Reference Manual Table of Contents

Reference Manual for the Model FVM318 Cable/DSL ProSafe Wireless VPN Security Firewall  p. 1

Contents  p. 5
  Preface About This Manual  p. 5
  Chapter 1 Introduction  p. 5
  Chapter 2 Connecting the Firewall to the Internet  p. 5
  Chapter 3 Wireless Configuration  p. 5
  Chapter 4 Protecting Your Network  p. 6
  Chapter 5 Virtual Private Networking  p. 6
  Chapter 6 Managing Your Network  p. 6
  Chapter 7 Advanced Configuration  p. 7
  Chapter 8 Troubleshooting  p. 7
  Appendix A Technical Specifications  p. 8
  Appendix B Network, Routing, Firewall, and Wireless Basics  p. 8
  Appendix C Preparing Your Network  p. 8
  Glossary  p. 9
  Index  p. 9
List of Procedures  p. 11

Preface About This Manual  p. 13
  Audience  p. 13
  Typographical Conventions  p. 13
  Special Message Formats  p. 14

Chapter 1 Introduction  p. 15
  Key Features of the FVM318  p. 15
    Virtual Private Networking (VPN)  p. 15
    Enhanced Wireless Security Through IPSec  p. 16
    A Powerful, True Firewall with Content Filtering  p. 16
    Autosensing Ethernet Connections with Auto Uplink™  p. 16
    Extensive Protocol Support  p. 17
    Easy Installation and Management  p. 18
  What's in the Box?  p. 19
  The Firewall's Front Panel  p. 19
    Figure 1-1: FVM318 Front Panel  p. 19
    Table 1-1: LED Descriptions  p. 20
  The Firewall's Rear Panel  p. 21
    Figure 1-2: FVM318 Rear Panel  p. 21

Chapter 2 Connecting the Firewall to the Internet  p. 23
  What You Will Need Before You Begin  p. 23
    1. Have active Internet service such as that provided by a cable or DSL broadband account.  p. 23
    2. Locate the Internet Service Provider (ISP) configuration information for your account.  p. 23
    3. Connect the firewall to a cable or DSL modem and a computer as explained below.  p. 23
    Cabling and Computer Hardware Requirements  p. 23
    Network Configuration Requirements  p. 23
    Internet Configuration Requirements  p. 24
    Where Do I Get the Internet Configuration Parameters?  p. 24
    Procedure 2-1: Record Your Internet Connection Information  p. 25
  Connecting the FVM318 to Your LAN  p. 26
    Procedure 2-2: Connecting the Firewall to Your LAN  p. 26
      1. Connect the firewall to your network.  p. 26
      2. Log in to the firewall.  p. 26
      3. Connect to the Internet.  p. 26
      1. Connect the firewall.  p. 26
        a. Turn off your computer and cable or DSL Modem.  p. 26
        b. Disconnect the Ethernet cable (A) from your computer which connects to the modem.  p. 26
        Figure 2-1: Disconnect the cable or DSL Modem  p. 26
        c. Connect the Ethernet cable (A) from the modem to the FVM318's Internet port.  p. 27
        Figure 2-2: Connect the cable or DSL Modem to the firewall  p. 27
        d. Connect the Ethernet cable (B) which came with the firewall from a local port on the router to your computer.  p. 27
        Figure 2-3: Connect the computers on your network to the firewall  p. 27
        e. Turn on the modem and wait about 30 seconds for the lights to stop blinking.  p. 28
        f. Turn on the firewall and wait for the Test light to stop blinking.  p. 28
        g. Now, turn on your computer. If you usually run software to log in to your Internet connection, do not run that software.  p. 28
        h. Now that the modem, firewall, and computer are turned on, verify the following:  p. 28
      2. Log in to the firewall.  p. 28
        a. Log in to the firewall at its default address of http://192.168.0.1 using a browser like Internet Explorer or Netscape® Navigator.  p. 28
        Figure 2-4: Log in to the firewall.  p. 28
        Figure 2-5: Login window  p. 29
        b. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters.  p. 29
      3. Connect to the Internet  p. 29
        Figure 2-6: Setup Wizard  p. 29
        a. You are now connected to the firewall. If you do not see the menu above, click the Setup Wizard link on the upper left of the main menu.  p. 30
        b. Click Next and follow the steps in the Setup Wizard for inputting the configuration parameters from your ISP to connect to the Internet.  p. 30
        c. When the firewall successfully detects an active Internet service, the Setup Wizard reports which connection type it discovered, and displays the appropriate configuration menu. If the Setup Wizard finds no connection, you will be prompted...  p. 30
        d. The Setup Wizard will report the type of connection it finds. The options are:  p. 30
    PPPoE Wizard-Detected Option  p. 31
      Figure 2-7: Setup Wizard menu for PPPoE accounts  p. 31
    Dynamic IP Wizard-Detected Option  p. 32
      Figure 2-8: Setup Wizard menu for Dynamic IP address accounts  p. 32
    Fixed IP Account Wizard-Detected Option  p. 33
      Figure 2-9: Setup Wizard menu for Fixed IP address accounts  p. 33
  Manually Configuring Your Internet Connection  p. 34
    Figure 2-10: Browser-based configuration Basic Settings menus  p. 34
    Procedure 2-3: Configuring the Internet Connection Manually  p. 35
      1. Log in to the firewall at its default address of http://192.168.0.1 using a browser like Internet Explorer or Netscape® Navigator.  p. 35
      2. Click the Basic Settings link under the Setup section of the main menu.  p. 35
      3. If your Internet connection does not require a login, click No at the top of the Basic Settings menu and fill in the settings according to the instructions below. If your Internet connection does require a login, click Yes, and skip to step 3.  p. 35
        a. Enter your Account Name (may also be called Host Name) and Domain Name. These parameters may be necessary to access your ISP's services such as mail or news servers.  p. 35
        b. Internet IP Address: If your ISP has assigned you a permanent, fixed (static) IP address for your PC, select "Use static IP address". Enter the IP address that your ISP assigned. Also enter the netmask and the Gateway IP address. The Gatew...  p. 35
        c. Domain Name Server (DNS) Address: If you know that your ISP does not automatically transmit DNS addresses to the firewall during login, select "Use these DNS servers" and enter the IP address of your ISP's Primary DNS Server. If a Secondar...  p. 35
        d. Gateway's MAC Address: This section determines the Ethernet MAC address that will be used by the firewall on the Internet port. Some ISPs will register the Ethernet MAC address of the network interface card in your PC when your account is ...  p. 35
        e. Click Apply to save your settings.  p. 35
      4. If your Internet connection does require a login, fill in the settings according to the instructions below. Select Yes if you normally must launch a login program such as Enternet or WinPOET in order to access the Internet.  p. 36
        a. Select your Internet service provider from the drop-down list.  p. 36
        Figure 2-11: Basic Settings ISP list  p. 36
        b. The screen will change according to the ISP settings requirements of the ISP you select.  p. 36
        c. Fill in the parameters for your ISP according to the Wizard-detected procedures starting on page 29.  p. 36
        d. Click Apply to save your settings.  p. 36

Chapter 3 Wireless Configuration  p. 37
  Considerations For A Wireless Network  p. 37
    Observe Performance, Placement and Range Guidelines  p. 37
    Implement Appropriate Wireless Security  p. 38
      Figure 3-1: FVM318 wireless data security options  p. 38
  Understanding Wireless Settings  p. 39
    Figure 3-2: Wireless Settings menu  p. 39
    Wireless Network Settings  p. 39
    Restricting Access Based on the Wireless Card Access List  p. 40
      Figure 3-3: Wireless Card Access List menu  p. 40
    Choosing Authentication and Security Encryption Methods  p. 40
      Figure 3-4: Encryption Strength  p. 40
      Automatic Authentication Scheme Selection  p. 40
      Encryption Strength Choices  p. 41
        Disable  p. 41
        IPSec  p. 41
          Figure 3-5: IPSec main or aggressive mode settings  p. 41
          Figure 3-6: IPSec encryption protocol  p. 42
        64 or 128 bit WEP  p. 42
          Figure 3-7: Encryption Strength  p. 42
          Figure 3-8: 64 or 128 bit WEP encryption strength  p. 43
    Procedure 3-1: Set Up and Test Basic Wireless Connectivity  p. 43
      1. Log in to the FVM318 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.  p. 44
      2. Click the Wireless Settings link in the main menu of the FVM318 firewall.  p. 44
      Figure 3-9: Wireless Settings menu  p. 44
      3. Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box, enter a value of up to 32 alphanumeric characters. The default SSID is Wireless.  p. 44
      4. Set the Region. Select the region in which the wireless interface will operate.  p. 44
      5. Set the Channel. The default channel is 6.  p. 44
      6. For initial configuration and test, leave the Wireless Card Access List set to "Everyone" and the Encryption Strength set to "Disabled."  p. 44
      7. Click Apply to save your changes.  p. 44
      8. Configure and test your PCs for wireless connectivity.  p. 45
    Procedure 3-2: Restrict Wireless Access by MAC Address  p. 45
      1. Log in to the FVM318 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.  p. 45
      2. Click the Wireless Settings link in the main menu of the FVM318 firewall.  p. 45
      3. From the Wireless Settings menu, click the Trusted PCs button to display the Wireless Access menu shown below.  p. 45
      Figure 3-10. Wireless Access menu  p. 45
      4. Enter the MAC address of the authorized PC. Enter a descriptive name for the PC in the Device Name field. The MAC address is usually printed on the wireless card, or it may appear in the firewall's "Attached Devices" DHCP table.  p. 46
      5. Click Add to save your entry.  p. 46
      6. Click Back to return to the Wireless Settings menu.  p. 46
      7. Be sure that the Trusted PCs only radio button is selected, then click Apply.  p. 46
    Procedure 3-3: Configure WEP  p. 46
      1. Log in to the FVM318 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.  p. 46
      2. Click the Wireless Settings link in the main menu of the FVM318 firewall.  p. 46
      3. From the Security Encryption menu drop-down list, select the WEP encryption type you will use.  p. 47
      Figure 3-11. Wireless Settings encryption menu  p. 47
      4. You can manually or automatically program the four data encryption keys. These values must be identical on all PCs and Access Points in your network.  p. 47
      5. Click Apply to save your settings.  p. 47
  Configuring IPSec Wireless Connections  p. 48
    Figure 3-12. Configuring basic wireless IPSec VPN tunnel connections  p. 48
    Procedure 3-4: Configure Basic IPSec Wireless Connections  p. 49
      1. Configure the FVM318 settings.  p. 49
        a. Log in to the FVM318 at http://192.168.0.1 with its default user name of admin and default password of password, or using whatever user name and password you have set up.  p. 49
        b. Click the Wireless link in the main menu Setup section to display the menu shown below.  p. 49
        Figure 3-13. Wireless Settings menu, IPSec selected  p. 49
        c. Click the Encryption Strength drop-down list box and select IPSec. The Wireless Settings menu will change to display the list of IPSec connections, as shown in Figure 3-13.  p. 49
        d. Click Add to display the IPSec client setting menu, as shown below.  p. 50
        Figure 3-14. IPSec Client Settings menu  p. 50
        e. Enter a descriptive name for this PC in Connection Name. This name is for your convenience only, and is not used in the VPN negotiation.  p. 50
        f. Enter the user name. An email address is an easy-to-remember user name.  p. 50
        g. Enter a Pre-Shared Key value for this connection.  p. 50
        h. Use the default Aggressive Mode and AES - 256 settings.  p. 50
      2. Install the SafeNet SoftRemote Basic VPN client software.  p. 50
        a. Place the FVM318 Resource CD in your CD drive.  p. 50
        b. Install the SafeNet SoftRemote Basic VPN client.  p. 50
        Figure 3-15. SafeNet system tray icon with disabled indicator  p. 50
      3. Configure the SoftRemote Basic VPN Client.  p. 51
        a. In the taskbar tray, right-click on the SafeNet icon and select Edit Security Policy in the VPN client task menu, as shown below.  p. 51
        Figure 3-16. SafeNet system tray icon menu  p. 51
        Figure 3-17. SafeNet basic configuration menu  p. 51
        b. In most cases, you can leave the IPSec Gateway as "LAN Gateway", which indicates the firewall. If you are not using the firewall as your network's default gateway, change IPSec Gateway to indicate either the IP Address or the network name ...  p. 52
        c. Enter the User Name and the Pre-Shared Key value that you programmed for this PC in the firewall's IPSec Client Settings menu.  p. 52
        d. Click OK.  p. 52
        e. In the taskbar tray, right-click on the SafeNet icon and select Activate Security Policy in the task menu. The SafeNet icon will now appear without the red bar, as shown below.  p. 52
        Figure 3-18. SafeNet system tray icon showing enabled condition  p. 52
      4. Test the SoftRemote Basic VPN Connection.  p. 52
        a. On the Windows taskbar, click the Start button, and then click Run.  p. 52
        b. Type ping -t 192.168.0.1, and then click OK.  p. 52
        Figure 3-19. Run Ping from Windows Start Menu  p. 52
        Figure 3-20. Ping results  p. 53
        Figure 3-21. SafeNet system tray icon showing ON condition  p. 53
        c. Once the connection is established, you can open the browser of the PC and browse.  p. 53
  Using SoftRemoteLT Instead of SoftRemote Basic  p. 53
    Procedure 3-5: Configuring the SoftRemoteLT Full Client  p. 54
      1. Install the SafeNet SoftRemoteLT Full VPN Client.  p. 54
      2. Open the Security Policy Editor.  p. 54
      Figure 3-22. SafeNet Security Policy Editor  p. 54
      3. Create a VPN Connection.  p. 54
        a. From the Edit menu at the top of the Security Policy Editor window, click Add, then Connection. A New Connection listing will appear in the list of policies.  p. 55
        Figure 3-23. SafeNet Security Policy Editor new connection menu  p. 55
        b. Click and rename the New Connection list item to indicate that this is the policy for your local wireless connection, such as Wireless.  p. 55
        c. Select Secure on the right side of the Security Policy Editor window in the Connection Security box.  p. 55
        d. Select IP Subnet in the ID Type menu.  p. 55
        e. Type 0.0.0.0 in the Subnet and Mask fields.  p. 55
        f. Select All in the Protocol menu to allow all traffic through the VPN tunnel.  p. 55
        g. Check Connect using Secure Gateway Tunnel.  p. 55
        h. Select Any in the ID Type menu below the checkbox.  p. 55
        i. Select Gateway IP Address in the box to the right of ID Type.  p. 55
        j. Enter the LAN IP Address of the FVM318 firewall in the lower right box (usually 192.168.0.1).  p. 55
      4. Configure the Security Policy.  p. 56
        a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the new connection by double clicking its name or clicking on the "+" symbol.  p. 56
        b. Click on the Security Policy subheading to show the Security Policy menu.  p. 56
        Figure 3-24. SafeNet Security Policy Editor edit security policy menu  p. 56
        c. Select Aggressive Mode in the Select Phase 1 Negotiation Mode box.  p. 56
        d. Check the Enable Perfect Forward Secrecy (PFS) checkbox.  p. 56
        e. Select Diffie-Hellman Group 2 for PFS Key Group.  p. 56
        f. Check the Enable Replay Detection checkbox.  p. 56
      5. Configure the VPN Client Identity.  p. 56
        a. Click on My Identity in the Network Security Policy list on the left side of the Security Policy Editor window.  p. 57
        Figure 3-25. SafeNet Security Policy Editor edit identity menu  p. 57
        b. Choose None in the Select Certificate menu.  p. 57
        c. Select Domain Name in the ID Type menu.  p. 57
        d. In the box below ID Type, enter the user name that you configured in the FVM318 firewall.  p. 57
        e. Select Disabled in the Virtual Adapter box.  p. 57
        f. In the Internet Interface box, select your wireless adapter, or you may choose Any if you will be switching between adapters or if you have only one adapter.  p. 57
        g. Click the Pre-Shared Key button.  p. 57
        h. Click the Enter Key button in the Pre-Shared Key dialog box.  p. 57
        i. Enter the Pre-Shared Key that you configured in the FVM318 firewall and click OK. Note that this field is case sensitive.  p. 57
      6. Configure VPN Client Authentication Proposal.  p. 57
        a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double clicking its name or clicking on the "+" symbol.  p. 57
        b. Expand the Authentication subheading by double clicking its name or clicking on the "+" symbol. Then select Proposal 1 below Authentication.  p. 58
        c. Select Pre-Shared key in the Authentication Method menu.  p. 58
        d. Select AES-256 in the Encrypt Alg menu. If your VPN client does not offer this selection, select Triple DES.  p. 58
        e. Select SHA-1 in the Hash Alg menu.  p. 58
        f. Select Seconds and enter 21600 in the SA Life menu.  p. 58
        g. Select Diffie-Hellman Group 2 in the Key Group menu.  p. 58
      7. Configure VPN Client Key Exchange Proposal.  p. 58
        a. Expand the Key Exchange subheading by double clicking its name or clicking on the "+" symbol.  p. 58
        b. Select Proposal 1 below Key Exchange.  p. 58
        c. In the SA Life menu, select Seconds and enter 21600.  p. 58
        d. Select None in the Compression menu.  p. 58
        e. Check the Encapsulation Protocol (ESP) checkbox.  p. 58
        f. Select AES-256 in the Encrypt Alg menu. If your VPN client does not offer this selection, select Triple DES.  p. 58
        g. Select SHA-1 in the Hash Alg menu.  p. 58
        h. Select Tunnel in the Encapsulation menu.  p. 58
        i. Leave the Authentication Protocol (AH) checkbox unchecked.  p. 58
      8. Save the VPN Client Settings.  p. 58

Chapter 4 Protecting Your Network  p. 59
  Protecting Access to Your FVM318 firewall  p. 59
    Procedure 4-1: Changing the Administrator Password  p. 59
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 59
      2. From the main menu of the browser interface, under the Maintenance heading, select Set Password to bring up the menu shown below.  p. 60
      Figure 4-1: Set Password menu  p. 60
      3. To change the password, first enter the old password, and then enter the new password twice.  p. 60
      4. Click Apply to save your changes.  p. 60
    Procedure 4-2: Changing the Administrator Login Timeout  p. 61
      1. In the Set Password menu, type a number in the 'Administrator login times out' field. The suggested default value is 5 minutes.  p. 61
      2. Click Apply to save your changes or click Cancel to keep the current period.  p. 61
  Configuring Basic Firewall Services  p. 61
    Blocking Functions, Keywords, Sites, and Services  p. 61
    Procedure 4-3: Blocking Functions, Keywords, and Sites  p. 62
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 62
      2. Click the Block Sites link of the Security section of the main menu to view the screen below.  p. 62
      Figure 4-2: Block Sites menu  p. 62
      3. To block ActiveX, Java, Cookies, or Web Proxy functions for all Internet sites, click the check box next to the function and then click Apply.  p. 62
      4. To enable keyword blocking, check "Turn keyword blocking on", enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply.  p. 62
      5. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.  p. 63
      6. To specify a Trusted User, enter that PC's IP address in the Trusted User box and click Apply.  p. 63
    Blocking Services  p. 63
    Procedure 4-4: Configuring Services Blocking  p. 64
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 64
      2. Click the Block Services link of the Security section of the main menu to display this screen.  p. 64
      Figure 4-3: Block Services menu  p. 64
      3. Modify the menu below to define or edit how a service is regulated.  p. 64
      Figure 4-4: Add Block Services menu  p. 64
      4. Click Apply to save your definition.  p. 65
  Setting Times and Scheduling Firewall Services  p. 65
    Procedure 4-5: Setting Your Time Zone  p. 66
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 66
      2. Click on the Schedule link of the Security menu to display the menu shown below.  p. 66
      Figure 4-5: Schedule Services menu  p. 66
      3. Select your Time Zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries.  p. 67
      4. The firewall has a list of publicly available NTP servers. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server.  p. 67
      5. Click Apply to save your settings.  p. 67
    Procedure 4-6: Scheduling Firewall Services  p. 67
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 67
      2. Click on the Schedule link of the Security menu.  p. 67
      3. To block Internet services based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected day...  p. 67
      4. Click Apply to save your changes.  p. 67

Chapter 5 Virtual Private Networking  p. 69
  FVM318 VPN Overview  p. 69
    Figure 5-1: Secure access through VPN tunnels  p. 69
  FVM318 VPN Configuration Planning  p. 71
    Procedure 5-1: Configuring a Network to Network VPN Tunnel  p. 72
      Figure 5-2: LAN to LAN VPN access from an FVM318 to an FVM318  p. 72
      Network to Network VPN Tunnel Configuration Worksheet  p. 72
      1. Set up the two LANs to have different IP address ranges.  p. 73
        a. Log in to the FVM318 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the LAN IP Setup link in the main menu Advanced section to display the LAN TCP/IP Setup menu...  p. 73
        Figure 5-3: Configuring the Local LAN (A) via the LAN IP Setup Menu  p. 73
        b. For this example, configure the FVM318 settings on LANs A and B as follows:  p. 73
        Network Configuration Settings  p. 73
        c. Click Apply. Because you changed the firewall's IP address, you are now disconnected.  p. 73
        d. Reboot all PCs on network A.  p. 73
      2. Configure the VPN settings on each FVM318.  p. 74
        a. From the Setup section of the main menu of the FVM318, click the VPN Settings link. Click Add. The VPN Settings - Main Mode window opens as shown below:  p. 74
        Figure 5-4: VPN Settings - Main Mode IKE Edit menu  p. 74
        b. Fill in the Connection Name VPN settings as illustrated.  p. 74
        c. Under Secure Association, select Main Mode and fill in the settings below.  p. 75
        d. If you need to run Microsoft networking functions such as Network Neighborhood, click the NETBIOS Enable check box to allow NETBIOS traffic over the VPN tunnel.  p. 75
        e. Click Apply to save the Security Association tunnel settings into the table.  p. 75
      3. Check the VPN Connection.  p. 76
        a. Using our example, from a PC attached to the FVM318 on LAN A, on the Windows taskbar click the Start button, and then click Run.  p. 76
        b. Type ping -t 192.168.0.1, and then click OK.  p. 76
        Figure 5-5: Running a Ping test from Windows  p. 76
        c. This will cause a continuous ping to be sent to the first FVM318. After between several seconds and two minutes, the ping response should change from "timed out" to "reply."  p. 76
        Figure 5-6: Ping test results  p. 76
    Procedure 5-2: Configuring a Remote PC to Network VPN  p. 76
      Figure 5-7: PC to LAN VPN access from a PC to an FVM318  p. 77
      PC to Network VPN Tunnel Configuration Worksheet  p. 77
      1. Configure the VPN Tunnel on the FVM318 on LAN A.  p. 78
        a. From the Setup Menu, click the VPN Settings link, then click Add to configure a new VPN tunnel. The VPN Settings - IKE window opens as shown below:  p. 78
        Figure 5-8: VPN Edit menu for connecting with a VPN client  p. 78
        b. Fill in the Connection Name VPN settings as illustrated.  p. 78
        c. Under Secure Association, select Main Mode and fill in the settings below.  p. 79
        d. If you need to run Microsoft networking functions such as Network Neighborhood, click the NETBIOS Enable check box to allow NETBIOS traffic over the VPN tunnel.  p. 79
        e. Click Apply to save the Security Association tunnel settings into the table.  p. 79
      2. Install and Configure the SafeNet VPN Client Software on the PC.  p. 79
        a. Install the SafeNet Secure VPN Client.  p. 79
        Figure 5-9: Security Policy Editor New Connection  p. 80
        b. Add a new connection.  p. 80
        c. Configure the Security Policy in the SafeNet VPN Client Software.  p. 81
        Figure 5-10: Security Policy Editor Security Policy  p. 81
        d. Configure the Global Policy Settings.  p. 82
        Figure 5-11: Security Policy Editor Global Policy Options  p. 82
        e. Configure the VPN Client Identity.  p. 82
        Figure 5-12: Security Policy Editor My Identity  p. 83
        f. Configure the VPN Client Authentication Proposal.  p. 83
        g. Configure the VPN Client Key Exchange Proposal.  p. 84
        h. Save the VPN Client Settings.  p. 84
      3. Check the VPN Connection.  p. 85
        a. Establish an Internet connection from the PC.  p. 85
        b. On the Windows taskbar, click the Start button, and then click Run.  p. 85
        c. Type ping -t 192.168.3.1, and then click OK.  p. 85
        Figure 5-13: Running a Ping test to the LAN from the PC  p. 85
        Figure 5-14: Ping test results  p. 85
    Monitoring the PC VPN Connection Using SafeNet Tools  p. 86
      Figure 5-15: Log Viewer screen  p. 86
      Figure 5-16: Connection Monitor screen  p. 86
    Procedure 5-3: Deleting a Security Association  p. 87
      1. Log in to the firewall.  p. 87
      1. Click the VPN Settings link.  p. 87
      2. In the VPN Settings Security Association table, select the radio button for the security association to be deleted.  p. 87
      3. Click the Delete button.  p. 87
      4. Click the Update button.  p. 87
  Manual Keying  p. 87
    Procedure 5-4: Using Manual Keying as an Alternative to IKE  p. 87
      1. When editing the VPN Settings, you may select manual keying. At that time, the edit menu changes to look like the screen below:  p. 87
      Figure 5-17: VPN Edit menu for Manual Keying  p. 88
      2. Incoming SPI - Enter a Security Parameter Index that the remote host will send to identify the Security Association (SA). This will be the remote host's Outgoing SPI.  p. 88
      3. Outgoing SPI - Enter a Security Parameter Index that this firewall will send to identify the Security Association (SA). This will be the remote host's Incoming SPI.  p. 88
      4. For Encryption Protocol, select one:  p. 89
      Figure 5-18: VPN encryption options  p. 89
        a. Null - Fastest, but no security.  p. 89
        b. DES - The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56 bit key. Faster but less secure than 3DES or AES.  p. 89
        c. 3DES - (Triple DES) achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.  p. 89
        d. AES - 128, - 192, or - 256. Most secure. Advanced Encryption Standard, a symmetric 128-bit block data encryption technique. It is an iterated block cipher with a variable block length and a variable key length. The block length and the key...  p. 89
        e. Enter a hexadecimal Encryption Key.  p. 89
      5. Select the Authentication Protocol.  p. 89
      6. Enter 32 hexadecimal characters for the Authentication Key. The authentication key must match exactly the key used by the remote router or host.  p. 89
      7. Click the NETBIOS Enable check box to allow NETBIOS over the VPN tunnel.  p. 89
      8. Click Apply to enter the SA into the table.  p. 89
  Blank VPN Tunnel Configuration Worksheets  p. 90
    Table 5-1: Network to Network IKE VPN Tunnel Configuration Worksheet  p. 90
    Table 5-2: PC to Network IKE VPN Tunnel Settings Configuration Worksheet  p. 91

Chapter 6 Managing Your Network  p. 93
  Network Management Information  p. 93
    Viewing Router Status and Usage Statistics  p. 93
      Figure 6-1: Router Status screen  p. 93
      Table 6-1. Router Status Fields  p. 94
      Figure 6-2. Router Statistics screen  p. 95
      Table 6-2. Router Statistics Fields  p. 95
    Viewing Attached Devices  p. 96
      Figure 6-3: Attached Devices menu  p. 96
    Viewing, Selecting, and Saving Logged Information  p. 97
      Figure 6-4: Security Logs menu  p. 97
      Table 6-5: Security Log entry descriptions  p. 98
      Table 6-6: Security Log action buttons  p. 98
      Selecting What Information to Include in the Log  p. 98
      Enabling SYSLOG  p. 99
      Examples of log messages  p. 99
        Activation and Administration  p. 99
        Dropped Packets  p. 99
    Enabling Security Event E-mail Notification  p. 100
      Figure 6-7: E-mail menu  p. 100
  Backing Up, Restoring, or Erasing Your Settings  p. 101
    Procedure 6-1: Backup the Configuration to a File  p. 101
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 101
      2. From the Maintenance heading of the main menu, select Backup to view the menu seen below.  p. 102
      Figure 6-8: Settings Backup menu  p. 102
      3. Click Backup to save a copy of the current settings.  p. 102
      4. Store the .cfg file on a computer on your network.  p. 102
    Procedure 6-2: Restore a Configuration from a File  p. 102
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 102
      2. From the Maintenance heading of the main menu, select the Settings Backup menu as seen in Figure 6-8.  p. 102
      3. Enter the full path to the file on your network or click the Browse button to browse to the file.  p. 102
      4. When you have located the .cfg file, click the Restore button to upload the file to the firewall.  p. 102
      5. The firewall will then reboot automatically.  p. 102
    Procedure 6-3: Erase the Configuration  p. 102
      1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase button on the screen.  p. 103
      2. The firewall will then reboot automatically.  p. 103
  Running Diagnostic Utilities and Rebooting the Router  p. 103
    Figure 6-9: Diagnostics menu  p. 104
  Enabling Remote Management  p. 104
    Procedure 6-4: Configure Remote Management  p. 104
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 104
      2. Select the Allow Remote Management check box.  p. 104
      3. Specify what external addresses will be allowed to access the firewall's remote management. For security, NETGEAR recommends that you restrict access to as few external IP addresses as practical.  p. 105
        a. To allow access from any IP address on the Internet, select Everyone.  p. 105
        b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.  p. 105
        c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.  p. 105
      4. Specify the Port Number that will be used for accessing the management interface.  p. 105
      5. Click Apply to have your changes take effect.  p. 105
  Upgrading the Router's Firmware  p. 105
    Procedure 6-5: Router Upgrade  p. 106
      1. Download and unzip the new software file from NETGEAR.  p. 106
      2. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 106
      3. From the main menu of the browser interface, under the Maintenance heading, click Router Upgrade to display the menu shown below.  p. 106
      Figure 6-10: Router Upgrade menu  p. 106
      4. In the Router Upgrade menu, click the Browse button to locate the binary (.BIN or .IMG) upgrade file.  p. 106
      5. Click Upload to load the firmware into the firewall.  p. 106

Chapter 7 Advanced Configuration  p. 107
  Configuring Advanced Security  p. 107
    Setting Up A Default DMZ Server  p. 107
      1. Click Default DMZ Server.  p. 108
      2. Type the IP address for that server.  p. 108
      3. Click Apply.  p. 108
    Respond to Ping on Internet WAN Port  p. 108
  Configuring LAN IP Settings  p. 108
    LAN TCP/IP Setup  p. 108
    MTU Size  p. 110
      1. Under MTU Size, select Custom.  p. 110
      2. Enter a new size between 64 and 1500.  p. 110
      3. Click Apply to save the new configuration.  p. 110
    Using the Router as a DHCP Server  p. 110
    Procedure 7-1: Using Reserved IP Addresses  p. 111
      1. Click the Add button.  p. 111
      2. In the IP Address box, type the IP address to assign to the PC or server. Choose an IP address from the router's LAN subnet, such as 192.168.0.X.  p. 111
      3. Type the MAC Address of the PC or server.  p. 111
      4. Click Apply to enter the reserved address into the table.  p. 111
      1. Click the radio button next to the reserved address to select the entry you want to edit or delete.  p. 111
      2. Click Edit or Delete.  p. 111
    Procedure 7-2: Configuring LAN TCP/IP Settings  p. 112
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 112
      2. From the main menu, under Advanced, click the LAN IP Setup link to view the menu, shown below.  p. 112
      Figure 7-1: LAN IP Setup Menu  p. 112
      3. Enter the UPnP, TCP/IP, MTU, or DHCP parameters.  p. 112
      4. Click Apply to save your changes.  p. 112
  Configuring Dynamic DNS  p. 113
    Procedure 7-3: Configuring Dynamic DNS  p. 113
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 113
      2. From the main menu of the browser interface, under Advanced, click on Dynamic DNS.  p. 113
      3. Access the website of one of the dynamic DNS service providers whose names appear in the 'Select Service Provider' box, and register for an account. For example, for dyndns.org, go to www.dyndns.org.  p. 113
      4. Select the "Use a dynamic DNS service" check box.  p. 113
      5. Select the name of your dynamic DNS Service Provider.  p. 113
      6. Type the Host Name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. If your URL is myName.dyndns.org, then your Host Name is "myName."  p. 113
      7. Type the user name for your dynamic DNS account.  p. 113
      8. Type the password (or key) for your dynamic DNS account.  p. 113
      9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the sa...  p. 113
      10. Click Apply to save your configuration.  p. 113
  Using Static Routes  p. 114
    Procedure 7-4: Configuring Static Routes  p. 115
      1. Log in to the firewall at its default LAN address of http://192.168.0.1 with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the firewall.  p. 115
      2. From the main menu of the browser interface, under Advanced, click on Static Routes to view the Static Routes table, shown below.  p. 115
      Figure 7-2: Static Routes Table  p. 115
      3. To add or edit a Static Route, follow these steps:  p. 115
        a. Click the Edit button to open the Edit Menu, shown in Figure 7-3.  p. 115
        Figure 7-3: Static Route Entry and Edit Menu  p. 115
        b. Type a route name for this static route in the Route Name box under the table. This is for identification purposes only.  p. 116
        c. Click the Active check box to make this route effective.  p. 116
        d. Click the Private check box if you want to limit access to the LAN only. The static route will not be reported in RIP.  p. 116
        e. Type the Destination IP Address of the final destination.  p. 116
        f. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255.  p. 116
        g. Type the Gateway IP Address, which must be a router on the same LAN segment as the firewall.  p. 116
        h. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.  p. 116
      4. Click Apply to have the static route entered into the table.  p. 116

Chapter 8 Troubleshooting  p. 117
  Basic Functions  p. 117
    1. When power is first applied, verify that the Power LED is on.  p. 117
    2. Verify that the Test LED lights within a few seconds, indicating that the self-test procedure is running.  p. 117
    3. After approximately 10 seconds, verify that:  p. 117
      a. The Test LED is not lit.  p. 117
      b. The Local port Link LEDs are lit for any local ports that are connected.  p. 117
      c. The Internet Link port LED is lit.  p. 117
    Power LED Not On  p. 118
    Test LED Never Turns On or Test LED Stays On  p. 118
    Local or Internet Port Link LEDs Not On  p. 118
  Troubleshooting the Web Configuration Interface  p. 119
  Troubleshooting the ISP Connection  p. 120
    1. Launch your browser and select an external site such as www.netgear.com.  p. 120
    2. Access the main menu of the firewall's configuration at http://192.168.0.1.  p. 120
    3. Under the Maintenance heading, select Router Status.  p. 120
    4. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.  p. 120
    1. Turn off power to the cable or DSL modem.  p. 120
    2. Turn off power to your firewall.  p. 120
    3. Wait five minutes and reapply power to the cable or DSL modem.  p. 120
    4. When the modem's LEDs indicate that it has reacquired sync with the ISP, reapply power to your firewall.  p. 120
  Troubleshooting a TCP/IP Network Using a Ping Utility  p. 121
    Procedure 8-5: Testing the LAN Path to Your Firewall  p. 122
      1. From the Windows toolbar, click on the Start button and select Run.  p. 122
      2. In the field provided, type Ping followed by the IP address of the firewall, as in this example:  p. 122
      3. Click on OK.  p. 122
    Procedure 8-6: Testing the Path from Your PC to a Remote Device  p. 123
  Restoring the Default Configuration and Password  p. 123
    Procedure 8-7: Using the Default Reset button  p. 124
      1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).  p. 124
      2. Release the Default Reset button and wait for the firewall to reboot.  p. 124
  Problems with Date and Time  p. 124

Appendix A Technical Specifications  p. 125

Appendix B Network, Routing, Firewall, and Wireless Basics  p. 127
  Related Publications  p. 127
  Basic Router Concepts  p. 127
    What is a Router?  p. 128
    Routing Information Protocol  p. 128
  IP Addresses and the Internet  p. 128
    Figure 8-1: Three Main Address Classes  p. 129
  Netmask  p. 130
  Subnet Addressing  p. 131
    Figure 8-2: Example of Subnetting a Class B Address  p. 131
    Table 8-1. Netmask Notation Translation Table for One Octet  p. 132
    Table 8-2.
Netmask Formats132Private IP Addresses133Single IP Address Operation Using NAT134Figure 83: Single IP Address Operation Using NAT134MAC Addresses and Address Resolution Protocol135Related Documents135Domain Name Server135IP Configuration by DHCP136Internet Security and Firewalls136What is a Firewall?137Stateful Packet Inspection137Denial of Service Attack137Wireless Networking138Wireless Network Configuration138Ad Hoc Mode (Peer-to-Peer Workgroup)138Infrastructure Mode138Extended Service Set Identification (ESSID)139Authentication and WEP Encryption139802.11b Authentication1391. Turn on the wireless station.1392. The station listens for messages from any access points that are in range.1403. The station finds a message from an access point that has a matching SSID.1404. The station sends an authentication request to the access point.1405. The access point authenticates the station.1406. The station sends an association request to the access point.1407. The access point associates with the station.1408. The station can now communicate with the Ethernet network through the access point.140Open System Authentication1401. The station sends an authentication request to the access point.1402. The access point authenticates the station.1403. The station associates with the access point and joins the network.140Figure 84: 802.11b open system authentication141Shared Key Authentication1411. The station sends an authentication request to the access point.1412. The access point sends challenge text to the station.1413. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.1414. The access point decrypts the encrypted text using its configured WEP Key that corresponds to the station’s default key. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the origi...1415. 
The station connects to the network.141Figure 85: 802.11b shared key authentication142Overview of WEP Parameters142Key Size143WEP Configuration Options143Wireless Channel Selection144Table 81. 802.11 Radio Frequency Channels144Ethernet Cabling145Table 82. UTP Ethernet cable wiring, straight-through145Uplink Switches, Crossover Cables, and MDI/MDIX Switching145Cable Quality146How Does VPN Work?147Figure 86: VPN overview147IKE: Managing and Exchanging Keys147Negotiating the SA - the Internet Key Exchange (IKE)1481. Phase 1. The peers establish a secure channel. After Phase 1, all IKE packets are encrypted.1482. Phase 2. The peers negotiate a general purpose SA.148Authentication: Phase 1148a. Both agree on basic algorithms and hashes.148b. Both exchange Diffie-Hellman public keys and pass nonces. Nonce is a cryptographic term for a fresh random number that is used only once.148c. Both parties verify each other’s identity. This exchange is already encrypted.148a. The initiator generates a Diffie-Hellman public value, sending it with the nonce.148b. The responder sends its own Diffie-Hellman value.149c. The initiator confirms the exchange.149Key Exchange: Phase 2149Two Common Applications of VPN149Accessing Network Resources from a VPN Client PC149Figure 87: Client to LAN access through VPN router149Figure 88: Client to LAN access through simple router to VPN router150Linking Two Networks Together150Figure 89: LAN to LAN access through VPN router to VPN router150Additional Reading150Appendix C Preparing Your Network153Preparing Your Computers for TCP/IP Networking153Configuring Windows 95, 98, and Me for TCP/IP Networking154Install or Verify Windows Networking Components1541. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.1542. Double-click the Network icon.154a. Click the Add button.155b. Select Adapter, and then click Add.155c. Select the manufacturer and model of your Ethernet adapter, and then click OK.155a. 
Click the Add button.155b. Select Protocol, and then click Add.155c. Select Microsoft.155d. Select TCP/IP, and then click OK.155a. Click the Add button.156b. Select Client, and then click Add.156c. Select Microsoft.156d. Select Client for Microsoft Networks, and then click OK.1563. Restart your PC for the changes to take effect.156Enabling DHCP in Windows 95B, 98, and Me156Selecting Windows’ Internet Access Method1581. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.1582. Double-click the Internet Options icon.1583. Select “I want to set up my Internet connection manually” or “I want to connect through a Local Area Network” and click Next.1584. Select “I want to connect through a Local Area Network” and click Next.1585. Uncheck all boxes in the LAN Internet Configuration screen and click Next.1586. Proceed to the end of the Wizard.158Verifying TCP/IP Properties1581. On the Windows taskbar, click the Start button, and then click Run.1582. Type winipcfg, and then click OK.1593. From the drop-down box, select your Ethernet adapter.159Configuring Windows NT4, 2000 or XP for IP Networking159Install or Verify Windows Networking Components1591. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.1592. Double-click the Network and Dialup Connections icon.1593. If an Ethernet adapter is present in your PC, you should see an entry for Local Area Connection. Double-click that entry.1594. Select Properties.1595. Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If not, select Install and add them.1596. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address automatically is selected.1597. Click OK and close all Network and Dialup Connections windows.1598. 
Then, restart your PC.159DHCP Configuration of TCP/IP in Windows XP, 2000, or NT4160DHCP Configuration of TCP/IP in Windows XP160DHCP Configuration of TCP/IP in Windows 2000163DHCP Configuration of TCP/IP in Windows NT4166Verifying TCP/IP Properties for Windows XP, 2000, and NT41681. On the Windows taskbar, click the Start button, and then click Run.1682. Type cmd and then click OK.1683. Type ipconfig /all1684. Type exit169Configuring the Macintosh for TCP/IP Networking169MacOS 8.6 or 9.x1691. From the Apple menu, select Control Panels, then TCP/IP.1692. From the “Connect via” box, select your Macintosh’s Ethernet interface.1693. From the “Configure” box, select Using DHCP Server.1694. Close the TCP/IP Control Panel.1695. Repeat this for each Macintosh on your network.169MacOS X1701. From the Apple menu, choose System Preferences, then Network.1702. If not already selected, select Built-in Ethernet in the Configure list.1703. If not already selected, Select Using DHCP in the TCP/IP tab.1704. Click Save.170Verifying TCP/IP Properties for Macintosh Computers170Verifying the Readiness of Your Internet Account171Are Login Protocols Used?171What Is Your Configuration Information?171Obtaining ISP Configuration Information for Windows Computers1721. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.1722. Double-click the Network icon.1723. Select TCP/IP, and then click Properties.1724. Select the IP Address tab.1725. Select the Gateway tab.1726. Select the DNS Configuration tab.1737. Click OK to save your changes and close the TCP/IP Properties dialog box.1738. Click OK.1739. Reboot your PC at the prompt. You may also be prompted to insert your Windows CD.173Obtaining ISP Configuration Information for Macintosh Computers1731. From the Apple menu, select Control Panels, then TCP/IP.1732. If an IP address and subnet mask are shown, write down the information.1733. 
If an IP address appears under Router address, write down the address. This is the ISP’s gateway address.1734. If any Name Server addresses are shown, write down the addresses. These are your ISP’s DNS addresses.1735. If any information appears in the Search domains information box, write it down.1736. Change the “Configure” setting to “Using DHCP Server”.1737. Close the TCP/IP Control Panel.173Restarting the Network174Glossary175Index181サイズ: 4.78MBページ数: 184Language: Englishマニュアルを開く
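The static-route fields listed in Procedure 7-4 (destination, subnet mask, gateway on the firewall's LAN segment, metric 1 to 15, Active and Private flags) as a worked example. This is added code, not the firewall's implementation or anything from NETGEAR; the 192.168.0.0/24 LAN is the firewall's default LAN from the manual, and the route names and addresses are constructed. It checks an entry the way the web UI does not (host bits under the mask, gateway off the LAN segment, metric range) and resolves a destination by longest prefix, breaking ties on metric.

```python
"""Static-route entry checks and lookup, modelled on the fields of Procedure 7-4.

Added example; the LAN prefix 192.168.0.0/24 is the firewall's default LAN from
the manual, route names and addresses below are constructed for the demo.
"""
import ipaddress


def destination_is_network(destination: str, subnet_mask: str) -> bool:
    """True if the destination has no host bits set under the mask.

    A /32 host route (mask 255.255.255.255) is always valid; 10.1.2.3 with
    255.255.255.0 is not a network address and would be a typo in the UI.
    """
    try:
        ipaddress.ip_network(f"{destination}/{subnet_mask}", strict=True)
        return True
    except ValueError:
        return False


class StaticRoute:
    def __init__(self, name, destination, subnet_mask, gateway, metric,
                 active=True, private=False):
        self.name = name                      # identification only (step b)
        self.network = ipaddress.ip_network(f"{destination}/{subnet_mask}", strict=True)
        self.gateway = ipaddress.ip_address(gateway)
        self.metric = int(metric)             # hop count, 1..15 (step h)
        self.active = active                  # step c
        self.private = private                # step d: not reported in RIP


def validate_route(route: StaticRoute, lan: ipaddress.IPv4Network) -> list:
    """Return the problems found with an entry; an empty list means it is consistent."""
    problems = []
    if not 1 <= route.metric <= 15:
        problems.append("metric must be between 1 and 15")
    if route.gateway not in lan:
        problems.append(f"gateway {route.gateway} is not on the LAN segment {lan}")
    elif route.gateway in (lan.network_address, lan.broadcast_address):
        problems.append("gateway cannot be the LAN network or broadcast address")
    if route.network.overlaps(lan):
        problems.append(f"destination {route.network} overlaps the directly connected LAN")
    return problems


def lookup(routes, destination: str):
    """Pick the active route with the longest matching prefix; lower metric wins ties."""
    dst = ipaddress.ip_address(destination)
    candidates = [r for r in routes if r.active and dst in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def rip_advertised(routes) -> list:
    """Names of routes RIP would announce: active and not marked Private."""
    return [r.name for r in routes if r.active and not r.private]


if __name__ == "__main__":
    lan = ipaddress.ip_network("192.168.0.0/24")
    table = [
        StaticRoute("branch", "10.10.0.0", "255.255.0.0", "192.168.0.2", 2),
        StaticRoute("server", "10.10.5.7", "255.255.255.255", "192.168.0.3", 1, private=True),
    ]
    for r in table:
        print(r.name, validate_route(r, lan) or "ok")
    print("10.10.5.7 ->", lookup(table, "10.10.5.7").name)
    print("RIP advertises:", rip_advertised(table))
```

Because the firewall only lets you type a gateway that it can reach directly, the off-segment check is the one most worth running before clicking Apply; a wrong gateway silently blackholes the destination.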
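The Shared Key Authentication steps listed under "Authentication and WEP Encryption" in Appendix B, carried through in code. This is an added example, not the firewall's firmware or any NETGEAR code; the 40-bit key, the IV and the challenge bytes are constructed for the demonstration, and the frame is simplified to IV plus RC4-encrypted body and CRC-32 ICV (a real WEP frame also carries a key-ID byte). It models steps 2 to 4 and then shows why this handshake proves little: the challenge travels in the clear, so anyone who captured steps 2 and 3 can XOR them to obtain the keystream for that IV and answer a fresh challenge without knowing the key.

```python
"""802.11 shared-key authentication over WEP (RC4 keystream, CRC-32 ICV).

Added example. Key, IV and challenge values are constructed for the demo; the
frame layout is reduced to IV || RC4(IV || key)(body || ICV).
"""
import os
import zlib


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key scheduling, then XOR data with the generated keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(body: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return zlib.crc32(body).to_bytes(4, "little")


def wep_encrypt(key: bytes, iv: bytes, body: bytes) -> bytes:
    """RC4 seeded with IV || key, applied to body || ICV. The IV is sent in the clear."""
    return rc4(iv + key, body + icv(body))


def wep_decrypt(key: bytes, iv: bytes, ciphertext: bytes):
    """Return the body if the ICV verifies, otherwise None."""
    plain = rc4(iv + key, ciphertext)
    body, tag = plain[:-4], plain[-4:]
    return body if icv(body) == tag else None


# The handshake from the manual's step list.

def ap_challenge() -> bytes:
    """Step 2: the access point sends 128 bytes of challenge text, unencrypted."""
    return os.urandom(128)


def station_respond(key: bytes, challenge: bytes, iv: bytes) -> bytes:
    """Step 3: the station encrypts the challenge under its default WEP key."""
    return wep_encrypt(key, iv, challenge)


def ap_verify(key: bytes, challenge: bytes, iv: bytes, response: bytes) -> bool:
    """Step 4: the AP decrypts with the matching key and compares with the challenge."""
    return wep_decrypt(key, iv, response) == challenge


# What a passive observer learns from one captured handshake.

def keystream_from_exchange(challenge: bytes, response: bytes) -> bytes:
    """Challenge and response are both on the air and the ICV is a public function
    of the challenge, so plaintext XOR ciphertext is the RC4 keystream for that IV."""
    known_plain = challenge + icv(challenge)
    return bytes(p ^ c for p, c in zip(known_plain, response))


def forge_response(keystream: bytes, new_challenge: bytes) -> bytes:
    """Answer a new challenge by reusing the recovered keystream with the same IV."""
    plain = new_challenge + icv(new_challenge)
    return bytes(p ^ k for p, k in zip(plain, keystream))


def demo() -> bool:
    """Run a legitimate handshake, then authenticate again without the key."""
    key = bytes.fromhex("0102030405")   # constructed 40-bit ("64-bit") WEP key
    iv = b"\x11\x22\x33"                # the station chooses the IV
    challenge = ap_challenge()
    response = station_respond(key, challenge, iv)
    assert ap_verify(key, challenge, iv, response)

    keystream = keystream_from_exchange(challenge, response)   # no key needed
    new_challenge = ap_challenge()
    return ap_verify(key, new_challenge, iv, forge_response(keystream, new_challenge))


if __name__ == "__main__":
    print("forged response accepted:", demo())
```

The manual's VPN chapter is the practical answer to this: run IPSec over the wireless link rather than trusting WEP authentication or WEP confidentiality.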
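The Phase 1 exchange listed under "Authentication: Phase 1" in Appendix B (Diffie-Hellman values and nonces exchanged, then identities verified), as an added example. It is not the firewall's IKE implementation and not NETGEAR code: it models IKEv1 main mode with pre-shared-key authentication, deriving SKEYID, SKEYID_d, SKEYID_a and SKEYID_e with the formulas of RFC 2409 section 5 and HMAC-SHA1 as the prf. Assumptions: the 1024-bit MODP group 2 prime (copied from RFC 2409 section 6.2; check it against the RFC before reuse), 8-byte cookies, and placeholder byte strings standing in for the SA and ID payloads instead of real ISAKMP encodings. It shows that both peers reach the same g^xy whatever pre-shared key they hold, and that only a matching key makes step c (HASH_I and HASH_R) verify: Diffie-Hellman gives the secret channel, the pre-shared key gives the identity check.

```python
"""IKEv1 Phase 1 (main mode, pre-shared key) as a model of the manual's steps.

Added example. Key derivation follows RFC 2409 section 5 with HMAC-SHA1 as the
prf; the group 2 prime is copied from RFC 2409 section 6.2 (verify before reuse).
SA and ID payloads are placeholder byte strings, not real ISAKMP encodings.
"""
import hashlib
import hmac
import secrets

# Second Oakley Group: 1024-bit MODP prime, generator 2 (RFC 2409 section 6.2).
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
G = 2
LEN = 128  # bytes per group element


def prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha1).digest()


class Peer:
    """One IKE endpoint holding its private DH exponent, nonce, cookie and PSK."""

    def __init__(self, psk: bytes, identity: bytes):
        self.psk = psk
        self.identity = identity                       # ID payload stand-in
        self.x = secrets.randbelow(P - 2) + 1          # private exponent, never sent
        self.public = pow(G, self.x, P).to_bytes(LEN, "big")   # g^x, sent in step b
        self.nonce = secrets.token_bytes(16)           # fresh, used once
        self.cookie = secrets.token_bytes(8)           # ISAKMP header cookie

    def shared_secret(self, peer_public: bytes) -> bytes:
        """g^xy computed from the peer's public value and our private exponent."""
        return pow(int.from_bytes(peer_public, "big"), self.x, P).to_bytes(LEN, "big")


def derive_keys(psk: bytes, ni: bytes, nr: bytes, gxy: bytes, cky_i: bytes, cky_r: bytes) -> dict:
    """RFC 2409 section 5 key material for pre-shared-key authentication."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, gxy + cky_i + cky_r + b"\x00")
    skeyid_a = prf(skeyid, skeyid_d + gxy + cky_i + cky_r + b"\x01")
    skeyid_e = prf(skeyid, skeyid_a + gxy + cky_i + cky_r + b"\x02")
    return {"SKEYID": skeyid, "SKEYID_d": skeyid_d, "SKEYID_a": skeyid_a, "SKEYID_e": skeyid_e}


def run_phase1(initiator: Peer, responder: Peer, sa_proposal: bytes) -> dict:
    """Main mode reduced to the values each side ends up with.

    Steps a and b of the manual: the SA proposal is carried along unchanged, then
    each side sends g^x plus its nonce. Step c: each side proves knowledge of
    SKEYID (and so of the PSK) with HASH_I / HASH_R, sent under SKEYID_e.
    """
    gxi, ni, cky_i = initiator.public, initiator.nonce, initiator.cookie
    gxr, nr, cky_r = responder.public, responder.nonce, responder.cookie

    keys_i = derive_keys(initiator.psk, ni, nr, initiator.shared_secret(gxr), cky_i, cky_r)
    keys_r = derive_keys(responder.psk, ni, nr, responder.shared_secret(gxi), cky_i, cky_r)

    # HASH_I = prf(SKEYID, g^xi | g^xr | CKY-I | CKY-R | SAi_b | IDii_b)
    hash_i_sent = prf(keys_i["SKEYID"], gxi + gxr + cky_i + cky_r + sa_proposal + initiator.identity)
    hash_i_expected = prf(keys_r["SKEYID"], gxi + gxr + cky_i + cky_r + sa_proposal + initiator.identity)
    # HASH_R = prf(SKEYID, g^xr | g^xi | CKY-R | CKY-I | SAi_b | IDir_b)
    hash_r_sent = prf(keys_r["SKEYID"], gxr + gxi + cky_r + cky_i + sa_proposal + responder.identity)
    hash_r_expected = prf(keys_i["SKEYID"], gxr + gxi + cky_r + cky_i + sa_proposal + responder.identity)

    return {
        "dh_agrees": initiator.shared_secret(gxr) == responder.shared_secret(gxi),
        "responder_accepts_initiator": hmac.compare_digest(hash_i_sent, hash_i_expected),
        "initiator_accepts_responder": hmac.compare_digest(hash_r_sent, hash_r_expected),
        "skeyid_e_agrees": keys_i["SKEYID_e"] == keys_r["SKEYID_e"],
    }


if __name__ == "__main__":
    psk = b"constructed demo pre-shared key"
    print("same PSK:     ", run_phase1(Peer(psk, b"gw-a"), Peer(psk, b"gw-b"), b"SAi"))
    print("different PSK:", run_phase1(Peer(psk, b"gw-a"), Peer(b"other", b"gw-b"), b"SAi"))
```

The second run is the case worth remembering when a tunnel fails to come up: the peers can complete the Diffie-Hellman exchange and still reject each other in step c because the pre-shared keys differ.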