of many rules.  
Also, there are optional Rules settings you can configure. These topics are presented here.  
Order of Precedence for Rules  
As you define new rules, they are added to the tables in the Rules menu. For any traffic attempting  
to pass through the firewall, the packet information is subjected to the rules in the order of the  
entries in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In  
some cases, the order of precedence of two or more rules may be important in determining the  
disposition of a packet. The Move button allows you to relocate a defined rule to a new position in  
the table.  
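
The top-down evaluation described above, as an added example (not NETGEAR firmware code). It models services, address ranges, the two default rules and the Move button. The sample service port, the addresses and the choice to skip a by-schedule rule outside its scheduled period are assumptions made for illustration.

```python
"""First-match model of the Rules table (constructed example, not firmware code)."""
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address

# Default rules stated in the manual: inbound blocked, outbound allowed.
DEFAULTS = {"inbound": "BLOCK", "outbound": "ALLOW"}


@dataclass(frozen=True)
class Service:
    name: str
    protocols: frozenset  # subset of {"TCP", "UDP"}
    low: int              # lowest port used by the service
    high: int             # highest port (same as low for a single port)

    def matches(self, proto, dport):
        return proto in self.protocols and self.low <= dport <= self.high


@dataclass(frozen=True)
class Schedule:
    days: frozenset       # weekday numbers, Monday = 0
    start: time           # 24-hour format, as the Schedule menu expects
    end: time

    def active(self, when):
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    service: Service
    action: str                # "ALLOW" or "BLOCK"
    src: tuple = None          # None = Any, (a, a) = Single, (a, b) = Range
    dst: tuple = None
    by_schedule: bool = False  # False = "always"
    log: str = "Never"         # "Never" or "Match"


def _in_range(addr, bounds):
    if bounds is None:
        return True
    lo, hi = (ip_address(b) for b in bounds)
    return lo <= ip_address(addr) <= hi


def evaluate(table, direction, proto, src, dst, dport, when, schedule=None):
    """Walk the table top-down; return (action, position, logged)."""
    for pos, rule in enumerate(table, start=1):
        if not rule.service.matches(proto, dport):
            continue
        if not (_in_range(src, rule.src) and _in_range(dst, rule.dst)):
            continue
        # Assumption: a by-schedule rule is skipped outside the scheduled period.
        if rule.by_schedule and not (schedule and schedule.active(when)):
            continue
        return rule.action, pos, rule.log == "Match"
    return DEFAULTS[direction], "default", False


def move(table, old_pos, new_pos):
    """Mimic the Move button: positions are 1-based, as shown in the menu."""
    table = list(table)
    table.insert(new_pos - 1, table.pop(old_pos - 1))
    return table


# Constructed sample data (service port and addresses are illustrative).
IM = Service("IM-example", frozenset({"TCP"}), 5190, 5190)
HTTP = Service("HTTP", frozenset({"TCP"}), 80, 80)
WORK_HOURS = Schedule(frozenset(range(5)), time(9, 0), time(17, 0))

OUTBOUND = [
    Rule(IM, "BLOCK", by_schedule=True, log="Match"),         # everyone, work hours
    Rule(IM, "ALLOW", src=("192.168.0.10", "192.168.0.10")),  # one exempt PC
]
INBOUND = [Rule(HTTP, "ALLOW", dst=("192.168.0.99", "192.168.0.99"))]

if __name__ == "__main__":
    monday_1030 = datetime(2005, 5, 2, 10, 30)
    args = ("outbound", "TCP", "192.168.0.10", "203.0.113.7", 5190, monday_1030)
    print(evaluate(OUTBOUND, *args, schedule=WORK_HOURS))              # exemption shadowed
    print(evaluate(move(OUTBOUND, 2, 1), *args, schedule=WORK_HOURS))  # exemption wins
```

With the broad block rule first, the exemption below it never takes effect during working hours. Moving the narrower rule to position 1 changes the outcome for that one address only.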
Rules Menu Options  
Use the Options checkboxes to enable the following:  
Enable VPN Passthrough (IPSec, PPTP, L2TP)  
If LAN users need to use VPN (Virtual Private Networking) software on their computer, and  
connect to remote sites or servers, enable this checkbox. This will allow the VPN protocols  
(IPSec, PPTP, L2TP) to be used. If this checkbox is not checked, these protocols are blocked.  
Drop fragmented IP packets  
If checked, all fragmented IP packets will be dropped (discarded). Normally, this should NOT  
be checked.  
Block TCP flood  
If checked, when a TCP flood attack is detected, the port used will be closed, and no traffic  
will be able to use that port.  
Block UDP flood  
If checked, when a UDP flood attack is detected, all traffic from that IP address will be  
blocked.  
Block non-standard packets  
If checked, only known packet types will be accepted; other packets will be blocked. The  
known packet types are TCP, UDP, ICMP, ESP, and GRE. Note that these are packet types, not  
protocols.  
Using a Schedule to Block or Allow Content or Traffic  
If you enabled content filtering in the Block Sites menu, or if you defined an outbound rule to use  
a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The  
router allows you to specify when blocking will be enforced by configuring the Schedule tab  
shown below.  
Figure 6-8: Schedule menu  
To block keywords or Internet domains based on a schedule, select Every Day or select one or  
more days. If you want to limit access completely for the selected days, select All Day. Otherwise,  
if you want to limit access during certain times for the selected days, type a Start Time and an End  
Time.  
Note: Enter the values in 24-hour time format. For example, 10:30 am would be 10 hours and 30  
minutes and 10:30 pm would be 22 hours and 30 minutes.  
Be sure to click Apply when you have finished configuring this menu.  
Setting the Time Zone  
The FWG114P v2 Wireless Firewall/Print Server uses the Network Time Protocol (NTP) to obtain  
the current time and date from one of several Network Time Servers on the Internet. In order to  
localize the time for your log entries, you must specify your Time Zone:  
Time Zone. Select your local time zone. This setting will be used for the blocking schedule  
and for time-stamping log entries.  
Daylight Savings Time. Select this check box for daylight savings time.  
Note: If your region uses Daylight Savings Time, you must manually select Adjust for  
Daylight Savings Time on the first day of Daylight Savings Time, and unselect it at the end.  
Enabling Daylight Savings Time will add one hour to the standard time.  
Be sure to click Apply when you have finished configuring this menu.  
Getting E-Mail Notifications of Event Logs and Alerts  
In order to receive logs and alerts by e-mail, you must provide your e-mail information in the  
E-Mail subheading:  
Figure 6-9: E-mail menu  
Turn e-mail notification on. Select this check box if you want to receive e-mail logs and  
alerts from the router.  
Send alerts and logs by e-mail. If you enable e-mail notification, these boxes cannot be  
blank. Enter the name or IP address of your ISP’s outgoing (SMTP) mail server (such as  
mail.myISP.com). You may be able to find this information in the configuration menu of your  
e-mail program. Enter the e-mail address to which logs and alerts will be sent. This e-mail  
address will also be used as the From address. If you leave this box blank, log and alert  
messages will not be sent via e-mail. Check “My Mail Server requires authentication” if you  
need to log in to your SMTP server in order to send e-mail. If this is checked, you must enter  
the login name and password for your mail server.  
Tip: You used this information when you set up your e-mail program. If you cannot remember  
it, check the settings in your e-mail program.  
Send E-mail alerts immediately. You can specify that logs are immediately sent to the  
specified e-mail address when any of the following events occur:  
If a Denial of Service attack is detected.  
If a Port Scan is detected.  
If a user on your LAN attempts to access a website that you blocked using Keyword  
blocking.  
Send logs according to this schedule. You can specify that logs are sent to you according to a  
schedule. Select whether you would like to receive the logs Hourly, Daily, Weekly, When Full,  
or None for no logs. Depending on your selection, you may also need to specify:  
Day for sending log  
Relevant when the log is sent weekly or daily.  
Time for sending log  
Relevant when the log is sent daily or weekly.  
If the Weekly, Daily or Hourly option is selected and the log fills up before the specified  
period, the log is automatically e-mailed to the specified e-mail address. After the log is sent,  
the log is cleared from the router’s memory. If the router cannot e-mail the log file, the log  
buffer may fill up. In this case, the router overwrites the log and discards its contents.  
Be sure to click Apply when you have finished configuring this menu.  
Viewing Logs of Web Access or Attempted Web Access  
The router will log security-related events, such as denied incoming and outgoing service requests,  
hacker probes, and administrator logins. If you enable content filtering in the Block Sites menu,  
the Log page will also show you when someone on your network tries to access a blocked site. If  
you enabled e-mail notification, you will receive these logs in an e-mail message. If you do not  
have e-mail notification enabled, you can view the logs here.  
Figure 6-10: Logs menu  
See Appendix D, “Firewall Log Formats” for a full explanation of log entry formats.  
Log action buttons are described in Table 6-1.  
Table 6-1. Log action buttons

| Field | Description |
|---|---|
| Refresh | Refreshes the log screen. |
| Clear Log | Clears the log entries. |
| Send Log | E-mails the log immediately. |

What to Include in the Event Log  
Use these checkboxes to determine which events are included in the log. Checking all options will  
increase the size of the log, so it is good practice to disable any events which are not really  
required.  
All Websites and news groups visited - If checked, all visited websites and newsgroups are  
logged.  
All Incoming TCP/UDP/ICMP traffic - If checked, all incoming TCP/UDP/ICMP connections  
and traffic are logged.  
All Outgoing TCP/UDP/ICMP traffic - If checked, all outgoing TCP/UDP/ICMP connections  
and traffic are logged.  
Other IP traffic - If checked, all other traffic (IP packets which are not TCP, UDP, or ICMP) is  
logged.  
Router operation (start up, get time, etc.) - If checked, Router operations, such as starting up  
and getting the time from the Internet Time Server, are logged.  
Connection to the Web-based interface of this Router - If checked, Administrator connections  
to the Web-based interface will be logged.  
Other connections and traffic to this Router - If checked, this will log traffic sent to this Router  
(rather than through this Router to the Internet).  
Allow duplicate log entries - If checked, then events or packets which fall within more than  
one (1) category above will have a log entry for each category in which they belong. This will  
generate a large number of log entries. If unchecked, then events or packets will only be  
logged once. Usually, this should be left unchecked.  
Logging programs are available for Windows, Macintosh, and Linux computers.  
Enable one of these three options, as required:  
Disable - select this if you do not have a Syslog server.  
Broadcast on LAN - the Syslog data is broadcast, rather than sent to a specific Syslog server.  
Use this if your Syslog Server does not have a fixed IP address.  
Send to this Syslog server IP address - If your Syslog server has a fixed IP address, select this  
option, and enter the IP address of your Syslog server.  
Chapter 7  
Print Server  
This chapter describes how to install and configure the print server in your ProSafe Wireless  
802.11g Firewall/Print Server Model FWG114P v2.  
Printing Options  
The FWG114P v2 supports these methods for printing:  
For Windows XP and 2000 Only: TCP/IP Line Printer Remote (LPR) Printing  
— No software needs to be installed  
— Windows XP or 2000 users can print directly to the firewall. Print jobs are spooled  
(queued) on each computer. The computer sends the print job directly to the LAN IP  
address of the FWG114P v2.  
For Windows 95/98/Me, NT4.0, 2000, and XP: Netgear Printer Port Driver  
— Install the Netgear Printer Port Driver on each computer.  
— After installing the Print Port Driver from the Resource CD for the ProSafe Wireless  
802.11g Firewall/Print Server Model FWG114P (SW-10023-03) Windows users can print  
directly to the firewall. Print jobs are spooled (queued) on each computer.  
For Macintosh computers: LPR printing  
— No software needs to be installed  
— LPR printing can be set up on any Macintosh that has Desktop Printing installed or  
available. Desktop Printing is supported on MacOS versions beginning from 8.1.  
LaserWriter8 version 8.5.1 or higher is also required.  
For Windows NT 4.0 Server or 2000 Server: LPD/LPR Printing  
— No software needs to be installed  
— If using Windows NT 4.0 Server or Windows 2000 Server, LPD/LPR printing can be used.  
No software needs to be installed on either the Windows Server or each client computer.  
Print jobs will be spooled (queued) on the Windows Server, and can be managed using the  
standard Windows Server tools.  
For Windows XP and 2000, Use TCP/IP LPR Printing  
Follow these instructions to set up TCP/IP printing on your Windows XP and 2000 PCs.  
Install the FWG114P v2, connect your printer to the USB port on the FWG114P v2, and run the Windows Add Printer Wizard.  
a. Follow the instructions in the printed Installation Guide or this manual to install your FWG114P v2. Connect your printer to the USB port on the back of the FWG114P v2.  
b. From the Windows Start menu of a computer connected to the FWG114P v2, click Printers and Faxes.  
c. Click Add a printer. Click Next to proceed.  
[Screenshot: Add Printer Wizard]  
d. Be sure to choose the Local printer attached to this computer option. Click Next to proceed.  
[Screenshot: Local or Network Printer screen]  
e. On the Select a Printer Port screen, be sure to choose the Create a new port: option. From the Type of port: drop-down list, be sure to select Standard TCP/IP Port. Click Next to proceed.  
[Screenshot: Select a Printer Port screen]  
This will start the Add Standard TCP/IP Printer Port Wizard.  
Complete the Add Standard TCP/IP Printer Port Wizard.  
a. Click Next to proceed with the Add Standard TCP/IP Printer Port Wizard. The Add Port screen will display.  
[Figure: Add Standard TCP/IP Printer Port Wizard]  
b. From the Add Port screen, enter 192.168.0.1, the FWG114P v2 default LAN IP address, in the IP Address field.  
Note: If you changed the default LAN IP Address of the FWG114P v2, be sure to use the address you assigned here. The Port Name is automatically filled in.  
Click Next to proceed.  
[Figure: Add Port Screen]  
c. In the Device Type section of the Additional Port Information Required screen, select Custom.  
[Figure: Additional Port Information Required]  
d. In the Custom selection, click Settings.  
e. The Port Settings tab page opens. In the Protocol section, select the LPR radio button, and enter FWG114P as the Queue Name in the LPR Settings section. Click OK to close this tab page. Click Next to proceed.  
The Add Printer Wizard will now prompt you to install the software for the printer you attached to the FWG114P v2.  
[Figure: Additional Port Information Required]  
Identify the printer connected to the FWG114P v2 USB printer port.  
a. From the Install Printer Software screen selection lists, find the manufacturer and model of the printer you connected to the USB port on the FWG114P v2. Click Next to proceed.  
[Figure: Add Printer Wizard Install Printer Software page]  
If the printer software is already installed on this computer, the Add Printer Wizard will inform you and let you keep the existing driver.  
If you do not see your make and model of printer in the lists, and you are connected to the Internet, you can click the Windows Update button to download additional printer software from the Microsoft Web site, or you can click the Have Disk button to install the printer software from a disk you have.  
b. The Name Your Printer screen prompts for a descriptive name and asks whether you want this printer to be the default. Enter your choices. Click Next to proceed.  
c. On the Printer Sharing screen, accept the “Do not share this printer” option and click Next to proceed.  
Print a test page to verify successful printing on your network.  
a. Upon completion of the Add Printer Wizard, you will be prompted to print a test page.  
b. Check the printer attached to the FWG114P v2 to see that the test page printed successfully.  
If you are unable to print a test page, see “Troubleshooting the Print Server” on page -12.  
Note: If two long files are sent to the printer at once, Windows will pop up a print failure  
error message. This message can be ignored. The file will print once the printer finishes  
printing the first file.  
For Windows 95/98/Me, Use the Netgear Printer Port Driver  
Follow these instructions to set up the Netgear Printer Port Driver on Windows 9x PCs.  
Warning: If you are installing the Netgear printer port driver on a Windows computer where an Epson printer had been installed, you must disable the Epson Spool Manager. Failure to disable Epson Spool Manager software will prevent the Netgear printer port driver from operating.  
To disable the Epson Spool Manager, run the Epson Spool Manager, select Queue Setup from the menu, click Use Print Manager for this port, and click OK to exit.  
Install the Netgear Printer Port Driver and configuration utility software.  
a. Follow the instructions in the printed Installation Guide or this manual to install your FWG114P v2.  
b. Connect your printer to the USB port on the back of the FWG114P v2.  
c. Insert the Resource CD for the FWG114P v2 into the CD-ROM drive of a computer connected to the FWG114P v2. The CD main page will load.  
[Figure: FWG114P v2 Resource CD]  
d. Click the Print Server button. Follow the instructions for running the setup utility.  
e. Click Next to proceed through the Netgear Printer Port Installation Wizard steps.  
Note: Windows 2000 or XP may require you to be logged on with administrator rights.  
[Figure: Netgear Printer Port Installation Wizard]  
Set up the Netgear printer port driver.  
a. Click Finish when the Installation Wizard is done.  
[Figure: Netgear Printer Port Installation Wizard]  
The Printer Port Setup utility displays, and queries the network to locate the print server in the FWG114P v2.  
Note: Under Windows 95, you may receive an error message stating that SETUPAPI.DLL was not found. In this case, you should upgrade your Internet Explorer to version 5 or later.  
After a short delay, the Printer Port Setup utility will display the port it finds in the FWG114P v2 print server.  
b. Click Add to add this printer port to your computer. The Printer Port Setup utility will report that Port FWG114P_P1 has been added to the computer.  
c. Click Exit to exit the Printer Port Setup utility. The Windows Add Printer Wizard automatically runs.  
[Figure: Netgear Printer Port Setup Utility]  
Identify the printer connected to the FWG114P v2 USB printer port.  
a. From the Add Printer Wizard screen selection lists, find the manufacturer and model of the printer you connected to the USB port on the FWG114P v2. Click Next to proceed.  
[Figure: Windows Add Printer Wizard]  
If the printer software is already installed on this PC, the Add Printer Wizard will inform you and let you keep the existing driver.  
If you do not see your make and model of printer in the lists, and you are connected to the Internet, you can click the Windows Update button to download additional printer software from the Microsoft Web site, or you can click the Have Disk button to install the printer software from a disk you have.  
b. Be sure to select the FWG114P_P1 port in the Add Printer Wizard. Click Next.  
c. The Name Your Printer screen prompts for a descriptive name and asks whether you want this printer to be the default. Enter your choices. If prompted about Sharing, do not enable Sharing. Click Next to proceed and finish the Add Printer Wizard steps.  
[Figure: Windows Add Printer Wizard]  
Print a test page to verify successful printing on your network.  
a. Upon completion of the Add Printer Wizard, print a test page.  
From the Windows Start menu, select Setup > Printers.  
Highlight the printer you just added.  
Right-click and then select Properties.  
The printer properties dialog box opens to the General tab page.  
On the General tab page, click Print Test Page.  
b. Check the printer attached to the FWG114P v2 to see that the test page printed  
successfully.  
If you are unable to print a test page, see “Troubleshooting the Print Server” on page -12.  
Printing from the Macintosh  
Macintosh computers can connect to a TCP/IP network printer using the Line Printer Remote  
(LPR) protocol. LPR printing can be set up on any Macintosh that has Desktop Printing installed  
or available. Desktop Printing is supported on MacOS versions beginning from 8.1. LaserWriter8  
version 8.5.1 or higher is also required.  
To configure the Macintosh to use the print server, follow these steps:  
1. From the Apple Extras folder, under Apple LaserWriter Software, launch the Desktop Printing  
Utility. A new window titled New Desktop Printer appears.  
2. Select LaserWriter 8 in the “With” drop-down menu.  
3. Select Printer (LPR) and click OK. A new window called Untitled 1 will open.  
4. If the PostScript Printer Description does not match your printer, click Change... and select  
your actual printer.  
If your printer model does not appear, click the Generic button.  
5. Click OK to return to the Untitled 1 window.  
6. In the LPR Printer Selection box, click Change...  
7. In the Printer Address field, type the name or IP address of the FWG114P v2 Wireless  
Firewall/Print Server.  
The IP address will usually be 192.168.0.1.  
You can leave the Queue Name blank.  
Click Verify to make sure your computer can see the printer.  
You should see the IP address displayed above the button. If no IP Address appears, check that  
you have correctly typed the queue name or IP Address.  
Click OK to return to the Untitled 1 window.  
8. At the bottom of the Untitled 1 dialog box, click Create....  
When prompted, rename the printer with a descriptive name and click Save.  
A printer icon should now appear on your desktop.  
9. Quit the Desktop Printer Utility.  
Windows Printer Port Management  
Print jobs can be managed from Windows. Open the Printers folder (Start -> Settings ->  
Printers) and double-click any printer to see the current print jobs.  
To delete a port created by this setup program, use the Windows Delete Port facility:  
a. Right-click any printer in the Printers folder, and select Properties.  
b. Highlight the port you want to delete.  
c. Use the Delete Port button to delete the port. This button is on either the Details or Ports  
tab, depending on your version of Windows.  
If you change the printer attached to the FWG114P v2, run the Add Port program again and  
select the new printer.  
The options for the Print Port Driver are accessed via the Windows Port Settings button.  
Use Start -> Settings -> Printers to open the Printers folder, then right-click the Printer and select  
Properties. The Port Settings button is on either the Details or Port tab, depending on your version  
of Windows. An example screen is shown below:  
Figure 7-1: Print Port Configuration menu  
Items shown on this screen are as follows:  
Port  
If desired, click Browse Device to select a different device. The Select Device Port button  
supports multi-port models, but the FWG114P v2 Wireless Firewall/Print Server is a  
single-port print server. The Port Name is shown in the Printer's Properties.  
Banner  
Check this option to print a banner page before each print job. The User Name you enter will  
be printed on the banner page. If using a PostScript Printer, check the PostScript box.  
Retry Interval  
Determines how often Windows will poll the print server to establish a connection when the  
printer is busy.  
Troubleshooting the Print Server  
Note: When the TCP/IP LPR configuration is used, if two long files are sent to the  
printer at once, Windows will pop up a print failure error message. This message can be  
ignored. The file will print once the printer finishes printing the first file. This does not  
happen when the Netgear Printer Port driver is used.  
Question: When I tried to install the Printer Driver for Peer-to-Peer printing, I received an error  
message and the installation was aborted.  
Answer: This may be caused by an existing installation of the printer port software. Before  
attempting another installation, remove the existing installation and restart your PC.  
To remove an existing printer port installation:  
a. Open Start -> Settings -> Control Panel -> Add/Remove Programs.  
b. Look for an entry with a name like “NETGEAR ProSafe Firewall Router”, “NETGEAR  
Print Server”, "Print Server Driver" or "Print Server Port".  
c. Select this item, click Add/Remove, and confirm the deletion.  
Question: I am using Windows 95. The Printer Driver installed and ran, but when I selected a port  
and clicked Add, the printer was not installed.  
Answer: Try installing the printer using the standard Windows tools, as follows:  
a. From Start -> Settings, open the Printers folder, and start the Add Printer Wizard.  
b. When prompted, select Network Printer and click Next.  
c. For Network Path or Queue, enter a dummy value, such as \\123, as shown below.  
Select NO for “Do you print from MS-DOS-based programs?”.  
d. Click Next.  
Figure 7-2: Windows Add Printer Wizard  
e. The printer wizard will display a message stating that "The Network Printer is off-line".  
This is OK. Continue the Add Printer Wizard until finished.  
f. When finished, go to Start -> Settings -> Printers. The new printer icon will be grayed out  
indicating the printer is not ready.  
g. Right-click the new printer and select Properties. Then select the Details tab, as shown  
below.  
Figure 7-3: Windows Printer Properties  
h. Click the Add Port button. On the resulting screen, select Other, then select the  
NETGEAR Print Server Port as the port to add.  
i. Click OK to see the Print Port Configuration screen.  
j. Click the Browse Device button, select the firewall, and click OK.  
k. Click OK to return to the Printers folders, and right-click on the new printer. Make sure  
that the Work Offline option is NOT checked.  
l. From the printer Properties page, General tab, print a test page to confirm that the settings  
work.  
m. The new printer icon should no longer be grayed out, and the printer is ready for use.  
Chapter 8  
Virtual Private Networking  
This chapter describes how to use the virtual private networking (VPN) features of the FWG114P  
v2 Wireless Firewall/Print Server. VPN tunnels provide secure, encrypted communications  
between your local network and a remote network or computer. The FWG114P v2 supports 2 VPN  
tunnels.  
Overview of FWG114P v2 Policy-Based VPN Configuration  
The FWG114P v2 uses state-of-the-art firewall and security technology to facilitate controlled and  
actively monitored VPN connectivity. Since the FWG114P v2 strictly conforms to IETF standards,  
it is interoperable with devices from major network equipment vendors.  
[Figure: network diagram; legible labels: “Telecommuter with client software” and “VPN tunnels encrypt data”]  
Figure 8-1: Secure access through FWG114P v2 VPN routers  
Using Policies to Manage VPN Traffic  
You create policy definitions to manage VPN traffic on the FWG114P v2. There are two kinds of  
policies:  
• IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an IKE policy which uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.  
• VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you can create a VPN policy which does not use an IKE policy but in which you manually enter all the authentication and key parameters.  
Since the VPN policies use the IKE policies, you define the IKE policy first. The FWG114P v2  
also allows you to manually input the authentication scheme and encryption key values. In the case  
of manual key management there will not be any IKE policies.  
To establish secure communication over the Internet with the remote site, you need to  
configure matching VPN policies on both the local and remote FWG114P v2 Wireless Firewall/  
Print Servers. The outbound VPN policy on one end must match the inbound VPN policy on  
the other end, and vice versa.  
When the network traffic enters into the FWG114P v2 from the LAN network interface, if there is  
no VPN policy found for a type of network traffic, then that traffic passes through without any  
change. However, if the traffic is selected by a VPN policy, then the IPSec authentication and  
encryption rules will be applied to it as defined in the VPN policy.  
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy  
table.  
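The matching rules above can be expressed as a policy-table evaluator that also reports entries which can never take effect. This is an added example, not NETGEAR code: the addresses and policy names are constructed, and top-down first-match evaluation is an assumption drawn from the statement that a new policy is appended with the least priority.

```python
"""Added example: VPN policy table lookup, mirror check and shadow check.
Not NETGEAR code; addresses and policy names are constructed."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network

ANY = (IPv4Address("0.0.0.0"), IPv4Address("255.255.255.255"))


def parse_selector(spec):
    """Turn 'ANY', a single IP, 'first-last' or a CIDR subnet into (first, last)."""
    spec = spec.strip()
    if spec.upper() == "ANY":
        return ANY
    if "-" in spec:
        first, last = (IPv4Address(part.strip()) for part in spec.split("-", 1))
        if first > last:
            raise ValueError(f"range runs backwards: {spec}")
        return (first, last)
    net = IPv4Network(spec, strict=True)      # a bare address parses as a /32
    return (net.network_address, net.broadcast_address)


@dataclass(frozen=True)
class VPNPolicy:
    name: str
    local: tuple     # (first, last) source addresses on this side's LAN
    remote: tuple    # (first, last) destination addresses behind the peer

    @classmethod
    def build(cls, name, local, remote):
        return cls(name, parse_selector(local), parse_selector(remote))


def _inside(addr, sel):
    return sel[0] <= addr <= sel[1]


def _covers(outer, inner):
    return outer[0] <= inner[0] and inner[1] <= outer[1]


def lookup(table, src, dst):
    """Name of the policy that selects src -> dst, or None when the traffic
    passes through unchanged. ASSUMPTION: the table is read top-down and the
    first match wins (the reading of 'least priority = end of table')."""
    s, d = IPv4Address(src), IPv4Address(dst)
    for policy in table:
        if _inside(s, policy.local) and _inside(d, policy.remote):
            return policy.name
    return None


def shadowed(table):
    """Policies that can never match because an earlier entry covers them."""
    hidden = []
    for i, later in enumerate(table):
        if any(_covers(e.local, later.local) and _covers(e.remote, later.remote)
               for e in table[:i]):
            hidden.append(later.name)
    return hidden


def mirrored(ours, theirs):
    """True when our outbound selectors equal the peer's inbound selectors."""
    return ours.local == theirs.remote and ours.remote == theirs.local


def tunnels_everything(policy):
    """Remote IP = ANY sends all traffic into the tunnel (no direct Internet)."""
    return policy.remote == ANY


# Constructed sample: site A LAN 192.168.0.0/24, site B LAN 192.168.3.0/24.
SITE_A = [
    VPNPolicy.build("to-site-b", "192.168.0.0/24", "192.168.3.0/24"),
    VPNPolicy.build("admin-hosts", "192.168.0.10-192.168.0.20", "192.168.3.5"),
]
SITE_B = [VPNPolicy.build("to-site-a", "192.168.3.0/24", "192.168.0.0/24")]

if __name__ == "__main__":
    print(lookup(SITE_A, "192.168.0.15", "192.168.3.5"))      # selected policy
    print(lookup(SITE_A, "192.168.0.15", "198.51.100.7"))     # no policy
    print(shadowed(SITE_A), mirrored(SITE_A[0], SITE_B[0]))
```

In the sample, the narrower "admin-hosts" entry was appended after the subnet-wide policy, so it is reported as shadowed; placing it first makes it effective.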
Using Automatic Key Management  
The most common configuration scenarios will use IKE policies to automatically manage the  
authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel  
are generated automatically. The IKE protocols perform negotiations between the two VPN  
endpoints to automatically generate required parameters.  
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform  
authentication. Typically, CA authentication is used in large organizations which maintain their  
own internal CA server. This requires that each VPN gateway has a certificate from the CA. Using  
CAs reduces the amount of data entry required on each VPN endpoint.  
IKE Policies’ Automatic Key and Authentication Management  
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button  
of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 8-2.  
Figure 8-2: IKE - Policy Configuration Menu  
The IKE Policy Configuration fields are defined in the following table.  
Table 8-1. IKE Policy Configuration Fields  
Field  
Description  
General  
These settings identify this policy and determine its major characteristics.  
Policy Name  
The descriptive name of the IKE policy. Each policy should have a unique  
policy name. This name is not supplied to the remote VPN endpoint. It is  
only used to help you identify IKE policies.  
Direction/Type  
This setting is used when determining if the IKE policy matches the current  
traffic. The drop-down menu includes the following:  
• Initiator – Outgoing connections are allowed, but incoming are blocked.  
• Responder – Incoming connections are allowed, but outgoing are  
blocked.  
• Both Directions – Both outgoing and incoming connections are allowed.  
• Remote Access – This is to allow only incoming client connections,  
where the IP address of the remote client is unknown.  
If Remote Access is selected, the “Exchange Mode” MUST be  
“Aggressive,” and the ‘Identities’ below (both Local and Remote) MUST  
be “Name.” On the matching VPN Policy, the IP address of the remote  
VPN endpoint should be set to 0.0.0.0.  
Exchange Mode  
Main Mode or Aggressive Mode. This setting must match the setting used  
on the remote VPN endpoint.  
• Main Mode is slower but more secure. Also, the “Identity” below must be  
established by IP address.  
• Aggressive Mode is faster but less secure. The “Identity” below can be by  
name (host name, domain name, e-mail address, and so on) instead of  
by IP address.  
Local  
These parameters apply to the Local FWG114P v2 Wireless Firewall/Print  
Server.  
Local Identity Type  
Use this field to identify the local FWG114P v2. You can choose one of the  
following four options from the drop-down list:  
• By its Internet (WAN) port IP address.  
• By its Fully Qualified Domain Name (FQDN) -- your domain name.  
• By a Fully Qualified User Name -- your name, E-mail address, or  
other ID.  
• By DER ASN.1 DN -- the binary DER encoding of your ASN.1 X.500  
Distinguished Name.  
Local Identity Data  
This field lets you identify the local FWG114P v2 by name.  
Remote  
These parameters apply to the target remote FWG114P v2, VPN gateway,  
or VPN client.  
Remote Identity Type  
Use this field to identify the remote FWG114P v2. You can choose one of  
the following four options from the drop-down list:  
• By its Internet (WAN) port IP address.  
• By its Fully Qualified Domain Name (FQDN) — your domain name.  
• By a Fully Qualified User Name — your name, e-mail address, or  
other ID.  
• By DER ASN.1 DN — the binary DER encoding of your ASN.1 X.500  
Distinguished Name.  
Remote Identity Data  
This field lets you identify the target remote FWG114P v2 by name.  
IKE SA Parameters  
These parameters determine the properties of the IKE Security  
Association.  
Encryption Algorithm  
Choose the encryption algorithm for this IKE policy:  
• DES is the default.  
• 3DES is more secure.  
Authentication Algorithm  
If you enable Authentication Header (AH), this menu lets you select from  
these authentication algorithms:  
• MD5 is the default.  
• SHA-1 is more secure.  
Authentication Method  
You may select Pre-Shared Key or RSA Signature.  
Pre-Shared Key  
Specify the key according to the requirements of the Authentication  
Algorithm you selected.  
• For MD5, the key length should be 16 bytes.  
• For SHA-1, the key length should be 20 bytes.  
RSA Signature  
RSA Signature requires a certificate.  
Diffie-Hellman (D-H) Group  
The DH Group setting determines the bit size used in the key exchange.  
This must match the value used on the remote VPN gateway or client.  
SA Life Time  
The amount of time in seconds before the Security Association expires;  
over an hour (3600) is common.  
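The rules in Table 8-1 can be checked before two endpoints are configured. The following Python is an added example, not NETGEAR code: the `IKEPolicy` field names, identities, key and DH group numbers are constructed, and the requirement that the pre-shared key and the encryption and authentication algorithms agree on both ends is standard IKE behaviour rather than something the table states.

```python
"""Added example: cross-check two IKE policies against the rules in Table 8-1.
Not NETGEAR code; field names, identities and the key are constructed."""
import hmac
from dataclasses import dataclass, replace

PSK_BYTES = {"MD5": 16, "SHA-1": 20}      # key lengths given in the table
NAME_TYPES = {"FQDN", "User FQDN"}        # identities given by name
INITIATES = {"Initiator", "Both Directions"}
RESPONDS = {"Responder", "Both Directions", "Remote Access"}


@dataclass(frozen=True)
class IKEPolicy:
    name: str
    direction: str          # Initiator | Responder | Both Directions | Remote Access
    exchange_mode: str      # Main | Aggressive
    local_id: tuple         # (identity type, identity data)
    remote_id: tuple
    encryption: str         # DES | 3DES
    auth_alg: str           # MD5 | SHA-1
    psk: bytes
    dh_group: int
    remote_endpoint: str    # "Remote VPN Endpoint" of the matching VPN policy


def check_policy(p):
    """Rules one policy must satisfy by itself; returns 'field: reason' strings."""
    out = []
    id_types = {p.local_id[0], p.remote_id[0]}
    if p.direction == "Remote Access":
        if p.exchange_mode != "Aggressive":
            out.append("exchange_mode: Remote Access requires Aggressive Mode")
        if not id_types <= NAME_TYPES:
            out.append("identity: Remote Access requires identities by name")
        if p.remote_endpoint != "0.0.0.0":
            out.append("remote_endpoint: Remote Access expects 0.0.0.0")
    if p.exchange_mode == "Main" and id_types != {"WAN IP"}:
        out.append("identity: Main Mode requires identities by IP address")
    want = PSK_BYTES.get(p.auth_alg)
    if want is None:
        out.append(f"auth_alg: {p.auth_alg!r} is not MD5 or SHA-1")
    elif len(p.psk) != want:
        out.append(f"psk: {len(p.psk)} bytes, {p.auth_alg} expects {want}")
    return out


def check_pair(a, b):
    """Settings that must agree between the two ends of the tunnel."""
    out = []
    for field in ("exchange_mode", "encryption", "auth_alg", "dh_group"):
        if getattr(a, field) != getattr(b, field):
            out.append(f"{field}: {getattr(a, field)} vs {getattr(b, field)}")
    if not hmac.compare_digest(a.psk, b.psk):
        out.append("psk: pre-shared keys differ")
    if a.local_id != b.remote_id or a.remote_id != b.local_id:
        out.append("identity: local/remote identities are not mirrored")
    if not ((a.direction in INITIATES and b.direction in RESPONDS)
            or (b.direction in INITIATES and a.direction in RESPONDS)):
        out.append("direction: neither side can initiate to the other")
    return out


def advisories(p):
    """Choices the table itself describes as the less secure option."""
    out = []
    if p.encryption == "DES":
        out.append("encryption: DES is the default; 3DES is more secure")
    if p.auth_alg == "MD5":
        out.append("auth_alg: MD5 is the default; SHA-1 is more secure")
    if p.exchange_mode == "Aggressive":
        out.append("exchange_mode: Aggressive Mode is faster but less secure")
    return out


def fields(findings):
    """Reduce 'field: reason' strings to the field names."""
    return [f.split(":", 1)[0] for f in findings]


PSK = b"0123456789abcdef"   # constructed 16-byte key, the length given for MD5
GATEWAY = IKEPolicy("road-warriors", "Remote Access", "Aggressive",
                    ("FQDN", "fwg.example.com"), ("FQDN", "client.example.com"),
                    "DES", "MD5", PSK, 2, "0.0.0.0")
CLIENT = replace(GATEWAY, name="to-office", direction="Initiator",
                 local_id=GATEWAY.remote_id, remote_id=GATEWAY.local_id,
                 encryption="3DES", dh_group=1, remote_endpoint="203.0.113.10")

if __name__ == "__main__":
    print("gateway:", check_policy(GATEWAY))
    print("pair:   ", check_pair(GATEWAY, CLIENT))
    print("advice: ", advisories(GATEWAY))
```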
VPN Policy Configuration for Auto Key Negotiation  
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN  
Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.  
Figure 8-3: VPN - Auto Policy Menu  
The VPN Auto Policy fields are defined in the following table.  
Table 8-1. VPN Auto Policy Configuration Fields  
Field  
Description  
General  
These settings identify this policy and determine its major characteristics.  
Policy Name  
The descriptive name of the VPN policy. Each policy should have a unique  
policy name. This name is not supplied to the remote VPN endpoint. It is  
only used to help you identify VPN policies.  
IKE Policy  
The existing IKE policies are presented in a drop-down list.  
Note: Create the IKE policy BEFORE creating a VPN - Auto policy.  
Remote VPN Endpoint  
The address used to locate the remote VPN firewall or client to which you  
wish to connect. The remote VPN endpoint must have this FWG114P v2’s  
Local IP values entered as its “Remote VPN Endpoint.”  
• By its Fully Qualified Domain Name (FQDN) — your domain name.  
• By its IP Address.  
Address Type  
The address type used to locate the remote VPN firewall or client to which  
you wish to connect.  
• By its Fully Qualified Domain Name (FQDN) — your domain name.  
• By its IP Address.  
Address Data  
The address used to locate the remote VPN firewall or client to which you  
wish to connect. The remote VPN endpoint must have this FWG114P v2’s  
Local Identity Data entered as its “Remote VPN Endpoint.”  
• By its Fully Qualified Domain Name (FQDN) — your domain name.  
• By its IP Address.  
SA Life Time  
The duration of the Security Association before it expires.  
• Seconds - the amount of time before the SA expires. Over an hour is  
common (3600).  
• Kbytes - the amount of traffic before the SA expires.  
One of these can be set without setting the other.  
IPSec PFS  
If enabled, security is enhanced by ensuring that the key is changed at  
regular intervals. Also, even if one key is broken, subsequent keys are no  
easier to break. Each key has no relationship to the previous key.  
PFS Key Group  
If PFS is enabled, this setting determines the DH group bit size used in the  
key exchange. This must match the value used on the remote gateway.  
Traffic Selector  
These settings determine if and when a VPN tunnel will be established. If  
network traffic meets all criteria, then a VPN tunnel will be created.  
Local IP  
The drop-down menu allows you to configure the source IP address of the  
outbound network traffic for which this VPN policy will provide security.  
Usually, this address will be from your network address space. The  
choices are:  
• Default: ANY for all valid IP addresses in the Internet address space  
Note: Selecting ANY means all traffic goes through the IPSec tunnel  
and prevents access to the Internet.  
• Single IP Address  
• Range of IP Addresses  
• Subnet Address  
Remote IP  
The drop-down menu allows you to configure the destination IP address of  
the outbound network traffic for which this VPN policy will provide security.  
Usually, this address will be from the remote site's corporate network  
address space. The choices are:  
• ANY for all valid IP addresses in the Internet address space  
Note: Selecting ANY means all traffic goes through the IPSec tunnel  
and prevents access to the Internet.  
• Single IP Address  
• Range of IP Addresses  
• Subnet Address  
Authenticating Header (AH)  
Configuration  
AH specifies the authentication protocol for the VPN header. These  
settings must match the remote VPN endpoint.  
Enable Authentication  
Use this checkbox to enable or disable AH for this VPN policy.  
Authentication  
Algorithm  
If you enable AH, then select the authentication algorithm:  
• MD5 is the default.  
• SHA1 is more secure.  
Encapsulated Security Payload (ESP) Configuration  
ESP provides security for the payload (data) sent through the VPN tunnel.  
Generally, you will want to enable both Encryption and Authentication.  
Two ESP modes are available:  
• Plain ESP encryption  
• ESP encryption with authentication  
These settings must match the remote VPN endpoint.  
Enable Encryption  
Use this checkbox to enable or disable ESP Encryption.  
Encryption  
Algorithm  
If you enable ESP encryption, then select the encryption algorithm:  
• DES is the default.  
• 3DES is more secure.  
Enable Authentication  
Use this checkbox to enable or disable ESP transform for this VPN policy.  
You can also select the ESP mode with this menu.  
Two ESP modes are available:  
• Plain ESP  
• ESP with authentication  
Authentication  
Algorithm  
If you enable AH, then use this menu to select which authentication  
algorithm will be employed.  
The choices are:  
• MD5 is the default.  
• SHA1 is more secure.  
NETBIOS Enable  
Check this if you wish NETBIOS traffic to be forwarded over the VPN  
tunnel. The NETBIOS protocol is used by Microsoft Networking for such  
features as Network Neighborhood.  
VPN Policy Configuration for Manual Key Exchange  
With Manual Key Management, you will not use an IKE policy. You must manually type in all the  
required key information. Click the VPN Policies link from the VPN section of the main menu to  
display the menu shown below.  
Figure 8-4: VPN - Manual Policy Menu  
The VPN Manual Policy fields are defined in the following table.  
Table 8-1. VPN Manual Policy Configuration Fields  
Field / Description  
General  
These settings identify this policy and determine its major characteristics.  
Policy Name  
The name of the VPN policy. Each policy should have a unique policy  
name. This name is not supplied to the remote VPN Endpoint. It is used to  
help you identify VPN policies.  
Remote VPN Endpoint  
The WAN Internet IP address of the remote VPN firewall or client to which  
you wish to connect. The remote VPN endpoint must have this FWG114P  
v2’s WAN Internet IP address entered as its “Remote VPN Endpoint.”  
Traffic Selector  
These settings determine if and when a VPN tunnel will be established. If  
network traffic meets all criteria, then a VPN tunnel will be created.  
Local IP  
The drop down menu allows you to configure the source IP address of the  
outbound network traffic for which this VPN policy will provide security.  
Usually, this address will be from your network address space. The  
choices are:  
• ANY for all valid IP addresses in the Internet address space  
Note: Selecting ANY means all traffic goes through the IPSec tunnel  
and prevents access to the Internet.  
• Single IP Address  
• Range of IP Addresses  
• Subnet Address  
Remote IP  
The drop down menu allows you to configure the destination IP address of  
the outbound network traffic for which this VPN policy will provide security.  
Usually, this address will be from the remote site's corporate network  
address space. The choices are:  
• ANY for all valid IP addresses in the Internet address space  
Note: Selecting ANY means all traffic goes through the IPSec tunnel  
and prevents access to the Internet.  
• Single IP Address  
• Range of IP Addresses  
• Subnet Address  
Authenticating Header (AH) Configuration  
AH specifies the authentication protocol for the VPN header. These  
settings must match the remote VPN endpoint.  
Note: The "Incoming" settings here must match the "Outgoing" settings on  
the remote VPN endpoint, and the "Outgoing" settings here must match  
the "Incoming" settings on the remote VPN endpoint.  
SPI - Incoming  
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the  
remote VPN endpoint has the same value in its "Outgoing SPI" field.  
SPI - Outgoing  
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the  
remote VPN endpoint has the same value in its "Incoming SPI" field.  
Enable Authentication  
Use this checkbox to enable or disable AH. Authentication is often not  
used. In this case, leave the checkbox unchecked.  
Authentication Algorithm  
If you enable AH, then select the authentication algorithm:  
• MD5 is the default.  
• SHA1 is more secure.  
Enter the keys in the fields provided. For MD5, the keys should be 16  
characters. For SHA-1, the keys should be 20 characters.  
Key - In  
Enter the keys.  
• For MD5, the keys should be 16 characters.  
• For SHA-1, the keys should be 20 characters.  
Any value is acceptable, provided the remote VPN endpoint has the same  
value in its Authentication Algorithm "Key - Out" field.  
Key - Out  
Enter the keys in the fields provided.  
• For MD5, the keys should be 16 characters.  
• For SHA-1, the keys should be 20 characters.  
Any value is acceptable, provided the remote VPN endpoint has the same  
value in its Authentication Algorithm "Key - In" field.  
Encapsulated Security Payload (ESP) Configuration  
ESP provides security for the payload (data) sent through the VPN tunnel.  
Generally, you will want to enable both encryption and authentication  
when you use ESP. Two ESP modes are available:  
• Plain ESP encryption  
• ESP encryption with authentication  
These settings must match the remote VPN endpoint.  
SPI - Incoming  
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the  
remote VPN endpoint has the same value in its "Outgoing SPI" field.  
SPI - Outgoing  
Enter a Hex value (3 - 8 chars). Any value is acceptable, provided the  
remote VPN endpoint has the same value in its "Incoming SPI" field.  
Enable Encryption  
Use this checkbox to enable or disable ESP Encryption.  
Encryption Algorithm  
If you enable ESP Encryption, then select the Encryption Algorithm:  
• DES is the default.  
• 3DES is more secure.  
Key - In  
Enter the key in the fields provided.  
• For DES, the key should be 8 characters.  
• For 3DES, the key should be 24 characters.  
Any value is acceptable, provided the remote VPN endpoint has the same  
value in its Encryption Algorithm "Key - Out" field.  
Key - Out  
Enter the key in the fields provided.  
• For DES, the key should be 8 characters.  
• For 3DES, the key should be 24 characters.  
Any value is acceptable, provided the remote VPN endpoint has the same  
value in its Encryption Algorithm "Key - In" field.  
Enable Authentication  
Use this checkbox to enable or disable ESP authentication for this VPN  
policy.  
Authentication Algorithm  
If you enable authentication, then use this menu to select the algorithm:  
• MD5 is the default.  
• SHA1 is more secure.  
Key - In  
Enter the key.  
• For MD5, the key should be 16 characters.  
• For SHA-1, the key should be 20 characters.  
Any value is acceptable, provided the remote VPN endpoint has the same  
value in its Authentication Algorithm "Key - Out" field.  
Key - Out  
Enter the key in the fields provided.  
• For MD5, the key should be 16 characters.  
• For SHA-1, the key should be 20 characters.  
Any value is acceptable, provided the remote VPN endpoint has the same  
value in its Authentication Algorithm "Key - In" field.  
NETBIOS Enable  
Check this if you wish NETBIOS traffic to be forwarded over the VPN  
tunnel. The NETBIOS protocol is used by Microsoft Networking for such  
features as Network Neighborhood.  
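The ESP rows of the table above can be checked before the values are typed into both firewalls. The following is an added example, not NETGEAR code: it validates the SPI and key formats given in the table and confirms that each endpoint's "Incoming" values equal the other endpoint's "Outgoing" values. The policy names, SPIs and keys are constructed, and comparing SPIs case-insensitively is an assumption.

```python
import re
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# Lengths in characters, as given in the field table above.
ENC_KEY_LEN = {"DES": 8, "3DES": 24}
AUTH_KEY_LEN = {"MD5": 16, "SHA-1": 20}
SPI_RE = re.compile(r"[0-9A-Fa-f]{3,8}")   # "Hex value (3 - 8 chars)"

Finding = Tuple[str, str]   # (severity, message); key material is never echoed


@dataclass
class EspManualPolicy:
    name: str
    spi_in: str
    spi_out: str
    enc_alg: str                     # "DES" or "3DES"
    enc_key_in: str
    enc_key_out: str
    auth_alg: Optional[str] = None   # None means ESP authentication is disabled
    auth_key_in: str = ""
    auth_key_out: str = ""


def _check_keys(p, alg, table, key_in, key_out, kind) -> List[Finding]:
    want = table.get(alg)
    if want is None:
        return [("error", f"{p.name}: unsupported {kind} algorithm {alg!r}")]
    return [("error", f"{p.name}: {alg} {kind} {label} needs {want} characters, got {len(key)}")
            for label, key in (("Key - In", key_in), ("Key - Out", key_out))
            if len(key) != want]


def check_policy(p: EspManualPolicy) -> List[Finding]:
    """Validate one endpoint's ESP fields against the table's format rules."""
    out: List[Finding] = []
    for label, spi in (("SPI - Incoming", p.spi_in), ("SPI - Outgoing", p.spi_out)):
        if not SPI_RE.fullmatch(spi):
            out.append(("error", f"{p.name}: {label} must be 3-8 hex characters"))
    out += _check_keys(p, p.enc_alg, ENC_KEY_LEN, p.enc_key_in, p.enc_key_out, "encryption")
    if p.enc_alg == "DES":
        out.append(("warn", f"{p.name}: DES is only the default; 3DES is more secure"))
    if p.auth_alg is None:
        out.append(("warn", f"{p.name}: plain ESP encryption, authentication disabled"))
    else:
        out += _check_keys(p, p.auth_alg, AUTH_KEY_LEN,
                           p.auth_key_in, p.auth_key_out, "authentication")
        if p.auth_alg == "MD5":
            out.append(("warn", f"{p.name}: MD5 is only the default; SHA1 is more secure"))
    return out


def check_pair(a: EspManualPolicy, b: EspManualPolicy) -> List[Finding]:
    """Check both endpoints, then the Incoming/Outgoing mirroring between them."""
    out = check_policy(a) + check_policy(b)
    if (a.enc_alg, a.auth_alg) != (b.enc_alg, b.auth_alg):
        out.append(("error", "algorithm selections differ between the endpoints"))
    mirrored = (("spi_in", "spi_out", "SPI"),
                ("enc_key_in", "enc_key_out", "encryption key"),
                ("auth_key_in", "auth_key_out", "authentication key"))
    for rx, tx in ((a, b), (b, a)):
        for incoming, outgoing, what in mirrored:
            mine, theirs = getattr(rx, incoming), getattr(tx, outgoing)
            if what == "SPI":   # assumption: hex digits compare case-insensitively
                mine, theirs = mine.lower(), theirs.lower()
            if mine != theirs:
                out.append(("error", f"{what}: {rx.name} Incoming != {tx.name} Outgoing"))
    return out


def by_severity(findings: List[Finding], severity: str) -> List[str]:
    return [msg for sev, msg in findings if sev == severity]


# Constructed sample values (not taken from the manual).
SITE_A = EspManualPolicy("site-a", spi_in="1a2b", spi_out="3c4d", enc_alg="3DES",
                         enc_key_in="ab12" * 6, enc_key_out="cd34" * 6, auth_alg="SHA-1",
                         auth_key_in="ef56" * 5, auth_key_out="gh78" * 5)
SITE_B = EspManualPolicy("site-b", spi_in="3C4D", spi_out="1A2B", enc_alg="3DES",
                         enc_key_in="cd34" * 6, enc_key_out="ab12" * 6, auth_alg="SHA-1",
                         auth_key_in="gh78" * 5, auth_key_out="ef56" * 5)
# Typical mistake: the remote side enters the same values without swapping In and Out.
SITE_B_COPIED = replace(SITE_A, name="site-b")
# Malformed SPIs, a short DES key, and no authentication.
LEGACY = EspManualPolicy("legacy", spi_in="12", spi_out="abcdefgh1", enc_alg="DES",
                         enc_key_in="short", enc_key_out="8charkey")

if __name__ == "__main__":
    for label, findings in (("matched pair", check_pair(SITE_A, SITE_B)),
                            ("copied unswapped", check_pair(SITE_A, SITE_B_COPIED)),
                            ("legacy policy", check_policy(LEGACY))):
        print(label, "->", findings or "no findings")
```

Messages name the field but never include the key value, so the output can be pasted into a change ticket.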
Using Digital Certificates for IKE Auto-Policy Authentication  
Digital certificates are strings generated using encryption and authentication schemes which  
cannot be duplicated by anyone without access to the different values used in the production of the  
string. They are issued by Certification Authorities (CAs) to authenticate a person or a workstation  
uniquely. The CAs are authorized to issue these certificates by Policy Certification Authorities  
(PCAs), who are in turn certified by the Internet Policy Registration Authority (IPRA). The  
FWG114P v2 is able to use certificates to authenticate users at the end points during the IKE key  
exchange process.  
The certificates can be obtained from a certificate server an organization might maintain internally  
or from the established public CAs. The certificates are produced by providing the particulars of  
the user being identified to the CA. The information provided may include the user's name, e-mail  
ID, domain name, and so on.  
Each CA has its own certificate. The certificates of a CA are added to the FWG114P v2 and can  
then be used to form IKE policies for the user. Once a CA certificate is added to the FWG114P v2  
and a certificate is created for a user, the corresponding IKE policy is added to the FWG114P v2.  
Whenever the user tries to send traffic through the FWG114P v2, the certificates are used in place  
of pre-shared keys during initial key exchange as the authentication and key generation  
mechanism. Once the keys are established and the tunnel is set up the connection proceeds  
according to the VPN policy.  
Certificate Revocation List (CRL)  
Each Certification Authority (CA) maintains a list of the revoked certificates. The list of these  
revoked certificates is known as the Certificate Revocation List (CRL).  
Whenever an IKE policy receives the certificate from a peer, it checks for this certificate in the  
CRL on the FWG114P v2 obtained from the corresponding CA. If the certificate is not present in  
the CRL it means that the certificate is not revoked. IKE can then use this certificate for  
authentication. If the certificate is present in the CRL it means that the certificate is revoked, and  
the IKE will not authenticate the client.  
You must manually update the FWG114P v2 CRL regularly in order for the CA-based  
authentication process to remain valid.  
Walk-Through of Configuration Scenarios on the FWG114P v2  
There are a variety of configurations you might implement with the FWG114P v2. The scenarios  
listed below illustrate typical configurations you might use in your organization.  
In order to help make it easier to set up an IPsec system, the following two scenarios are provided.  
These scenarios were developed by the VPN Consortium (http://www.vpnc.org). The goal is to  
make it easier to get the systems from different vendors to interoperate. NETGEAR is providing  
you with both of these scenarios in the following two formats:  
VPN Consortium Scenarios without Any Product Implementation Details as presented in  
VPN Consortium Scenarios Based on the FWG114P v2 User Interface as presented in  
The purpose of providing these two versions of the same scenarios is to help you determine where  
the two vendors use different vocabulary. Seeing the examples presented in these different ways  
will reveal how systems from different vendors do the same thing.  
How to Use the VPN Wizard to Configure a VPN Tunnel  
Note: If you have turned NAT off, before configuring VPN IPSec tunnels you must first  
open UDP port 500 for inbound traffic as explained in “Example: Port Forwarding for  
Follow this procedure to configure a VPN tunnel using the VPN Wizard.  
Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will  
fail if both are using the NETGEAR default address range of 192.168.0.x.  
1. Log in to the FVS318 on LAN A at its default LAN address of http://192.168.0.1 with its  
default user name of admin and password of password. Click the VPN Wizard link in the  
main menu to display this screen. Click Next to proceed.  
Figure 8-5: VPN Wizard Start Screen  
2. Fill in the Connection Name, pre-shared key, and select the type of target end point, and click  
Next to proceed.  
Figure 8-6: Connection Name and Remote IP Type  
3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next.  
Figure 8-7: Remote IP  
4. Identify the IP addresses at the target endpoint which can use this tunnel, and click Next.  
Figure 8-8: Secure Connection Remote Accessibility  
The Summary screen below displays.  
Figure 8-9: VPN Wizard Summary  
To view the VPNC recommended authentication and encryption Phase 1 and Phase 2 settings  
the VPN Wizard used, click the “here” link.  
5. Click Done to complete the configuration procedure. The VPN Settings menu displays,  
showing that the new tunnel is enabled.  
To view or modify the tunnel settings, select the radio button next to the tunnel entry and click  
Edit.  
VPNC Scenario 1: Gateway to Gateway with Preshared Secrets  
The following is a typical gateway-to-gateway VPN that uses a preshared secret for authentication.  
[Network diagram: LAN 10.5.6.0/24 behind Gateway A (LAN 10.5.6.1, WAN 14.15.16.17), connected across the Internet to Gateway B (WAN 22.23.24.25, LAN 172.23.9.1) in front of LAN 172.23.9.0/24.]  
Figure 8-10: VPN Consortium Scenario 1  
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has  
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.  
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)  
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used  
for testing IPsec but is not needed for configuring Gateway A.  
The IKE Phase 1 parameters used in Scenario 1 are:  
• Main mode  
• TripleDES  
• SHA-1  
• MODP group 2 (1024 bits)  
• pre-shared secret of "hr5xb84l6aa9r6"  
• SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying  
The IKE Phase 2 parameters used in Scenario 1 are:  
• TripleDES  
• SHA-1  
• ESP tunnel mode  
• MODP group 2 (1024 bits)  
• Perfect forward secrecy for rekeying  
• SA lifetime of 3600 seconds (one hour) with no kbytes rekeying  
• Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets  
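Because both gateways must hold the same Phase 1 and Phase 2 values, mirrored selectors and non-overlapping LAN ranges, a planned pair of configurations can be compared before anything is entered in the menus. The following is an added example, not part of the VPNC profile or NETGEAR code; the addresses, parameters and pre-shared secret are the Scenario 1 values above, while the class, field names and the two misconfigured variants are constructed for illustration.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field, replace
from typing import Dict, List


def vpnc_phase1() -> Dict[str, object]:
    """IKE Phase 1 parameters listed for Scenario 1."""
    return {"exchange": "main", "encryption": "3DES", "hash": "SHA-1",
            "dh_group": "MODP group 2 (1024 bits)", "sa_lifetime_s": 28800}


def vpnc_phase2() -> Dict[str, object]:
    """IKE Phase 2 parameters listed for Scenario 1."""
    return {"encryption": "3DES", "hash": "SHA-1", "mode": "ESP tunnel",
            "pfs_group": "MODP group 2 (1024 bits)", "sa_lifetime_s": 3600}


@dataclass
class Gateway:
    name: str
    wan_ip: str
    remote_endpoint: str     # assumption: given as an IP address, not an FQDN
    local_selector: str      # LAN subnet protected on this side
    remote_selector: str     # LAN subnet expected on the far side
    preshared_key: str
    phase1: Dict[str, object] = field(default_factory=vpnc_phase1)
    phase2: Dict[str, object] = field(default_factory=vpnc_phase2)


def check_tunnel(a: Gateway, b: Gateway) -> List[str]:
    """Return the mismatches that would keep the tunnel from coming up."""
    problems: List[str] = []
    lan_a = ipaddress.ip_network(a.local_selector)
    lan_b = ipaddress.ip_network(b.local_selector)
    if lan_a.overlaps(lan_b):
        problems.append(f"LAN ranges overlap ({lan_a} and {lan_b})")
    for near, far in ((a, b), (b, a)):
        if ipaddress.ip_address(near.remote_endpoint) != ipaddress.ip_address(far.wan_ip):
            problems.append(f"{near.name}: remote endpoint is not {far.name}'s WAN IP")
        if ipaddress.ip_network(near.remote_selector) != ipaddress.ip_network(far.local_selector):
            problems.append(f"{near.name}: remote selector is not {far.name}'s local selector")
    for phase in ("phase1", "phase2"):
        pa, pb = getattr(a, phase), getattr(b, phase)
        for key in sorted(set(pa) | set(pb)):
            if pa.get(key) != pb.get(key):
                problems.append(f"{phase} {key} differs: {pa.get(key)!r} vs {pb.get(key)!r}")
    # Constant-time comparison; the secret itself is never written to the report.
    if not hmac.compare_digest(a.preshared_key.encode(), b.preshared_key.encode()):
        problems.append("pre-shared keys differ")
    return problems


GATEWAY_A = Gateway("Gateway A", "14.15.16.17", "22.23.24.25",
                    "10.5.6.0/24", "172.23.9.0/24", "hr5xb84l6aa9r6")
GATEWAY_B = Gateway("Gateway B", "22.23.24.25", "14.15.16.17",
                    "172.23.9.0/24", "10.5.6.0/24", "hr5xb84l6aa9r6")

# Constructed variant: both sites left on the factory LAN range 192.168.0.x.
DEFAULT_LAN_A = replace(GATEWAY_A, local_selector="192.168.0.0/24",
                        remote_selector="192.168.0.0/24")
DEFAULT_LAN_B = replace(GATEWAY_B, local_selector="192.168.0.0/24",
                        remote_selector="192.168.0.0/24")
# Constructed variant: Gateway B left on DES with a mistyped secret.
MISTYPED_B = replace(GATEWAY_B, preshared_key="hr5xb84l6aa9r7",
                     phase1={**vpnc_phase1(), "encryption": "DES"})

if __name__ == "__main__":
    for label, pair in (("scenario 1", (GATEWAY_A, GATEWAY_B)),
                        ("default LANs", (DEFAULT_LAN_A, DEFAULT_LAN_B)),
                        ("mistyped B", (GATEWAY_A, MISTYPED_B))):
        print(label, "->", check_tunnel(*pair) or "consistent")
```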
Scenario 1: FWG114P v2 to FWG114P v2 with Preshared Secrets  
Note: This scenario assumes all ports are open on the FWG114P v2. You can verify this by  
reviewing the security settings as seen in the “Rules menu” on page 6-5.  
[Illustration: Scenario 1. Gateway A (WAN IP 14.15.16.17, LAN IP 10.5.6.1/24) and Gateway B (WAN IP 22.23.24.25, LAN IP 172.23.9.1/24).]  
Figure 8-11: LAN to LAN VPN access from an FWG114P v2 to an FWG114P v2  
Use this scenario illustration and configuration screens as a model to build your configuration.  
1. Log in to the FWG114P v2 labeled Gateway A as in the illustration.  
Log in at the default address of http://192.168.0.1 with the default user name of admin and  
default password of password, or using whatever password and LAN address you have  
chosen.  
2. Configure the WAN (Internet) and LAN IP addresses of the FWG114P v2.  
a. From the main menu Setup section, click on the Basic Setup link.  
[Figure callouts: WAN IP addresses; the ISP provides these addresses.]  
Figure 8-12: FWG114P v2 Internet IP Address menu  
b. Configure the WAN Internet Address according to the settings above and click Apply to  
save your settings. For more information on configuring the WAN IP settings in the Basic  
c. From the main menu Advanced section, click on the LAN IP Setup link.  
Figure 8-13: LAN IP configuration menu  
d. Configure the LAN IP address according to the settings above and click Apply to save  
your settings. For more information on LAN TCP/IP setup topics, please see “Using the  
Note: After you click Apply to change the LAN IP address settings, your workstation will  
be disconnected from the FWG114P v2. You will have to log on with http://10.5.6.1,  
which is now the address you use to connect to the built-in web-based configuration  
manager of the FWG114P v2.  
3. Set up the IKE Policy illustrated below on the FWG114P v2.  
a. From the main menu VPN section, click on the IKE Policies link, and then click the Add  
button to display the screen below.  
Figure 8-14: Scenario 1 IKE Policy  
b. Configure the IKE Policy according to the settings in the illustration above and click  
Apply to save your settings. For more information on IKE Policy topics, please see “IKE  
4. Set up the FWG114P v2 VPN - Auto Policy illustrated below.  
a. From the main menu VPN section, click on the VPN Policies link, and then click on the  
Add Auto Policy button.  
[Figure callouts: WAN IP address; LAN IP addresses.]  
Figure 8-15: Scenario 1 VPN - Auto Policy  
b. Configure the IKE Policy according to the settings in the illustration above and click  
Apply to save your settings. For more information on IKE Policy topics, please see “IKE  
Note: Selecting ANY for the Traffic Selectors means all traffic goes through the IPSec  
tunnel and prevents access to the Internet.  
5. After applying these changes, all traffic from the range of LAN IP addresses specified on  
FWG114P v2 A and FWG114P v2 B will flow over a secure VPN tunnel.  
How to Check VPN Connections  
You can test connectivity and view VPN status information on the FWG114P v2.  
1. To test connectivity between the Gateway A FWG114P v2 LAN and the Gateway B LAN,  
follow these steps:  
a. Using our example, from a PC attached to the FWG114P v2 on LAN A, on a Windows PC  
click the Start button on the taskbar and then click Run.  
b. Enter ping -t 172.23.9.1, and then click OK.  
c. This will cause a continuous ping to be sent to the LAN interface of Gateway B. Within  
several seconds to two minutes, the ping response should change from “timed  
out” to “reply.”  
d. At this point the connection is established.  
2. To test connectivity between the FWG114P v2 Gateway A and Gateway B WAN ports, follow  
these steps:  
a. Using our example, log in to the FWG114P v2 on LAN A, go to the main menu  
Maintenance section and click the Diagnostics link.  
b. To test connectivity to the WAN port of Gateway B, enter 22.23.24.25, and then click  
Ping.  
c. This will cause a ping to be sent to the WAN interface of Gateway B. Within  
several seconds to two minutes, the ping response should change from “timed out” to  
“reply.” You may have to run this test several times before you get the “reply” message  
back from the target FWG114P v2.  
d. At this point the connection is established.  
Note: If you want to ping the FWG114P v2 as a test of network connectivity, be sure the  
FWG114P v2 is configured to respond to a ping on the Internet WAN port by checking the  
checkbox seen in “Rules menu” on page 6-5. However, to preserve a high degree of security,  
you should turn off this feature when you are finished with testing.  
3. To view the FWG114P v2 event log and status of Security Associations, follow these steps:  
a. Go to the FWG114P v2 main menu VPN section and click the VPN Status link.  
b. The log screen will display a history of the VPN connections, and the IPSec SA and IKE  
SA tables will report the status and data transmission statistics of the VPN tunnels for each  
policy.  
VPNC Scenario 2: Gateway-to-Gateway with Certificates  
The following is a typical gateway-to-gateway VPN that uses PKIX certificates for authentication.  
[Network diagram: LAN 10.5.6.0/24 behind Gateway A (LAN 10.5.6.1, WAN 14.15.16.17), connected across the Internet to Gateway B (WAN 22.23.24.25, LAN 172.23.9.1) in front of LAN 172.23.9.0/24.]  
Figure 8-16: VPN Consortium Scenario 2  
Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has  
the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.  
Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet)  
interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used  
for testing IPsec but is not needed for configuring Gateway A.  
The IKE Phase 1 parameters used in Scenario 2 are:  
• Main mode  
• TripleDES  
• SHA-1  
• MODP group 2 (1024 bits)  
• Authentication with signatures authenticated by PKIX certificates; both Gateway A and Gateway B have end-entity certificates that chain to a root authority called "Trusted Root CA."  
• SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying  
The IKE Phase 2 parameters used in Scenario 2 are:  
• TripleDES  
• SHA-1  
• ESP tunnel mode  
• MODP group 2 (1024 bits)  
• Perfect forward secrecy for rekeying  
• SA lifetime of 3600 seconds (one hour) with no kbytes rekeying  
• Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets  
Scenario 2: FWG114P v2 to FWG114P v2 with Certificates  
The following is a typical gateway-to-gateway VPN that uses Public Key Infrastructure X.509  
(PKIX) certificates for authentication. The network setup is identical to the one given in scenario  
1. The IKE Phase 1 and Phase 2 parameters are identical to the ones given in scenario 1, with the  
exception that the identification is done with signatures authenticated by PKIX certificates.  
Note: Before completing this configuration scenario, make sure the correct Time Zone is set on the  
FWG114P v2. For instructions on this topic, please see “Setting the Time Zone” on page 6-13.  
1. Obtain a root certificate.  
a. Obtain the root certificate (which includes the public key) from a Certificate Authority  
(CA).  
Note: The procedure for obtaining certificates differs between a CA like Verisign and a CA,  
such as a Windows 2000 certificate server, which an organization operates to provide  
certificates for its members. For example, an administrator of a Windows 2000 certificate  
server might provide it to you via e-mail.  
b. Save the certificate as a text file called trust.txt.  
2. Install the trusted CA certificate for the Trusted Root CA.  
a. Log in to the FWG114P v2.  
b. From the main menu VPN section, click on the CA’s link.  
c. Click Add to add a CA.  
d. Click Browse to locate the trust.txt file.  
e. Click Upload.  
3. Create a certificate request for the FWG114P v2.  
a. From the main menu VPN section, click the Certificates link.  
b. Click the Generate Request button to display the screen illustrated in Figure 8-17 below.  
Figure 8-17: Generate Self Certificate Request menu  
c. Fill in the fields on the Add Self Certificate screen.  
Required  
• Name. Enter a name to identify this certificate.  
• Subject. This is the name which other organizations will see as the holder (owner) of this certificate. This should be your registered business name or official company name. Generally, all certificates should have the same value in the Subject field.  
• Hash Algorithm. Select the desired option: MD5 or SHA1.  
• Signature Algorithm. Select the desired option: DSS or RSA.  
• Signature Key Length. Select the desired option: 512, 1024, or 2048.  
Optional  
• IP Address. If you use “IP type” in the IKE policy, you should input the IP Address here. Otherwise, you should leave this blank.  
• Domain Name. If you have a domain name, you can enter it here. Otherwise, you should leave this blank.  
• E-mail Address. You can enter your e-mail address here.  
d. Click the Next button to continue. The FWG114P v2 generates a Self Certificate Request  
as shown below.  
[Figure callout: Highlight, copy and paste this data into a text file.]  
Figure 8-18: Self Certificate Request data  
4. Transmit the Self Certificate Request data to the Trusted Root CA.  
a. Highlight the text in the Data to supply to CA area, copy it, and paste it into a text file.  
b. Give the certificate request data to the CA. In the case of a Windows 2000 internal CA,  
you might simply e-mail it to the CA administrator. The procedures of a CA like Verisign  
and of a CA such as a Windows 2000 certificate server will differ. Follow the  
procedures of your CA.  
c. When you have finished gathering the Self Certificate Request data, click the Done button.  
You will return to the Certificates screen where your pending “FWG114P v2” Self  
Certificate Request will be listed, as illustrated in Figure 8-19 below.  
Figure 8-19: Self Certificate Requests table  
5. Receive the certificate back from the Trusted Root CA and save it as a text file.  
Note: In the case of a Windows 2000 internal CA, the CA administrator might simply e-mail it  
back to you. Follow the procedures of your CA. Save the certificate you get back from the  
CA as a text file called final.txt.  
6. Upload the new certificate.  
a. From the main menu VPN section, click on the Certificates link.  
b. Click the radio button of the Self Certificate Request you want to upload.  
c. Click the Upload Certificate button.  
d. Browse to the location of the file you saved in step 5 above which contains the certificate  
from the CA.  
e. Click the Upload button.  
f. You will now see the “FWG114P v2” entry in the Active Self Certificates table and the  
pending “FWG114P v2” Self Certificate Request is gone, as illustrated below.  
Figure 8-20: Self Certificates table  
7. Associate the new certificate and the Trusted Root CA certificate on the FWG114P v2.  
a. Create a new IKE policy called Scenario_2 with all the same properties as Scenario_1  
(see “Scenario 1 IKE Policy” on page 8-22) except now use the RSA Signature instead of  
the shared key.  
Figure 8-21: IKE policy using RSA Signature  
b. Create a new VPN Auto Policy called scenario2a with all the same properties as  
scenario1a except that it uses the IKE policy called Scenario_2.  
Now, the traffic from devices within the range of the LAN subnet addresses on FWG114P v2  
A and Gateway B will be authenticated using the certificates rather than via a shared key.  
8. Set up Certificate Revocation List (CRL) checking.  
a. Get a copy of the CRL from the CA and save it as a text file.  
Note: The procedure for obtaining a CRL differs between a CA like Verisign and a CA, such  
as a Windows 2000 certificate server, which an organization operates to provide  
certificates for its members. Follow the procedures of your CA.  
b. From the main menu VPN section, click on the CRL link.  
c. Click Add to add a CRL.  
d. Click Browse to locate the CRL file.  
e. Click Upload.  
Now expired or revoked certificates will not be allowed to use the VPN tunnels managed by  
IKE policies which use this CA.  
Note: You must update the CRLs regularly in order to maintain the validity of the  
certificate-based VPN policies.  
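Since the CRL on the firewall is only as current as the last manual upload (see "Certificate Revocation List (CRL)" earlier in this chapter and step 8 above), it is worth inspecting the saved CRL text file before uploading it. The following is an added example, not NETGEAR code, using the third-party Python `cryptography` package: it verifies the CRL signature against the CA public key, looks up a peer serial number, and reports a CRL that is past its next-update time. The CA key, serial numbers and dates are constructed, and the "stale" verdict is an administrator-side check, not documented device behaviour.

```python
from datetime import datetime, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

UTC = timezone.utc


def build_constructed_crl(revoked_serials, this_update, next_update):
    """Stand-in for the CA. Returns (crl_pem, ca_public_key); constructed data only."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    issuer = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Trusted Root CA")])
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer)
               .last_update(this_update)
               .next_update(next_update))
    for serial in revoked_serials:
        entry = (x509.RevokedCertificateBuilder()
                 .serial_number(serial)
                 .revocation_date(this_update)
                 .build())
        builder = builder.add_revoked_certificate(entry)
    crl = builder.sign(ca_key, hashes.SHA256())
    return crl.public_bytes(serialization.Encoding.PEM), ca_key.public_key()


def _next_update(crl):
    """nextUpdate as an aware UTC datetime, across cryptography versions."""
    if hasattr(crl, "next_update_utc"):          # cryptography 42 and later
        return crl.next_update_utc
    value = crl.next_update                      # older releases: naive UTC
    return value.replace(tzinfo=UTC) if value else None


def crl_verdict(crl_pem, ca_public_key, peer_serial, now):
    """Classify a peer certificate serial against one saved CRL file."""
    crl = x509.load_pem_x509_crl(crl_pem)
    if not crl.is_signature_valid(ca_public_key):
        return "crl-untrusted"                   # not signed by the expected CA
    if crl.get_revoked_certificate_by_serial_number(peer_serial) is not None:
        return "revoked"                         # IKE will not authenticate this peer
    nxt = _next_update(crl)
    if nxt is None or now >= nxt:
        # Not listed, but the list is out of date: a certificate revoked since the
        # last upload would still pass until a fresh CRL is loaded.
        return "not-listed-but-crl-stale"
    return "not-listed"


if __name__ == "__main__":
    issued = datetime(2005, 5, 1, tzinfo=UTC)
    expires = datetime(2005, 6, 1, tzinfo=UTC)
    pem, ca_pub = build_constructed_crl([0x1001], issued, expires)
    for serial, when in ((0x1001, datetime(2005, 5, 10, tzinfo=UTC)),
                         (0x2002, datetime(2005, 5, 10, tzinfo=UTC)),
                         (0x2002, datetime(2005, 7, 1, tzinfo=UTC))):
        print(hex(serial), when.date(), crl_verdict(pem, ca_pub, serial, when))
```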
Netgear VPN Client to FWG114P v2  
Follow these procedures to configure a VPN tunnel from a NETGEAR ProSafe VPN Client to an  
FWG114P v2. This case study follows the Virtual Private Network Consortium (VPNC)  
interoperability profile guidelines. The menu options for the FVS328, FVL328, FWAG114, and  
FWG114P v2 are the same.  
Configuration Profile  
The configuration in this document follows the addressing and configuration mechanics defined  
by the VPN Consortium. Gather all the necessary information before you begin the configuration  
process. Verify that the firmware is up to date, and collect all of the addresses that will be necessary and  
all of the parameters that need to be set on both sides. Check that there are no firewall restrictions.  
Table 8-1. Summary  
VPN Consortium Scenario: Scenario 1  
Type of VPN: PC/Client-to-Gateway  
Security Scheme: IKE with Preshared Secret/Key (not Certificate-based)  
Date Tested: December 2003  
Model/Firmware Tested:  
• Gateway: FWG114P firmware v 2.2  
• Client: NETGEAR ProSafe VPN Client v10.1  
IP Addressing:  
• Gateway: Static IP address  
• Client: Dynamic  
[Illustration: Network Addresses. Gateway (FWG114P) with its WAN IP and LAN IP; Client (PC with NETGEAR ProSafe VPN client) with its WAN IP.]  
Figure 8-22: Addressing and Subnet Used for Examples  
Step-By-Step Configuration of FWG114P v2 Gateway  
1. Log in to the FWG114P v2 gateway as in the illustration.  
Out of the box, the FWG114P v2 is set for its default LAN address of http://192.168.0.1, with  
its default user name of admin and default password of password.  
2. Click IKE Policies under the VPN menu and click Add on the IKE Policies Menu.  
Figure 8-23: NETGEAR FWG114P v2 IKE Policy Configuration  
Enter a descriptive name for the policy in the Policy Name field. This name is not supplied  
to the remote VPN endpoint. It is used to help you manage the IKE policies. In our  
example, we used VPNclient as the Policy Name.  
From the Direction/Type drop-down box, select Remote Access.  
From the Exchange Mode drop-down box, select Aggressive Mode. This will also be  
selected in the VPN Client My Identity ID Type fields, as seen in “Security Policy” on  
From the Local Identity drop-down box, select Fully Qualified Domain Name (the actual  
WAN IP address of the FWG114P v2 will also be used in the Connection ID Type fields of  
For this example we typed FWG114P v2 in the Local Identity Data field.  
From the Remote Identity drop-down box, select Fully Qualified Domain Name.  
Type VPNclient in the Remote Identity Data. This will also be entered in the VPN Client  
My Identity ID Type fields, as seen in “My Identity” on page 8-40.  
From the Encryption Algorithm drop-down box, select 3DES. This will also be selected in  
the VPN Client Security Policy Authentication Phase 1 Proposal 1 Encrypt Alg field, as  
From the Authentication Algorithm drop-down box, select SHA-1. This will also be
selected in the VPN Client Security Policy Authentication Phase 1 Proposal 1 Hash Alg  
From the Authentication Method radio button, select Pre-shared Key. This will also be  
selected in the VPN Client Security Policy Authentication Phase 1 Proposal 1  
Authentication Method field, as seen in “Connection Security Policy Authentication  
In the Pre-Shared Key field, type hr5xb84l6aa9r6. You must make sure the key is the  
same for both the client and the FWG114P v2 Wireless Firewall/Print Server. This will  
also be selected in the VPN client Security Policy Authentication Phase 1 Proposal 1  
From the Diffie-Hellman (DH) Group drop-down box, select Group 2 (1024 Bit). This  
will also be selected in the VPN Client Security Policy Authentication Phase 1 Proposal 1  
In the SA Life Time field, type 86400.  
Click Apply. This will bring you back to the IKE Policies Menu. The FWG114P v2 IKE Policy
is now displayed in the IKE Policies page.  
3. Click the VPN Policies link under the VPN category on the left side of the main menu. This  
will take you to the VPN Policies Menu page. Click Add Auto Policy. This will open a new  
screen titled VPN – Auto Policy.  
Figure 8-24: VPN – Auto Policy settings  
Enter a unique name to identify this policy. This name is not supplied to the remote VPN  
endpoint. In our example, we use VPNclient as the Policy Name.  
From the IKE policy drop-down box, select VPNclient which is the IKE Policy that was  
set up in the earlier step.  
From the Remote VPN Endpoint Address Type drop-down box, select IP Address.  
Type 0.0.0.0 as the Address Data of the client because we are assuming the remote PC will  
have a dynamically assigned IP address. This will also be entered in the VPN Client  
Internal Network IP Address field, as seen in “My Identity” on page 8-40.  
Type 86400 in the SA Life Time (Seconds) field.  
Type 0 in the SA Life Time (Kbytes) field.  
Check the IPSec PFS check box to enable Perfect Forward Secrecy. This will also be  
entered in the VPN Client Security Policy Enable Perfect Forward Secrecy check box, as  
From the PFS Key Group drop-down box, select Group 2 (1024 Bit). This will also be  
entered in the VPN Client Security Policy PFS Key Group drop-down selection box, as  
From the Traffic Selector Local IP drop-down box, select Subnet addresses. This will  
also be entered in the VPN Client Connection Remote Party Identity and Addressing ID  
Note: Selecting ANY for the Traffic Selectors means all traffic goes through the IPSec  
tunnel and prevents access to the Internet.  
Type the starting LAN IP Address of the FWG114P v2 in the Local IP Start IP Address  
field. For this example, we used 192.168.0.0 which is the default LAN IP address of the  
FWG114P v2. This will also be entered in the VPN Client Connection Remote Party  
Type the LAN Subnet Mask of the FWG114P v2 (255.255.255.0 in our example) in the  
Local IP Subnet Mask field. This will also be entered in the VPN Client Connection  
Remote Party Identity and Addressing Mask field, as seen in “Security Policy Editor New  
From the Traffic Selector Remote IP drop-down box, select Single addresses.  
Type 0.0.0.0 as the start IP Address in the Remote IP Start IP Address field because
we are assuming the remote PC will have a dynamically assigned IP address. This will  
also be entered in the VPN Client My Identity Internal Network IP Address field, as seen  
Select the Enable Encryption check box. This will also be selected in the VPN Client  
Security Policy Key Exchange (Phase 2) Encapsulation Protocol (ESP) check box, as seen  
From the ESP Configuration Encryption Algorithm drop-down box, select 3DES. This  
will also be entered in the VPN Client Security Policy Key Exchange (Phase 2) Encrypt  
Select Enable Authentication in the ESP Configuration Enable Authentication check  
box.  
Note: Do not confuse this with the Authentication Protocol (AH) option. Using the AH  
option will prevent clients behind a home NAT router from connecting.  
From the ESP Configuration Authentication Algorithm drop-down box, select SHA-1.  
This will also be entered in the VPN Client Security Policy Key Exchange (Phase 2) Hash  
Select the NETBIOS Enable check box to enable networking features like Windows  
Network Neighborhood.  
Click Apply to save your changes. You will be taken back to the VPN Policies Menu page.  
4. When the screen returns to the VPN Policies, make sure the Enable check box is selected.  
Click Apply to save your changes.  
Step-By-Step Configuration of the Netgear VPN Client  
Note: The Netgear ProSafe VPN Client has the ability to “Import” a predefined
configuration profile. The FWG114P V2.SPD file on the Resource CD for the ProSafe
Wireless 802.11g Firewall/Print Server Model FWG114P v2 (SW-10023-03) includes all the
settings identified in this procedure.
Whenever importing policy settings, you should first export any existing settings you  
may have configured to prevent the new imported settings from replacing an existing  
working configuration.  
To import this policy, use the Security Policy Editor File menu to select Import Policy,  
and select the FWG114P v2.SPD file at D:\Software\Policies where D is the drive letter  
of your CD-ROM drive.  
This procedure describes linking a remote PC and a LAN. The LAN will connect to the Internet  
using an FWG114P v2 with a static IP address. The PC can be directly connected to the Internet  
through dialup, cable or DSL modem, or other means, and we will assume it has a dynamically  
assigned IP address.  
1. Install the Netgear VPN Client Software on the PC.  
Note: Before installing the Netgear VPN Client software, be sure to turn off any virus  
protection or firewall software you may be running on your PC.  
You may need to insert your Windows CD to complete the installation.  
Reboot your PC after installing the client software.  
2. Configure the Connection Network Settings.  
Figure 8-25: Security Policy Editor New Connection  
a. Run the Security Policy Editor program and create a VPN Connection.  
Figure 8-26: Security Policy Editor Options menu  
Note: If the configuration settings on this screen are not available for editing, go to the  
Options menu, select Secure, and Specified Options to enable editing these settings.  
From the Edit menu of the Security Policy Editor, click Add, then Connection. A “New  
Connection” listing appears. Rename the “New Connection” to FWG114P v2.  
b. Ensure that the following settings are configured:  
In the Connection Security box, Secure is selected.  
In the Protocol menu, All is selected.  
The Connect using Secure Gateway Tunnel check box is selected.  
c. In this example, select IP Subnet as the ID Type, 192.168.0.0 in the Subnet field (the  
Subnet address is the LAN IP Address of the FWG114P v2 with 0 as the last number), and  
255.255.255.0 in the Mask field, which is the LAN Subnet Mask of the FWG114P v2.  
d. In the ID Type menus, select Domain Name and Gateway IP Address. Enter FWG114P  
v2 in the Domain Name field. In this example, 66.120.188.153 would be used for the  
Gateway IP Address, which is the static IP address for the FWG114P v2 WAN port.  
3. Configure the Connection Identity Settings.  
a. In the Network Security Policy list, click the My Identity subheading.  
Figure 8-27: My Identity  
In this example, select Domain Name as the ID Type, and enter VPNclient. Also, accept  
the default Internal Network IP Address of 0.0.0.0.  
Figure 8-28: My Identity Pre-Shared Key  
b. Click Pre-Shared Key.  
In this example, enter this pre-shared key in this field: hr5xb84l6aa9r6
Figure 8-29: Connection Identity Pre-Shared Key  
c. Enter hr5xb84l6aa9r6, which is the same Pre-Shared Key entered in the FWG114P v2.  
d. Click OK.  
4. Configure the Connection Identity Settings.  
a. In the Network Security Policy list, click the Security Policy subheading.  
Figure 8-30: Security Policy  
b. For this example, ensure that the following settings are configured:  
In the Select Phase 1 Negotiation Mode menu, select Aggressive Mode.  
Select the Enable Perfect Forward Secrecy (PFS) check box.  
In the PFS Key Group drop-down list, select Diffie-Hellman Group 2.
Select the Enable Replay Detection check box.  
5. Configure the Connection Security Policy  
In this step, you will provide the authentication (IKE Phase 1) settings, and the key exchange  
(Phase 2) settings. The setting choices in this procedure follow the VPNC guidelines.  
Figure 8-31: Connection Security Policy Authentication (Phase 1)  
a. Configure the Authentication (Phase 1) Settings.  
Expand the Security Policy heading, then expand the Authentication (Phase 1)  
heading, and click on Proposal 1.  
For this example, ensure that the following settings are configured:  
In the Encrypt Alg menu, select Triple DES.  
In the Hash Alg, select SHA-1.  
In the SA Life, select Unspecified.  
In the Key Group menu, select Diffie-Hellman Group 2.  
Figure 8-32: Connection Security Policy Key Exchange (Phase 2)  
b. Configure the Key Exchange (Phase 2).  
Expand the Key Exchange (Phase 2) heading, and click on Proposal 1.  
For this example, ensure that the following settings are configured:  
In the SA Life menu, select Unspecified.  
In the Compression menu, select None.  
Check the Encapsulation Protocol (ESP) check box.  
In the Encrypt Alg menu, select Triple DES.  
In the Hash Alg, select SHA-1.  
In the Encapsulation menu, select Tunnel.  
6. Configure the Global Policy Settings.  
a. From the Options menu at the top of the Security Policy Editor window, select Global  
Policy Settings.  
Figure 8-33: Security Policy Editor Global Policy Options  
b. Increase the Retransmit Interval period to 45 seconds.  
c. Select the Allow to Specify Internal Network Address check box and click OK.  
7. Save the VPN Client Settings.  
From the File menu at the top of the Security Policy Editor window, select Save.  
After you have configured and saved the VPN client information, your PC will automatically  
open the VPN connection when you attempt to access any IP addresses in the range of the  
remote VPN router’s LAN.  
Note: Whenever you make changes to a Security Policy, save them first, then deactivate  
the security policy, reload the security policy, and finally activate the security policy.  
This ensures that your new settings will take effect.  
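The gateway steps repeatedly state that a value must also be set in the VPN client, and the client opens the tunnel only for destinations inside the remote subnet. The following added example (not part of the NETGEAR manual or its software) cross-checks the two sides using the values from this procedure; the dictionary keys and function names are assumptions made for the example, and SA Life is left out because the client sets it to Unspecified.

```python
"""Cross-check gateway and VPN client settings for the tunnel described above."""
import hmac
import ipaddress
import re

# Values transcribed from the gateway steps (IKE Policy and VPN Auto Policy).
# The dictionary keys are names invented for this example, not firmware fields.
GATEWAY = {
    "exchange_mode": "Aggressive Mode",
    "local_identity": "FWG114P v2",
    "remote_identity": "VPNclient",
    "p1_encryption": "3DES",
    "p1_hash": "SHA-1",
    "p1_dh_group": "Group 2 (1024 Bit)",
    "pre_shared_key": "hr5xb84l6aa9r6",
    "pfs_enabled": True,
    "pfs_group": "Group 2 (1024 Bit)",
    "local_subnet": ("192.168.0.0", "255.255.255.0"),
    "p2_encryption": "3DES",
    "p2_hash": "SHA-1",
}

# Values transcribed from the Security Policy Editor steps on the client PC.
CLIENT = {
    "exchange_mode": "Aggressive Mode",
    "my_identity": "VPNclient",
    "remote_party_domain_name": "FWG114P v2",
    "p1_encryption": "Triple DES",
    "p1_hash": "SHA-1",
    "p1_dh_group": "Diffie-Hellman Group 2",
    "pre_shared_key": "hr5xb84l6aa9r6",
    "pfs_enabled": True,
    "pfs_group": "Diffie-Hellman Group 2",
    "remote_subnet": ("192.168.0.0", "255.255.255.0"),
    "p2_encryption": "Triple DES",
    "p2_hash": "SHA-1",
}


def norm_algorithm(label):
    """Reduce GUI labels ('Triple DES' vs '3DES', 'SHA-1') to one token."""
    token = re.sub(r"[^a-z0-9]", "", label.lower())
    return {"tripledes": "3des"}.get(token, token)


def norm_group(label):
    """Extract the Diffie-Hellman group number from either GUI's label."""
    match = re.search(r"group\s*(\d+)", label, re.IGNORECASE)
    if match is None:
        raise ValueError(f"no DH group number in {label!r}")
    return int(match.group(1))


def norm_subnet(pair):
    """Turn (address, mask) into a network object so equal subnets compare equal."""
    address, mask = pair
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


# (check name, gateway key, client key, normalizer applied to both values)
CHECKS = [
    ("Phase 1 exchange mode", "exchange_mode", "exchange_mode", str.lower),
    ("Gateway identity", "local_identity", "remote_party_domain_name", str),
    ("Client identity", "remote_identity", "my_identity", str),
    ("Phase 1 encryption", "p1_encryption", "p1_encryption", norm_algorithm),
    ("Phase 1 hash", "p1_hash", "p1_hash", norm_algorithm),
    ("Phase 1 DH group", "p1_dh_group", "p1_dh_group", norm_group),
    ("PFS enabled", "pfs_enabled", "pfs_enabled", bool),
    ("PFS key group", "pfs_group", "pfs_group", norm_group),
    ("Protected subnet", "local_subnet", "remote_subnet", norm_subnet),
    ("Phase 2 encryption", "p2_encryption", "p2_encryption", norm_algorithm),
    ("Phase 2 hash", "p2_hash", "p2_hash", norm_algorithm),
]


def compare(gateway, client):
    """Return a list of (check, gateway value, client value) mismatches."""
    mismatches = []
    for name, gkey, ckey, normalize in CHECKS:
        if normalize(gateway[gkey]) != normalize(client[ckey]):
            mismatches.append((name, gateway[gkey], client[ckey]))
    same_key = hmac.compare_digest(
        gateway["pre_shared_key"].encode(), client["pre_shared_key"].encode()
    )
    if not same_key:
        # Report the mismatch without echoing either secret.
        mismatches.append(("Pre-shared key", "<hidden>", "<hidden>"))
    return mismatches


def uses_tunnel(destination, client):
    """True if traffic to destination falls inside the client's remote subnet."""
    return ipaddress.ip_address(destination) in norm_subnet(client["remote_subnet"])


if __name__ == "__main__":
    for name, gw_value, client_value in compare(GATEWAY, CLIENT):
        print(f"MISMATCH {name}: gateway={gw_value!r} client={client_value!r}")
    print("192.168.0.1 via tunnel:", uses_tunnel("192.168.0.1", CLIENT))
```

An empty result from compare means every setting the procedure mirrors on both sides agrees.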
Testing the VPN Connection  
You can test the VPN connection in several ways:  
From the client PC to the FWG114P v2  
From the FWG114P v2 to the client PC  
These procedures are explained below.  
Note: Virus protection or firewall software can interfere with VPN communications. Be  
sure such software is not running on the remote PC with the Netgear ProSafe VPN  
Client and that the firewall features of the FWG114P v2 are not set in such a way as to  
prevent VPN communications.  
From the Client PC to the FWG114P v2  
To check the VPN Connection, you can initiate a request from the remote PC to the FWG114P v2  
by using the “Connect” option of the FWG114P v2 Wireless Firewall/Print Server popup menu.  
1. Open the popup menu by right-clicking on the system tray icon.  
2. Select Connect to open the My Connections list.  
3. Choose FWG114P v2.  
The FWG114P v2 Wireless Firewall/Print Server will report the results of the attempt to  
connect.  
Once the connection is established, you can access resources of the network connected to the  
FWG114P v2.  
Another method is to ping from the remote PC to the LAN IP address of the FWG114P v2. To  
perform a ping test using our example, start from the remote PC:  
1. Establish an Internet connection from the PC.  
2. On the Windows taskbar, click the Start button, and then click Run.  
3. Type ping -t 192.168.0.1 and click OK.
This will cause a continuous ping to be sent to the first FWG114P v2. After a period of up to  
two minutes, the ping response should change from “timed out” to “reply.”  
To test the connection to a computer connected to the FWG114P v2, simply ping the IP  
address of that computer.  
Once connected, you can open a browser on the remote PC and enter the LAN IP Address of the  
FWG114P v2, which is http://192.168.0.1 in this example. After a short wait, you should see the  
login screen of the FWG114P v2.  
From the FWG114P v2 to the Client PC  
You can use the FWG114P v2 Diagnostic utilities to test the VPN connection from the FWG114P  
v2 to the client PC. Run ping tests from the Diagnostics link of the FWG114P v2 main menu.  
Monitoring the PC VPN Connection  
Information on the progress and status of the VPN client connection can be viewed by opening the  
Netgear ProSafe VPN Client Connection Monitor or Log Viewer. To launch these functions, click  
on the Windows Start button, then select Programs, then Netgear ProSafe VPN Client, then either  
the Connection Monitor or Log Viewer.  
The Log Viewer screen for a successful connection is similar to the one shown below:  
Figure 8-34: Log Viewer screen  
A sample Connection Monitor screen for a different connection is shown below:  
Figure 8-35: Connection Monitor screen  
In this example the following connection options apply:  
The FWG114P v2 has a public IP WAN address of 66.120.188.153  
The FWG114P v2 has a LAN IP address of 192.168.0.1  
The VPN client PC is behind a home NAT router and has a dynamically assigned address  
of 192.168.0.3  
While the connection is being established, the Connection Name field in this menu will say “SA”  
before the name of the connection. When the connection is successful, the “SA” will change to the  
yellow key symbol shown in the illustration above.  
Viewing the FWG114P v2 VPN Status and Log Information  
Information on the status of the VPN client connection can be viewed by opening the FWG114P  
v2 VPN Status screen. To view this screen, click the VPN Status link on the FWG114P v2 main  
menu.  
The FWG114P v2 VPN Status screen for a successful connection is shown below:  
Figure 8-36: FWG114P v2 VPN Status screen  
Chapter 9  
Maintenance  
This chapter describes how to use the maintenance features of your ProSafe Wireless 802.11g  
Firewall/Print Server Model FWG114P v2. These features are accessed via the Main Menu  
Maintenance heading.  
Viewing Wireless Firewall/Print Server Status Information  
The Router Status menu provides status and usage information. From the main menu of the  
browser interface, click on Maintenance, then select Router Status to view this screen.  
Figure 9-1: Router Status screen  
The Router Status screen shows the following parameters:  
Table 9-1. Status Fields
Field: Description
System Name: The System Name assigned to the router.
Firmware Version: The router firmware version.
Printer Status: The printer status.
WAN Port: These parameters apply to the Internet (WAN) port of the router.
MAC Address: This field displays the MAC address being used by the Internet (WAN) port of the router.
IP Address: This field displays the IP address being used by the Internet (WAN) port of the router. If no address is shown, the router cannot connect to the Internet.
DHCP: This field indicates whether the WAN port DHCP settings are dynamic or static.
IP Subnet Mask: This field displays the IP Subnet Mask being used by the Internet (WAN) port of the router.
Domain Name Server: Identifies the IP address of the DNS server(s).
LAN Port:
MAC Address: The Media Access Control address being used by the LAN port of the router.
IP Address: The IP address being used by the Local (LAN) port of the router. The default is 192.168.0.1.
DHCP: Identifies if the router’s built-in DHCP server is active for the LAN attached devices.
IP Subnet Mask: The IP Subnet Mask being used by the Local (LAN) port of the router. The default is 255.255.255.0.
Wireless Port:
Name (SSID): This field displays the wireless network name (SSID) being used by the wireless port of the router. The default is Wireless.
Region: This field displays the MAC address being used by the wireless port of the router.
Channel/Frequency: Identifies the channel the wireless port is using. See “Wireless Channels” on page E-7 for the frequencies used on each channel.
Mode: Identifies whether the wireless port is set for 802.11b, 802.11g, or both.
Wireless AP: Identifies if the wireless access point is on or off.
Broadcast Name: Identifies if the Name (SSID) is being broadcast.
Serial Port:
Status: The status of the serial port. Click the Details button to view the Serial Port Log, Port Status, Physical Link, PPP Link, PPP IP Address, Phone Line Speed, and Serial Line Speed.
Modem: The status of the modem port.
Dial-In: The status of the Dial-In port.
Internet Access: The status of the serial Internet connection.
LAN-to-LAN: The status of the serial LAN-to-LAN connection.
Click “WAN Status” to display the WAN connection status.  
Figure 9-2: Connection Status screen  
This screen shows the following statistics:
Table 9-1. Connection Status Fields
Field: Description
Connection Time: The length of time the router has been connected to your Internet service provider’s network.
Connection Method: The method used to obtain an IP address from your Internet service provider.
IP Address: The WAN (Internet) IP Address assigned to the router.
Network Mask: The WAN (Internet) Subnet Mask assigned to the router.
Default Gateway: The WAN (Internet) default gateway the router communicates with.
Log action buttons are described in Table 9-2.  
Table 9-2. Connection Status action buttons
Field: Description
Renew: Click the Renew button to renew the DHCP lease.
Click “Show Statistics” to display router usage statistics.  
Figure 9-3: Router Statistics screen  
This screen shows the following statistics:  
Table 9-1. Router Statistics Fields
Field: Description
Interface: The statistics for the WAN (Internet), LAN (local), Wireless, and Serial interfaces. For each interface, the screen displays:
Status: The link status of the interface.
TxPkts: The number of packets transmitted on this interface since reset or manual clear.
RxPkts: The number of packets received on this interface since reset or manual clear.
Collisions: The number of collisions on this interface since reset or manual clear.
Tx B/s: The current transmission (outbound) bandwidth used on the interfaces.
Rx B/s: The current reception (inbound) bandwidth used on the interfaces.
Up Time: The amount of time since the router was last restarted.
Serial Up Time: The time elapsed since this port acquired the link.
Poll Interval: Specifies the intervals at which the statistics are updated in this window. Click on Stop to freeze the display.
WAN Status action buttons are described in Table 9-2.  
Table 9-2. Connection Status action buttons
Field: Description
Set Interval: Enter a time and click the button to set the polling frequency.
Stop: Click the Stop button to freeze the polling information.
Viewing a List of Attached Devices  
The Attached Devices menu contains a table of all IP devices that the router has discovered on the  
local network. From the Main Menu of the browser interface, under the Maintenance heading,  
select Attached Devices to view the table shown below:  
Figure 9-4: Attached Devices menu  
For each device, the table shows the IP address, Device Name (if available), and Ethernet MAC  
address. Note that if the router is rebooted, the table data is lost until the router rediscovers the  
devices. To force the router to look for attached devices, click the Refresh button.  
Upgrading the Router Software  
The routing software of the FWG114P v2 Wireless Firewall/Print Server is stored in FLASH  
memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be  
downloaded from Netgear's Web site. If the upgrade file is compressed (.ZIP file), you must first  
extract the binary file before sending it to the router. The upgrade file can be sent to the router  
using your browser.  
Note: The Web browser used to upload new firmware into the FWG114P v2 Wireless Firewall/  
Print Server must support HTTP uploads. NETGEAR recommends using Microsoft Internet  
Explorer or Netscape Navigator 3.0, or above.  
From the Main Menu of the browser interface, under the Maintenance heading, select the Router  
Upgrade heading.  
To upload new firmware:  
1. Download and unzip the new software file from NETGEAR.  
2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary  
(.IMG) upgrade file.  
3. Click Upload.  
Note: When uploading software to the FWG114P v2, it is important not to interrupt the Web  
browser by closing the window, clicking a link, or loading a new page. If the browser is  
interrupted, it may corrupt the software. When the upload is complete, your router will  
automatically restart. The upgrade process will typically take about one minute.  
In some cases, you may need to reconfigure the router after upgrading.  
Configuration File Management  
The configuration settings of the FWG114P v2 Wireless Firewall/Print Server are stored within the  
router in a configuration file. This file can be saved (backed up) to a user’s computer, retrieved  
(restored) from the user’s computer, or cleared to the factory default settings.  
From the Main Menu of the browser interface, under the Maintenance heading, select the Settings  
Backup heading to bring up the menu shown below.  
Figure 9-5: Settings Backup menu  
Three options are available, and are described in the following sections.  
Restoring and Backing Up the Configuration  
The Restore and Backup options in the Settings Backup menu allow you to save and retrieve a file  
containing your router’s configuration settings.  
To save your settings, click Backup. Your browser will extract the configuration file from the  
router and will prompt you for a location on your computer to store the file. You can give the file a  
meaningful name at this time, such as SBC.cfg.  
To restore your settings from a saved configuration file, enter the full path to the file on your  
computer or click the Browse button to locate the file. When you have located it, click the Restore  
button to send the file to the router. The router will then reboot automatically.  
Erasing the Configuration  
It is sometimes desirable to restore the router to a known blank condition. This can be done by  
using the Erase function, which will restore all factory settings. After an erase, the router's  
password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client  
will be enabled.  
To erase the configuration, click the Erase button.  
To restore the factory default configuration settings without knowing the login password or IP  
address, you must use the Default Reset button on the rear panel of the router. See “Restoring the  
Changing the Administrator Password  
The default password for the router’s Web Configuration Manager is password. Netgear  
recommends that you change this password to a more secure password.  
From the main menu of the browser interface, under the Maintenance heading, select Set Password  
to bring up this menu.  
Figure 9-6: Set Password menu  
To change the password, first enter the old password, and then enter the new password twice. Click  
Apply. To change the login idle timeout, change the number of minutes and click Apply.  
Chapter 10  
Advanced Configuration  
This chapter describes how to configure the advanced features of your ProSafe Wireless 802.11g  
Firewall/Print Server Model FWG114P v2. These features can be found under the Advanced  
heading in the Main Menu of the browser interface.  
Using the WAN Setup Options  
The first feature category under the Advanced heading is WAN Setup. This menu allows  
configuration of a DMZ server, MTU size, port speed, and so on. From the Main Menu of the  
browser interface, under Advanced, click on WAN IP Setup to view the WAN IP Setup menu,  
shown below.  
Figure 10-1: WAN Setup Menu  
The WAN Setup options let you configure a DMZ server, change the MTU size, and set the WAN  
port speed. These options are discussed below.  
Connect Automatically, as Required  
Normally, this option is Enabled, so that an Internet connection will be made automatically  
whenever Internet-bound traffic is detected. In locations where Internet access is billed by the  
minute, if this causes high connection costs, you can disable this setting.  
If disabled, you must connect manually, using the sub-screen accessed from the Router Status  
menu “Show WAN Status” screen.  
Setting Up a Default DMZ Server  
Note: DMZ servers pose a security risk. A computer designated as the default DMZ  
server loses much of the protection of the firewall, and is exposed to attacks from the  
Internet. If compromised, the DMZ server can be used to attack your network.  
The use of the term ‘DMZ’ has become common, although it is a misnomer. In traditional  
firewalls, a DMZ is actually a separate physical network port. A true DMZ port is for  
connecting servers that require greater access from the outside, and will therefore be provided  
with a different level of security by the firewall. A better term for our application is Exposed  
Host.  
The default DMZ server feature is helpful when using some online games and  
videoconferencing applications that are incompatible with NAT. The router is programmed to  
recognize some of these applications and to work properly with them, but there are other  
applications that may not function well. In some cases, one local computer can run the  
application properly if that computer’s IP address is entered as the default DMZ server.  
Incoming traffic from the Internet is normally discarded by the router unless the traffic is a  
response to one of your local computers or a service that you have configured in the Ports  
menu. Instead of discarding this traffic, you can have it forwarded to one computer on your  
network. This computer is called the Default DMZ Server.  
The WAN Setup menu lets you configure a Default DMZ Server.  
To assign a computer or server to be a Default DMZ server, follow these steps:  
1. Click the WAN Setup link in the Advanced section of the main menu.  
2. Type the IP address for that server. To remove the default DMZ server, replace the IP  
address numbers with all zeros.  
3. Click Apply.  
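The forwarding rule described above can be modeled to see what a default DMZ server exposes. This is an added example, not NETGEAR code: the function names, the session and port-rule tables, and all sample addresses are constructed for illustration, and the model is a simplification of the behavior the text describes.

```python
import ipaddress

NO_DMZ = "0.0.0.0"  # per the manual, all zeros removes the default DMZ server


def inbound_disposition(pkt, sessions, port_rules, dmz_host=NO_DMZ):
    """Decide what a simplified model of the router does with one WAN packet.

    pkt        -- dict with proto, src, sport, dport
    sessions   -- {(proto, remote_ip, remote_port, wan_port): lan_ip} for
                  connections that were opened from the LAN
    port_rules -- {(proto, wan_port): lan_ip} services set in the Ports menu
    Returns (action, lan_ip_or_None, reason).
    """
    key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dport"])
    if key in sessions:
        return ("forward", sessions[key], "response to a local computer")
    rule = port_rules.get((pkt["proto"], pkt["dport"]))
    if rule:
        return ("forward", rule, "service configured in the Ports menu")
    if ipaddress.ip_address(dmz_host) != ipaddress.ip_address(NO_DMZ):
        return ("forward", dmz_host, "default DMZ server")
    return ("discard", None, "unsolicited")


def exposure(probes, sessions, port_rules, dmz_host=NO_DMZ):
    """Map each LAN host to the sorted (proto, port) pairs that reach it."""
    reached = {}
    for pkt in probes:
        action, host, _ = inbound_disposition(pkt, sessions, port_rules, dmz_host)
        if action == "forward":
            reached.setdefault(host, set()).add((pkt["proto"], pkt["dport"]))
    return {host: sorted(ports) for host, ports in reached.items()}


# Constructed sample state: one outbound HTTPS session and one inbound rule.
SESSIONS = {("tcp", "198.51.100.20", 443, 40001): "192.168.0.10"}
PORT_RULES = {("tcp", 80): "192.168.0.5"}

# Constructed unsolicited packets arriving on the WAN port.
PROBES = [
    {"proto": "tcp", "src": "203.0.113.50", "sport": 51000, "dport": 22},
    {"proto": "tcp", "src": "203.0.113.50", "sport": 51001, "dport": 80},
    {"proto": "tcp", "src": "203.0.113.50", "sport": 51002, "dport": 445},
    {"proto": "udp", "src": "203.0.113.50", "sport": 51003, "dport": 161},
    {"proto": "tcp", "src": "203.0.113.50", "sport": 51004, "dport": 3389},
]

if __name__ == "__main__":
    print("no DMZ :", exposure(PROBES, SESSIONS, PORT_RULES))
    print("DMZ set:", exposure(PROBES, SESSIONS, PORT_RULES, "192.168.0.20"))
```

With no DMZ server only the configured service is reachable; once an address is entered, every otherwise-discarded packet lands on that one host, which is why it needs its own host firewall and patching.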
Respond to Ping on Internet WAN Port  
If you want the router to respond to a 'ping' from the Internet, click the ‘Respond to Ping on  
Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows  
your router to be discovered. Do not check this box unless you have a specific reason to do so.  
Setting the MTU Size  
The default MTU size is usually fine. The normal MTU (Maximum Transmission Unit) value for  
most Ethernet networks is 1500 Bytes. For some ISPs, particularly those using PPPoE, you  
may need to reduce the MTU. This should not be done unless you are sure it is necessary for  
your ISP.  
Any packets sent through the router that are larger than the configured MTU size will be  
repackaged into smaller packets to meet the MTU requirement. To change the MTU size,  
under MTU Size, enter a new size between 64 and 1500. Then, click Apply to save the new  
configuration.  
Setting the WAN Port Speed  
In most cases, your router can automatically determine (AutoSense) the connection speed of  
the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED  
blinks continuously, you may need to manually select the port speed.  
If you know that the Ethernet port on your broadband modem supports 100BaseT, select  
100M; otherwise, select 10M.  
How to Configure Dynamic DNS  
If your network has a permanently assigned IP address, you can register a domain name and have  
that name linked with your IP address by public Domain Name Servers (DNS). However, if your  
Internet account uses a dynamically assigned IP address, you will not know in advance what your  
IP address will be, and the address can change frequently. In this case, you can use a commercial  
dynamic DNS service, which will allow you to register your domain to their IP address, and will  
forward traffic directed to your domain to your frequently-changing IP address.  
The router contains a client that can connect to a dynamic DNS service provider. To use this  
feature, you must select a service provider and obtain an account with them. After you have  
configured your account information in the router, whenever your ISP-assigned IP address  
changes, your router will automatically contact your dynamic DNS service provider, log in to your  
account, and register your new IP address.  
1. Log in to the router at its default LAN address of http://192.168.0.1, with its default user name  
of admin, default password of password, or using whatever password and LAN address you  
have chosen for the router.  
2. From the Main Menu of the browser interface, under Advanced, click on Dynamic DNS.  
3. Access the website of one of the dynamic DNS service providers whose names appear in the  
‘Select Service Provider’ box, and register for an account.  
For example, for dyndns.org, go to www.dyndns.org.  
4. Select the “Use a dynamic DNS service” check box.  
5. Select the name of your dynamic DNS Service Provider.  
6. Type the host name that your dynamic DNS service provider gave you.  
The dynamic DNS service provider may call this the domain name. If your URL is  
myName.dyndns.org, then your host name is “myName.”  
7. Type the user name for your dynamic DNS account.  
8. Type the password (or key) for your dynamic DNS account.  
9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may  
select the Use wildcards check box to activate this feature.  
For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same  
IP address as yourhost.dyndns.org  
10. Click Apply to save your configuration.  
Note: If your ISP assigns a private WAN IP address, such as 192.168.x.x or 10.x.x.x,  
the dynamic DNS service will not work because private addresses will not be routed on  
the Internet.  
Using the LAN IP Setup Options  
The second feature category under the Advanced heading is LAN IP Setup. This menu allows  
configuration of LAN IP services, such as DHCP and RIP. From the Main Menu of the browser  
interface, under Advanced, click on LAN IP Setup to view the LAN IP Setup menu, shown below.  
Figure 10-2: LAN IP Setup Menu  
Configuring LAN TCP/IP Setup Parameters  
The router is shipped preconfigured to use private IP addresses on the LAN side, and to act as a  
DHCP server. The router’s default LAN IP configuration is:  
LAN IP addresses—192.168.0.1  
Subnet mask—255.255.255.0  
These addresses are part of the IETF-designated private address range for use in private networks,  
and should be suitable in most applications. If your network has a requirement to use a different IP  
addressing scheme, you can make those changes in this menu.  
The LAN IP parameters are:  
IP Address  
This is the LAN IP address of the router.  
IP Subnet Mask  
This is the LAN Subnet Mask of the router. Combined with the IP address, the IP Subnet Mask  
allows a device to know which other addresses are local to it, and which must be reached  
through a gateway or router.  
RIP Direction  
RIP (Routing Information Protocol) allows a router to exchange routing information with other  
routers. The RIP Direction selection controls how the router sends and receives RIP packets.  
Both is the default.  
— When set to Both or Out Only, the router will broadcast its routing table periodically.  
— When set to Both or In Only, it will incorporate the RIP information that it receives.  
— When set to None, it will not send any RIP packets and will ignore any RIP packets  
received.  
RIP Version  
This controls the format and the broadcasting method of the RIP packets that the router sends.  
(It recognizes both formats when receiving.) By default, this is set for RIP-1.  
— RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you  
have an unusual network setup.  
— RIP-2 carries more information. RIP-2B uses subnet broadcasting.  
Note: If you change the LAN IP address of the router while connected through the  
browser, you will be disconnected. You must then open a new connection to the new IP  
address and log in again.  
Using the Router as a DHCP server  
By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server,  
allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to  
the router's LAN. The assigned default gateway address is the LAN address of the router. IP  
addresses will be assigned to the attached PCs from a pool of addresses specified in this menu.  
Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.  
For most applications, the default DHCP and TCP/IP settings of the router are satisfactory.  
If another device on your network will be the DHCP server, or if you will manually configure the  
network settings of all of your computers, clear the ‘Use router as DHCP server’ check box.  
Otherwise, leave it checked.  
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP  
Address. These addresses should be part of the same IP address subnet as the router’s LAN IP  
address. Using the default addressing scheme, you should define a range between 192.168.0.2 and  
192.168.0.253, although you may wish to save part of the range for devices with fixed addresses.  
The router will deliver the following parameters to any LAN device that requests DHCP:  
An IP Address from the range you have defined.  
Subnet Mask.  
Gateway IP Address (the router’s LAN IP address).  
Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu;  
otherwise, the router’s LAN IP address).  
Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu).  
Using Address Reservation  
When you specify a reserved IP address for a computer on the LAN, that computer will always  
receive the same IP address each time it accesses the router’s DHCP server. Reserved IP addresses  
should be assigned to servers that require permanent IP settings.  
To reserve an IP address:  
1. Click the Add button.  
2. In the IP Address box, type the IP address to assign to the computer or server.  
(choose an IP address from the router’s LAN subnet, such as 192.168.0.X)  
3. Type the MAC Address of the computer or server.  
(Tip: If the computer is already present on your network, you can copy its MAC address from  
the Attached Devices menu and paste it here.)  
4. Click Apply to enter the reserved address into the table.  
Note: The reserved address will not be assigned until the next time the computer contacts the  
router's DHCP server. Reboot the computer or access its IP configuration and force a DHCP  
release and renew.  
To edit or delete a reserved address entry:  
1. Click the button next to the reserved address you want to edit or delete.  
2. Click Edit or Delete.  
Configuring Static Routes  
Static Routes provide additional routing information to your router. Under normal circumstances,  
the router has adequate routing information after it has been configured for Internet access, and  
you do not need to configure additional static routes. You must configure static routes only for  
unusual cases, such as multiple routers or multiple IP subnets located on your network.  
From the Main Menu of the browser interface, under Advanced, click on Static Routes to view the  
Static Route menu.  
To add or edit a Static Route:  
1. Click the Add button to open the Static Routes menu.  
Figure 10-3: Static Route Entry and Edit Menu  
2. Type a route name for this static route in the Route Name box.  
(This is for identification purposes only.)  
3. Select Active to make this route effective.  
4. Select Private if you want to limit access to the LAN only. The static route will not be reported  
in RIP.  
5. Type the Destination IP Address of the final destination.  
6. Type the IP Subnet Mask for this destination.  
If the destination is a single host, type 255.255.255.254.  
7. Type the Gateway IP Address, which must be a router on the same LAN segment as the router.  
8. Type a number between 1 and 15 as the Metric value.  
This represents the number of routers between your network and the destination. Usually, a  
setting of 2 or 3 works, but if this is a direct connection, set it to 1.  
9. Click Apply to have the static route entered into the table.  
As an example of when a static route is needed, consider the following case:  
Your primary Internet access is through a cable modem to an ISP.  
You have an ISDN router on your home network for connecting to the company where  
you are employed. This router’s address on your LAN is 192.168.0.100.  
Your company’s network is 134.177.0.0.  
When you first configured your router, two implicit static routes were created. A default route was  
created with your ISP as the gateway, and a second static route was created to your local network  
for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the  
134.177.0.0 network, your router will forward your request to the ISP. The ISP forwards your  
request to the company where you are employed, and the request will likely be denied by the  
company’s firewall.  
In this case you must define a static route, telling your router that 134.177.0.0 should be accessed  
through the ISDN router at 192.168.0.100. The static route would look like Figure 10-3.  
In this example:  
The Destination IP Address and IP Subnet Mask fields specify that this static route applies to  
all 134.177.x.x addresses.  
The Gateway IP Address field specifies that all traffic for these addresses should be  
forwarded to the ISDN router at 192.168.0.100.  
A Metric value of 1 will work since the ISDN router is on the LAN.  
Private is selected only as a precautionary security measure in case RIP is activated.  
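The route selection in this example can be reproduced with a longest-prefix-match lookup, together with the entry checks the steps above call for (gateway on the router's LAN segment, metric from 1 to 15). This is an added example, not NETGEAR code: the function names and the "ISP" and "direct" labels are constructed, and the 255.255.0.0 mask is an assumption inferred from "all 134.177.x.x addresses".

```python
import ipaddress

# Router LAN defaults from the manual.
LAN_IP = "192.168.0.1"
LAN_MASK = "255.255.255.0"

# The two implicit routes the text describes. "ISP" and "direct" are labels
# chosen for this example, not values the router displays.
IMPLICIT_ROUTES = [
    {"name": "default", "dest": "0.0.0.0", "mask": "0.0.0.0",
     "gateway": "ISP", "metric": 1, "active": True, "private": False},
    {"name": "lan", "dest": "192.168.0.0", "mask": "255.255.255.0",
     "gateway": "direct", "metric": 1, "active": True, "private": False},
]

# The static route from the text. The mask is an assumption (see lead-in).
COMPANY_ROUTE = {"name": "company", "dest": "134.177.0.0", "mask": "255.255.0.0",
                 "gateway": "192.168.0.100", "metric": 1,
                 "active": True, "private": True}


def validate_static_route(route, lan_ip=LAN_IP, lan_mask=LAN_MASK):
    """Return a list of problems with a static route entry (empty if none)."""
    problems = []
    lan = ipaddress.ip_network(f"{lan_ip}/{lan_mask}", strict=False)
    try:
        # strict parsing rejects a destination with host bits set for the mask
        ipaddress.ip_network(f"{route['dest']}/{route['mask']}")
    except ValueError:
        problems.append("destination and mask do not form a valid network")
    try:
        gateway = ipaddress.ip_address(route["gateway"])
    except ValueError:
        problems.append("gateway is not a valid IP address")
    else:
        if gateway not in lan:
            problems.append("gateway is not on the router's LAN segment")
        elif gateway == ipaddress.ip_address(lan_ip):
            problems.append("gateway is the router itself")
    if not 1 <= route["metric"] <= 15:
        problems.append("metric must be between 1 and 15")
    return problems


def next_hop(dest_ip, routes):
    """Longest-prefix match over active routes; lowest metric breaks ties."""
    addr = ipaddress.ip_address(dest_ip)
    best = None
    for route in routes:
        if not route["active"]:
            continue
        net = ipaddress.ip_network(f"{route['dest']}/{route['mask']}")
        if addr not in net:
            continue
        key = (net.prefixlen, -route["metric"])
        if best is None or key > best[0]:
            best = (key, route)
    return best[1]["gateway"] if best else None


def reported_in_rip(static_routes):
    """Names of static routes not marked Private, which RIP would report."""
    return [r["name"] for r in static_routes if not r["private"]]


if __name__ == "__main__":
    target = "134.177.5.9"  # constructed host on the company network
    print("without static route:", next_hop(target, IMPLICIT_ROUTES))
    print("with static route   :", next_hop(target, IMPLICIT_ROUTES + [COMPANY_ROUTE]))
    print("entry problems      :", validate_static_route(COMPANY_ROUTE))
```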
Enabling Remote Management Access  
Using the Remote Management page, you can allow a user or users on the Internet to configure,  
upgrade and check the status of your FWG114P v2 Wireless Firewall/Print Server.  
Note: Be sure to change the router's default configuration password to a very secure  
password. The ideal password should contain no dictionary words from any language,  
and should be a mixture of letters (both upper and lower case), numbers, and symbols.  
Your password can be up to 30 characters.  
To configure your router for Remote Management:  
1. Select the Turn Remote Management On check box.  
2. Specify what external addresses will be allowed to access the router’s remote management.  
Note: For enhanced security, restrict access to as few external IP addresses as practical.  
a. To allow access from any IP address on the Internet, select Everyone.  
b. To allow access from a range of IP addresses on the Internet, select IP address range.  
Enter a beginning and ending IP address to define the allowed range.  
c. To allow access from a single IP address on the Internet, select Only this computer.  
Enter the IP address that will be allowed access.  
3. Specify the Port Number that will be used for accessing the management interface.  
Web browser access normally uses the standard HTTP service port 80. For greater security,  
you can change the remote management Web interface to a custom port by entering that  
number in the box provided. Choose a number between 1024 and 65535, but do not use the  
number of any common service port. The default is 8080, which is a common alternate for  
HTTP.  
4. Click Apply to have your changes take effect.  
Note: When accessing your router from the Internet, you will type your router's WAN IP address  
into your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the  
custom port number. For example, if your external address is 134.177.0.123 and you use port  
number 8080, you must enter in your browser: http://134.177.0.123:8080  
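The guidance in this section (change the default password, admit as few external addresses as practical, choose a non-standard port) can be checked against a planned configuration before it is applied. This is an added example, not NETGEAR code: the configuration dictionary layout, the function names, the list of common service ports, the range-size threshold, and the sample addresses and password are all constructed, and the dictionary-word rule is not checked.

```python
import ipaddress
import string

DEFAULT_PASSWORD = "password"  # factory default stated in the manual
DEFAULT_PORT = 8080            # default remote management port in the manual
MAX_PASSWORD_LEN = 30          # maximum length stated in the manual
# Constructed, illustrative list of common service ports above 1023.
COMMON_SERVICE_PORTS = {1433, 1723, 3306, 3389, 5900}
RANGE_REVIEW_SIZE = 256        # arbitrary threshold chosen for this example


def password_findings(password):
    """Check the password against the manual's advice (no word-list check)."""
    findings = []
    if password == DEFAULT_PASSWORD:
        findings.append("password is the factory default")
    if len(password) > MAX_PASSWORD_LEN:
        findings.append("password exceeds 30 characters")
    classes = {
        "lower-case letter": any(c.islower() for c in password),
        "upper-case letter": any(c.isupper() for c in password),
        "number": any(c.isdigit() for c in password),
        "symbol": any(c in string.punctuation for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("password lacks: " + ", ".join(missing))
    return findings


def allowed_span(cfg):
    """Return (first, last) admitted source addresses, or None if disabled."""
    if not cfg["enabled"]:
        return None
    if cfg["access"] == "everyone":
        return (ipaddress.ip_address("0.0.0.0"),
                ipaddress.ip_address("255.255.255.255"))
    if cfg["access"] == "range":
        first = ipaddress.ip_address(cfg["start"])
        last = ipaddress.ip_address(cfg["end"])
        if first > last:
            raise ValueError("range start is after range end")
        return (first, last)
    if cfg["access"] == "single":
        only = ipaddress.ip_address(cfg["ip"])
        return (only, only)
    raise ValueError("unknown access mode: " + repr(cfg["access"]))


def is_admitted(src_ip, cfg):
    """Would this source address be allowed to reach remote management?"""
    span = allowed_span(cfg)
    if span is None:
        return False
    return span[0] <= ipaddress.ip_address(src_ip) <= span[1]


def audit(cfg):
    """Return findings for a remote management configuration."""
    if not cfg["enabled"]:
        return []
    findings = password_findings(cfg["password"])
    first, last = allowed_span(cfg)
    size = int(last) - int(first) + 1
    if cfg["access"] == "everyone":
        findings.append("management is reachable from any Internet address")
    elif size > RANGE_REVIEW_SIZE:
        findings.append(f"IP address range admits {size} addresses")
    port = cfg["port"]
    if not 1024 <= port <= 65535:
        findings.append(f"port {port} is outside 1024-65535")
    elif port == DEFAULT_PORT:
        findings.append("port 8080 is the factory default, a common alternate for HTTP")
    elif port in COMMON_SERVICE_PORTS:
        findings.append(f"port {port} is a common service port")
    return findings


# Constructed sample configurations.
WEAK = {"enabled": True, "access": "everyone", "port": 8080,
        "password": "password"}
HARDENED = {"enabled": True, "access": "single", "ip": "203.0.113.10",
            "port": 47231, "password": "r7#Qm!2zLp9&Wd"}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "no findings")
```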
Using Universal Plug and Play (UPnP)  
Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access  
the network and connect to other devices as needed. UPnP devices can automatically discover the  
services from other registered UPnP devices on the network.  
Figure 10-4: UPnP Menu  
Turn UPnP On: UPnP can be enabled or disabled for automatic device configuration. The default  
setting for UPnP is enabled. If disabled, the router will not allow any device to automatically  
control the resources, such as port forwarding (mapping), of the router.  
Advertisement Period: The Advertisement Period is how often the router will broadcast its UPnP  
information. This value can range from 1 to 1440 minutes. The default period is 30 minutes.  
Shorter durations will ensure that control points have current device status at the expense of  
additional network traffic. Longer durations may compromise the freshness of the device status but  
can significantly reduce network traffic.  
Advertisement Time To Live: The time to live for the advertisement is measured in hops (steps)  
for each UPnP packet sent. The time to live hop count is the number of steps a broadcast packet is  
allowed to propagate for each UPnP advertisement before it disappears. The number of hops can  
range from 1 to 255. The default value for the advertisement time to live is 4 hops, which should  
be fine for most home networks. If you notice that some devices are not being updated or reached  
correctly, then it may be necessary to increase this value a little.  
UPnP Portmap Table: The UPnP Portmap Table displays the IP address of each UPnP device that  
is currently accessing the router and which ports (Internal and External) that device has opened.  
The UPnP Portmap Table also displays what type of port is opened and if that port is still active for  
each IP address.  
Advanced Wireless Settings  
Note: Incorrectly changing these settings can prevent the wireless functions from working.  
Figure 10-5: Advanced Wireless Settings menu  
These settings normally do not need to be changed.  
WMM support  
WMM (Wireless Multimedia) is a subset of the 802.11e standard. WMM allows wireless  
traffic to have a range of priorities, depending on the kind of data. Time-dependent  
information, like video or audio, will have a higher priority than normal traffic. For WMM to  
function correctly, wireless clients must also support WMM. The default is Disable.  
RTS Threshold  
Request to Send Threshold. The packet size that determines whether the  
CSMA/CD (Carrier Sense Multiple Access with Collision Detection) mechanism or the  
CSMA/CA mechanism is used for packet transmission. With the CSMA/CD transmission  
mechanism, the transmitting station sends out the actual packet as soon as it has waited for the  
silence period. With the CSMA/CA transmission mechanism, the transmitting station sends  
out an RTS packet to the receiving station, and waits for the receiving station to send back a  
CTS (Clear to Send) packet before sending the actual packet data.  
Fragmentation Length  
This is the maximum packet size used for fragmentation. Packets larger than the size  
programmed in this field will be fragmented. The Fragment Threshold value must be larger  
than the RTS Threshold value.  
Beacon Interval  
Specifies the data beacon rate between 20 and 1000.  
DTIM  
The Delivery Traffic Indication Message. Specifies the data beacon rate between 1 and 255.  
Preamble Type  
A long transmit preamble may provide a more reliable connection or slightly longer range. A  
short transmit preamble gives better performance.  
Chapter 11  
Troubleshooting  
This chapter gives information about troubleshooting your ProSafe Wireless 802.11g Firewall/  
Print Server Model FWG114P v2. After each problem description, instructions are provided to  
help you diagnose and solve the problem.  
Basic Functioning  
After you turn on power to the router, the following sequence of events should occur:  
1. When power is first applied, verify that the PWR LED is on.  
2. After approximately 10 seconds, verify that:  
a. The TEST LED is not lit.  
b. The LAN port LEDs are lit for any local ports that are connected.  
If a port’s LED is lit, a link has been established to the connected device. If a LAN port is  
connected to a 100 Mbps device, verify that the port’s LED is green. If the port is 10  
Mbps, the LED will be OFF.  
c. The Internet port LED is lit.  
If any of these conditions does not occur, refer to the appropriate following section.  
Power LED Not On  
If the Power and other LEDs are off when your router is turned on:  
Make sure that the power cord is properly connected to your router and that the power supply  
adapter is properly connected to a functioning power outlet.  
Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.  
If the error persists, you have a hardware problem and should contact technical support.  
LEDs Never Turn Off  
When the router is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the  
LEDs stay on, there is a fault within the router.  
If all LEDs are still on one minute after power up:  
Cycle the power to see if the router recovers.  
Clear the router’s configuration to the factory defaults. This will set the router’s IP address to  
192.168.0.1. This procedure is explained in “Restoring the Default Configuration and  
If the error persists, you might have a hardware problem and should contact technical support.  
LAN or Internet Port LEDs Not On  
If either the LAN LEDs or the Internet LED do not light when the Ethernet connection is made,  
check the following:  
Make sure that the Ethernet cable connections are secure at the router and at the hub or  
workstation.  
Make sure that power is turned on to the connected hub or workstation.  
Be sure you are using the correct cable:  
When connecting the router’s Internet port to a broadband modem, use the cable that was  
supplied with the broadband modem. This cable could be a standard straight-through Ethernet  
cable or an Ethernet crossover cable.  
Troubleshooting the Web Configuration Interface  
If you are unable to access the router’s Web Configuration interface from a computer on your local  
network, check the following:  
Check the Ethernet connection between the computer and the router as described in the  
previous section.  
Make sure your computer’s IP address is on the same subnet as the router. If you are using the  
recommended addressing scheme, your computer’s address should be in the range of  
192.168.0.2 to 192.168.0.254.  
Note: If your computer’s IP address is shown as 169.254.x.x: Recent versions of Windows  
and MacOS will generate and assign an IP address if the computer cannot reach a DHCP  
server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in  
this range, check the connection from the computer to the router and reboot your computer.  
If your router’s IP address has been changed and you do not know the current IP address, clear  
the router’s configuration to the factory defaults. This will set the router’s IP address to  
192.168.0.1. This procedure is explained in “Restoring the Default Configuration and  
Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet  
Explorer, click Refresh to be sure the Java applet is loaded.  
Try quitting the browser and launching it again.  
Make sure you are using the correct login information. The factory default login name is  
admin and the password is password. Make sure that CAPS LOCK is off when entering this  
information.  
If the router does not save changes you have made in the Web Configuration Interface, check the  
following:  
When entering configuration settings, be sure to click the APPLY button before moving to  
another menu or tab, or your changes will be lost.  
Click the Refresh or Reload button in the Web browser. The changes may have occurred, but  
the Web browser may be caching the old configuration.  
Troubleshooting the ISP Connection  
If your router is unable to access the Internet, you should first determine whether the router is able  
to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your  
router must request an IP address from the ISP. You can determine whether the request was  
successful using the Web Configuration Manager.  
To check the WAN IP address:  
1. Launch your browser and select an external site, such as www.netgear.com.  
2. Access the Main Menu of the router’s configuration at http://192.168.0.1.  
3. Under the Maintenance heading, select Router Status.  
4. Check that an IP address is shown for the WAN Port.  
If 0.0.0.0 is shown, your router has not obtained an IP address from your ISP.  
If your router is unable to obtain an IP address from the ISP, you may need to force your  
broadband modem to recognize your new router by performing the following procedure:  
1. Turn off power to the broadband modem.  
2. Turn off power to your router.  
3. Wait five minutes and reapply power to the broadband modem.  
4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to  
your router.  
If your router is still unable to obtain an IP address from the ISP, the problem may be one of the  
following:  
Your ISP may require a login program.  
Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.  
If your ISP requires a login, you may have incorrectly set the login name and password.  
Your ISP may check for your computer's host name.  
Assign the computer Host Name of your ISP account as the Account Name in the Basic  
Settings menu.  
Your ISP only allows one Ethernet MAC address to connect to Internet, and may check for  
your computer’s MAC address. In this case:  
Inform your ISP that you have bought a new network device and ask them to use the router’s  
MAC address.  
OR  
Configure your router to spoof your computer’s MAC address. This can be done in the Basic  
If your router can obtain an IP address, but your computer is unable to load any Web pages from  
the Internet:  
Your computer may not recognize any DNS server addresses.  
A DNS server is a host on the Internet that translates Internet names (such as www addresses)  
to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS  
servers for your use. Alternatively, you may configure your computer manually with DNS  
addresses, as explained in your operating system documentation.  
Your computer may not have the router configured as its TCP/IP gateway.  
If your computer obtains its information from the router by DHCP, reboot the computer and  
verify the gateway address.  
Troubleshooting a TCP/IP Network Using a Ping Utility  
Most TCP/IP terminal devices and routers contain a ping utility that sends an echo request packet  
to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP  
network is made very easy by using the ping utility in your computer or workstation.  
Testing the LAN Path to Your Router  
You can ping the router from your computer to verify that the LAN path to your router is set up  
correctly.  
To ping the router from a computer running Windows 95 or later:  
1. From the Windows toolbar, click on the Start button and select Run.  
2. In the field provided, type Ping followed by the IP address of the router, as in this example:  
ping 192.168.0.1  
3. Click on OK.  
You should see a message like this one:  
Pinging <IP address> with 32 bytes of data  
If the path is working, you see this message:  
Reply from < IP address >: bytes=32 time=NN ms TTL=xxx  
If the path is not working, you see this message:  
Request timed out  
If the path is not functioning correctly, you could have one of the following problems:  
Wrong physical connections  
— Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN  
— Check that the corresponding Link LEDs are on for your network interface card and  
for the hub ports (if any) that are connected to your workstation and router.  
Wrong network configuration  
Verify that the Ethernet card driver software and TCP/IP software are both installed  
and configured on your computer or workstation.  
Verify that the IP address for your router and your workstation are correct and that the  
addresses are on the same subnet.  
Testing the Path from Your Computer to a Remote Device  
After verifying that the LAN path works correctly, test the path from your computer to a remote  
device. From the Windows run menu, type:  
PING -n 10 <IP address>  
where <IP address> is the IP address of a remote device, such as your ISP’s DNS server.  
If the path is functioning correctly, replies as in the previous section are displayed. If you do not  
receive replies:  
— Check that your computer has the IP address of your router listed as the default gateway. If  
the IP configuration of your computer is assigned by DHCP, this information will not be  
visible in your computer’s Network Control Panel. Verify that the IP address of the router  
is listed as the default gateway.  
— Check to see that the network address of your computer (the portion of the IP address  
specified by the netmask) is different from the network address of the remote device.  
— Check that your broadband modem is connected and functioning.  
— If your ISP assigned a host name to your computer, enter that host name as the Account  
Name in the Basic Settings menu.  
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many  
broadband ISPs restrict access by only allowing traffic from the MAC address of your  
broadband modem, but some ISPs additionally restrict access to the MAC address of a  
single computer connected to that modem. If this is the case, you must configure your  
router to “clone” or “spoof” the MAC address from the authorized computer. Refer to  
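The address checks in the two ping procedures above (router and workstation on the same subnet, router listed as default gateway, remote device on a different network) can be run against a workstation's settings. This Python example is added here and is not part of the manual; check_ip_config is a hypothetical helper, and the workstation and remote addresses are constructed samples.

```python
import ipaddress

def check_ip_config(host_ip, netmask, gateway_ip, remote_ip):
    """Return a list of problems found in one workstation's IP settings."""
    try:
        # ip_interface rejects malformed addresses and non-contiguous masks.
        iface = ipaddress.ip_interface(f"{host_ip}/{netmask}")
        gateway = ipaddress.ip_address(gateway_ip)
        remote = ipaddress.ip_address(remote_ip)
    except ValueError as err:
        return [f"invalid setting: {err}"]

    net = iface.network
    problems = []
    # Host part all zeros or all ones: network or broadcast address.
    if net.prefixlen <= 30 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append("workstation uses the network or broadcast address")
    # The router is only reachable directly if it shares the workstation's subnet.
    if gateway not in net:
        problems.append("default gateway is not on the workstation's subnet")
    elif gateway == iface.ip:
        problems.append("default gateway is the workstation's own address")
    # A target inside the local subnet is answered without crossing the router,
    # so it says nothing about the path to a remote device.
    if remote in net:
        problems.append("remote target is on the local subnet")
    return problems

# Constructed sample settings; 192.168.0.1 is the router default from this manual,
# 198.51.100.53 is a documentation address standing in for an ISP DNS server.
SAMPLES = {
    "good": ("192.168.0.2", "255.255.255.0", "192.168.0.1", "198.51.100.53"),
    "wrong subnet": ("192.168.1.2", "255.255.255.0", "192.168.0.1", "198.51.100.53"),
    "local target": ("192.168.0.2", "255.255.255.0", "192.168.0.1", "192.168.0.50"),
    "bad mask": ("192.168.0.2", "255.0.255.0", "192.168.0.1", "198.51.100.53"),
}

if __name__ == "__main__":
    for name, settings in SAMPLES.items():
        print(name, "->", check_ip_config(*settings) or "ok")
```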
Restoring the Default Configuration and Password  
This section explains how to restore the factory default configuration settings, which resets the  
router’s administration password to “password” and the IP address to 192.168.0.1. You can erase the  
current configuration and restore factory defaults in two ways:  
Use the Erase function of the router (see “Erasing the Configuration” on page 9-9).  
Use the Default Reset button on the rear panel of the router. Use this method for cases when  
the administration password or IP address is not known.  
To restore the factory default configuration settings without knowing the administration password  
or IP address, you must use the Default Reset button on the rear panel of the router.  
1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).  
2. Release the Default Reset button and wait for the router to reboot.  
Problems with Date and Time  
The E-Mail menu in the Content Filtering section displays the current date and time of day. The  
FWG114P v2 Wireless Firewall/Print Server uses the Network Time Protocol (NTP) to obtain the  
current time from one of several Network Time Servers on the Internet. Each entry in the log is  
stamped with the date and time of day. Problems with the date and time function can include:  
Date shown is January 1, 2000. Cause: The router has not yet successfully reached a Network  
Time Server. Check that your Internet access settings are configured correctly. If you have just  
completed configuring the router, wait at least five minutes and check the date and time again.  
Time is off by one hour. Cause: The router does not automatically sense Daylight Savings  
Time. In the E-Mail menu, check or uncheck the box marked “Adjust for Daylight Savings  
Time”.  
Appendix A  
Technical Specifications  
This appendix provides technical specifications for the ProSafe Wireless 802.11g Firewall/Print  
Server Model FWG114P v2.  
Network Protocol and Standards Compatibility  
Data and Routing  
Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)  
VPN  
Protocols: IPSec, SHA-1, MD5, DES, 3DES, ESP, DH1, DH2  
Tunnels: 2 IPSec Tunnels  
Power Adapter  
North America: 120V, 60 Hz, input  
United Kingdom, Australia: 240V, 50 Hz, input  
Europe: 230V, 50 Hz, input  
Japan: 100V, 50/60 Hz, input  
All regions (output): 12 V DC @ 1.2 A output, 18W maximum  
Physical Specifications  
Dimensions: H: 32 x L: 188 x W: 124 mm (1.25 x 7.4 x 4.9 in.)  
Weight: 0.64 kg (1.4 lb)  
Environmental Specifications  
Operating temperature: 0° to 40° C (32° to 104° F)  
Operating humidity: 90% maximum relative humidity, noncondensing  
Electromagnetic Emissions  
For North America and Australia: FCC Part 15 Class B  
For Japan: VCCI Class B  
For Europe: EN 300 328, EN 301 489-17, EN 301 489-1, EN 60950  
Interface Specifications  
LAN: 10BASE-T or 100BASE-Tx, RJ-45  
WAN: 10BASE-T or 100BASE-Tx  
Printer: USB v1.1  
Serial: RS-232 male DB-9 connector  
Wireless  
Data Encoding:  
802.11b: Direct Sequence Spread Spectrum (DSSS)  
802.11g: Orthogonal Frequency Division Multiplexing (OFDM)  
Maximum Computers Per Wireless Network: Limited by the amount of wireless network traffic generated by each  
node. Typically 30-70 nodes.  
802.11b and g Radio Data Rate: 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, and 54 Mbps (Auto-rate capable)  
802.11b and g Transmit Power and Receive Sensitivity:  
Data Rate        Maximum Transmit Power   Receive Sensitivity  
54 Mbps, 11g     14.5 dBm typical         -72 dBm typical  
48 Mbps, 11g     14.5 dBm typical         -75 dBm typical  
36 Mbps, 11g     15.5 dBm typical         -80 dBm typical  
24 Mbps, 11g     15.5 dBm typical         -82 dBm typical  
18 Mbps, 11g     16.5 dBm typical         -84 dBm typical  
12 Mbps, 11g     16.5 dBm typical         -85 dBm typical  
6 Mbps, 11g      16.5 dBm typical         -86 dBm typical  
11 Mbps, 11b     17.5 dBm typical         -83 dBm typical  
5.5 Mbps, 11b    17.5 dBm typical         -86 dBm typical  
2 Mbps, 11b      17.5 dBm typical         -89 dBm typical  
1 Mbps, 11b      17.5 dBm typical         -92 dBm typical  
Note: For Europe, the maximum transmit power does not exceed +15 dBm  
Antenna: External detachable 5 dBi omnidirectional  
802.11 Security: 40-bits (also called 64-bits), 128-bits WEP data encryption, and WPA  
Appendix B  
Networks, Routing, and Firewall Basics  
This appendix provides an overview of IP networks, routing, and firewalls.  
Related Publications  
As you read this document, you may be directed to various RFC documents for further  
information. An RFC (Request For Comment) is a document published by the Internet Engineering  
Task Force (IETF), an open organization that defines the architecture and operation of the Internet.  
The RFC documents outline and define the standard protocols and procedures for the Internet. The  
documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at  
many other sites worldwide.  
Basic Router Concepts  
Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area  
network (LAN). However, providing high bandwidth between a local network and the Internet can  
be very expensive. Because of this expense, Internet access is usually provided by a slower-speed  
wide-area network (WAN) link, such as a cable or DSL modem. In order to make the best use of  
the slower WAN link, a mechanism must be in place for selecting and transmitting only the data  
traffic meant for the Internet. The function of selecting and forwarding this data is performed by a  
router.  
What is a Router?  
A router is a device that forwards traffic between networks based on network layer information in  
the data and on routing tables maintained by the router. In these routing tables, a router builds up a  
logical picture of the overall network by gathering and exchanging information with other routers  
in the network. Using this information, the router chooses the best path for forwarding network  
traffic.  
Routers vary in performance and scale, number of routing protocols supported, and types of  
physical WAN connection they support.  
Routing Information Protocol  
One of the protocols used by a router to build and maintain a picture of the network is the Routing  
Information Protocol (RIP). Using RIP, routers periodically update one another and check for  
changes to add to the routing table.  
The FWG114P v2 Wireless Firewall/Print Server supports both the older RIP-1 and the newer  
RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP  
is not required for most home applications.  
IP Addresses and the Internet  
Because TCP/IP networks are interconnected across the world, every machine on the Internet must  
have a unique address to make sure that transmitted data reaches the correct destination. Blocks of  
addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA).  
Individual users and small organizations may obtain their addresses either from the IANA or from  
an Internet service provider (ISP). You can contact IANA at www.iana.org.  
The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot  
notation (also called dotted-decimal notation), in which each group of eight bits is written in  
decimal form, separated by decimal points.  
For example, the following binary address:  
11000011 00100010 00001100 00000111  
is normally written as:  
195.34.12.7  
The latter version is easier to remember and easier to enter into your computer.  
In addition, the 32 bits of the address are subdivided into two parts. The first part of the address  
identifies the network, and the second part identifies the host node or station on the network. The  
dividing point may vary depending on the address range and the application.  
There are five standard classes of IP addresses. These address classes have different ways of  
determining the network and host sections of the address, allowing for different numbers of hosts  
on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP  
software to identify the address class. After the address class has been determined, the software  
can correctly identify the host section of the address. The following figure shows the three main  
address classes, including network and host sections of the address for each address type.  
[Figure: Class A, Class B, and Class C addresses, each divided into a Network section and a Node section]  
Figure 11-1: Three Main Address Classes  
The five address classes are:  
Class A  
Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit  
network number and a 24-bit node number. Class A addresses are in this range:  
1.x.x.x to 126.x.x.x.  
Class B  
Class B addresses can have up to 65,534 hosts on a network. A Class B address uses a 16-bit  
network number and a 16-bit node number. Class B addresses are in this range:  
128.1.x.x to 191.254.x.x.  
Class C  
Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the  
network address and eight bits for the node. They are in this range:  
192.0.1.x to 223.255.254.x.  
Class D  
Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are  
in this range:  
224.0.0.0 to 239.255.255.255.  
Class E  
Class E addresses are for experimental use.  
This addressing structure allows IP addresses to uniquely identify each physical network and each  
node on each physical network.  
For each unique value of the network portion of the address, the base address of the range (host  
address of all zeros) is known as the network address and is not usually assigned to a host. Also,  
the top address of the range (host address of all ones) is not assigned, but is used as the broadcast  
address for simultaneously sending a packet to all hosts with the same network address.  
Netmask  
In each of the address classes previously described, the size of the two parts (network address and  
host address) is implied by the class. This partitioning scheme can also be expressed by a netmask  
associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using  
an AND operator) with an IP address, yields the network address. For instance, the netmasks for  
Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.  
For example, the address 192.168.170.237 is a Class C IP address whose network portion is the  
upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here,  
only the network portion of the address remains:  
11000000 10101000 10101010 11101101 (192.168.170.237)  
combined with:  
11111111 11111111 11111111 00000000 (255.255.255.0)  
Equals:  
11000000 10101000 10101010 00000000 (192.168.170.0)  
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of  
the number of ones from the left. This number is appended to the IP address, following a forward  
slash (/), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating  
that the netmask is 24 ones followed by 8 zeros.  
Subnet Addressing  
By looking at the addressing structures, you can see that even with a Class C address, there are a  
large number of hosts per network. Such a structure is an inefficient use of addresses if each end of  
a routed link requires a different network number. It is unlikely that the smaller office LANs would  
have that many devices. You can resolve this problem by using a technique known as subnet  
addressing.  
Subnet addressing allows us to split one IP network address into smaller multiple physical  
networks known as subnetworks. Some of the node numbers are used as a subnet number instead.  
A Class B address gives us 16 bits of node numbers translating to 64,000 nodes. Most  
organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet  
addressing makes use of those bits that are free, as shown below.  
[Figure: a Class B address divided into Network, Subnet, and Node sections]  
Figure 11-2: Example of Subnetting a Class B Address  
A Class B address can be effectively translated into multiple Class C addresses. For example, the  
IP address of 172.16.0.0 is assigned, but node addresses are limited to 255 maximum, allowing  
eight extra bits to use as a subnet address. The IP address of 172.16.97.235 would be interpreted as  
IP network address 172.16, subnet number 97, and node number 235. In addition to extending  
the number of addresses available, subnet addressing provides other benefits. Subnet addressing  
allows a network manager to construct an address scheme for the network by using different  
subnets for other geographical locations in the network or for other departments in the  
organization.  
Although the preceding example uses the entire third octet for a subnet address, note that you are  
not restricted to octet boundaries in subnetting. To create more network numbers, you need only  
shift some bits from the host address to the network address. For instance, to partition a Class C  
network number (192.68.135.0) into two, you shift one bit from the host address to the network  
address. The new netmask (or subnet mask) is 255.255.255.128. The first subnet has network  
number 192.68.135.0 with hosts 192.68.135.1 to 192.68.135.126, and the second subnet has  
network number 192.68.135.128 with hosts 192.68.135.129 to 192.68.135.254.  
Note: The number 192.68.135.127 is not assigned because it is the broadcast address  
of the first subnet. The number 192.68.135.128 is not assigned because it is the network  
address of the second subnet.  
The following table lists the additional subnet mask bits in dotted-decimal notation. To use the  
table, write down the original class netmask and replace the 0 value octets with the dotted-decimal  
value of the additional subnet bits. For example, to partition your Class C network with subnet  
mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.  
Table 11-1. Netmask Notation Translation Table for One Octet  
Number of Bits   Dotted-Decimal Value  
1                128  
2                192  
3                224  
4                240  
5                248  
6                252  
7                254  
8                255  
The following table displays several common netmask values in both the dotted-decimal and the  
masklength formats.  
Table 11-2. Netmask Formats  
Dotted-Decimal     Masklength  
255.0.0.0          /8  
255.255.0.0        /16  
255.255.255.0      /24  
255.255.255.128    /25  
255.255.255.192    /26  
255.255.255.224    /27  
255.255.255.240    /28  
255.255.255.248    /29  
255.255.255.252    /30  
255.255.255.254    /31  
255.255.255.255    /32  
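The netmask AND operation, the /n notation and the subnet split described in this appendix, worked through in Python on the addresses used in the text. This is an added example and not part of the manual; the function names are this example's own, and it also rejects masks whose ones are not contiguous, a case the text does not cover.

```python
def to_int(dotted):
    """Pack a dotted-decimal string into a 32-bit integer."""
    octets = [int(part) for part in dotted.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a dotted-decimal address: {dotted!r}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def to_dotted(value):
    """Unpack a 32-bit integer into dotted-decimal notation."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def mask_from_length(length):
    """/n to a 32-bit mask: n ones from the left, then zeros."""
    if not 0 <= length <= 32:
        raise ValueError("mask length must be between 0 and 32")
    return (0xFFFFFFFF << (32 - length)) & 0xFFFFFFFF

def length_from_mask(dotted_mask):
    """Dotted-decimal mask to /n; rejects masks whose ones are not contiguous."""
    mask = to_int(dotted_mask)
    length = bin(mask).count("1")
    if mask != mask_from_length(length):
        raise ValueError(f"non-contiguous netmask: {dotted_mask}")
    return length

def describe(address, length):
    """Network, broadcast and assignable host range of address/length."""
    if length > 30:
        raise ValueError("/31 and /32 leave no assignable host range")
    mask = mask_from_length(length)
    network = to_int(address) & mask             # AND with the netmask
    broadcast = network | (~mask & 0xFFFFFFFF)   # host bits all ones
    return {
        "netmask": to_dotted(mask),
        "network": to_dotted(network),
        "broadcast": to_dotted(broadcast),
        "first_host": to_dotted(network + 1),
        "last_host": to_dotted(broadcast - 1),
        "hosts": broadcast - network - 1,
    }

def split(address, length, extra_bits):
    """Shift extra_bits from the host part to the network part."""
    if extra_bits < 1:
        raise ValueError("shift at least one bit")
    new_length = length + extra_bits
    base = to_int(address) & mask_from_length(length)
    step = 1 << (32 - new_length)                # addresses per subnet
    return [describe(to_dotted(base + i * step), new_length)
            for i in range(1 << extra_bits)]

if __name__ == "__main__":
    print(describe("192.168.170.237", 24)["network"])
    for subnet in split("192.68.135.0", 24, 1):
        print(subnet)
```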