Netgear orporated FWG114PV2 ProSafe 802.11g Wireless Firewall/Print Server User Manual FullManual

Netgear Incorporated ProSafe 802.11g Wireless Firewall/Print Server FullManual

UserManual.wiki >

Netgear orporated >

FWG114PV2 User Manual >

Users Manual Part 3

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PVirtual Private Networking 8-41March 2004, 202-10027-01b. Click Pre-Shared Key.Figure 8-29: Connection Identity Pre-Shared Keyc. Enter hr5xb84l6aa9r6, which is the same Pre-Shared Key entered in the FWG114P. d. Click OK.4. Configure the Connection Identity Settings.a. In the Network Security Policy list, click the Security Policy subheading.Figure 8-30: Security Policyb. For this example, ensure that the following settings are configured: – In the Select Phase 1 Negotiation Mode menu, select Aggressive Mode. – Select the Enable Perfect Forward Secrecy (PFS) check box. – In the PFS Key Group drop-down list, Diffie-Hellman Group 2. – Select the Enable Replay Detection check box. In this example, enter this pre-shared key in this field: hr5xb84l6aa9r6

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P8-42 Virtual Private NetworkingMarch 2004, 202-10027-015. Configure the Connection Security PolicyIn this step, you will provide the authentication (IKE Phase 1) settings, and the key exchange (Phase 2) settings. The setting choices in this procedure follow the VPNC guidelines.Figure 8-31: Connection Security Policy Authentication (Phase 1)a. Configure the Authentication (Phase 1) Settings. • Expand the Security Policy heading, then expand the Authentication (Phase 1) heading, and click on Proposal 1. • For this example, ensure that the following settings are configured: – In the Encrypt Alg menu, select Triple DES. – In the Hash Alg, select SHA-1. – In the SA Life, select Unspecified. – In the Key Group menu, select Diffie-Hellman Group 2.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PVirtual Private Networking 8-43March 2004, 202-10027-01Figure 8-32: Connection Security Policy Key Exchange (Phase 2)b. Configure the Key Exchange (Phase 2). • Expand the Key Exchange (Phase 2) heading, and click on Proposal 1. • For this example, ensure that the following settings are configured: – In the SA Life menu, select Unspecified. – In the Compression menu, select None. – Check the Encapsulation Protocol (ESP) check box. – In the Encrypt Alg menu, select Triple DES. – In the Hash Alg, select SHA-1. – In the Encapsulation menu, select Tunnel.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P8-44 Virtual Private NetworkingMarch 2004, 202-10027-016. Configure the Global Policy Settings.a. From the Options menu at the top of the Security Policy Editor window, select Global Policy Settings.Figure 8-33: Security Policy Editor Global Policy Optionsb. Increase the Retransmit Interval period to 45 seconds.c. Select the Allow to Specify Internal Network Address check box and click OK.7. Save the VPN Client Settings. From the File menu at the top of the Security Policy Editor window, select Save. After you have configured and saved the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN router’s LAN.Note: Whenever you make changes to a Security Policy, save them first, then deactivate the security policy, reload the security policy, and finally activate the security policy. This ensures that your new settings will take effect.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P8-46 Virtual Private NetworkingMarch 2004, 202-10027-01To test the connection to a computer connected to the FWG114P, simply ping the IP address of that computer. Once connected, you can open a browser on the remote PC and enter the LAN IP Address of the FWG114P, which is http://192.168.0.1 in this example. After a short wait, you should see the login screen of the FWG114P.From the FWG114P to the Client PC You can use the FWG114P Diagnostic utilities to test the VPN connection from the FWG114P to the client PC. Run ping tests from the Diagnostics link of the FWG114P main menu.Monitoring the PC VPN Connection Information on the progress and status of the VPN client connection can be viewed by opening the Netgear ProSafe VPN Client Connection Monitor or Log Viewer. To launch these functions, click on the Windows Start button, then select Programs, then Netgear ProSafe VPN Client, then either the Connection Monitor or Log Viewer.The Log Viewer screen for a successful connection is similar to the one shown below:Figure 8-34: Log Viewer screen

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PVirtual Private Networking 8-47March 2004, 202-10027-01A sample Connection Monitor screen for a different connection is shown below:Figure 8-35: Connection Monitor screenIn this example the following connection options apply:• The FWG114P has a public IP WAN address of 66.120.188.153• The FWG114P has a LAN IP address of 192.168.0.1• The VPN client PC is behind a home NAT router and has a dynamically assigned address of 192.168.0.3While the connection is being established, the Connection Name field in this menu will say “SA” before the name of the connection. When the connection is successful, the “SA” will change to the yellow key symbol shown in the illustration above.Viewing the FWG114P VPN Status and Log InformationInformation on the status of the VPN client connection can be viewed by opening the FWG114P VPN Status screen. To view this screen, click the VPN Status link on the FWG114P main menu.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P8-48 Virtual Private NetworkingMarch 2004, 202-10027-01The FWG114P VPN Status screen for a successful connection is shown below:Figure 8-36: FWG114P VPN Status screen

Maintenance 9-1March 2004, 202-10027-01Chapter 9 MaintenanceThis chapter describes how to use the maintenance features of your ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P. These features are accessed via the Main Menu Maintenance heading.Viewing Wireless Firewall/Print Server Status InformationThe Router Status menu provides status and usage information. From the main menu of the browser interface, click on Maintenance, then select Router Status to view this screen.Figure 9-1: Router Status screen

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P9-2 MaintenanceMarch 2004, 202-10027-01The Router Status screen shows the following parameters:Table 9-1. Status FieldsField DescriptionSystem Name The System Name assigned to the router.Firmware Version The router firmware version.Printer Status The printer status.WAN Port These parameters apply to the Internet (WAN) port of the router. MAC Address This field displays the MAC address being used by the Internet (WAN) port of the router. IP Address This field displays the IP address being used by the Internet (WAN) port of the router. If no address is shown, the router cannot connect to the Internet.DHCP This field if the WAN port DHCP settings are dynamic or static.IP Subnet Mask This field displays the IP Subnet Mask being used by the Internet (WAN) port of the router.Domain Name Server Identifies the IP address of the DNS server(s).LAN PortMAC Address The Media Access Control address being used by the LAN port of the router. IP Address The IP address being used by the Local (LAN) port of the router. The default is 192.168.0.1.DHCP Identifies if the router’s built-in DHCP server is active for the LAN attached devices.IP Subnet Mask The IP Subnet Mask being used by the Local (LAN) port of the router. The default is 255.255.255.0.Wireless PortName (SSID) This field displays the wireless network name (SSID) being used by the wireless port of the router. The default is Wireless.Region This field displays the MAC address being used by the wireless port of the router. Channel/Frequency Identifies the channel the wireless port is using. See “Wireless Channels” on page E-7 for the frequencies used on each channel.Mode Identifies if the channel the wireless port is set for 802.11b, 802.11g, or both.Wireless AP Identifies if the wireless access point is on or off.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PMaintenance 9-3March 2004, 202-10027-01Click “WAN Status” to display the WAN connection status.Figure 9-2: Connection Status screenThis screen shows the following statistics:.Broadcast Name Identifies if the Name (SSID) is being broadcast.Serial PortStatus The status of the serial port. Click the Details button to view the Serial Port Log, Port Status, Physical Link, PPP Link, PPP IP Address, Phone Line Speed, and Serial Line Speed.Modem The status of the modem port. Dial-In The status of the Dial-In port. Internet Access The status of the serial Internet connection.Lan-to-LAN The status of the serial LAN-to-LAN connection.Table 9-1. Connection Status Fields Field DescriptionConnection Time The length of time the router has been connected to your Internet service provider’s network.Connection Method The method used to obtain an IP address from your Internet service provider.IP Address The WAN (Internet) IP Address assigned to the router.Table 9-1. Status FieldsField Description

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P9-4 MaintenanceMarch 2004, 202-10027-01Log action buttons are described in Table 9-2.Click “Show Statistics” to display router usage statistics.Figure 9-3: Router Statistics screenThis screen shows the following statistics:Network Mask The WAN (Internet) Subnet Mask assigned to the router.Default Gateway The WAN (Internet) default gateway the router communicates with.Table 9-2. Connection Status action buttonsField DescriptionRenew Click the Renew button to renew the DHCP lease.Table 9-1. Router Statistics Fields Field Descriptioninterface The statistics for the WAN (Internet), LAN (local), Wireless, and Serial interfaces. For each interface, the screen displays:Status The link status of the interface.TxPkts The number of packets transmitted on this interface since reset or manual clear.RxPkts The number of packets received on this interface since reset or manual clear.Table 9-1. Connection Status Fields (continued)Field Description

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PMaintenance 9-5March 2004, 202-10027-01WAN Status action buttons are described in Table 9-2.Viewing a List of Attached DevicesThe Attached Devices menu contains a table of all IP devices that the router has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table shown below:Figure 9-4: Attached Devices menuCollisions The number of collisions on this interface since reset or manual clear.Tx B/s The current transmission (outbound) bandwidth used on the interfaces.Rx B/s The current reception (inbound) bandwidth used on the interfaces.Up Time The amount of time since the router was last restarted.Serial Up Time The time elapsed since this port acquired the link.Poll Interval Specifies the intervals at which the statistics are updated in this window. Click on Stop to freeze the display.Table 9-2. Connection Status action buttonsField DescriptionSet Interval Enter a time and click the button to set the polling frequency.Stop Click the Stop button to freeze the polling information.Table 9-1. Router Statistics Fields (continued)Field Description

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P9-6 MaintenanceMarch 2004, 202-10027-01For each device, the table shows the IP address, Device Name (if available), and Ethernet MAC address. Note that if the router is rebooted, the table data is lost until the router rediscovers the devices. To force the router to look for attached devices, click the Refresh button.Upgrading the Router SoftwareThe routing software of the FWG114P Wireless Firewall/Print Server is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from Netgear's Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary file before sending it to the router. The upgrade file can be sent to the router using your browser. Note: The Web browser used to upload new firmware into the FWG114P Wireless Firewall/Print Server must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer or Netscape Navigator 3.0, or above. From the Main Menu of the browser interface, under the Maintenance heading, select the Router Upgrade heading. To upload new firmware:1. Download and unzip the new software file from NETGEAR. 2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary (.IMG) upgrade file.3. Click Upload.Note: When uploading software to the FWG114P, it is important not to interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it may corrupt the software. When the upload is complete, your router will automatically restart. The upgrade process will typically take about one minute.In some cases, you may need to reconfigure the router after upgrading.Configuration File ManagementThe configuration settings of the FWG114P Wireless Firewall/Print Server are stored within the router in a configuration file. This file can be saved (backed up) to a user’s computer, retrieved (restored) from the user’s computer, or cleared to the factory default settings.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PMaintenance 9-7March 2004, 202-10027-01From the Main Menu of the browser interface, under the Maintenance heading, select the Settings Backup heading to bring up the menu shown below. Figure 9-5: Settings Backup menuThree options are available, and are described in the following sections.Restoring and Backing Up the ConfigurationThe Restore and Backup options in the Settings Backup menu allow you to save and retrieve a file containing your router’s configuration settings.To save your settings, click Backup. Your browser will extract the configuration file from the router and will prompt you for a location on your computer to store the file. You can give the file a meaningful name at this time, such as SBC.cfg.To restore your settings from a saved configuration file, enter the full path to the file on your computer or click the Browse button to locate the file. When you have located it, click the Restore button to send the file to the router. The router will then reboot automatically.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P9-8 MaintenanceMarch 2004, 202-10027-01Erasing the ConfigurationIt is sometimes desirable to restore the router to a known blank condition. This can be done by using the Erase function, which will restore all factory settings. After an erase, the router's password will be password, the LAN IP address will be 192.168.0.1, and the router's DHCP client will be enabled.To erase the configuration, click the Erase button.To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the rear panel of the router. See “Restoring the Default Configuration and Password” on page 11-7.Changing the Administrator PasswordThe default password for the router’s Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. From the main menu of the browser interface, under the Maintenance heading, select Set Password to bring up this menu.Figure 9-6: Set Password menuTo change the password, first enter the old password, and then enter the new password twice. Click Apply. To change the login idle timeout, change the number of minutes and click Apply.

Advanced Configuration 10-1March 2004, 202-10027-01Chapter 10 Advanced ConfigurationThis chapter describes how to configure the advanced features of your ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P. These features can be found under the Advanced heading in the Main Menu of the browser interface.Using the WAN Setup OptionsThe first feature category under the Advanced heading is WAN Setup. This menu allows configuration of a DMZ server, MTU size, port speed, and so on. From the Main Menu of the browser interface, under Advanced, click on WAN IP Setup to view the WAN IP Setup menu, shown below.Figure 10-1: WAN Setup MenuThe WAN Setup options let you configure a DMZ server, change the MTU size, and set the WAN port speed. These options are discussed below.• Connect Automatically, as Required

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P10-2 Advanced ConfigurationMarch 2004, 202-10027-01Normally, this option is Enabled, so that an Internet connection will be made automatically whenever Internet-bound traffic is detected. In locations where Internet access is billed by the minute, if this causes high connection costs, you can disable this setting. If disabled, you must connect manually, using the sub-screen accessed from the Router Status menu “Show WAN Status” screen.• Setting Up a Default DMZ ServerThe use of the term ‘DMZ’ has become common, although it is a misnomer. In traditional firewalls, a DMZ is actually a separate physical network port. A true DMZ port is for connecting servers that require greater access from the outside, and will therefore be provided with a different level of security by the firewall. A better term for our application is Exposed Host. The default DMZ server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The router is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local computer can run the application properly if that computer’s IP address is entered as the default DMZ server.Incoming traffic from the Internet is normally discarded by the router unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server.The WAN Setup menu lets you configure a Default DMZ Server.To assign a computer or server to be a Default DMZ server, follow these steps: 1. Click WAN Setup link on the Advanced section of the main menu. 2. Type the IP address for that server. To remove the default DMZ server, replace the IP address numbers with all zeros.3. Click Apply.• Respond to Ping on Internet WAN Port If you want the router to respond to a 'ping' from the Internet, click the ‘Respond to Ping on Internet WAN Port’ check box. This should only be used as a diagnostic tool, since it allows your router to be discovered. Do not check this box unless you have a specific reason to do so.Note: DMZ servers pose a security risk. A computer designated as the default DMZ server loses much of the protection of the firewall, and is exposed to attacks from the Internet. If compromised, the DMZ server can be used to attack your network.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PAdvanced Configuration 10-3March 2004, 202-10027-01• Setting the MTU SizeThe default MTU size is usually fine. The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes. For some ISPs, particularly those using PPPoE, you may need to reduce the MTU. This should not be done unless you are sure it is necessary for your ISP. Any packets sent through the router that are larger than the configured MTU size will be repackaged into smaller packets to meet the MTU requirement. To change the MTU size, under MTU Size, enter a new size between 64 and 1500. Then, click Apply to save the new configuration.• Setting the WAN Port SpeedIn most cases, your router can automatically determine (AutoSense) the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port speed. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M.How to Configure Dynamic DNSIf your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service, which will allow you to register your domain to their IP address, and will forward traffic directed to your domain to your frequently-changing IP address. The router contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. After you have configured your account information in the router, whenever your ISP-assigned IP address changes, your router will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.1. Log in to the router at its default LAN address of http://192.168.0.1, with its default user name of admin, default password of password, or using whatever password and LAN address you have chosen for the router.2. From the Main Menu of the browser interface, under Advanced, click on Dynamic DNS.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P10-4 Advanced ConfigurationMarch 2004, 202-10027-013. Access the website of one of the dynamic DNS service providers whose names appear in the ‘Select Service Provider’ box, and register for an account. For example, for dyndns.org, go to www.dyndns.org.4. Select the “Use a dynamic DNS service” check box. 5. Select the name of your dynamic DNS Service Provider. 6. Type the host name that your dynamic DNS service provider gave you. The dynamic DNS service provider may call this the domain name. If your URL is myName.dyndns.org, then your host name is “myName.”7. Type the user name for your dynamic DNS account. 8. Type the password (or key) for your dynamic DNS account. 9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you may select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org10. Click Apply to save your configuration. Note: If your ISP assigns a private WAN IP address, such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PAdvanced Configuration 10-5March 2004, 202-10027-01Using the LAN IP Setup OptionsThe second feature category under the Advanced heading is LAN IP Setup. This menu allows configuration of LAN IP services, such as DHCP and RIP. From the Main Menu of the browser interface, under Advanced, click on LAN IP Setup to view the LAN IP Setup menu, shown below.Figure 10-2: LAN IP Setup MenuConfiguring LAN TCP/IP Setup ParametersThe router is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The router’s default LAN IP configuration is:• LAN IP addresses—192.168.0.1• Subnet mask—255.255.255.0

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P10-6 Advanced ConfigurationMarch 2004, 202-10027-01These addresses are part of the IETF-designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes in this menu.The LAN IP parameters are:• IP Address This is the LAN IP address of the router.• IP Subnet Mask This is the LAN Subnet Mask of the router. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.• RIP Direction RIP (Router Information Protocol) allows a router to exchange routing information with other routers. The RIP Direction selection controls how the router sends and receives RIP packets. Both is the default. — When set to Both or Out Only, the router will broadcast its routing table periodically. — When set to Both or In Only, it will incorporate the RIP information that it receives. — When set to None, it will not send any RIP packets and will ignore any RIP packets received. • RIP Version This controls the format and the broadcasting method of the RIP packets that the router sends. (It recognizes both formats when receiving.) By default, this is set for RIP-1. — RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you have an unusual network setup. — RIP-2 carries more information. RIP-2B uses subnet broadcasting.Note: If you change the LAN IP address of the router while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PAdvanced Configuration 10-7March 2004, 202-10027-01Using the Router as a DHCP serverBy default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the router's LAN. The assigned default gateway address is the LAN address of the router. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.For most applications, the default DHCP and TCP/IP settings of the router are satisfactory. See “IP Configuration by DHCP” on page B-10 for an explanation of DHCP and information about how to assign IP addresses for your network. If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the ‘Use router as DHCP server’ check box. Otherwise, leave it checked. Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the router’s LAN IP address. Using the default addressing scheme, you should define a range between 192.168.0.2 and 192.168.0.253, although you may wish to save part of the range for devices with fixed addresses.The router will deliver the following parameters to any LAN device that requests DHCP:• An IP Address from the range you have defined.• Subnet Mask.• Gateway IP Address (the router’s LAN IP address).• Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise, the router’s LAN IP address).• Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu).Using Address ReservationWhen you specify a reserved IP address for a computer on the LAN, that computer will always receive the same IP address each time it access the router’s DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. To reserve an IP address: 1. Click the Add button.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P10-8 Advanced ConfigurationMarch 2004, 202-10027-012. In the IP Address box, type the IP address to assign to the computer or server. (choose an IP address from the router’s LAN subnet, such as 192.168.0.X) 3. Type the MAC Address of the computer or server. (Tip: If the computer is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here.) 4. Click Apply to enter the reserved address into the table. Note: The reserved address will not be assigned until the next time the computer contacts the router's DHCP server. Reboot the computer or access its IP configuration and force a DHCP release and renew. To edit or delete a reserved address entry: 1. Click the button next to the reserved address you want to edit or delete. 2. Click Edit or Delete.Configuring Static RoutesStatic Routes provide additional routing information to your router. Under normal circumstances, the router has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases, such as multiple routers or multiple IP subnets located on your network.From the Main Menu of the browser interface, under Advanced, click on Static Routes to view the Static Route menu. To add or edit a Static Route:1. Click the Add button to open the Static Routes menu.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PAdvanced Configuration 10-9March 2004, 202-10027-01Figure 10-3. Static Route Entry and Edit Menu2. Type a route name for this static route in the Route Name box. (This is for identification purpose only.) 3. Select Active to make this route effective. 4. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP. 5. Type the Destination IP Address of the final destination. 6. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.254. 7. Type the Gateway IP Address, which must be a router on the same LAN segment as the router. 8. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1. 9. Click Apply to have the static route entered into the table. As an example of when a static route is needed, consider the following case:• Your primary Internet access is through a cable modem to an ISP.• You have an ISDN router on your home network for connecting to the company where you are employed. This router’s address on your LAN is 192.168.0.100.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P10-10 Advanced ConfigurationMarch 2004, 202-10027-01• Your company’s network is 134.177.0.0.When you first configured your router, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your router will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company’s firewall.In this case you must define a static route, telling your router that 134.177.0.0 should be accessed through the ISDN router at 192.168.0.100. The static route would look like Figure 10-3.In this example:• The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses. • The Gateway IP Address fields specifies that all traffic for these addresses should be forwarded to the ISDN router at 192.168.0.100. • A Metric value of 1 will work since the ISDN router is on the LAN. • Private is selected only as a precautionary security measure in case RIP is activated.Enabling Remote Management AccessUsing the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your FWG114P Wireless Firewall/Print Server.To configure your router for Remote Management:1. Select the Turn Remote Management On check box.2. Specify what external addresses will be allowed to access the router’s remote management. Note: For enhanced security, restrict access to as few external IP addresses as practical.a. To allow access from any IP address on the Internet, select Everyone. Note: Be sure to change the router's default configuration password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PAdvanced Configuration 10-11March 2004, 202-10027-01b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range. c. To allow access from a single IP address on the Internet, select Only this computer. Enter the IP address that will be allowed access. 3. Specify the Port Number that will be used for accessing the management interface.Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.4. Click Apply to have your changes take effect.Note: When accessing your router from the Internet, you will type your router's WAN IP address into your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the custom port number. For example, if your external address is 134.177.0.123 and you use port number 8080, you must enter in your browser: http://134.177.0.123:8080Using Universal Plug and Play (UPnP)Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access the network and connect to other devices as needed. UPnP devices can automatically discover the services from other registered UPnP devices on the network. Figure 10-4. UPnP Menu

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P10-12 Advanced ConfigurationMarch 2004, 202-10027-01Turn UPnP On: UPnP can be enabled or disabled for automatic device configuration. The default setting for UPnP is enabled. If disabled, the router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the router. Advertisement Period: The Advertisement Period is how often the router will broadcast its UPnP information. This value can range from 1 to 1440 minutes. The default period is 30 minutes. Shorter durations will ensure that control points have current device status at the expense of additional network traffic. Longer durations may compromise the freshness of the device status but can significantly reduce network traffic.Advertisement Time To Live: The time to live for the advertisement is measured in hops (steps) for each UPnP packet sent. The time to live hop count is the number of steps a broadcast packet is allowed to propagate for each UPnP advertisement before it disappears. The number of hops can range from 1 to 255. The default value for the advertisement time to live is 4 hops, which should be fine for most home networks. If you notice that some devices are not being updated or reached correctly, then it may be necessary to increase this value a little.UPnP Portmap Table: The UPnP Portmap Table displays the IP address of each UPnP device that is currently accessing the router and which ports (Internal and External) that device has opened. The UPnP Portmap Table also displays what type of port is opened and if that port is still active for each IP address. Advanced Wireless Settings Note: Incorrectly changing these settings can prevent the wireless functions from working. • RTS Threshold Request to Send Threshold. The packet size that is used to determine if it should use the CSMA/CD (Carrier Sense Multiple Access with Collision Detection) mechanism or the CSMA/CA define the mechanism for packet transmission. With the CSMA/CD transmission mechanism, the transmitting station sends out the actual packet as soon as it has waited for the silence period. With the CSMA/CA transmission mechanism, the transmitting station sends out an RTS packet to the receiving station, and waits for the receiving station to send back a CTS (Clear to Send) packet before sending the actual packet data. • Fragmentation Length This is the maximum packet size used for fragmentation. Packets larger than the size programmed in this field will be fragmented. The Fragment Threshold value must be larger than the RTS Threshold value.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PAdvanced Configuration 10-13March 2004, 202-10027-01• Beacon Interval Specifies the data beacon rate between 20 and 1000. •DTIM The Delivery Traffic Indication Message. Specifies the data beacon rate between 1 and 255.• Preamble Type A long transmit preamble may provide a more reliable connection or slightly longer range. A short transmit preamble gives better performance.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P10-14 Advanced ConfigurationMarch 2004, 202-10027-01

Troubleshooting 11-1March 2004, 202-10027-01Chapter 11TroubleshootingThis chapter gives information about troubleshooting your ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P. After each problem description, instructions are provided to help you diagnose and solve the problem.Basic FunctioningAfter you turn on power to the router, the following sequence of events should occur:1. When power is first applied, verify that the PWR LED is on.2. After approximately 10 seconds, verify that:a. The TEST LED is not lit.b. The LAN port LEDs are lit for any local ports that are connected.If a port’s LED is lit, a link has been established to the connected device. If a LAN port is connected to a 100 Mbps device, verify that the port’s LED is green. If the port is 10 Mbps, the LED will be OFF.c. The Internet port LED is lit.If any of these conditions does not occur, refer to the appropriate following section.Power LED Not OnIf the Power and other LEDs are off when your router is turned on:• Make sure that the power cord is properly connected to your router and that the power supply adapter is properly connected to a functioning power outlet. • Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product.If the error persists, you have a hardware problem and should contact technical support.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P11-2 TroubleshootingMarch 2004, 202-10027-01LEDs Never Turn Off When the router is turned on, the LEDs turns on for about 10 seconds and then turns off. If all the LEDs stay on, there is a fault within the router.If all LEDs are still on one minute after power up:• Cycle the power to see if the router recovers.• Clear the router’s configuration to the factory defaults. This will set the router’s IP address to 192.168.0.1. This procedure is explained in “Restoring the Default Configuration and Password” on page 11-7.If the error persists, you might have a hardware problem and should contact technical support.LAN or Internet Port LEDs Not OnIf either the LAN LEDs or the Internet LED do not light when the Ethernet connection is made, check the following:• Make sure that the Ethernet cable connections are secure at the router and at the hub or workstation.• Make sure that power is turned on to the connected hub or workstation.• Be sure you are using the correct cable:When connecting the router’s Internet port to a broadband modem, use the cable that was supplied with the broadband modem. This cable could be a standard straight-through Ethernet cable or an Ethernet crossover cable.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PTroubleshooting 11-3March 2004, 202-10027-01Troubleshooting the Web Configuration InterfaceIf you are unable to access the router’s Web Configuration interface from a computer on your local network, check the following:• Check the Ethernet connection between the computer and the router as described in the previous section.• Make sure your computer’s IP address is on the same subnet as the router. If you are using the recommended addressing scheme, your computer’s address should be in the range of 192.168.0.2 to 192.168.0.254. Refer to “Verifying TCP/IP Properties” on page 3-5 or “Verifying TCP/IP Properties (Macintosh)” on page 3-8 to find your computer’s IP address. Follow the instructions in Chapter 4 to configure your computer.Note: If your computer’s IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the computer to the router and reboot your computer.• If your router’s IP address has been changed and you do not know the current IP address, clear the router’s configuration to the factory defaults. This will set the router’s IP address to 192.168.0.1. This procedure is explained in “Restoring the Default Configuration and Password” on page 11-7.• Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.• Try quitting the browser and launching it again.• Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.If the router does not save changes you have made in the Web Configuration Interface, check the following:• When entering configuration settings, be sure to click the APPLY button before moving to another menu or tab, or your changes will be lost. • Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P11-4 TroubleshootingMarch 2004, 202-10027-01Troubleshooting the ISP ConnectionIf your router is unable to access the Internet, you should first determine whether the router is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your router must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.To check the WAN IP address: 1. Launch your browser and select an external site, such as www.netgear.com.2. Access the Main Menu of the router’s configuration at http://192.168.0.1. 3. Under the Maintenance heading, select Router Status.4. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your router has not obtained an IP address from your ISP.If your router is unable to obtain an IP address from the ISP, you may need to force your broadband modem to recognize your new router by performing the following procedure:1. Turn off power to the broadband modem. 2. Turn off power to your router. 3. Wait five minutes and reapply power to the broadband modem. 4. When the modem’s LEDs indicate that it has reacquired sync with the ISP, reapply power to your router.If your router is still unable to obtain an IP address from the ISP, the problem may be one of the following:• Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or some other type of login.• If your ISP requires a login, you may have incorrectly set the login name and password.• Your ISP may check for your computer's host name. Assign the computer Host Name of your ISP account as the Account Name in the Basic Settings menu.• Your ISP only allows one Ethernet MAC address to connect to Internet, and may check for your computer’s MAC address. In this case:Inform your ISP that you have bought a new network device and ask them to use the router’s MAC address.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PTroubleshooting 11-5March 2004, 202-10027-01ORConfigure your router to spoof your computer’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page 3-17.If your router can obtain an IP address, but your computer is unable to load any Web pages from the Internet:• Your computer may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typically your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the router’s configuration, reboot your computer and verify the DNS address as described in “Verifying TCP/IP Properties” on page 3-5. Alternatively, you may configure your computer manually with DNS addresses, as explained in your operating system documentation.• Your computer may not have the router configured as its TCP/IP gateway.If your computer obtains its information from the router by DHCP, reboot the computer and verify the gateway address as described in “Verifying TCP/IP Properties” on page 3-5.Troubleshooting a TCP/IP Network Using a Ping UtilityMost TCP/IP terminal devices and routers contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your computer or workstation.Testing the LAN Path to Your RouterYou can ping the router from your computer to verify that the LAN path to your router is set up correctly.To ping the router from a computer running Windows 95 or later:1. From the Windows toolbar, click on the Start button and select Run.2. In the field provided, type Ping followed by the IP address of the router, as in this example:ping 192.168.0.13. Click on OK.You should see a message like this one:

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P11-6 TroubleshootingMarch 2004, 202-10027-01Pinging <IP address> with 32 bytes of dataIf the path is working, you see this message:Reply from < IP address >: bytes=32 time=NN ms TTL=xxxIf the path is not working, you see this message:Request timed outIf the path is not functioning correctly, you could have one of the following problems:• Wrong physical connections— Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 11-2.— Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and router.• Wrong network configuration— Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your computer or workstation.— Verify that the IP address for your router and your workstation are correct and that the addresses are on the same subnet.Testing the Path from Your Computer to a Remote DeviceAfter verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows run menu, type:PING -n 10 <IP address>where <IP address> is the IP address of a remote device, such as your ISP’s DNS server.If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:— Check that your computer has the IP address of your router listed as the default gateway. If the IP configuration of your computer is assigned by DHCP, this information will not be visible in your computer’s Network Control Panel. Verify that the IP address of the router is listed as the default gateway as described in “Verifying TCP/IP Properties” on page 3-5.— Check to see that the network address of your computer (the portion of the IP address specified by the netmask) is different from the network address of the remote device.— Check that your broadband modem is connected and functioning.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PTroubleshooting 11-7March 2004, 202-10027-01— If your ISP assigned a host name to your computer, enter that host name as the Account Name in the Basic Settings menu.— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single computer connected to that modem. If this is the case, you must configure your router to “clone” or “spoof” the MAC address from the authorized computer. Refer to “Manually Configuring Your Internet Connection” on page 3-17.Restoring the Default Configuration and PasswordThis section explains how to restore the factory default configuration settings, changing the router’s administration password to password and the IP address to 192.168.0.1. You can erase the current configuration and restore factory defaults in two ways:• Use the Erase function of the router (see “Erasing the Configuration” on page 9-8).• Use the Default Reset button on the rear panel of the router. Use this method for cases when the administration password or IP address is not known.To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the router.1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds).2. Release the Default Reset button and wait for the router to reboot.Problems with Date and TimeThe E-Mail menu in the Content Filtering section displays the current date and time of day. The FWG114P Wireless Firewall/Print Server uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:• Date shown is January 1, 2000. Cause: The router has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the router, wait at least five minutes and check the date and time again.• Time is off by one hour. Cause: The router does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked “Adjust for Daylight Savings Time”.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P11-8 TroubleshootingMarch 2004, 202-10027-01

Technical Specifications A-1March 2004, 202-10027-01Appendix ATechnical SpecificationsThis appendix provides technical specifications for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P.Network Protocol and Standards CompatibilityData and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP PPP over Ethernet (PPPoE)VPN Protocols:Tunnels:IPSec, SHA-1, MD5, DES, 3DES, ESP, DH1, DH22 IPSec TunnelsPower AdapterNorth America: 120V, 60 Hz, inputUnited Kingdom, Australia: 240V, 50 Hz, inputEurope: 230V, 50 Hz, inputJapan: 100V, 50/60 Hz, inputAll regions (output): 12 V DC @ 1.2 A output, 18W maximumPhysical SpecificationsDimensions: H: 32 x L: 188 x W: 124 mm (1.25 x 7.4 x 4.9 in.)Weight: 0.64 kg (1.4 lb)Environmental SpecificationsOperating temperature: 0° to 40° C (32º to 104º F)Operating humidity: 90% maximum relative humidity, noncondensing

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PA-2 Technical SpecificationsMarch 2004, 202-10027-01Electromagnetic EmissionsFor North America and Australia FCC Part 15 Class BFor Japan VCCI Class BFor Europe EN 300 328, EN 301 489-17, EN 301 489-1, EN 60950Interface SpecificationsLAN: 10BASE-T or 100BASE-Tx, RJ-45WAN: 10BASE-T or 100BASE-TxPrinter: USB v1.1Serial: RS-232 male DB-9 connectorWirelessData Encoding: 802.11b: Direct Sequence Spread Spectrum (DSSS) 802.11g: Orthogonal Frequency Division Multiplexing (OFDM)Maximum Computers Per Wireless Network: Limited by the amount of wireless network traffic generated by each node. Typically 30-70 nodes.802.11b and g Radio Data Rate 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, and 54 Mbps (Auto-rate capable)802.11b and g Transmit Power and Receive Sensitivity Maximum Transmit Power / Receive Sensitivity54 Mbps, 11g 14.5 dBm typical - 72 dBm typical48 Mbps, 11g 14.5 dBm typical - 75 dBm typical36 Mbps, 11g 15.5 dBm typical - 80dBm typical24 Mbps, 11g 15.5 dBm typical - 82 dBm typical18Mbps, 11g 16.5 dBm typical - 84 dBm typical12 Mbps, 11g 16.5 dBm typical - 85 dBm typical6 Mbps, 11g 16.5 dBm typical - 86 dBm typical11 Mbps, 11b 17.5 dBm typical - 83 dBm typical5.5 Mbps, 11b 17.5 dBm typical - 86 dBm typical2 Mbps, 11b 17.5 dBm typical - 89 dBm typical1Mbps, 11b 17.5 dBm typical - 92 dBm typicalNote: For Europe, the maximum transmit power does not exceed +15 dBmAntenna: External detachable 5 dBi omnidirectional 802.11 Security 40-bits (also called 64-bits), 128-bits WEP data encryption, and WPA

Networks, Routing, and Firewall Basics B-1March 2004, 202-10027-01Appendix BNetworks, Routing, and Firewall BasicsThis appendix provides an overview of IP networks, routing, and firewalls.Related PublicationsAs you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet. The RFC documents outline and define the standard protocols and procedures for the Internet. The documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at many other sites worldwide.Basic Router ConceptsLarge amounts of bandwidth can be provided easily and relatively inexpensively in a local area network (LAN). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access is usually provided by a slower-speed wide-area network (WAN) link, such as a cable or DSL modem. In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router.What is a Router?A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic.Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PB-2 Networks, Routing, and Firewall BasicsMarch 2004, 202-10027-01Routing Information ProtocolOne of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table.The FWG114P Wireless Firewall/Print Server supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications. IP Addresses and the InternetBecause TCP/IP networks are interconnected across the world, every machine on the Internet must have a unique address to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). You can contact IANA at www.iana.org.The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points.For example, the following binary address: 11000011 00100010 00001100 00000111 is normally written as: 195.34.12.7The latter version is easier to remember and easier to enter into your computer.In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application.There are five standard classes of IP addresses. These address classes have different ways of determining the network and host sections of the address, allowing for different numbers of hosts on a network. Each address type begins with a unique bit pattern, which is used by the TCP/IP software to identify the address class. After the address class has been determined, the software can correctly identify the host section of the address. The following figure shows the three main address classes, including network and host sections of the address for each address type.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PNetworks, Routing, and Firewall Basics B-3March 2004, 202-10027-01Figure 11-1: Three Main Address ClassesThe five address classes are:• Class A Class A addresses can have up to 16,777,214 hosts on a single network. They use an eight-bit network number and a 24-bit node number. Class A addresses are in this range: 1.x.x.x to 126.x.x.x. • Class B Class B addresses can have up to 65,354 hosts on a network. A Class B address uses a 16-bit network number and a 16-bit node number. Class B addresses are in this range: 128.1.x.x to 191.254.x.x. • Class C Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range:192.0.1.x to 223.255.254.x. • Class D Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range:224.0.0.0 to 239.255.255.255. • Class E Class E addresses are for experimental use. Class ANetwork NodeClass BClass CNetwork NodeNetwork Node

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PB-4 Networks, Routing, and Firewall BasicsMarch 2004, 202-10027-01This addressing structure allows IP addresses to uniquely identify each physical network and each node on each physical network.For each unique value of the network portion of the address, the base address of the range (host address of all zeros) is known as the network address and is not usually assigned to a host. Also, the top address of the range (host address of all ones) is not assigned, but is used as the broadcast address for simultaneously sending a packet to all hosts with the same network address.NetmaskIn each of the address classes previously described, the size of the two parts (network address and host address) is implied by the class. This partitioning scheme can also be expressed by a netmask associated with the IP address. A netmask is a 32-bit quantity that, when logically combined (using an AND operator) with an IP address, yields the network address. For instance, the netmasks for Class A, B, and C addresses are 255.0.0.0, 255.255.0.0, and 255.255.255.0, respectively.For example, the address 192.168.170.237 is a Class C IP address whose network portion is the upper 24 bits. When combined (using an AND operator) with the Class C netmask, as shown here, only the network portion of the address remains:11000000 10101000 10101010 11101101 (192.168.170.237)combined with:11111111 11111111 11111111 00000000 (255.255.255.0)Equals:11000000 10101000 10101010 00000000 (192.168.170.0)As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros. Subnet AddressingBy looking at the addressing structures, you can see that even with a Class C address, there are a large number of hosts per network. Such a structure is an inefficient use of addresses if each end of a routed link requires a different network number. It is unlikely that the smaller office LANs would have that many devices. You can resolve this problem by using a technique known as subnet addressing.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PNetworks, Routing, and Firewall Basics B-5March 2004, 202-10027-01Subnet addressing allows us to split one IP network address into smaller multiple physical networks known as subnetworks. Some of the node numbers are used as a subnet number instead. A Class B address gives us 16 bits of node numbers translating to 64,000 nodes. Most organizations do not use 64,000 nodes, so there are free bits that can be reassigned. Subnet addressing makes use of those bits that are free, as shown below.Figure 11-2: Example of Subnetting a Class B AddressA Class B address can be effectively translated into multiple Class C addresses. For example, the IP address of 172.16.0.0 is assigned, but node addresses are limited to 255 maximum, allowing eight extra bits to use as a subnet address. The IP address of 172.16.97.235 would be interpreted as IP network address 172.16, subnet number 97, and node number 235. In addition to extending the number of addresses available, subnet addressing provides other benefits. Subnet addressing allows a network manager to construct an address scheme for the network by using different subnets for other geographical locations in the network or for other departments in the organization.Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address. The new netmask (or subnet mask) is 255.255.255.128. The first subnet has network number 192.68.135.0 with hosts 192.68.135.1 to 129.68.135.126, and the second subnet has network number 192.68.135.128 with hosts 192.68.135.129 to 192.68.135.254.Note: The number 192.68.135.127 is not assigned because it is the broadcast address of the first subnet. The number 192.68.135.128 is not assigned because it is the network address of the second subnet.7262Class BNetwork Subnet Node

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PB-6 Networks, Routing, and Firewall BasicsMarch 2004, 202-10027-01The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.The following table displays several common netmask values in both the dotted-decimal and the masklength formats.Table 11-1. Netmask Notation Translation Table for One OctetNumber of Bits Dotted-Decimal Value1 1282 1923 2244 2405 2486 2527 2548 255Table 11-2. Netmask FormatsDotted-Decimal Masklength255.0.0.0 /8255.255.0.0 /16255.255.255.0 /24255.255.255.128 /25255.255.255.192 /26255.255.255.224 /27255.255.255.240 /28255.255.255.248 /29255.255.255.252 /30255.255.255.254 /31255.255.255.255 /32

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PNetworks, Routing, and Firewall Basics B-7March 2004, 202-10027-01NETGEAR strongly recommends that you configure all hosts on a LAN segment to use the same netmask for the following reasons:• So that hosts recognize local IP broadcast packets.When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address. In order for this scheme to work, all devices on the segment must agree on which bits comprise the host address. • So that a local router or bridge recognizes which addresses are local and which are remote.Private IP AddressesIf your local network is isolated from the Internet (for example, when using NAT), you can assign any IP addresses to the hosts without problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks:10.0.0.0 - 10.255.255.255172.16.0.0 - 172.31.255.255192.168.0.0 - 192.168.255.255NETGEAR recommends that you choose your private network number from this range. The DHCP server of the FWG114P Wireless Firewall/Print Server is preconfigured to automatically assign private addresses.Regardless of your particular situation, do not create an arbitrary IP address; always follow the guidelines explained here. For more information about address assignment, refer to RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space. The Internet Engineering Task Force (IETF) publishes RFCs on its Web site at www.ietf.org.Single IP Address Operation Using NATIn the past, if multiple computers on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FWG114P Wireless Firewall/Print Server employs an address-sharing method called Network Address Translation (NAT). This method allows several networked computers to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your ISP.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PB-8 Networks, Routing, and Firewall BasicsMarch 2004, 202-10027-01The router accomplishes this address sharing by translating the internal LAN IP addresses to a single address that is globally unique on the Internet. The internal LAN IP addresses can be either private addresses or registered addresses. For more information about IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).The following figure illustrates a single IP address operation. Figure 11-3: Single IP Address Operation Using NATThis scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system. However, using port forwarding, you can allow one PC (for example, a Web server) on your local network to be accessible to outside users.192.168.0.2192.168.0.3192.168.0.4192.168.0.5192.168.0.1 172.21.15.105Private IP addressesassigned by userInternetIP addressesassigned by ISP

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PNetworks, Routing, and Firewall Basics B-9March 2004, 202-10027-01MAC Addresses and Address Resolution ProtocolAn IP address alone cannot be used to deliver data from one LAN device to another. To send data between LAN devices, you must convert the IP address of the destination device to its media access control (MAC) address. Each device on an Ethernet network has a unique MAC address, which is a 48-bit number assigned to each device by the manufacturer. The technique that associates the IP address with a MAC address is known as address resolution. Internet Protocol uses the Address Resolution Protocol (ARP) to resolve MAC addresses.If a device sends data to another station on the network and the destination MAC address is not yet recorded, ARP is used. An ARP request is broadcast onto the network. All stations on the network receive and read the request. The destination IP address for the chosen station is included as part of the message so that only the station with this IP address responds to the ARP request. All other stations discard the request. Related DocumentsThe station with the correct IP address responds with its own MAC address directly to the sending device. The receiving station provides the transmitting station with the required destination MAC address. The IP address data and MAC address data for each station are held in an ARP table. The next time data is sent, the address can be obtained from the address information in the table.For more information about address assignment, refer to the IETF documents RFC 1597, Address Allocation for Private Internets, and RFC 1466, Guidelines for Management of IP Address Space.For more information about IP address translation, refer to RFC 1631, The IP Network Address Translator (NAT).Domain Name ServerMany of the resources on the Internet can be addressed by simple descriptive names, such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as a telephone directory maps names to phone numbers, or as an ARP table maps IP addresses to MAC addresses, a domain name system (DNS) server maps descriptive names of network resources to IP addresses.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PB-10 Networks, Routing, and Firewall BasicsMarch 2004, 202-10027-01When a PC accesses a resource by its descriptive name, it first contacts a DNS server to obtain the IP address of the resource. The PC sends the desired message using the IP address. Many large organizations, such as ISPs, maintain their own DNS servers and allow their customers to use the servers to look up addresses.IP Configuration by DHCPWhen an IP-based local area network is installed, each PC must be configured with an IP address. If the computers need to access the Internet, they should also be configured with a gateway address and one or more DNS server addresses. As an alternative to manual configuration, there is a method by which each PC on the network can automatically obtain this configuration information. A device on the network may act as a Dynamic Host Configuration Protocol (DHCP) server. The DHCP server stores a list or pool of IP addresses, along with other information (such as gateway and DNS addresses) that it may assign to the other devices on the network. The FWG114P Wireless Firewall/Print Server has the capacity to act as a DHCP server.The FWG114P Wireless Firewall/Print Server also functions as a DHCP client when connecting to the ISP. The firewall can automatically obtain an IP address, subnet mask, DNS server addresses, and a gateway address if the ISP provides this information by DHCP.Internet Security and FirewallsWhen your LAN connects to the Internet through a router, an opportunity is created for outsiders to access or disrupt your network. A NAT router provides some protection because by the very nature of the Network Address Translation (NAT) process, the network behind the NAT router is shielded from access by outsiders on the Internet. However, there are methods by which a determined hacker can possibly obtain information about your network or at the least can disrupt your Internet access. A greater degree of protection is provided by a firewall router.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PNetworks, Routing, and Firewall Basics B-11March 2004, 202-10027-01What is a Firewall?A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur. When an incident is detected, the firewall can log details of the attempt, and can optionally send e-mail to an administrator notifying them of the incident. Using information from the log, the administrator can take action with the ISP of the hacker. In some types of intrusions, the firewall can fend off the hacker by discarding all further packets from the hacker’s IP address for a period of time.Stateful Packet InspectionUnlike simple Internet sharing routers, a firewall uses a process called stateful packet inspection to ensure secure firewall filtering to protect your network from attacks and intrusions. Since user-level applications, such as FTP and Web browsers can create complex patterns of network traffic, it is necessary for the firewall to analyze groups of network connection "states." Using stateful packet inspection, an incoming packet is intercepted at the network layer and then analyzed for state-related information associated with all network connections. A central cache within the firewall keeps track of the state information associated with all network connections. All traffic passing through the firewall is analyzed against the state of these connections in order to determine whether or not it will be allowed to pass through or be rejected.Denial of Service AttackA hacker may be able to prevent your network from operating or communicating by launching a Denial of Service (DoS) attack. The method used for, such an attack can be as simple as merely flooding your site with more requests than it can handle. A more sophisticated attack may attempt to exploit some weakness in the operating system used by your router or gateway. Some operating systems can be disrupted by simply sending a packet with incorrect length information.Ethernet CablingAlthough Ethernet networks originally used thick or thin coaxial cable, most installations currently use unshielded twisted pair (UTP) cabling. The UTP cable contains eight conductors, arranged in four twisted pairs, and terminated with an RJ45 type connector. A normal straight-through UTP Ethernet cable follows the EIA568B standard wiring as described below in Table B-1

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PB-12 Networks, Routing, and Firewall BasicsMarch 2004, 202-10027-01.Category 5 Cable QualityCategory 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.) or 100 meters (m) in length, divided as follows:20 ft. (6 m) between the hub and the patch panel (if used)295 ft. (90 m) from the wiring closet to the wall outlet10 ft. (3 m) from the wall outlet to the desktop deviceThe patch panel and other connecting hardware must meet the requirements for 100 Mbps operation (Category 5). Only 0.5 inch (1.5 cm) of untwist in the wire pair is allowed at any termination point.A twisted pair Ethernet network operating at 10 Mbits/second (10BASE-T) will often tolerate low quality cables, but at 100 Mbits/second (10BASE-Tx) the cable must be rated as Category 5, or Cat 5, by the Electronic Industry Association (EIA). This rating will be printed on the cable jacket. A Category 5 cable will meet specified requirements regarding loss and crosstalk. In addition, there are restrictions on maximum cable length for both 10 and 100 Mbits/second networks.Table B-1. UTP Ethernet cable wiring, straight-throughPin Wire color Signal1 Orange/White Transmit (Tx) +2 Orange Transmit (Tx) -3 Green/White Receive (Rx) +4Blue5 Blue/White6 Green Receive (Rx) -7 Brown/White8Brown

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PNetworks, Routing, and Firewall Basics B-13March 2004, 202-10027-01Inside Twisted Pair CablesFor two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device. Computers and workstation adapter cards are usually media-dependent interface ports, called MDI or uplink ports. Most repeaters and switch ports are configured as media-dependent interfaces with built-in crossover ports, called MDI-X or normal ports. Auto Uplink technology automatically senses which connection, MDI or MDI-X, is needed and makes the right connection.Figure B-1 illustrates straight-through twisted pair cable.Figure B-1: Straight-Through Twisted-Pair CableFigure B-2 illustrates crossover twisted pair cable.Figure B-2: Crossover Twisted-Pair Cable

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PB-14 Networks, Routing, and Firewall BasicsMarch 2004, 202-10027-01Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each EndNote: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.Uplink Switches, Crossover Cables, and MDI/MDIX SwitchingIn the wiring table above, the concept of transmit and receive are from the perspective of the PC, which is wired as Media Dependant Interface (MDI). In this wiring, the PC transmits on pins 1 and 2. At the hub, the perspective is reversed, and the hub receives on pins 1 and 2. This wiring is referred to as Media Dependant Interface - Crossover (MDI-X). When connecting a PC to a PC, or a hub port to another hub port, the transmit pair must be exchanged with the receive pair. This exchange is done by one of two mechanisms. Most hubs provide an Uplink switch which will exchange the pairs on one port, allowing that port to be connected to another hub using a normal Ethernet cable. The second method is to use a crossover cable, which is a special cable in which the transmit and receive pairs are exchanged at one of the two cable connectors. Crossover cables are often unmarked as such, and must be identified by comparing the two connectors. Since the cable connectors are clear plastic, it is easy to place them side by side and view the order of the wire colors on each. On a straight-through cable, the color order will be the same on both connectors. On a crossover cable, the orange and blue pairs will be exchanged from one connector to the other.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PNetworks, Routing, and Firewall Basics B-15March 2004, 202-10027-01The FWG114P Wireless Firewall/Print Server incorporates Auto UplinkTM technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto UplinkTM will accommodate either type of cable to make the right connection.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PB-16 Networks, Routing, and Firewall BasicsMarch 2004, 202-10027-01

Preparing Your Network C-1March 2004, 202-10027-01Appendix CPreparing Your NetworkThis appendix describes how to prepare your network to connect to the Internet through the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114P and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).Preparing Your Computers for TCP/IP NetworkingComputers access the Internet using a protocol called TCP/IP (Transmission Control Protocol/Internet Protocol). Each computer on your network must have TCP/IP installed and selected as its networking protocol. If a Network Interface Card (NIC) is already installed in your PC, then TCP/IP is probably already installed as well.Most operating systems include the software components you need for networking with TCP/IP:•Windows® 95 or later includes the software components for establishing a TCP/IP network. • Windows 3.1 does not include a TCP/IP component. You need to purchase a third-party TCP/IP application package, such as NetManage Chameleon.• Macintosh Operating System 7 or later includes the software components for establishing a TCP/IP network.• All versions of UNIX® or Linux® include TCP/IP components. Follow the instructions provided with your operating system or networking software to install TCP/IP on your computer.Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of your firewall. Write down this information before reconfiguring your computers. Refer to “Obtaining ISP Configuration Information for Windows Computers” on page C-10 or “Obtaining ISP Configuration Information for Macintosh Computers” on page C-11 for further information.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PC-2 Preparing Your NetworkMarch 2004, 202-10027-01In your IP network, each PC and the firewall must be assigned unique IP addresses. Each PC must also have certain other IP configuration information, such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup. For a detailed explanation of the meaning and purpose of these configuration items, refer to “Appendix B, “Networks, Routing, and Firewall Basics.” The FWG114P Wireless Firewall/Print Server is shipped preconfigured as a DHCP server. The firewall assigns the following TCP/IP configuration information automatically when the computers are rebooted:• PC or workstation IP addresses—192.168.0.2 through 192.168.0.254• Subnet mask—255.255.255.0• Gateway address (the firewall)—192.168.0.1These addresses are part of the IETF-designated private address range for use in private networks.Configuring Windows 95, 98, and Me for TCP/IP NetworkingAs part of the PC preparation process, you need to manually install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process.Install or Verify Windows Networking ComponentsTo install or verify the necessary components for IP networking:1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.2. Double-click the Network icon.The Network window opens, which displays a list of installed components:

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PPreparing Your Network C-3March 2004, 202-10027-01You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.If you need to install a new adapter, follow these steps:a. Click the Add button.b. Select Adapter, and then click Add.c. Select the manufacturer and model of your Ethernet adapter, and then click OK.If you need TCP/IP:a. Click the Add button.b. Select Protocol, and then click Add.c. Select Microsoft.d. Select TCP/IP, and then click OK.Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PC-4 Preparing Your NetworkMarch 2004, 202-10027-01If you need Client for Microsoft Networks:a. Click the Add button.b. Select Client, and then click Add.c. Select Microsoft.d. Select Client for Microsoft Networks, and then click OK.3. Restart your PC for the changes to take effect.Enabling DHCP to Automatically Configure TCP/IP SettingsAfter the TCP/IP protocol components are installed, each PC must be assigned specific information about itself and resources that are available on its network. The simplest way to configure this information is to allow the PC to obtain the information from the internal DHCP server of the FWG114P Wireless Firewall/Print Server. To use DHCP with the recommended default addresses, follow these steps:1. Connect all computers to the firewall, then restart the firewall and allow it to boot.2. On each attached PC, open the Network control panel (refer to the previous section) and select the Configuration tab.3. From the components list, select TCP/IP->(your Ethernet adapter) and click Properties.4. In the IP Address tab, select “Obtain an IP address automatically”.5. Select the Gateway tab.6. If any gateways are shown, remove them.7. Click OK.8. Restart the PC.Repeat steps 2 through 8 for each PC on your network.Selecting Windows’ Internet Access Method1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.2. Double-click the Internet Options icon.3. Select “I want to set up my Internet connection manually” or “I want to connect through a Local Area Network” and click Next.4. Select “I want to connect through a Local Area Network” and click Next.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PPreparing Your Network C-5March 2004, 202-10027-015. Uncheck all boxes in the LAN Internet Configuration screen and click Next.6. Proceed to the end of the Wizard.Verifying TCP/IP PropertiesAfter your PC is configured and has rebooted, you can check the TCP/IP configuration using the utility winipcfg.exe:1. On the Windows taskbar, click the Start button, and then click Run.2. Type winipcfg, and then click OK.The IP Configuration window opens, which lists (among other things), your IP address, subnet mask, and default gateway.3. From the drop-down box, select your Ethernet adapter.The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:• The IP address is between 192.168.0.2 and 192.168.0.254• The subnet mask is 255.255.255.0• The default gateway is 192.168.0.1Configuring Windows NT, 2000 or XP for IP NetworkingAs part of the PC preparation process, you need to manually install and configure TCP/IP on each networked PC. Before starting, locate your Windows CD; you may need to insert it during the TCP/IP installation process.Installing or Verifying Windows Networking ComponentsTo install or verify the necessary components for IP networking:1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.2. Double-click the Network and Dialup Connections icon.3. If an Ethernet adapter is present in your PC, you should see an entry for Local Area Connection. Double-click that entry.4. Select Properties.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PC-6 Preparing Your NetworkMarch 2004, 202-10027-015. Verify that ‘Client for Microsoft Networks’ and ‘Internet Protocol (TCP/IP)’ are present. If not, select Install and add them.6. Select ‘Internet Protocol (TCP/IP)’, click Properties, and verify that “Obtain an IP address automatically is selected.7. Click OK and close all Network and Dialup Connections windows.8. Make sure your PC is connected to the firewall, then reboot your PC.Verifying TCP/IP PropertiesTo check your PC’s TCP/IP configuration:1. On the Windows taskbar, click the Start button, and then click Run.The Run window opens.2. Type cmd and then click OK.A command window opens3. Type ipconfig /all Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:• The IP address is between 192.168.0.2 and 192.168.0.254• The subnet mask is 255.255.255.0• The default gateway is 192.168.0.14. Type exit Configuring the Macintosh for TCP/IP NetworkingBeginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.MacOS 8.6 or 9.x1. From the Apple menu, select Control Panels, then TCP/IP.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PPreparing Your Network C-7March 2004, 202-10027-01The TCP/IP Control Panel opens:2. From the “Connect via” box, select your Macintosh’s Ethernet interface.3. From the “Configure” box, select Using DHCP Server.You can leave the DHCP Client ID box empty.4. Close the TCP/IP Control Panel.5. Repeat this for each Macintosh on your network.MacOS X1. From the Apple menu, choose System Preferences, then Network.2. If not already selected, select Built-in Ethernet in the Configure list.3. If not already selected, Select Using DHCP in the TCP/IP tab.4. Click Save.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PC-8 Preparing Your NetworkMarch 2004, 202-10027-01Verifying TCP/IP Properties for Macintosh ComputersAfter your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends:• The IP Address is between 192.168.0.2 and 192.168.0.254• The Subnet mask is 255.255.255.0• The Router address is 192.168.0.1If you do not see these values, you may need to restart your Macintosh or you may need to switch the “Configure” setting to a different option, then back again to “Using DHCP Server”.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PPreparing Your Network C-9March 2004, 202-10027-01Verifying the Readiness of Your Internet AccountFor broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer. Your firewall does not support a USB-connected broadband modem.For a single-user Internet account, your ISP supplies TCP/IP configuration information for one computer. With a typical account, much of the configuration information is dynamically assigned when your PC is first booted up while connected to the ISP, and you will not need to know that dynamic information. In order to share the Internet connection among several computers, your firewall takes the place of the single PC, and you need to configure it with the TCP/IP information that the single PC would normally use. When the firewall’s Internet port is connected to the broadband modem, the firewall appears to be a single PC to the ISP. The firewall then allows the computers on the local network to masquerade as the single PC to access the Internet through the broadband modem. The method used by the firewall to accomplish this is called Network Address Translation (NAT) or IP masquerading.Are Login Protocols Used?Some ISPs require a special login protocol, in which you must enter a login name and password in order to access the Internet. If you normally log in to your Internet account by running a program, such as WinPOET or EnterNet, then your account uses PPP over Ethernet (PPPoE). When you configure your router, you will need to enter your login name and password in the router’s configuration menus. After your network and firewall are configured, the firewall will perform the login task when needed, and you will no longer need to run the login program from your PC. It is not necessary to uninstall the login program.What Is Your Configuration Information?More and more, ISPs are dynamically assigning configuration information. However, if your ISP does not dynamically assign configuration information but instead uses fixed configurations, your ISP should have given you the following basic information for your account:

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PC-10 Preparing Your NetworkMarch 2004, 202-10027-01• An IP address and subnet mask• A gateway IP address, which is the address of the ISP’s router• One or more domain name server (DNS) IP addresses• Host name and domain suffixFor example, your account’s full server names may look like this:mail.xxx.yyy.com In this example, the domain suffix is xxx.yyy.com.If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them.If an ISP technician configured your PC during the installation of the broadband modem, or if you configured it using instructions provided by your ISP, you need to copy the configuration information from your PC’s Network TCP/IP Properties window or Macintosh TCP/IP Control Panel before reconfiguring your PC for use with the firewall. These procedures are described next.Obtaining ISP Configuration Information for Windows ComputersAs mentioned above, you may need to collect configuration information from your PC so that you can use this information when you configure the FWG114P Wireless Firewall/Print Server. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you need to configure the firewall for Internet access:1. On the Windows taskbar, click the Start button, point to Settings, and then click Control Panel.2. Double-click the Network icon.The Network window opens, which displays a list of installed components.3. Select TCP/IP, and then click Properties.The TCP/IP Properties dialog box opens.4. Select the IP Address tab.If an IP address and subnet mask are shown, write down the information. If an address is present, your account uses a fixed (static) IP address. If no address is present, your account uses a dynamically-assigned IP address. Click “Obtain an IP address automatically”.5. Select the Gateway tab.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PPreparing Your Network C-11March 2004, 202-10027-01If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address.6. Select the DNS Configuration tab.If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.7. Click OK to save your changes and close the TCP/IP Properties dialog box.You are returned to the Network window.8. Click OK.9. Reboot your PC at the prompt. You may also be prompted to insert your Windows CD.Obtaining ISP Configuration Information for Macintosh ComputersAs mentioned above, you may need to collect configuration information from your Macintosh so that you can use this information when you configure the FWG114P Wireless Firewall/Print Server. Following this procedure is only necessary when your ISP does not dynamically supply the account information. To get the information you need to configure the firewall for Internet access:1. From the Apple menu, select Control Panels, then TCP/IP.The TCP/IP Control Panel opens, which displays a list of configuration settings. If the “Configure” setting is “Using DHCP Server”, your account uses a dynamically-assigned IP address. In this case, close the Control Panel and skip the rest of this section.2. If an IP address and subnet mask are shown, write down the information. 3. If an IP address appears under Router address, write down the address. This is the ISP’s gateway address.4. If any Name Server addresses are shown, write down the addresses. These are your ISP’s DNS addresses.5. If any information appears in the Search domains information box, write it down.6. Change the “Configure” setting to “Using DHCP Server”.7. Close the TCP/IP Control Panel.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PC-12 Preparing Your NetworkMarch 2004, 202-10027-01Restarting the NetworkOnce you have set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the firewall.After configuring all of your computers for TCP/IP networking and restarting them, and connecting them to the local network of your FWG114P Wireless Firewall/Print Server, you are ready to access and configure the firewall.

Firewall Log Formats D-1March 2004, 202-10027-01Appendix DFirewall Log FormatsAction ListDrop: Packet dropped by Firewall current inbound or outbound rules.Reset: TCP session reset by Firewall.Forward: Packet forwarded by Firewall to the next hop based on matching the criteria in the rules table.Receive: Packet was permitted by the firewall rules and modified prior to being forwarded and/or replied to.Field List<DATE><TIME>: Log's date and time<EVENT>: Event is that access the device or access other host via the device<PKT_TYPE>: Packet type pass Firewall<SRC_IP><DST_IP>: IP address in the packet<SRC_PORT><DST_PORT>: Port in the packet<SRC_INF><DST_INF>: Include `LAN` and `WAN` (optional)<ACTION>: As `Action List` referenced<DESCRIPTION>: A complement to the log (optional)<DIRECTION>: Inbound and Outbound<SERVICE>: Firewall costumed serviceOutbound LogOutgoing packets that match the Firewall rules are logged.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PD-2 Firewall Log FormatsMarch 2004, 202-10027-01The format is:<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP > <DST_INF> <ACTION><DESCRIPTION>[Fri, 2003-12-05 22:19:42] - UDP Packet - Source:172.31.12.233,138 ,WAN - Destination:172.31.12.255,138 ,LAN [Drop] - [Inbound Default rule match][Fri, 2003-12-05 22:35:04] - TCP Packet - Source:172.31.12.156,34239 ,WAN - Destination:192.168.0.10,21[FTP Control] ,LAN [Forward] - [Inbound Rule(1) match][Fri, 2003-12-05 22:35:11] - UDP Packet - Source:172.31.12.200,138 ,WAN - Destination:172.31.12.255,138 ,LAN [Forward] - [Inbound Rule(1) not match]Notes:SRC_INF = WANDST_INF = LANDESCRIPTION = "Inbound rule match", "Inbound Default rule match"PKT_TYPE = "UDP packet", "TCP connection", "ICMP packet"Inbound LogIncoming packets that match the Firewall rules are logged.The format is:<DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP > <DST_INF> <ACTION><DESCRIPTION>[Fri, 2003-12-05 22:59:56] - ICMP Packet [Echo Request] - Source:192.168.0.10,LAN - Destination:192.168.0.1,WAN [Forward] - [Outbound Default rule match][Fri, 2003-12-05 23:00:58] - ICMP Packet [Echo Request] - Source:192.168.0.10,LAN - Destination:172.31.12.200,WAN [Forward] - [Outbound Default rule match][Fri, 2003-12-05 23:02:30] - TCP Packet - Source:192.168.0.10,3472 ,LAN - Destination:216.239.39.99,80[HTTP] ,WAN [Forward] - [Outbound Default rule match]Notes:SRC_INF = LANDST_INF = WANDESCRIPTION = "Outbound rule match", "Outbound Default rule match"PKT_TYPE = "UDP packet", "TCP connection", "ICMP packet"Other IP TrafficSome special packets matching the Firewall rules, like VPN connection, etc. are logged.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PFirewall Log Formats D-3March 2004, 202-10027-01The format is:<DATE><TIME><PKT_TYPE>< SRC_IP><SRC_PORT ><SRC_INF>< DST_IP><DST_PORT ><DST_PORT><ACTION><DESCRIPTION><DATE><TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION> <DESCRIPTION>[Wed, 2003-07-30 17:43:28] - IPSEC Packet - Source: 64.3.3.201, 37180 WAN - Destination: 10.10.10.4,80[HTTP] LAN - [Drop] [VPN Packet][Wed, 2003-07-30 18:44:50] - IP Packet [Type Field: 321] - Source 18.7.21.69 192.168.0.3 - [Drop]Notes:DESCRIPTION = "VPN Packet"PKT_TYPE = "GRE", "AH", "ESP", "IP packet [Type Field: Num]", "IPSEC"ACTION = "Forward", "Drop"Router OperationOperations that the router initiates are logged.The format is:<DATE><TIME><EVENT>[Wed, 2003-07-30 16:30:59] - Log emailed[Wed, 2003-07-30 13:38:31] - NETGEAR activated[Wed, 2003-07-30 13:42:01] - NTP Reply InvalidThe format is:<DATE><TIME><EVENT><DST_IP><DATE><TIME><EVENT><SRC_IP>[Wed, 2003-07-30 16:32:33] - Send out NTP Request to 207.46.130.100[Wed, 2003-07-30 16:35:27] - Receive NTP Reply from 207.46.130.100

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PD-4 Firewall Log FormatsMarch 2004, 202-10027-01Other Connections and Traffic to this RouterThe format is:<DATE><TIME>< PKT_TYPE ><SRC_IP><DST_IP><ACTION>[Fri, 2003-12-05 22:31:27] - ICMP Packet[Echo Request] - Source: 192.168.0.10 - Destination: 192.168.0.1 - [Receive][Wed, 2003-07-30 16:34:56] - ICMP Packet[Type: 238] - Source: 64.3.3.201 - Destination: 192.168.0.3 - [Drop][Fri, 2003-12-05 22:59:56] - ICMP Packet[Echo Request] - Source:192.168.0.10 - Destination:192.168.0.1 - [Receive]The format is:<DATE><TIME><EVENT>< SRC_IP><SRC_PORT ><SRC_INF>< DST_IP><DST_PORT><DST_INF><ACTION>[Wed, 2003-07-30 16:24:23] - UDP Packet - Source: 207.46.130.100 WAN - Destination: 10.10.10.4,1234 LAN - [Drop][Wed, 2003-07-30 17:48:09] - TCP Packet[SYN] - Source: 64.3.3.201,65534 WAN - Destination: 10.10.10.4,1765 LAN - [Receive][Fri, 2003-12-05 22:07:11] - IP Packet [Type Field:8], from 20.97.173.18 to 172.31.12.157 - [Drop]Notes:ACTION = "Drop", "Receive"EVENT = "ICMP Packet", "UDP Packet", "TCP Packet", "IP Packet"DoS Attack/ScanCommon attacks and scans are logged.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PFirewall Log Formats D-5March 2004, 202-10027-01The format is:<DATE><TIME><PKT_TYPE>< SRC_IP><SRC_PORT ><SRC_INF>< DST_IP><DST_PORT ><DST_PORT><ACTION><DESCRIPTION><DATE> <TIME> <PKT_TYPE> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION> <DESCRIPTION>[Fri, 2003-12-05 21:22:07] - TCP Packet - Source:172.31.12.156,54611 ,WAN - Destination:172.31.12.157,134 ,LAN [Drop] - [FIN Scan][Fri, 2003-12-05 21:22:38] - TCP Packet - Source:172.31.12.156,59937 ,WAN - Destination:172.31.12.157,670 ,LAN [Drop] - [Nmap Xmas Scan][Fri, 2003-12-05 21:23:06] - TCP Packet - Source:172.31.12.156,39860 ,WAN - Destination:172.31.12.157,18000 ,LAN [Drop] - [Null Scan][Fri, 2003-12-05 21:27:55] - TCP Packet - Source:172.31.12.156,38009 ,WAN - Destination:172.31.12.157,15220 ,LAN [Drop] - [Full Sapu Scan][Fri, 2003-12-05 21:28:56] - TCP Packet - Source:172.31.12.156,35128 ,WAN - Destination:172.31.12.157,38728 ,LAN [Drop] - [Full Xmas Scan][Fri, 2003-12-05 21:30:30] - IP Packet - Source:227.113.223.77,WAN - Destination:172.31.12.157,LAN [Drop] - [Fragment Attack][Fri, 2003-12-05 21:30:30] - IP Packet - Source:20.97.173.18,WAN - Destination:172.31.12.157,LAN [Drop] - [Targa3 Attack][Fri, 2003-12-05 21:30:30] - TCP Packet - Source:3.130.176.84,37860 ,WAN - Destination:172.31.12.157,63881 ,LAN [Drop] - [Vecna Scan][Fri, 2003-12-05 21:30:31] - ICMP Packet [Type 238] - Source:100.110.182.63,WAN - Destination:172.31.12.157,LAN [Drop] - [ICMP Flood][Fri, 2003-12-05 21:33:52] - UDP Packet - Source:127.0.0.1,0 ,WAN - Destination:172.31.12.157,0 ,LAN [Drop] - [Fragment Attack][Fri, 2003-12-05 19:20:00] - TCP Session - Source:54.148.179.175,58595 ,LAN - Destination:192.168.0.1,20[FTP Data] ,WAN [Reset] - [SYN Flood][Fri, 2003-12-05 19:21:22] - UDP Packet - Source:172.31.12.156,7 ,LAN - Destination:172.31.12.157,7 ,WAN [Drop] - [UDP Flood][Fri, 2003-12-05 20:59:08] - ICMP Echo Request packet - Source:192.168.0.5,LAN - Destination:172.31.12.99,WAN [Drop] - [ICMP Flood][Fri, 2003-12-05 18:07:29] - TCP Packet - Source:192.168.0.10,1725 ,LAN - Destination:61.177.58.50,1352 ,WAN [Drop] - [TCP incomplete sessions overflow][Fri, 2003-12-05 21:11:24] - TCP Packet - Source:192.168.0.10,2342 ,LAN - Destination:61.177.58.50,1352 ,WAN [Drop] - [First TCP Packet not SYN]Notes:DESCRIPTION = "SYN Flood", "UDP Flood", "ICMP Flood", "IP Spoofing", "TearDrop", "Brute Force", "Ping of Death", "Fragment Attack", "Targa3 Attack", "Big Bomb""SYN with Data", "Full Xmas Scan", "Full Head Scan", "Full Sapu Scan", "FIN Scan", "SYN FIN Scan", "Null Scan", "Nmap Xmas Scan", "Vecna Scan", "Tcp SYN RES Set", "Other Scan""TCP incomplete sessions overflow", "TCP preconnect traffic", "TCP invalid traffic", "First TCP Packet not SYN", "First TCP Packet with no SYN"<DATE><TIME><PKT_TYPE>< SRC_IP >< DST_IP><ACTION>[Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=896] - Source: 64.3.3.201 - Destination: 10.10.10.4 - [Drop][Wed, 2003-07-30 17:45:17] - TCP Packet [Malformed, Length=1000] - Source: 64.3.3.201- Destination: 10.10.10.4 - [Forward]Notes:PKT_TYPE = "TCP", "UDP", "ICMP", "Proto: Number"

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PD-6 Firewall Log FormatsMarch 2004, 202-10027-01Access Block SiteIf keyword blocking is enabled and a keyword is specified, attempts to access a site whose URL contains a specified keyword are logged. The format is <DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>[Fri, 2003-12-05 23:01:47] - Attempt to access blocked sites - Source:192.168.0.10,LAN - Destination:www.google.com/,WAN - [Drop]Notes:EVENT = Attempt to access blocked sitesSRC_INF = LANDST_INF = WANAll Web Sites and News Groups Visited All Web sites and News groups that you visit are logged.The format is<DATE> <TIME> <EVENT> <SRC_IP> <SRC_INF> <DST_IP> <DST_INF> <ACTION>[Fri, 2003-12-05 23:03:49] - Access site - Source:192.168.0.10,LAN - Destination:euro.allyes.com,WAN - [Forward]Notes:EVENT = Attempt to access blocked sitesSRC_INF = LAN or WANDST_INF = WAN or LANSystem Admin SessionsAdministrator session logins and failed attempts are logged, as well as manual or idle-time logouts.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PFirewall Log Formats D-7March 2004, 202-10027-01The format is: <DATE><TIME><EVENT ><SRC_IP><DATE><TIME><EVENT ><SRC_IP><SRC_PORT><DST_IP><DST_PORT><ACTION>[Fri, 2003-12-05 21:07:43] - Administrator login successful - IP:192.168.0.10[Fri, 2003-12-05 21:09:16] - Administrator logout - IP:192.168.0.10[Fri, 2003-12-05 21:09:31] - Administrator login fail, Username error - IP:192.168.0.10[Fri, 2003-12-05 21:09:25] - Administrator login fail, Password error - IP:192.168.0.10[Fri, 2003-12-05 21:16:15] - Login screen timed out - IP:192.168.0.10[Fri, 2003-12-05 21:07:43] - Administrator Interface Connecting[TCP] - Source 192.168.0.10,2440 - Destination 192.168.0.1,80 - [Receive]Notes:ACTION: Receive or DropPolicy Administration LOG<DATE> <TIME> <EVENT> <DIRECTION> <SERVICE>< DESCRIPTION >[Fri, 2003-12-05 21:48:41] - Administrator Action - Inbound Policy to Service [BGP] is Added[Fri, 2003-12-05 21:49:41] - Administrator Action - Outbound Policy to Service [BGP] is Added[Fri, 2003-12-05 21:50:14] - Administrator Action - Inbound Policy to Service [BGP] is Modified[Fri, 2003-12-05 21:50:57] - Administrator Action - Outbound Policy to Service [BGP] is Modified[Fri, 2003-12-05 21:51:14] - Administrator Action - Inbound Policy to Service [BGP] is Deleted[Fri, 2003-12-05 21:52:12] - Administrator Action - Inbound Policy to Service [BGP] is Moved to Index [0][Fri, 2003-12-05 21:54:41] - Administrator Action - Outbound Policy to Service [FTP] is Moved to Index [1][Fri, 2003-12-05 22:01:47] - Administrator Action - Inbound Policy to Service [BGP] is changed to Disable[Fri, 2003-12-05 22:02:14] - Administrator Action - Inbound Policy to Service [BGP] is changed to Enable[Fri, 2003-12-05 22:02:35] - Administrator Action - Outbound Policy to Service [NFS] is changed to Disable[Fri, 2003-12-05 22:02:52] - Administrator Action - Outbound Policy to Service [NFS] is changed to EnableNotes:DIRECTION: Inbound or OutboundSERVICE: Supported service name

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PD-8 Firewall Log FormatsMarch 2004, 202-10027-01

Wireless Networking Basics E-1March 2004, 202-10027-01Appendix EWireless Networking BasicsThis chapter provides an overview of Wireless networking.Wireless Networking OverviewThe FWG114P Wireless Firewall/Print Server conforms to the Institute of Electrical and Electronics Engineers (IEEE) 802.11b and 802.11g standards for wireless LANs (WLANs). On an 802.11b or g wireless link, data is encoded using direct-sequence spread-spectrum (DSSS) technology and is transmitted in the unlicensed radio spectrum at 2.5GHz. The maximum data rate for the 802.11b wireless link is 11 Mbps, but it will automatically back down from 11 Mbps to 5.5, 2, and 1 Mbps when the radio signal is weak or when interference is detected. The 802.11g auto rate sensing rates are 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, and 54 Mbps. The 802.11 standard is also called Wireless Ethernet or Wi-Fi by the Wireless Ethernet Compatibility Alliance (WECA, see http://www.wi-fi.net), an industry standard group promoting interoperability among 802.11 devices. The 802.11 standard offers two methods for configuring a wireless network - ad hoc and infrastructure.Infrastructure ModeWith a wireless Access Point, you can operate the wireless LAN in the infrastructure mode. This mode provides wireless connectivity to multiple wireless network devices within a fixed range or area of coverage, interacting with wireless nodes via an antenna. In the infrastructure mode, the wireless access point converts airwave data into wired Ethernet data, acting as a bridge between the wired LAN and wireless clients. Connecting multiple Access Points via a wired Ethernet backbone can further extend the wireless network coverage. As a mobile computing device moves out of the range of one access point, it moves into the range of another. As a result, wireless clients can freely roam from one Access Point domain to another and still maintain seamless network connection.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PE-2 Wireless Networking BasicsMarch 2004, 202-10027-01Ad Hoc Mode (Peer-to-Peer Workgroup)In an ad hoc network, computers are brought together as needed; thus, there is no structure or fixed points to the network - each node can generally communicate with any other node. There is no Access Point involved in this configuration. This mode enables you to quickly set up a small wireless workgroup and allows workgroup members to exchange data or share printers as supported by Microsoft networking in the various Windows operating systems. Some vendors also refer to ad hoc networking as peer-to-peer group networking.In this configuration, network packets are directly sent and received by the intended transmitting and receiving stations. As long as the stations are within range of one another, this is the easiest and least expensive way to set up a wireless network. Network Name: Extended Service Set Identification (ESSID)The Extended Service Set Identification (ESSID) is one of two types of Service Set Identification (SSID). In an ad hoc wireless network with no access points, the Basic Service Set Identification (BSSID) is used. In an infrastructure wireless network that includes an access point, the ESSID is used, but may still be referred to as SSID.An SSID is a thirty-two character (maximum) alphanumeric key identifying the name of the wireless local area network. Some vendors refer to the SSID as network name. For the wireless devices in a network to communicate with each other, all devices must be configured with the same SSID.The ESSID is usually broadcast in the air from an access point. The wireless station sometimes can be configured with the ESSID ANY. This means the wireless station will try to associate with whichever access point has the stronger radio frequency (RF) signal, providing that both the access point and wireless station use Open System authentication.Authentication and WEP Data EncryptionThe absence of a physical connection between nodes makes the wireless links vulnerable to eavesdropping and information theft. To provide a certain level of security, the IEEE 802.11 standard has defined these two types of authentication methods:•Open System. With Open System authentication, a wireless computer can join any network and receive any messages that are not encrypted.

Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PWireless Networking Basics E-3March 2004, 202-10027-01•Shared Key. With Shared Key authentication, only those PCs that possess the correct authentication key can join the network. By default, IEEE 802.11 wireless devices operate in an Open System network. Wired Equivalent Privacy (WEP) data encryption is used when the wireless devices are configured to operate in Shared Key authentication mode. 802.11 AuthenticationThe 802.11 standard defines several services that govern how two 802.11 devices communicate. The following events must occur before an 802.11 Station can communicate with an Ethernet network through an access point, such as the one built in to the FWG114P:1. Turn on the wireless station.2. The station listens for messages from any access points that are in range.3. The station finds a message from an access point that has a matching SSID.4. The station sends an authentication request to the access point.5. The access point authenticates the station.6. The station sends an association request to the access point.7. The access point associates with the station.8. The station can now communicate with the Ethernet network through the access point.An access point must authenticate a station before the station can associate with the access point or communicate with the network. The IEEE 802.11 standard defines two types of authentication: Open System and Shared Key.• Open System Authentication allows any device to join the network, assuming that the device SSID matches the access point SSID. Alternatively, the device can use the “ANY” SSID option to associate with any available Access Point within range, regardless of its SSID. • Shared Key Authentication requires that the station and the access point have the same WEP Key to authenticate. These two authentication procedures are described below.Open System AuthenticationThe following steps occur when two devices use Open System Authentication:1. The station sends an authentication request to the access point.

$Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PE-4 Wireless Networking BasicsMarch 2004, 202-10027-012. The access point authenticates the station.3. The station associates with the access point and joins the network.This process is illustrated below.Figure E-1: Open system authenticationShared Key AuthenticationThe following steps occur when two devices use Shared Key Authentication:1. The station sends an authentication request to the access point.2. The access point sends challenge text to the station.3. The station uses its configured 64-bit or 128-bit default key to encrypt the challenge text, and sends the encrypted text to the access point.4. The access point decrypts the encrypted text using its configured WEP Key that corresponds to the station’s default key. The access point compares the decrypted text with the original challenge text. If the decrypted text matches the original challenge text, then the access point and the station share the same WEP Key and the access point authenticates the station. 5. The station connects to the network.If the decrypted text does not match the original challenge text (the access point and station do not share the same WEP Key), then the access point will refuse to authenticate the station and the station will be unable to communicate with either the 802.11 network or Ethernet network.This process is illustrated below.).4%2.%4 ,/#!,$&7/1./1.$&7?MjÊ. +Á.?wjË8ÁjjÄÄË7+!Ë.jWÖÁÍßËÁjÝ?-/$%, 7 Ï¤o072 4%347,!.(QDEOH$FFHVV3RLQW$3!UTHENTICATIONREQUESTSENTTO!0!0AUTHENTICATES#LIENTCONNECTSTONETWORK2SHQ6\VWHP$XWKHQWLFDWLRQ6WHSV#ABLEOR$,3MODEM&OLHQWDWWHPSWLQJWRFRQQHFW$

$Reference Manual for the ProSafe Wireless 802.11g Firewall/Print Server Model FWG114PWireless Networking Basics E-5March 2004, 202-10027-01Figure E-2: Shared key authenticationOverview of WEP ParametersBefore enabling WEP on an 802.11 network, you must first consider what type of encryption you require and the key size you want to use. Typically, there are three WEP Encryption options available for 802.11 products:1. Do Not Use WEP: The 802.11 network does not encrypt data. For authentication purposes, the network uses Open System Authentication.2. Use WEP for Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the network uses Open System Authentication.3. Use WEP for Authentication and Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the wireless network uses Shared Key Authentication.Note: Some 802.11 access points also support Use WEP for Authentication Only (Shared Key Authentication without data encryption). ).4%2.%4 ,/#!,$&7/1./1.$&7?MjÊ. +Á.?wjË8ÁjjÄÄË7+!Ë.jWÖÁÍßËÁjÝ?-/$%, 7 Ï¤o072 4%347,!.(QDEOH$FFHVV3RLQW!UTHENTICATIONREQUESTSENTTO!0!0SENDSCHALLENGETEXT#LIENTENCRYPTSCHALLENGETEXTANDSENDSITBACKTO!0!0DECRYPTSANDIFCORRECTAUTHENTICATESCLIENT#LIENTCONNECTSTONETWORK6KDUHG.H\$XWKHQWLFDWLRQ6WHSV#ABLEOR$,3MODEM&OLHQWDWWHPSWLQJWRFRQQHFW$