Netgear DG834G User's Manual

Contents

1. [Figure 3-1: wireless range up to 300 feet; security options: 1) Open System: easy but no security; 2) MAC Access List: no data security; 3) WEP: security but some performance impact; 4) WPA: strong security.] There are several ways you can enhance the security of your wireless network: • Restrict Access Based on MAC Address. You can allow only trusted PCs to connect so that unknown PCs cannot wirelessly connect to the DG834G v3. Restricting access by MAC address adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed. • Turn Off the Broadcast of the Wireless Network Name (SSID). If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network discovery feature of some products such as Windows XP, but the data is still exposed. (Page footer: 3-2, Wireless Configuration, v1.0, October 2006, Reference Manual for the ADSL Modem Wireless Router DG834G.) • WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP Shared Key authentication and WEP data encryption will block all but the most determined eavesdropper. • WPA. Wi-Fi Protected Access (WPA) data encryption provides data security. The very strong authentication along with dynamic per frame re-keying of WPA make it virtually impossible to compromise. Because this is a new standard wireless device driv
2. Send alert immediately: Select the corresponding check box if you would like immediate notification of a significant security event, such as a known attack, port scan, or attempted access to a blocked site. • Send logs according to this schedule: Specifies how often to send the logs: Hourly, Daily, Weekly, or When Full. Day for sending log: Specifies which day of the week to send the log. Relevant when the log is sent weekly or daily. Time for sending log: Specifies the time of day to send the log. Relevant when the log is sent daily or weekly. If the Weekly, Daily or Hourly option is selected and the log fills up before the specified period, the log is automatically e-mailed to the specified e-mail address. After the log is sent, it is cleared from the modem router's memory. If the modem router cannot e-mail the log file, the log buffer may fill up. In this case, the modem router overwrites the log and discards its contents. Running Diagnostic Utilities and Rebooting the Modem Router: The ADSL Modem Wireless Router has a diagnostics feature. You can use the diagnostics menu to perform the following functions from the modem router: • Ping an IP Address to test connectivity to see if you can reach a remote host. • Perform a DNS Lookup to test if an Internet name resolves to an IP address to verify that t
3. [Table fragment, columns include FQDN or Gateway IP, Subnet Mask, WAN IP Address. Client: toDG834, Dynamic. DG834G v3: toClient, 192.168.3.1, 255.255.255.0, 22.23.24.25.] Follow this procedure to configure a client-to-gateway VPN tunnel using the VPN Wizard. 1. Log in to the DG834G v3 at its LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed. [Figure 7-4: VPN Wizard. The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through VPN Wizard, you can always update the parameters through VPN Settings link on the left menu.] 2. Fill in the Connection Name and the pre-shared key, select the type of target end point, and click Next to proceed. [Figure 7-5: VPN Wizard Step 1 of 3, Connection Name and Remote IP Type. Enter the new Connection Name (e.g., RoadWarrior). Enter the pre-shared key (e.g., 12345678). Select the radio button "A remote VPN client (single PC)".] Tip: The Connection Name is arbitrary and not relevant to
4. [Figure 7-47: Manual Policy screen. Remote LAN: IP Address (Single PC, no subnet), Single/Start IP address, Finish IP address, Subnet Mask. ESP Configuration: SPI Incoming (Hex, 3 Characters), SPI Outgoing (Hex, 3 Characters), Encryption (3DES), Key (DES: 8 chars, 3DES: 24 chars), Authentication (SHA-1), Key (MD5: 16 chars, SHA-1: 20 chars).] General: The DG834G v3 VPN tunnel network connection fields are defined as follows: • Policy Name: enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies. • Remote VPN Endpoint: select the desired option (IP address or Fully Qualified Domain Name) and enter the address of the remote VPN endpoint to which you wish to connect. Note: The remote VPN endpoint must have this VPN Gateway's address entered as its Remote VPN Endpoint. Local LAN: This identifies which PCs on your LAN are covered by this policy. For each selection, data must be provided as follows: • Single address: enter an IP address in the Single/Start IP address field. Typically, this setting is used when you wish to make a single Server on your LAN available to remote users. • Range address: enter the starting IP address in the Single/Start IP address
5. • Your ISP may require a Multiplexing Method or Virtual Path Identifier/Virtual Channel Identifier parameter. Verify with your ISP the Multiplexing Method and parameter value, and update the router's ADSL Settings accordingly. • Your ISP may require a login program. Ask your ISP whether they require PPP over Ethernet (PPPoE) or PPP over ATM (PPPoA) login. If you have selected a login program, you may have incorrectly set the Service Name, User Name and Password. See "Troubleshooting PPPoE or PPPoA" below. • Your ISP may check for your computer's host name. Assign the computer Host Name of your ISP account to the modem router in the browser-based Setup Wizard. • Your ISP only allows one Ethernet MAC address to connect to Internet, and may check for your computer's MAC address. In this case: inform your ISP that you have bought a new network device, and ask them to use the router's MAC address; OR configure your router to spoof your computer's MAC address. This can be done in the Basic Settings menu. Refer to the ADSL Modem Wireless Router Setup Manual (see Table 2-2 on page 2-10). Troubleshooting PPPoE or PPPoA: The PPPoE or PPPoA connection can be debugged as follows: 1. Access the Main Menu of the router at http://192.168.0.1. 2. Under the Maintenance heading, select the Router Status link. 3. Click the Co
6. [Figure 7-46: Current VPN Tunnels (SAs) screen, with columns SPI In, SPI Out, Policy Name, Remote Endpoint, Action, SLifeTime, HLifeTime; policy GtoG.] c. Review the VPN Status Log screen (Figure 7-45) to verify that the tunnel is connected. Using Manual Policy to Configure VPN Tunnels: As an alternative to IKE, you may use Manual Keying, in which you must specify each phase of the connection. A Manual VPN policy requires all settings for the VPN tunnel to be manually input at each end (both VPN endpoints). Click the VPN Policies link of the main menu, and then click the Add Manual Policy radio button to display the Manual Keys menu shown in Figure 7-47. [Figure 7-47: VPN Policies Policy Table and VPN Manual Policy screen. General: Policy Name, Remote VPN Endpoint, Address Type, Address Data. Local LAN: IP Address, Single/Start address, Finish address, Subnet Mask.]
7. Reference Manual for the ADSL Modem Wireless Router DG834G. NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA. 202-10155-01, October 2006. © 2006 by NETGEAR, Inc. All rights reserved. Trademarks: NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders. Statement of Conditions: In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice. This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instructions, may cause harmful interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cau
8. Configure the VPN Client Key Exchange Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the DG834G v3 configuration. a. Expand the Key Exchange subheading by double-clicking its name or clicking on the symbol. Then select Proposal 1 below Key Exchange. [Figure 7-14: Security Policy Editor, NETGEAR ProSafe VPN Client, Key Exchange (Phase 2) Proposal 1 settings for the toDG834G connection.] b. In the SA Life menu, select Unspecified. c. In the Compression menu, select None. d. Check the Encapsulation Protocol (ESP) checkbox. e. In the Encrypt Alg menu, select the type of encryption to correspond with what was configured for the Encryption Protocol in the DG834G v3 in Table 7-3 on page 7-8. In this example, use Triple DES. f. In the Hash Alg menu, select SHA-1. g. In the Encapsulation me
9. [Figure 7-28: Current VPN Tunnels (SAs) screen in Microsoft Internet Explorer, with columns SPI In, SPI Out, Policy Name, Remote Endpoint, SLifeTime, HLifeTime; policy GtoG.] c. Look at the VPN Status Log screen (Figure 7-27) to verify that the tunnel is connected. VPN Tunnel Control. Activating a VPN Tunnel: There are three ways to activate a VPN tunnel: • Use the VPN Status page. • Activate the VPN tunnel by pinging the remote endpoint. • Start using the VPN tunnel. Note: Refer to "Using Auto Policy to Configure VPN Tunnels" on page 7-38 to enable the IKE keepalive capability on an existing VPN tunnel. Using the VPN Status Page to Activate a VPN Tunnel: To use the VPN Status screen to activate a VPN tunnel, perform the following steps: 1. Log in to the Modem Router. 2. Open the DG834G v3 management interface and click on VPN Status to get the VPN Status Log screen (Figure 7-29). [Figure 7-29: VPN Status Log, with entries timestamped Tue, 2004-06-22 22:58:26 to 22:58:27: "GtoG initiating Main Mode", "GtoG ISAKMP SA established", "GtoG sent QI2, IPsec SA established" (twice).]
10. [Figure 7-8: VPN Policies table entry: RoadWarrior, Auto, 192.168.3.1 / 255.255.255.0, 3DES.] To view or modify the tunnel settings, select the radio button next to the tunnel entry and click Edit. Note: Refer to "Using Auto Policy to Configure VPN Tunnels" on page 7-38 to enable the IKE keepalive capability on an existing VPN tunnel. Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC. This procedure describes how to configure the NETGEAR ProSafe VPN Client. We will assume the PC running the client has a dynamically assigned IP address. The PC must have the NETGEAR ProSafe VPN Client program installed that supports IPSec. Go to the NETGEAR website (http://www.netgear.com) and select VPN01L_VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client. Note: Before installing the NETGEAR ProSafe VPN Client software, be sure to turn off any virus protection or firewall software you may be running on your PC. 1. Install the NETGEAR ProSafe VPN Client on the remote PC and reboot. • You may need to insert your Windows CD to complete the installation. • If you do not have a modem or dial-up adapter installed in your PC, you may see the warning message stating "The NETGEAR ProSafe VPN Component requires at least one dial-up adapter be installed." You
11. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1. 4. Click Apply to have the static route entered into the table. Universal Plug and Play (UPnP): Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access the network and connect to other devices as needed. UPnP devices can automatically discover the services from other registered UPnP devices on the network. 1. Click UPnP on the main menu to invoke the UPnP menu. [Figure 6-7: UPnP screen with Turn UPnP On, Advertisement Period (in minutes), Advertisement Time To Live (in hops), and the UPnP Portmap Table (Active, Protocol, Int. Port, Ext. Port, IP Address).] 2. Fill out the UPnP screen: • Turn UPnP On: UPnP can be enabled or disabled for automatic device configuration. The default setting for UPnP is enabled. If disabled, the Router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the Router. • Advertisement Period: The Advertisement Period is how often the Router will advertise (broadcast) its UPnP information. This value can range from 1 to 1440 minutes. The default period is for 30 minutes. Shorter durations will ensure that control p
12. gateway can be configured to use a 3rd party service in lieu of a permanent and unchanging IP address to establish bi-directional VPN connectivity. To use DDNS, you must register with a DDNS service provider. Example DDNS Service Providers include: • DynDNS: www.dyndns.org • TZO.com: netgear.tzo.com • ngDDNS: ngddns.iego.net. In this example, Gateway A is configured using an example FQDN provided by a DDNS Service provider. In this case we established the hostname dg834g.dyndns.org for gateway A using the DynDNS service. Gateway B will use the DDNS Service Provider when establishing a VPN tunnel. In order to establish VPN connectivity, Gateway A must be configured to use Dynamic DNS, and Gateway B must be configured to use a DNS hostname to find Gateway A provided by a DDNS Service Provider. Again, the following step-by-step procedures assume that you have already registered with a DDNS Service Provider and have the configuration information necessary to set up the gateways. Step-By-Step Configuration: 1. Log in to the DG834G v3 labeled Gateway A as in the illustration. Out of the box, the DG834G v3 is set for its default LAN address of http://192.168.0.1, with its default user name of admin and default password of password. For this example we will assume you have set the local LAN address as 10.5.6.1 for Gateway A and have set your own password. 2. Click on the Dynamic DNS link on the left side of the Settings management GUI. This will ta
13. [Figure 7-16: ping output showing replies from 192.168.0.1 with 32 bytes of data.] Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote DG834G v3. After a short wait, you should see the login screen of the Modem Router (unless another PC already has the DG834G v3 management interface open). Information on the progress and status of the VPN client connection can be viewed by opening the NETGEAR ProSafe Log Viewer. To launch this function, click on the Windows Start button, then select Programs, then NETGEAR ProSafe VPN Client, then Log Viewer. The Log Viewer screen for a successful connection is shown below. [Figure: VPN Status Log showing the fromDG834G connection being added, responses to Main Mode and Quick Mode, and the ISAKMP SA and IPsec SA being established.]
14. 1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the router. 2. From the Main Menu of the browser interface, under Advanced, click Static Routes to view the Static Routes menu shown in Figure 6-5. [Figure 6-5: Static Routes table with one entry, destination 134.177.0.0 and gateway 192.168.0.100, and Add, Edit, and Delete buttons.] 3. To add or edit a Static Route: a. Click the Edit button to open the Edit Menu shown in Figure 6-6. [Figure 6-6: Static Routes edit menu with Route Name, Private, Active, Destination IP Address, IP Subnet Mask, Gateway IP Address, and Metric fields.] b. Type a route name for this static route in the Route Name box under the table. (This is for identification purpose only.) c. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP. d. Select Active to make this route effective. e. Type the Destination IP Address of the final destination. f. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255. g. Type the Gateway IP Address, which must be a router on the same LAN segment as the router. h. Type a number between 1 and 15 as the Metric value
15. [Table of contents fragment] 802.11 Standards-based Wireless Networking; Easy Installation and Management; Virtual Private Networking (VPN); Auto Sensing and Auto Uplink LAN Ethernet Connections; Trend Micro Home Network Security; The Router's Front Panel; The Router's Rear Panel; Connecting the Router to the Internet. Chapter 3, Wireless Configuration: Considerations for a Wireless Network; Observe Performance, Placement, and Range Guidelines; Implement Appropriate Wireless Security; Understanding Wireless Settings; How to Set Up and Test Basic Wireless Connectivity; How to Restrict Wireless Access to Your Network; Choosing WEP Authentication and Security Encryption Methods.
16. Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). "Internet Networking and TCP/IP Addressing" in Appendix C provides further information on TCP/IP. • The Ability to Enable or Disable IP Address Sharing by NAT: The DG834G v3 allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account. This feature can also be turned off completely while using the DG834G v3 if you want to manage the IP address scheme yourself. • Automatic Configuration of Attached PCs by DHCP: The DG834G v3 dynamically assigns network configuration information, including IP, modem router, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network. • DNS Proxy: When DHCP is enabled and no DNS addresses are specified, the modem router provides its own address as a DNS server to the attached PCs. The modem router obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN. • Classical IP (RFC 1577): Some Internet service providers, in Europe for example, use Classical IP in their ADSL services. In such cases, the modem router is able to use the Classical IP addre
17. [Figure B-13: VPN Auto Policy screen, with these callouts: fromDG834G in the example; Dynamic IP address; IKE Keep Alive is optional, must match Remote LAN IP Address when enabled (remote PC must respond to pings); Subnet address, 192.168.0.1 in this example, 255.255.255.0; Single address, 192.168.2.3 in this example (remote NAT router must have Address Reservation set and VPN Passthrough enabled); Main Mode; Fully Qualified Domain Name, fromDG834G.com in this example; Fully Qualified Domain Name, toDG834G.com in this example; 3DES; 12345678 in this example; 3600.] 2. Click Apply when done to get the VPN Policies screen. [Figure B-14: VPN Policies table showing the fromDG834G policy (Auto; 192.168.0.1; 192.168.2.3; 3DES).] To view or modify the tunnel settings, select the radio button next to the tunnel entry and cli
18. Router DG834G, v1.0, October 2006. Related Documents
19. Router DG834G. 2. To view the VPN tunnels status, click the VPN Status link on the right side of the main menu. [Figure B-27: Current VPN Tunnels (SAs): SPI In aa185e44, SPI Out af bffcb, Policy Name fromDG834G, Remote Endpoint 56.120.188.152, Action Drop, SLifeTime 3289, HLifeTime 3287.] Appendix C, Related Documents: This appendix provides links to reference documents you can use to gain a more complete understanding of the technologies used in your NETGEAR product. Document and link: • Internet Networking and TCP/IP Addressing: http://documentation.netgear.com/reference/enu/tcpip/index.htm • Wireless Communications: http://documentation.netgear.com/reference/enu/wireless/index.htm • Preparing a Computer for Network Access: http://documentation.netgear.com/reference/enu/wsdhcp/index.htm • Virtual Private Networking (VPN): http://documentation.netgear.com/reference/enu/vpn/index.htm • Glossary: http://documentation.netgear.com/reference/enu/glossary/index.htm
20. The Summary screen below displays. [Figure 7-24: VPN Wizard Summary screen, "Please verify your inputs": Connection Name: GtoG; Remote VPN Endpoint: 22.23.24.25; Remote Client Access: By Subnet; Remote IP: 192.168.3.1 / 255.255.255.0; Local Client Access: By subnet; Local IP: 192.168.0.1 / 255.255.255.0. "You can click here to view the VPNC recommended parameters. Please click Done to apply the changes."] To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the "here" link (see Figure 7-24). Click Back to return to the Summary screen. [Figure 7-25: VPN Consortium (VPNC) Recommendation. The following parameters are recommended by the VPNC and used in the VPN Wizard: Secure Association: Main Mode; Authentication Method: Pre-shared Key; Encryption Protocol: 3DES; Authentication Protocol: SHA-1; Key Life: 1 hour; IKE Life Time: 24 hours; NETBIOS: Enabled.] 5. Click Done on the Summary screen (see Figure 7-24) to complete the configuration procedure. The VPN Settings menu below displays, showing that the new tunnel is enabled. [Figure 7-26: VPN Policies table showing the GtoG policy (Auto; 192.168.0.1 / 255.255.255.0; 192.168.3.1 / 255.255.255.0).]
21. When in Per User mode, everyone accessing the Internet through the router is required to log in. To configure General mode: 1. Enter a password in the Parental Controls Bypass Password box, re-enter it in the Confirm password box, and then click Apply. This password allows users to access pages that are blocked by Parental Controls. 2. Select the access profile that will apply to all users, as follows: • To select a predefined profile, click Apply Profile, and then choose a profile from the list. • To create a custom profile, click Use Custom Settings, and then select the check boxes as desired. For additional choices, click More Categories. • To allow unrestricted Internet access, click No Restrictions. 3. Click Apply. To configure Per User mode: The User Account Information table in Per User mode shows each user's name, access profile, and status. Users with Active status can access the Internet sites permitted by their access profiles. Users with Inactive status cannot log in and cannot access any Internet sites. To add a new user: 1. Click Add. Type the new user's login name and password, and then re-enter the password in the Confirm password box. 2. Select the new user's status. To allow Internet access, click Active. To completely disable this user's Internet access, click Inactive. 3. Select the access profile that will apply to this user, as follows: • To select a predefined profile, click Apply Profile, and t
22. can disregard this message. • Install the IPSec Component. You may have the option to install either the VPN Adapter or the IPSec Component or both. The VPN Adapter is not necessary. • The system should show the ProSafe icon in the system tray after rebooting. • Double-click the system tray icon to open the Security Policy Editor. 2. Add a new connection. a. Run the NETGEAR ProSafe Security Policy Editor program and, using the "VPN Tunnel Configuration Worksheet" on page 7-8, create a VPN Connection. b. From the Edit menu of the Security Policy Editor, click Add, then Connection. [Figure 7-9: Security Policy Editor, NETGEAR ProSafe VPN Client, showing the toDG834 connection with Remote Party Identity and Addressing (ID Type: IP Subnet; Subnet: 192.168.3.1; Mask: 255.255.255.0; Protocol: All) and Connect using Secure Gateway Tunnel (ID Type: IP Address; 22.23.24.25).] A "New Connection" listing appears in the list of policies. Rename the "New Connection" so that it matches the Connection Name you entered in the VPN Settings of the DG834G v3 on LAN A. Note
23. click on the Log Viewer system tray icon to open the Connection Monitor popup menu. [Figure B-22: NETGEAR ProSafe VPN Client popup menu with Disconnect, Connect, Help, and About entries.] To perform a ping test using our example, start from the remote PC: a. Establish an Internet connection from the PC. b. On the Windows taskbar, click the Start button, and then click Run. c. Type ping -t 192.168.0.1 and then click OK. [Figure B-23: Windows Run dialog with ping 192.168.0.1 entered in the Open box.] This will cause a continuous ping to be sent to the VPN router. After between several seconds and two minutes, the ping response should change from "timed out" to "reply". [Figure B-24: ping output showing replies from 192.168.0.1 with 32 bytes of data, TTL 64.] Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the VPN router. After a short wait, you should see the login screen of the VPN router (unless another PC already has the VPN router management interface open). Note: You can use the VPN router diagnostic utilities to t
24. data encryption keys. These values must be identical on all computers and Access Points in your network. • Automatic: enter a word or group of printable characters in the Passphrase box and click the Generate button. The four key boxes will be automatically populated with key values. • Manual: enter hexadecimal digits (any combination of 0-9, a-f, or A-F). Select which of the four keys will be active. Select the radio button for the key you want to make active. Be sure you clearly understand how the WEP key settings are configured in your wireless adapter. Wireless adapter configuration utilities such as the one included in Windows XP only allow entry of one key, which must match the default key you set in the DG834G v3. Click Apply to save your settings. Note: When configuring the modem router from a wireless computer, if you configure WEP settings, you will lose your wireless connection when you click Apply. You must then either configure your wireless adapter to match the modem router WEP settings or access the modem router from a wired computer to make any further changes. How to Configure WPA-PSK: Note: Not all wireless adapters support WPA. Consult the product document for your wireless adapter for instructions on configuring WPA settings. To configure WPA-PSK, follow these steps: 1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and defau
25. documentation.netgear.com/dg834g/fra (208-10034-01); German: http://documentation.netgear.com/dg834g/deu (208-10035-01); Italian: http://documentation.netgear.com/dg834g/ita (208-10036-01); Spanish: http://documentation.netgear.com/dg834g/esp (208-10037-01); Swedish: http://documentation.netgear.com/dg834g/sve (208-10038-01). Chapter 3, Wireless Configuration: This chapter describes how to configure the wireless features of your 54 Mbps ADSL Modem Wireless Router Model DG834G. Considerations for a Wireless Network: In planning your wireless network, you should consider the level of security required. You should also select the physical placement of your modem router in order to maximize the network speed. To ensure proper compliance and compatibility between similar products in your area, the operating channel and region must be set correctly. Observe Performance, Placement, and Range Guidelines: The operating distance or range of your wireless connection can vary significantly based on the physical placement of the wireless firewall. The latency, data throughput performance, and notebook power consumption also vary depending on your configuration choices. Note: Failure to follow these guidelines can result in significant performance degradation or inability to wirelessly connect to the router. For complete range/performance specifications, please see Appendix A, "Technical Specifications". For best resul
26. endpoint
• IP Address: the Internet IP address of the remote VPN endpoint.
• Fully Qualified Domain Name: the Domain name of the remote VPN endpoint.
• Fully Qualified User Name: the name, E-mail address, or other ID of the remote VPN endpoint.
Remote Identity Data: enter the data for the selection above. (If IP Address is selected, no input is required.)
Parameters
Encryption Algorithm: encryption algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. DES and 3DES are supported.
• DES: the Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56 bit key. Faster but less secure than 3DES.
• 3DES: Triple DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys.
Authentication Algorithm: authentication algorithm used for both IKE and IPSec. This setting must match the setting used on the remote VPN Gateway. Auto, MD5, and SHA-1 are supported. Auto negotiates with the remote VPN endpoint and is not available in responder-only mode.
• MD5: 128 bits, faster but less secure.
• SHA-1 (default): 160 bits, slower but more secure.
Pre-shared Key: the key must be entered both here and on the remote VPN Gateway.
SA Life Time: this determine
27. field and the finish IP address in the Finish IP address field. This must be an address range used on your LAN.
• Subnet address: enter an IP address in the Single/Start IP address field and the desired network mask in the Subnet Mask field.
The remote VPN endpoint must have these IP addresses entered as its "Remote" addresses.
Remote LAN: This identifies which PCs on the remote LAN are covered by this policy. For each selection, data must be provided as follows:
• Single PC - no Subnet: select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required.
• Single address: enter an IP address in the Single/Start IP address field. This must be an address on the remote LAN. Typically, this setting is used when you wish to access a server on the remote LAN.
• Range address: enter the starting IP address in the Single/Start IP address field and the finish IP address in the Finish IP address field. This must be an address range used on the remote LAN.
• Subnet address: enter an IP address in the Single/Start IP address field and the desired network mask in the Subnet Mask field.
The remote VPN endpoint must have these IP addresses entered as its "Local" addresses.
ESP Configuration
ESP (Encapsulating Security Payload) provides securit
28. filtering feature, the ADSL Modem Wireless Router prevents objectionable content from reaching your PCs. The modem router allows you to control access to Internet content by screening for keywords within Web addresses. Key content filtering options include:
• Keyword blocking of HTTP traffic.
• Outbound Service Blocking limits access from your LAN to Internet locations or services that you specify as off-limits.
• Denial of Service (DoS) protection. Automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
• Blocking unwanted traffic from the Internet to your LAN.
The section below explains how to configure your modem router to perform these functions.
How to Block Keywords and Sites
The ADSL Modem Wireless Router allows you to restrict access to Internet content based on functions such as Web addresses and Web address keywords.
1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router.
2. Select the Block Sites link of the Security menu.
[Screenshot: Block Sites screen, with Keyword Blocking options (Never, Per Schedule, Always), a "Type Keyword or Domain Name Here" box, and an Add Keyword button]
29. how the configuration functions.
The Summary screen below displays.
[Figure 7-6: VPN Wizard Summary screen, listing Connection Name, Remote VPN Endpoint, Remote Client Access, Remote IP, Remote ID, Local Client Access, Local IP, and Local ID, with a link to view the VPNC recommended parameters and a Done button]
To view the VPNC recommended authentication and encryption settings used by the VPN Wizard, click the "here" link. Click Back to return to the Summary screen.
[Figure 7-7: VPN Consortium (VPNC) Recommendation screen. The following parameters are recommended by the VPNC and used in the VPN Wizard:]
Secure Association: Main Mode
Authentication Method: Pre-shared Key
Encryption Protocol: 3DES
Authentication Protocol: SHA-1
Key Life: 8 hours
IKE Life Time: 1 hour
NETBIOS: Enabled
3. Click Done on the Summary screen to complete the configuration procedure. The VPN Policies menu below displays, showing that the new tunnel is enabled.
[Screenshot: VPN Policies screen, Policy Table with columns including Enable, Name, Type, Local, Remote, ESP]
30. menu as shown.
[Figure 4-8: Firewall Rules screen]
Outbound Services
#        Enable  Service Name  Action             LAN Users  WAN Servers  Log
1        [x]     AIM           BLOCK by schedule  Any        Any          Match
Default  Yes     Any           ALLOW always       Any        Any          Never
Inbound Services
#        Enable  Service Name  Action        LAN Server IP address  WAN Users                      Log
1        [x]     CU-SEEME      ALLOW always  192.168.0.11           134.177.88.1 - 134.177.88.254  Not Match
2        [x]     HTTP          ALLOW always  192.168.0.99           Any                            Never
Default  Yes     Any           BLOCK always                         Any                            Match
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. The Move button allows you to relocate a defined rule to a new position in the table.
Services
Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified
31. or using whatever User Name, Password, and LAN address you have chosen for the modem router.
2. From the Advanced section of the main menu, select the Remote Management link.
[Figure 5-10: Remote Management screen, with Turn Remote Management On, Remote Management Address, Allow Remote Access By (Only This Computer, IP Address Range, Everyone), and Port Number (8080)]
3. Select the Turn Remote Management On check box.
4. Specify what external addresses will be allowed to access the modem router's remote management. For security, restrict access to as few external IP addresses as practical.
• To allow access from any IP address on the Internet, select Everyone.
• To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
• To allow access from a single IP address on the Internet, select Only this Computer. Enter the IP address that will be allowed access.
5. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management Web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use th
32. policy. For each selection, data must be provided as follows:
• Single address: enter an IP address in the Single/Start IP address field. Typically, this setting is used when you wish to make a single Server on your LAN available to remote users.
• Range address: enter the starting IP address in the Single/Start IP address field and the finish IP address in the Finish IP address field. This must be an address range used on your LAN.
• Subnet address: enter an IP address in the Single/Start IP address field and the desired network mask in the Subnet Mask field.
The remote VPN endpoint must have these IP addresses entered as its "Remote" addresses.
Remote LAN: This identifies which PCs on the remote LAN are covered by this policy. For each selection, data must be provided as follows:
• Single PC - no Subnet: select this option if there is no LAN (only a single PC) at the remote endpoint. If this option is selected, no additional data is required. The typical application is a PC running the VPN client at the remote end.
• Single address: enter an IP address in the Single/Start IP address field. This must be an address on the remote LAN. Typically, this setting is used when you wish to access a server on the remote LAN.
• Range address: enter the starting IP address in the Single/Start IP address field and
33. port number. This is also known as port forwarding.
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your firewall. Only enable those ports that are necessary for your network. Following are two application examples of inbound rules.
Inbound Rule Example: A Local Public Web Server
If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown.
[Figure 4-5: Inbound Services rule screen, with Service set to HTTP (TCP:80) and the Action, Send to LAN Server, WAN Users, and Log fields]
The parameters are:
• Service: From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Services menu to add any additional services or applications that do not already appear.
• Action: C
34. reboot your computer.
• If your router's IP address was changed and you do not know the current IP address, clear the router's configuration to factory defaults. This will set the router's IP address to 192.168.0.1. This procedure is explained in "Using the Reset button" on page 8-9.
• Make sure your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure the Java applet is loaded.
• Try quitting the browser and launching it again.
• Make sure you are using the correct login information. The factory default login name is admin and the password is password. Make sure that CAPS LOCK is off when entering this information.
If the router does not save changes you have made in the Web Configuration Interface, check the following:
• When entering configuration settings, be sure to click the Apply button before moving to another menu or tab, or your changes are lost.
• Click the Refresh or Reload button in the Web browser. The changes may have occurred, but the Web browser may be caching the old configuration.
Troubleshooting the ISP Connection
If your router is unable to access the Internet, you should check the ADSL connection, then the WAN TCP/IP connection.
ADSL link
If your router is unable to access the Internet, you should first determine whether you have an
35. select the Respond to Ping on Internet WAN Port check box. This should only be used as a diagnostic tool, since it allows your modem router to be discovered. Do not select this box unless you have a specific reason to do so.
MTU Size
The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs you may need to reduce the MTU. But this is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
Configuring LAN IP Settings
The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP. These features can be found under the Advanced heading in the Main Menu of the browser interface.
The modem router is shipped preconfigured to use private IP addresses on the LAN side, and to act as a DHCP server. The modem router's default LAN IP configuration is:
• LAN IP addresses: 192.168.0.1
• Subnet mask: 255.255.255.0
These addresses are part of the Internet Engineering Task Force (IETF) designated private address range for use in private networks, and should be suitable in most applications. If your network has a requirement to use a different IP addressing scheme, you can make those changes in this menu.
[Screenshot: LAN IP Setup screen, LAN TCP/IP Setup section]
36. settings of the ADSL Modem Wireless Router are stored in a configuration file in the modem router. This file can be backed up to your computer, restored, or reverted to factory default settings. The procedures below explain how to do these tasks.
How to Back Up the Configuration to a File
1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password, and LAN address you have chosen for the modem router.
2. From the Maintenance heading of the Main Menu, select the Backup Settings menu shown.
[Figure 5-1: Backup Settings screen, with Save a Copy of Current Settings, Restore Saved Settings from a File, and Revert to Factory Default Settings]
3. Click Backup to save a copy of the current settings.
4. Store the .cfg file on a computer on your network.
How to Restore the Configuration from a File
1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password, and LAN address you have chosen for the modem router.
2. From the Maintenance heading of the Main Menu, select the Settings Backup menu.
Enter the full path
37. the LAN Path to Your Router
Testing the Path from Your Computer to a Remote Device
Restoring the Default Configuration and Password
Using the Reset Button
Problems with Date and Time
Appendix A: Technical Specifications
Appendix B: NETGEAR VPN Configuration
[several entries illegible]
Configuration Summary (Telecommuter Example)
Setting Up the Client-to-Gateway VPN Configuration (Telecommuter Example)
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the [illegible]
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter's Home Office
Monitoring the VPN Tunnel (Telecommuter Example)
Viewing the PC Client's Connection Monitor and Log Viewer
Viewing the VPN Router's VPN Status and Log Information
Appendix C: Related Documents
Ch
38. to the file on your network, or click the Browse button to locate the file.
4. When you have located the .cfg file, click the Restore button to upload the file to the modem router.
5. The modem router will then reboot automatically.
How to Erase the Configuration
It is sometimes desirable to restore the modem router to the factory default settings. This can be done by using the Erase function.
1. To erase the configuration, from the Maintenance menu Settings Backup link, click the Erase button on the screen.
2. The modem router will then reboot automatically.
After an erase, the modem router's password will be password, the LAN IP address will be 192.168.0.1, and the modem router's DHCP client will be enabled.
Note: To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the rear panel of the modem router. See "The Router's Rear Panel" on page 2-9.
Upgrading the Modem Router's Firmware
The software of the ADSL Modem Wireless Router is stored in FLASH memory, and can be upgraded as new software is released by NETGEAR. Upgrade files can be downloaded from NETGEAR's Web site. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.BIN or .IMG) file before uploading it to the modem router.
H
39. v3 lets you select the following wireless authentication schemes:
• Automatic
• Open System
• Shared key
Note: The authentication scheme is separate from the data encryption. You can choose an authentication scheme which requires a shared key but still leave the data transmissions unencrypted. If you require strong security, use both the Shared Key and WEP encryption settings.
Set your wireless adapter according to the authentication scheme you choose for the ADSL Modem Wireless Router. Please refer to "Wireless Communications" in Appendix C for a full explanation of each of these options, as defined by the IEEE 802.11g wireless communication standard.
Encryption Choices
Please refer to "Wireless Communications" in Appendix C for a full explanation of each of the following choices, as defined by the IEEE 802.11g wireless communication standard. Choose the encryption strength from the drop-down list:
• Disable: No encryption will be applied. This setting is useful for troubleshooting your wireless connection, but leaves your wireless data fully exposed.
• 64 or 128 bit WEP: When 64 Bit WEP or 128 Bit WEP is selected, WEP encryption will be applied. If WEP is enabled, you can manually or automatically program the four data encryption keys. These values must be identical on all computers and access points in your network.
40. your settings.
Note: The Block Sites feature is disabled when the Trend Micro Home Security feature is enabled. This is because the Trend security system incorporates its own site blocking capability.
Firewall Rules
Firewall rules are used to block or allow specific traffic passing through from one side of the router to the other. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the DG834G v3 are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
You can define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. You can also choose to log traffic that matches or does not match the rule you have defined.
You can change the order of precedence of rules so that the rule that applies most often will take effect first. See "Order of Precedence for Rules" on page 4-11 for more details.
41. 21
• See "Using Auto Policy to Configure VPN Tunnels" on page 7-38 when the VPN Wizard and its VPNC defaults (see Table 7-2) are not appropriate for your special circumstances, but you want to automate the Internet Key Exchange (IKE) setup.
• See "Using Manual Policy to Configure VPN Tunnels" on page 7-48 when the VPN Wizard and its VPNC defaults (see Table 7-2) are not appropriate for your special circumstances and you must specify each phase of the connection. You manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex and there are more opportunities for errors or configuration mismatches between your DG834G v3 and the corresponding VPN endpoint gateway or client workstation.
Note: NETGEAR publishes additional interoperability scenarios with various gateway and client software products. Look on the NETGEAR web site at www.netgear.com for these interoperability scenarios.
How to Set Up a Client-to-Gateway VPN Configuration
[Figure 7-3: VPN tunnel between PCs running the NETGEAR ProSafe VPN Client (0.0.0.0) and the DG834G (WAN 22.23.24.25, LAN 192.168.3.1)]
Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway involves the following two steps:
• Step 1: Configuring the Client t
42. [Figure 7-17: VPN Status log screen, with Refresh, Clear Log, and VPN Status buttons]
Note: Use the active VPN tunnel information and pings to determine whether a failed connection is due to the VPN tunnel or some reason outside the VPN tunnel.
9. The Connection Monitor screen for this connection is shown below.
[Figure 7-18: Connection Monitor screen of the NETGEAR ProSafe VPN Client, showing the toDG834 connection]
In this example you can see the following:
• The DG834G v3 has a public IP WAN address of 22.23.24.25.
• The DG834G v3 has a LAN IP address of 192.168.3.1.
• The VPN client PC has a dynamically assigned address of 192.168.2.2.
While the connection is being established, the Connection Name field in this menu will say "SA" before the name of the connection. When the connection is successful, the "SA" will change to the yellow key symbol shown in the illustration above.
Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is the case, you
43. 4G
Gateway-to-Gateway VPN Tunnels
• Gateway-to-Gateway VPN Tunnels provide secure access between networks, such as a branch or home office and a main office.
[Figure 7-2: Two DG834G VPN Firewalls, each with attached PCs, joined by a VPN tunnel across the Internet]
A VPN between two or more NETGEAR VPN-enabled routers is a good way to connect branch or home offices and business partners over the Internet. VPN tunnels also enable access to network resources across the Internet. In this case, use DG834G v3s on each end of the tunnel to form the VPN tunnel end points. See "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 7-21 to set up this configuration.
Planning a VPN
When you set up a VPN, it is helpful to plan the network configuration and record the configuration parameters on a worksheet.
Table 7-1. VPN Tunnel Configuration Worksheet
Connection Name:
Pre-Shared Key:
Secure Association: Main Mode or Manual Keys
Perfect Forward Secrecy: Enabled or Disabled
Encryption Protocol: DES or 3DES
Authentication Protocol: MD5 or SHA-1
Diffie-Hellman (DH) Group: Group 1 or Group 2
Key Life in seconds:
IKE Life Time in seconds:
Column headings: FQDN or Gateway IP; VPN Endpoint; Local IPSec ID; LAN IP Address; Subnet Mask; WAN IP Address; T
44. [Figure 6-2: LAN IP Setup screen, with RIP Direction, RIP Version, Use Router as DHCP Server (Starting IP Address 192.168.0.2, Ending IP Address 192.168.0.254), and Address Reservation (IP Address, Device Name, MAC Address)]
The LAN TCP/IP Setup parameters are:
• IP Address: This is the LAN IP address of the modem router.
Warning: If you change the LAN IP address of the modem router while connected through the browser, you or anyone else using the router will be disconnected. You must then open a new connection to the new IP address and log in again. Others using the router will have to restart their computer and connect to the router again.
• IP Subnet Mask: This is the LAN Subnet Mask of the modem router. Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or modem router.
• RIP Direction: RIP (Router Information Protocol) allows a modem router to exchange routing information with other routers. The RIP Direction selection controls how the Modem Router sends and receives RIP packets. Both is the default.
When set to Both or Out Only, the modem router will broadcast its routing table periodically.
When set to Both or In Only, it will incorporate the RIP info
45. 55.0
a. In Step 1, enter toFVL328 for the Connection Name.
b. In Step 2, enter fvl328.dyndns.org for the remote WAN's IP address.
c. In Step 3, enter the following:
• IP Address: 172.23.9.1
• Subnet Mask: 255.255.255.0
6. Configure the FVL328 as in the Gateway-to-Gateway procedures for the VPN Wizard (see "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 7-21), being certain to use appropriate network addresses for the environment.
a. In Step 1, enter toDG834 for the Connection Name.
b. In Step 2, enter dg834g.dyndns.org for the remote WAN's IP address.
c. In Step 3, enter the following:
• IP Address: 10.5.6.1
• Subnet Mask: 255.255.255.0
7. Test the VPN tunnel by pinging the remote network from a PC attached to the DG834G v3.
a. Open the command prompt (Start > Run > cmd).
b. ping 172.23.9.1
[Figure B-11: Command prompt window showing ping replies from 172.23.9.1]
Note: The pings may fail the first time. If this happens, try the pings a second time.
46. 834G v3 can restrict wireless access to your network by not broadcasting the wireless network name (SSID). However, by default, this feature is turned off. If you turn this feature on, wireless devices will not see your DG834G v3. You must configure your wireless devices to match the wireless network name (SSID) you configure in the ADSL Modem Wireless Router.
Note: The SSID of any wireless access adapters must match the SSID you configure in the 54 Mbps ADSL Modem Wireless Router Model DG834G. If they do not match, you will not get a wireless connection to the DG834G v3.
Restricting Wireless Access Based on the Wireless Station Access List
This list determines which wireless hardware devices will be allowed to connect to the firewall. To restrict access based on MAC addresses, follow these steps:
1. Log in to the DG834G v3 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.
2. From the Wireless Settings menu, Wireless Station Access List section, click the Setup Access List button to display the list shown below.
[Screenshot: Wireless Station Access List screen, with Turn Access Control On, Trusted Wireless Stations, and Available Wireless Stations]
47. To access the rules configuration of the DG834G v3, click the Firewall Rules link on the main menu, then click Add for either an Outbound or Inbound Service.
[Figure 4-4: Firewall Rules screen]
Outbound Services
#        Enable  Service Name  Action        LAN Users  WAN Servers  Log
Default  Yes     Any           ALLOW always  Any        Any          Never
Inbound Services
#        Enable  Service Name  Action        LAN Server IP address  WAN Users  Log
Default  Yes     Any           BLOCK always                         Any        Match
• To edit an existing rule, select its button on the left side of the table and click Edit.
• To delete an existing rule, select its button on the left side of the table and click Delete.
• To move an existing rule to a different position in the table, select its button on the left side of the table and click Move. At the script prompt, enter the number of the desired new position and click OK.
Inbound Rules (Port Forwarding)
Because the DG834G v3 uses Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the modem router to direct inbound traffic for a particular service to one local server based on the destination
48. ADSL link with the service provider. The state of this connection is indicated with the Internet LED.
Internet LED Green or Blinking Green
If your Internet LED is green or blinking green, then you have a good ADSL connection. You can be confident that the service provider has connected your line correctly and that your wiring is correct.
Internet LED Blinking Amber
If your Internet LED is blinking amber, then your modem router is attempting to make an ADSL connection with the service provider. The LED should turn green within several minutes.
If the Internet LED does not turn green, disconnect all telephones on the line. If this solves the problem, reconnect the telephones one at a time, being careful to use a microfilter on each telephone. If the microfilters are connected correctly, you should be able to connect all your telephones.
If disconnecting telephones does not result in a green Internet LED, there may be a problem with your wiring. If the telephone company has tested the ADSL signal at your Network Interface Device (NID), then you may have poor quality wiring in your house.
Internet LED Off
If the Internet LED is off, disconnect all telephones on the line. If this solves the problem, reconnect the telephones one at a time, being careful to use a microfilter on each telephone. If the microfilters are connected correctly, y
49. [Figure 3-4: Wireless Station Access List screen, with Available Wireless Stations and Add New Station Manually (Device Name, MAC Address)]
3. Select the Turn Access Control On check box to enable restricting wireless computers by their MAC addresses.
4. If the wireless station is currently connected to the network, you can select it from the Available Wireless Stations list. Click Add to add the station to the Trusted Wireless Stations list.
5. If the wireless station is not currently connected, you can enter its address manually. Enter the MAC address of the authorized computer. The MAC address is usually printed on the wireless card, or it may appear in the modem router's DHCP table. The MAC address will be 12 hexadecimal digits.
Click Add to add your entry. You can add several stations to the list, but the entries will be discarded if you do not click Apply.
You can copy and paste the MAC addresses from the modem router's Attached Devices menu into the MAC Address box of this menu. To do this, configure each wireless computer to obtain a wireless link to the modem router. The computer should then appear in the Attached Devices menu.
Note: If you are configuring the modem router from a wireless computer whose MAC address is not in the Trusted Wireless Stations list, and you select Trusted Wireless Stations only, you will lo
50. [Figure 4-3: screen with the keyword and domain name list, the Delete Keyword and Clear List buttons, and the Allow Trusted IP Address to Visit Blocked Sites option with its Trusted IP Address field] To enable keyword blocking, select one of the following: Per Schedule, to turn on keyword blocking according to the settings on the Schedule page; Always, to turn on keyword blocking all of the time, independent of the Schedule page. Enter a keyword or domain in the Keyword box, click Add Keyword, then click Apply. Some examples of Keyword application follow. If the keyword XXX is specified, the URL <http://www.badstuff.com/xxx.html> is blocked. If the keyword com is specified, only Web sites with other domain suffixes (such as edu or gov) can be viewed. Enter the keyword to block all Internet browsing access. Up to 32 entries are supported in the Keyword list. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply. To specify a trusted user, enter that computer's IP address in the Trusted IP Address box and click Apply. You can specify one trusted user, which is a computer that will be exempt from blocking and logging. Since the trusted user will be identified by an IP address, you should configure that computer with a fixed IP address. 7. Click Apply to save
51. In this example, the Connection Name used on the client side of the VPN tunnel is toDG834, and it does not have to match the Road Warrior Connection Name used on the gateway side of the VPN tunnel, because Connection Names are arbitrary to how the VPN tunnel functions. Tip: Choose Connection Names that make sense to the people using and administering the VPN. Select Secure in the Connection Security check box group. d. Select IP Subnet in the ID Type menu. e. In this example, type 192.168.3.1 in the Subnet field as the network address of the DG834G v3. f. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the DG834G v3. g. Select All in the Protocol menu to allow all traffic through the VPN tunnel. h. Select the Connect using Secure Gateway Tunnel check box. i. Select IP Address in the ID Type menu below the check box. j. Enter the public WAN IP Address of the DG834G v3 in the field directly below the ID Type menu. In this example, 22.23.24.25 would be used. k. The resulting Connection Settings are shown in Figure 7-10. 3. Configure the Security Policy in the NETGEAR ProSafe VPN Client software. a. In the Network Security Policy list, expand the new connection by double-clicking its name or clicking on the symbol. My Identity and Security Policy subheadings appear
52. Name, Password, and LAN address you have chosen for the router. From the Main Menu, under Advanced, click the LAN IP Setup link to view the menu shown. [Figure 6-3: LAN IP Setup menu with the LAN TCP/IP Setup fields (IP Address, IP Subnet Mask, RIP Direction, RIP Version), the Use Router as DHCP Server option (Starting IP Address, Ending IP Address) and the Address Reservation table (IP Address, Device Name, MAC Address)] 3. Enter the TCP/IP, DHCP, or Reserved IP parameters. 4. Click Apply to save your changes. Configuring Dynamic DNS: If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently. In this case, you can use a commercial dynamic DNS service that will allow you to register your domain to their IP address and will forward traffic directed at your domain to your frequently changing IP address. The router contains a client that can connect to a dynamic DNS service provider. To use this feature, you must select a service provider and obtain an account with them. Af
53. Note: Refer to Using Auto Policy to Configure VPN Tunnels on page 7-38 to enable the IKE keepalive capability on an existing VPN tunnel. 6. Repeat for the DG834G v3 on LAN B, and pay special attention to use the following network settings as appropriate: WAN IP of the remote VPN gateway (e.g., 14.15.16.17); LAN IP settings of the remote VPN gateway: IP Address (e.g., 192.168.0.1), Subnet Mask (e.g., 255.255.255.0); Preshared Key (e.g., 12345678). 7. Use the VPN Status screen to activate the VPN tunnel by performing the following steps. Note: The VPN Status screen is only one of three ways to activate a VPN tunnel. See Activating a VPN Tunnel on page 7-29 for information on the other ways. a. Open the DG834G v3 management interface and click on VPN Status to get the VPN Status Log screen (Figure 7-27). [Figure 7-27: VPN Status Log with entries from 2004-06-22 22:58:26 to 22:58:27: "GtoG initiating Main Mode", "GtoG ISAKMP SA established", and two "GtoG sent QI2 IPsec SA established" entries] b. Click on VPN Status (Figure 7-29) to get the Current VPN Tunnels (SAs) screen (Figure 7-28). Click on Connect for the VPN tunnel you want to activate
54. Setting Up A Default DMZ Server 6-2; Connect Automatically as Required 6-3; Disable Port Scan and DOS Protection 6-3; Respond to Ping on Internet WAN Port 6-4; [illegible entry] 6-4; [illegible entry] 6-4; DHCP 6-6; How to Configure LAN TCP/IP Settings 6-8; Configuring Dynamic DNS 6-9; How to Configure Dynamic DNS 6-9; [illegible entry] 6-11; [illegible entry] 6-11; How to Configure Static Routes 6-12; Universal Plug and Play (UPnP) 6-13. Chapter 7 Virtual Private Networking: Overview of VPN Configuration 7-2; Client to Gateway VPN Tunnels 7-2; Gateway to Gateway VPN Tunnels 7-3; [illegible entry] 7-4; [illegible entry] 7-6; How to Set Up a Client to Gateway VPN Configuration 7-7; Step 1: Configuring the Client to Gateway VPN Tunnel on the DG834G v3 7-7; Step 2: Configuring the NETGEAR ProSafe VPN Cl
55. [Figure 7-44: VPN Policies policy table (columns Enable, Name, Type, Local, Remote, ESP) with the GtoG Auto policy] 6. Repeat for the DG834G v3 on LAN B, and pay special attention to use the following network settings as appropriate: General, Remote Address Data (e.g., 14.15.16.17); Remote LAN, Start IP Address: IP Address (e.g., 192.168.0.1), Subnet Mask (e.g., 255.255.255.0); Preshared Key (e.g., 12345678). 7. Use the VPN Status screen to activate the VPN tunnel by performing the following steps. Note: The VPN Status screen is only one of three ways to activate a VPN tunnel. See Activating a VPN Tunnel on page 7-29 for information on the other ways. a. Open the DG834G v3 management interface and click on VPN Status to display the VPN Status Log screen (Figure 7-45). [Figure 7-45: VPN Status Log with entries from 2004-06-22 22:58:26 to 22:58:27: "GtoG initiating Main Mode", "GtoG ISAKMP SA established", and two "GtoG sent QI2 IPsec SA established" entries] b. Click VPN Status (Figure 7-45) to display the Current VPN Tunnels (SAs) screen (Figure 7-46). Click on Connect for the VPN tunnel you want to activate.
56. [Figure 5-4: router statistics screen with WAN, LAN and WLAN port counters, ADSL Link downstream and upstream Connection Speed, Line Attenuation and Noise Margin, and the Poll Interval setting] This screen shows the following statistics. Table 5-2. Router Statistics Fields. WAN or LAN Port: The statistics for the WAN (Internet) and LAN ports. Status: The link status of the port. TxPkts: The number of packets transmitted on this port since reset or manual clear. RxPkts: The number of packets received on this port since reset or manual clear. Collisions: The number of collisions on this port since reset or manual clear. Tx B/s: The current line utilization (percentage of current bandwidth used on this port). Rx B/s: The average line utilization for this port. Up Time: The time elapsed since the last power cycle or reset. ADSL Link Downstream or Upstream: The statistics for the upstream and downstream ADSL link. These statistics will be of interest to your technical support representative if you are having problems obtaining or maintaining a connection. Connection Speed: Typically, the downstream speed is faster than the upstream speed. Line Attenuation: The line attenuation will increase the further y
57. Wrong physical connections: Make sure the LAN port LED is on. If the LED is off, follow the instructions in LAN or Internet Port LEDs Not On on page 8-2. Check that the corresponding Link LEDs are on for your network interface card and for the hub ports (if any) that are connected to your workstation and router. Wrong network configuration: Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your PC or workstation. Verify that the IP address for your router and your workstation are correct and that the addresses are on the same subnet. Testing the Path from Your Computer to a Remote Device: After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type PING -n 10 <IP address>, where <IP address> is the IP address of a remote device such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies: Check that your PC has the IP address of your router listed as the default modem router. If the IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC's Network Control Panel. Verify that the IP address of the router is listed as the default modem router, as described in Preparing a Computer for Network Access in Appendix C. Check to see that the network address of yo
58. a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double-clicking its name or clicking on the symbol. b. Expand the Authentication subheading by double-clicking its name or clicking on the symbol. Then select Proposal 1 below Authentication. [Figure 7-13: Security Policy Editor, NETGEAR ProSafe VPN Client, Authentication (Phase 1) Proposal 1 with the Authentication Method and Algorithms settings] In the Authentication Method menu, select Pre-Shared key. In the Encrypt Alg menu, select the type of encryption to correspond with what was configured for the Encryption Protocol in the DG834G v3 in Table 7-3 on page 7-8. In this example, use Triple DES. In the Hash Alg menu, select SHA-1. In the SA Life menu, select Unspecified. In the Key Group menu, select Diffie-Hellman Group 2. 6
59. [Figure: VPN Auto Policy settings screen] 2. Configure the FVL328 as in the Gateway to Gateway procedures for the VPN Wizard (see How to Set Up a Gateway to Gateway VPN Configuration on page 7-21), being certain to use appropriate network addresses for the environment. In Step 1, enter toDG834 for the Connection Name. In Step 2, enter 14.15.16.17 for the remote WAN's IP address. c. In Step 3, enter the following: IP Address 10.5.6.1; Subnet Mask 255.255.255.0. [Figure: IKE policy table with the toDG834 entry (Main Mode, 22.23.24.25, 14.15.16.17, 3DES, SHA1, Group 2 (1024 Bit))] Click IKE Polici
60. [Figure 7-31: Running a Ping test to the LAN from the PC, with ping 192.168.0.1 entered in the Windows Run dialog] This will cause a continuous ping to be sent to the first DG834G v3. After between several seconds and two minutes, the ping response should change from timed out to reply. Note: Use Ctrl-C to stop the pinging. [Figure 7-32: ping output showing replies from 192.168.0.1] Once the connection is established, you can open the browser of the PC and enter the LAN IP address of the remote DG834G v3. After a short wait, you should see the login screen of the Modem Router (unless another PC already has the DG834G v3 management interface open). Gateway to Gateway Configuration: test the VPN tunnel by pinging the remote network from a PC attached to the DG834G v3. a. Open command prompt (i.e., Start > Run > cmd). ping 192.168.3.1 Pinging 192.168.3.1 with 32 bytes of data: Reply from 192.168.3.1: bytes=32 time=2ms TTL=254 Reply
61. apter 1 About This Manual. This chapter describes the intended audience, scope, conventions, and formats of this manual. Audience, Scope, Conventions, and Formats: This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial information is provided in the Appendices and on the Netgear website. Note: Product updates are available on the NETGEAR Inc Web site at http kbserver netgear com products DG834G v3 asp. This guide uses the following typographical conventions (Table 1-1): italics: Emphasis, books, CDs, URL names; bold: User input; fixed: Screen text, file and server names, extensions, commands, IP addresses. This guide uses the following formats to highlight special messages. Note: This format is used to highlight information of importance or special interest. Tip: This format is used to highlight a procedure that will save time or resources. Warning: Ignoring this type of note may result in a malfunction or damage to the equipment. Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death. This manual is written for the ADSL Modem Wireless Router according to
62. arning: When uploading software to the modem router, it is important not to. Network Management Information: The DG834G v3 provides a variety of status and usage information, which is discussed below. Viewing Modem Router Status and Usage Statistics: From the Main Menu, under Maintenance, click Modem Router Status to view this screen. [Figure 5-3: Router Status screen with the Account Name and Firmware Version fields, the ADSL Port, LAN Port, Modem and Wireless Port sections, and the Show Statistics and Connection Status buttons] The Modem Router Status menu provides status and usage information. This screen shows the following parameters. Table 5-1. Menu 3.2 Modem Router Status Fields. Account Name: The Host Name assigned to the modem router in the Basi
63. asily configure your modem router from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided, and online help documentation is built into the browser-based Web Management Interface. Smart Wizard: The firmware in the modem router automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account. Remote management: The modem router allows you to log in to the Web management interface from a remote location via the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses, or you can choose a nonstandard port number. Diagnostic functions: The modem router incorporates built-in diagnostic functions such as Ping, DNS lookup, and remote reboot. These functions allow you to test Internet connectivity and reboot the modem router. You can use these diagnostic functions directly from the DG834G v3 when you are connected on the LAN or when you are connected over the Internet via the remote management function. Visual monitoring: The modem router's front panel LEDs provide an easy way to monitor its status and activity. Flash erasable programmable read-only memory (EPROM) for firmware upgrades. Protocol Support: The DG834G v3 supports Transmission Control Protocol
64. be 22 hours and 30 minutes. If you set the start time after the end time, the schedule will be effective through midnight the next day. Click Apply to save your changes. Trend Micro Home Network Security: You can enable Home Network Security if you didn't do so when you originally set up your router. Home routers provide an enhanced Internet experience, but the likelihood of attacks also increases. Trend Micro Home Network Security addresses the security needs of computers accessing the Internet via home routers. Note: The 54 Mbps ADSL Modem Wireless Router Model DG834G supports Home Network Security. To take advantage of this feature, you must register an account with Trend Micro. For more information, refer to the Home Network Security Quick Start Guide on the NETGEAR Resource CD or to http://www.trendmicro.com/offers/netgear. The Trend Micro software requires Microsoft Internet Explorer 5.5 or higher. To begin using Home Network Security, configure the Security Service and Parental Controls menus on your ADSL Modem Wireless Router. Each screen has a GUI button to click that will take you to the Trend Micro Web site to open your Trend Micro account. Note: Because of overlapping functionality, the Block Sites feature described in How to Block Keywords and Sites on page 4-3 is disabled
65. below the connection name. b. Click on the Security Policy subheading to show the Security Policy menu. [Figure 7-10: Security Policy Editor, Security Policy menu with the Select Phase 1 Negotiation Mode options (Main Mode, Aggressive Mode, Use Manual Key), Enable Perfect Forward Secrecy (PFS) and Enable Replay Detection] c. Select the Main Mode in the Select Phase 1 Negotiation Mode check box group. 4. Configure the VPN Client Identity. In this step, you will provide information about the remote VPN client PC. You will need to provide the Pre-Shared Key that you configured in the DG834G v3 and either a fixed IP address or a fixed virtual IP address of the VPN client PC. a. In the Network Security Policy list on the left side of the Security Policy Editor window, click on My Identity. [Figure: Security Policy Editor, NETGEAR ProSafe VPN Client, My Identity settings]
66. by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request. The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, Assigned Numbers. Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application. Although the DG834G v3 already holds a list of many service port numbers, you are not limited to these choices. Use the procedure below to create your own service definitions. How to Define Services: 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router. 2. Select the Services link of the Security menu to display the Services menu shown. [Figure 4-9: Services menu with the Service Table (Service Type, Ports) and the Add Custom Service, Edit Service and Delete Service buttons] To create a new Service, click the Add Custom Service button. To edit an existing Service, select its button on the left side of the table and click Edit Service. To delete an existing Service, select its butt
67. c Settings menu. Firmware Version: This field displays the modem router firmware version. ADSL Port: These parameters apply to the Internet ADSL port of the modem router. MAC Address: This field displays the Ethernet MAC address being used by the Internet ADSL port of the modem router. IP Address: This field displays the IP address being used by the Internet ADSL port of the modem router. If no address is shown, the modem router cannot connect to the Internet. Network Type: The network type is determined by your ISP. Common network types are PPPoE and PPPoA. IP Subnet Mask: This field displays the IP Subnet Mask being used by the Internet ADSL port of the modem router. Domain Name Server (DNS): This field displays the DNS Server IP addresses being used by the modem router. These addresses are usually obtained dynamically from the ISP. LAN Port: These parameters apply to the Local ADSL port of the modem router. MAC Address: This field displays the Ethernet MAC address being used by the Local LAN port of the modem router. IP Address: This field displays the IP address being used by the Local LAN port of the modem router. The default is 192.168.0.1. DHCP: If OFF, the modem router will not assign IP addresses to PCs on the LAN. If ON, the modem router will assign IP addresses to PCs on the LAN. IP Subnet Mask: This field displays the IP Subnet Mask being used by the Local LAN po
68. cal port has detected a link with a 100 Mbps device. Blink Green: Data is being transmitted or received at 100 Mbps. 5 LAN. On Amber: The Local port has detected a link with a 10 Mbps device. Blink Amber: Data is being transmitted or received at 10 Mbps. Off: No link is detected on this port. The Router's Rear Panel: The rear panel of the 54 Mbps ADSL Modem Wireless Router Model DG834G (Figure 2-2) contains port connections. Viewed from left to right, the rear panel contains the following elements: 1. RJ-11 ADSL port for connecting the firewall to an ADSL line. 2. Four Local Ethernet RJ-45 LAN ports for connecting the firewall to the local computers. 3. Factory Default Reset push button. 4. AC power adapter outlet. 5. Wireless antenna. Connecting the Router to the Internet: To connect your ADSL Modem Wireless Router to the Internet, refer to the ADSL Modem Wireless Router Setup Manual on the DG834G ADSL Modem Wireless Router Resource CD or online as shown in the following table. Table 2-2 (Language, URL): Dutch: http documentation netgear com dg834g nld 208 10039 01; English: http documentation netgear com dg834g enu 208 10033 01; French: http
69. ck Edit. Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter's Home Office. This procedure describes how to configure the 54 Mbps ADSL Modem Wireless Router Model DG834G. We will assume the PC running the client has a dynamically assigned IP address. The PC must have a VPN client program installed that supports IPSec (in this case study, the NETGEAR VPN ProSafe Client is used). Go to the NETGEAR website (http://www.netgear.com) and select VPN01L VPN05L in the Product Quick Find drop-down menu for information on how to purchase the NETGEAR ProSafe VPN Client. Note: Before installing the 54 Mbps ADSL Modem Wireless Router Model DG834G software, be sure to turn off any virus protection or firewall software you may be running on your PC. 1. Install the NETGEAR ProSafe VPN Client on the remote PC and reboot. You may need to insert your Windows CD to complete the installation. If you do not have a modem or dial-up adapter installed in your PC, you may see the warning message stating "The NETGEAR ProSafe VPN Component requires at least one dial-up adapter be installed." You can disregard this message. Install the IPSec Component. You may have the option to install either the VPN Adapter or the IPSec Component or both. The VPN Adapter is not necessary. The system s
70. click Next to proceed. Enter the new Connection Name (e.g., GtoG). [Figure 7-21: VPN Wizard Step 1 of 3, Connection Name and Remote IP Type; callouts: enter the new Connection Name, enter the pre-shared key (e.g., 12345678), select the radio button A remote VPN Gateway] 3. Fill in the IP Address or FQDN for the target VPN endpoint WAN connection and click Next. [Figure 7-22: VPN Wizard Step 2 of 3, Remote IP address or Internet name; callout: enter the WAN IP address of the remote VPN gateway (e.g., 22.23.24.25)] 4. Identify the IP addresses at the target endpoint which can use this tunnel and click Next. [Figure 7-23: VPN Wizard Step 3 of 3, Secure Connection Remote Accessibility; callout: enter the LAN IP settings of the remote VPN gateway, IP Address (e.g., 192.168.3.1) and Subnet Mask (e.g., 255.255.255.0)]
71. 3. Click on VPN Status (Figure 7-29) to get the Current VPN Tunnels (SAs) screen. [Figure 7-35: Current VPN Tunnels (SAs) screen listing the RoadWarrior policy with remote endpoint 192.168.2.2] This table lists the following data for each active VPN Tunnel. SPI: each SA has a unique SPI (Security Parameter Index) for traffic in each direction. For Manual key exchange, the SPI is specified in the Policy definition. For Automatic key exchange, the SPI is generated by the IKE protocol. Policy Name: the name of the VPN policy associated with this SA. Remote Endpoint: the IP address on the remote VPN Endpoint. Action: the action will be either a Drop or a Connect button. SLifeTime (Secs): the remaining Soft Lifetime for this SA in seconds. When the Soft Lifetime becomes zero, the SA (Security Association) will be re-negotiated. HLifeTime (Secs): the remaining Hard Lifetime for this SA in seconds. When the Hard Lifetime becomes zero, the SA (Security Association) will be terminated. (It will be re-established if required.) Deactivating a VPN Tunnel: Sometimes a VPN tunnel mu
72. Parameters: cy (Enabled or Disabled); Encryption Protocol (DES or 3DES); Authentication Protocol (MD5 or SHA-1); Diffie-Hellman (DH) Group (Group 1 or Group 2); Key Life in seconds; IKE Life Time in seconds. Values: GtoG; 12345678; Main; Disabled; 3DES; SHA-1; Group 2; 28800 (8 hours); 3600 (1 hour). VPN Endpoint, Local IPSec ID, LAN IP Address, Subnet Mask, FQDN or Gateway IP (WAN IP Address): DG834G v3 A: LAN_A, 192.168.0.1, 255.255.255.0, 14.15.16.17; DG834G v3 B: LAN_B, 192.168.3.1, 255.255.255.0, 22.23.24.25. 2. Open the DG834G v3 on LAN A management interface and click on VPN Policies. [Figure 7-42: VPN Policies screen with the Policy Table (Enable, Name, Type, Local, Remote, ESP) and the Add Auto Policy and Add Manual Policy buttons] Click Add Auto Policy. Enter policy settings (see Figure 7-43). General: Policy Name: GtoG; Remote VPN Endpoint Address Type: Fixed IP Address; Remote VPN Endpoint Address Data: 22.23.24.25. Local LAN: use default setting. Remote LAN: IP Address: select Subnet address from the pulldown menu; Start IP address: 192.168.3.1; Subnet Mask: 255.255.255.0. IKE: Direction: Initiator and Responder; Exchange Mode: Main Mode; Diffie-Hellman (DH) Group: Group 2 (1024 Bit); Local Identity Type: use
73. d (see How to Set Up a Gateway to Gateway VPN Configuration on page 7-21), being certain to use appropriate network addresses for the environment. The LAN Addresses used in this example are as follows (Unit, WAN IP, LAN IP, LAN Subnet Mask): DG834G: 14.15.16.17, 10.5.6.1, 255.255.255.0; FVL328: 22.13.24.25, 172.23.9.1, 255.255.255.0. In Step 1, enter toFVL328 for the Connection Name. In Step 2, enter 22.23.24.25 for the remote WAN's IP address. c. In Step 3, enter the following: IP Address 172.23.9.1; Subnet Mask 255.255.255.0. Click VPN Policies under Advanced VPN to invoke this screen. [Figure B-2: VPN Policies screen with the Policy Table and the Add Auto Policy and Add Manual Policy buttons] [Figure: VPN Auto Policy settings screen]
74. d Devices menu contains a table of all IP devices that the modem router has discovered on the local network. From the Main Menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table shown. [Figure 5-6: Attached Devices table with columns IP Address, Device Name, and MAC Address] For each device, the table shows the IP address, Device Name if available, and the Ethernet MAC address. Note that if the modem router is rebooted, the table data is lost until the modem router rediscovers the devices. To force the modem router to look for attached devices, click the Refresh button. Viewing, Selecting, and Saving Logged Information: The modem router will log security-related events such as denied incoming service requests, hacker probes, and administrator logins. If you enabled content filtering in the Block Sites menu, the Logs page can show you when someone on your network tries to access a blocked site. If you enabled e-mail notification, you will receive these logs in an e-mail message. If you do not have e-mail notification enabled, you can view the logs here. An example of the log
75. default setting; Remote Identity Type: use default setting. Parameters: Encryption Algorithm: 3DES; Authentication Algorithm: MD5; Pre-shared Key: 12345678. [Figure 7-43: VPN Auto Policy screen] 5. Click Apply. The Get VPN Policies web page is displayed. VPN Policies Policy
76. Chapter 4 Protecting Your Network: Protecting Access to Your 54 Mbps ADSL Modem Wireless Router Model DG834G; How to Change the Built-In Password; Changing the Administrator Login Timeout; Configuring Basic Firewall Services; Blocking Keywords, Sites, and Services; How to Block Keywords and Sites; Inbound Rules (Port Forwarding); Outbound Rules (Service Blocking); Order of Precedence for Rules; How to Define Services; Setting Times and Scheduling Firewall Services; How to Set Your Time Zone; How to Schedule Firewall Services; Trend Micro Home Network Security; Parental Controls Settings. Chapter 5 Managing You
77. devices in your network (key 1 must be the same for all, key 2 must be the same for all, and so on). The DG834G v3 provides two methods for creating WEP encryption keys. Passphrase: These characters are case sensitive. Enter a word or group of printable characters in the Passphrase box and click the Generate button. Note: Not all wireless adapters support passphrase key generation. Manual: These values are not case sensitive. 64-bit WEP: enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F). 128-bit WEP: enter 26 hexadecimal digits (any combination of 0-9, a-f, or A-F). Table 3-1. Wireless Security Options (continued). WPA-PSK (Wi-Fi Protected Access Pre-Shared Key): WPA Pre-Shared Key uses a pre-shared key to perform the authentication and generate the initial data encryption keys. Then it dynamically varies the encryption key. For a full explanation of WPA, see "Wireless Communications" in Appendix C. WPA-802.1x: Note: Not all wireless adapters support WPA. Furthermore, client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 do include the client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA. User authentication is implemented using 802.1x and RADIUS servers. For a full explanation of WPA, s
78. e number of any common service port. The default is 8080, which is a common alternate for HTTP. 6. Click Apply to have your changes take effect. When accessing your modem router from the Internet, you will type your modem router's WAN IP address in your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the custom port number. For example, if your external address is 134.177.0.123 and you use port number 8080, enter in your browser: http://134.177.0.123:8080. Note: In this case, the http:// must be included in the address. Chapter 6 Advanced Configuration: This chapter describes how to configure the advanced features of your 54 Mbps ADSL Modem Wireless Router Model DG834G. Configuring Advanced Security: The 54 Mbps ADSL Modem Wireless Router Model DG834G provides a variety of advanced features, such as: Setting up a Demilitarized Zone (DMZ) Server; Connecting Automatically, as Required; Disabling Port Scan and DOS Protection; Responding to a Ping on the Internet WAN Port; MTU Size; Flexibility on configuring your LAN TCP/IP settings; Using the Router as a DHCP Server; Configuring Dynamic DNS; Configuring Static Routes. These features are discussed below.
79. e initiating device, and whether it originated from the LAN or WAN. Destination: The name or IP address of the destination device or Web site. Destination port and interface: The service port number of the destination device, and whether it's on the LAN or WAN. Log action buttons are described in Table 5-5 below. Table 5-5. Security Log action buttons. Refresh: Refresh the log screen. Clear Log: Clear the log entries. Send Log: Email the log immediately. Apply: Apply the current settings. Cancel: Clear the current settings. Selecting What Information to Log: Besides the standard information listed above, you can choose to log additional information. Those optional selections are as follows: Attempted access to blocked site; Connections to the Web-based interface of the modem router; Modem Router operation (start up, get time, etc.); Known DoS attacks and Port Scans. Saving Log Files on a Server: You can choose to write the logs to a computer running a syslog program. To activate this feature, select to Broadcast on Lan or enter the IP address of the server where the Syslog file will be written. Examples of Log Messages: Following are examples of log messages. In all cases, the log entry shows the timestamp as: Day, Year-Month-Date Hour:Minute:Sec
80. e væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF. Deutsch (German): NETGEAR, Inc. hereby declares that the device 54 Mbps ADSL Modem Wireless Router Model DG834G is in conformity with the essential requirements and the other relevant provisions of Directive 1999/5/EC. Eesti (Estonian): NETGEAR, Inc. hereby confirms that the device 54 Mbps ADSL Modem Wireless Router Model DG834G conforms to the essential requirements of Directive 1999/5/EC and to the other relevant provisions arising from that directive. English: Hereby, NETGEAR, Inc. declares that this 54 Mbps ADSL Modem Wireless Router Model DG834G is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Español (Spanish): NETGEAR, Inc. hereby declares that the 54 Mbps ADSL Modem Wireless Router Model DG834G complies with the essential requirements and any other applicable or enforceable provisions of Directive 1999/5/EC. Ελληνική (Greek): NETGEAR, Inc. hereby declares that the 54 Mbps ADSL Modem Wireless Router Model DG834G complies with the essential requirements and the other relevant provisions of Directive 1999/5/EC. Français (French): NETGEAR, Inc. hereby declares that the device 54 Mbps ADSL Modem Wireless Router Model DG834G conforms to the essential requirements and the other relevant provisions of Directive 1999/5/EC. Italiano: Con la presente NETGEAR Inc. dic
81. eMe connections are allowed only from a specified range of external IP addresses. In this case, we have also specified logging of any incoming CU-SeeMe requests that do not match the allowed parameters. [Figure 4-6: Inbound Services rule for CU-SeeMe] Considerations for Inbound Rules: If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menu so that external users can always find your network. If the IP address of the local server computer is assigned by DHCP, it may change when the computer is rebooted. To avoid this, use the Reserved IP address feature in the LAN IP menu to keep the computer's IP address constant. Local computers must access the local server using the computer's local LAN address (192.168.0.11 in the example above). Attempts by local computers to access the server using the external WAN IP address will fail. Outbound Rules (Service Blocking): The DG834G v3 allows you to block the use of certain Internet services by computers on your network. This is called service blocking or port filteri
82. ee "Wireless Communications" in Appendix C. Fill in the following: Radius Server Name/IP Address: This field is required. Enter the name or IP address of the Radius Server on your LAN. Radius Port: Enter the port number used for connections to the Radius Server. Radius Shared Key: Enter the desired value for the Radius shared key. This key enables the DG834G v3 to log in to the Radius server and must match the value used on the Radius server. How to Set Up and Test Basic Wireless Connectivity: Follow the instructions below to set up and test basic wireless connectivity. Once you have established basic wireless connectivity, you can enable security settings appropriate to your needs. 1. Log in to the DG834G v3 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up. 2. Click the Wireless Settings link in the main menu of the DG834G v3 firewall. 3. Choose a suitable descriptive name for the wireless network name (SSID). In the SSID box, enter a value of up to 32 alphanumeric characters. The default SSID is Wireless. Note: The SSID of any wireless access adapters must match the SSID you configure in the 54 Mbps ADSL Modem Wireless Router Model DG834G. If they do not match, you will not get a wireless connection to the DG834G v3.
83. el DG834G; AC power adapter (varies by region); Category 5 (Cat 5) Ethernet cable; Telephone cable with RJ-11 connector; Microfilters (quantity and type vary by region); DG834G ADSL Modem Wireless Router Resource CD, including this guide; Two plastic feet that can be used to stand the ADSL Modem Wireless Router on end; Warranty and Support Information cards. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair. The Router's Front Panel: The front panel shown below contains status LEDs. [Figure 2-1: front panel] You can use the LEDs to verify various conditions. Table 2-1 describes each LED. Table 2-1. LED Descriptions (Label: Activity, Description). 1. Power: On: Power is supplied to the router. Off: Power is not supplied to the router. 2. Test: On: The system is initializing. Off: The system is ready and running. 3. Internet: Blink Amber: Indicates ADSL training. On Green: The Internet port has detected a link with an attached device. Blink Green: Data is being transmitted or received by the Internet port. 4. Wireless: On: Indicates that the Wireless port is initialized. Off: The Wireless Access Point is turned off. On Green: The Lo
84. elect this check box to automatically check for updates to Trend Micro scanning components. Choose the desired checking interval from the list, and then click Apply. Note: If your ISP bills by the amount of time or traffic you use, set the update frequency to once a day. Client Virus Protection Status: Provides information on all computers on your network. IP Address: The computer's IP address. Computer Name: The name of the computer as shown in Control Panel System. Antivirus Software: The type of antivirus software installed on the computer. Virus Def. File Version: The version of the virus pattern file in use by the antivirus software. Scan Engine: The version of the scan engine in use by the antivirus software. Status: Indicates if the virus pattern file or scan engine require updating; if no recognized antivirus software is found, the status is Potential Threat. Parental Controls Settings: Click Parental Controls under Content Filtering on the Main menu to get the Trend Micro Parental Controls menu shown below. [Screenshot: Trend Micro Parental Controls menu]
85. ellow key symbol. Note: While your PC is connected to a remote LAN through a VPN, you might not have normal Internet access. If this is the case, you will need to close the VPN connection in order to have normal Internet access. Viewing the VPN Router's VPN Status and Log Information: To view information on the status of the VPN client connection, open the VPN router's VPN Status screen by following the steps below. 1. To view this screen, click the Router Status link of the VPN router's main menu, then click the VPN Status button. The VPN Status Log screen for a connection is shown below. [Figure B-26: VPN Status Log screen, with entries for the fromDG834G connection responding to Main Mode and Quick Mode, ISAKMP SA and IPsec SA being established, and the connection being deleted and re-added]
86. [Figure 4-13: Trend Micro Parental Controls menu] To configure Parental Controls: Click Always to turn on Parental Controls all the time. Click Never to turn off Parental Controls. Click Per Schedule to turn on Parental Controls at the times specified on the Schedule page. Note: After changing Parental Controls settings, click Apply to save changes. To select Parental Controls Mode: Click Use General Controls to select General mode. In General mode, one access profile applies to all users. Click Use Per-User Controls to select Per-User mode. In Per-User mode, each user has an individual access profile. Note
87. eminude depictions of the human body. Such depictions need not be sexual in intent or effect. May include sites containing nude paintings or photo galleries of an artistic nature. This category includes nudist or naturist sites. Pornography: Sites that contain sexually explicit material. Sex Education: Sites that provide information (sometimes graphic) on reproduction, sexual development, safe sex practices, sexuality, birth control, and sexual development. Also includes sites that offer tips for better sex as well as products used for sexual enhancement. Violence Hate Racism: Sites depicting or advocating physical harm to people or property. Includes sites that convey hostility or aggression toward, or the denigration of, an individual or group on the basis of race, religion, gender, nationality, ethnic origin, and so forth. Weapons: Sites that sell, review, or describe guns, knives, martial arts devices, and related accessories. Does not include sites that promote weapons collecting or groups that either support or oppose weapons ownership. Chapter 5 Managing Your Network: This chapter describes how to perform network management tasks with your 54 Mbps ADSL Modem Wireless Router Model DG834G. Backing Up, Restoring, or Erasing Your Settings: The configuration
88. er and software availability may be limited. Understanding Wireless Settings: To configure the Wireless interface of your modem router, click the Wireless Settings link in the Setup section of the main menu. The Wireless Settings menu will appear, similar to that shown below. [Figure 3-2: Wireless Settings menu] The following parameters are in the Wireless Settings menu. Wireless Network: Name (SSID): The Service Set ID, also known as the wireless network name. Enter a value of up to 32 alphanumeric characters. The same Name (SSID) must be assigned to all wireless devices in your network. The default SSID is NETGEAR, but NETGEAR strongly recommends that you change your network Name to a different value. Note: This value is case sensitive. For example, Wireless is not the same as wireless. Region: Select your country/region from the drop-down list. This field displays the region of operation for which the wirel
89. Table B-2. Profile Summary. VPN Consortium Scenario: Scenario 1. Type of VPN: LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway). Security Scheme: IKE with Preshared Secret/Key (not Certificate-based). IP Addressing: NETGEAR Gateway A: Fully Qualified Domain Name (FQDN); NETGEAR Gateway B: FQDN. [Figure B-5: VPNC Example Network Interface Addressing, showing the DG834G (FQDN dg834g.dyndns.org, LAN 10.5.6.0/24) and the FVL328 (FQDN fvl328.dyndns.org, LAN 172.23.9.0/24)] Note: Product updates are available on the NETGEAR, Inc. web site at http kbserver netgear com DG834G v3 asp. The Use of a Fully Qualified Domain Name (FQDN): Many ISPs (Internet Service Providers) provide connectivity to their customers using dynamic instead of static IP addressing. This means that a user's IP address does not remain constant over time, which presents a challenge for gateways attempting to establish VPN connectivity. A Dynamic DNS (DDNS) service allows a user whose public IP address is dynamically assigned to be located by a host or domain name. It provides a central public database where information (such as email addresses, host names, and IP addresses) can be stored and retrieved. Now a
90. 3. Click on VPN Status (Figure 7-29) to get the Current VPN Tunnels (SAs) screen (Figure 7-30). Click on Connect for the VPN tunnel you want to activate. [Figure 7-30: Current VPN Tunnels (SAs) screen] Activate the VPN Tunnel by Pinging the Remote Endpoint: Note: This section uses 192.168.3.1 for an example remote endpoint LAN IP address. To activate the VPN tunnel by pinging the remote endpoint (e.g., 192.168.3.1), do the following steps depending on whether your configuration is client-to-gateway or gateway-to-gateway. Client-to-Gateway Configuration: to check the VPN Connection, you can initiate a request from the remote PC to the DG834G v3's network by using the Connect option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. To perform a ping test using our example, start from the remote PC: a. Establish an Internet connection from the PC. b. On the Windows taskbar, click the Start button, and then click Run. c. Type ping -t 192.168.3.1 and then click OK.
91. es how to configure Trend Micro Home Network Security. Protecting Access to Your 54 Mbps ADSL Modem Wireless Router Model DG834G: For security reasons, the modem router has its own user name and password. Also, after a period of inactivity for a set length of time, the administrator login will automatically disconnect. When prompted, enter admin for the modem router User Name and password for the modem router Password. You can use procedures below to change the modem router's password and the amount of time for the administrator's login timeout. Note: The user name and password are not the same as any user name or password you may use to log in to your Internet connection. NETGEAR recommends that you change this password to a more secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of both upper and lower case letters, numbers, and symbols. Your password can be up to 30 characters. How to Change the Built-In Password: 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router. [Figure 4-1: browser address bar showing http://192.168.0.1] 2. From the Main Menu of the browser interface, under the Maintenance headin
92. es under VPN to invoke this screen. Click VPN Policies under VPN to invoke this screen. [Figure B-3: IKE policy and VPN policy screens] 3. Test the VPN tunnel by pinging the remote network fro
93. ess from your LAN to Internet locations or services that you specify as off-limits. Logs security incidents: The DG834G v3 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the modem router to email the log to you at specified intervals. You can also configure the modem router to send immediate alert messages to your email address or email pager whenever a significant event occurs. 802.11 Standards-based Wireless Networking: The ADSL Modem Wireless Router includes an 802.11g-compliant wireless access point, providing continuous, high-speed 10/100 Mbps access between your wireless and Ethernet devices. The access point provides: 802.11g Standards-based wireless networking at up to 54 Mbps; Works with both 802.11g and 802.11b wireless devices; 64-bit and 128-bit WEP encryption security (WEP keys can be entered manually or generated by passphrase); Support for Wi-Fi Protected Access Pre-Shared Key (WPA-PSK) encryption and 802.1x authentication; Wireless access can be restricted by MAC address. Easy Installation and Management: You can install, configure, and operate the DG834G v3 within minutes after connecting it to the network. The following features simplify installation and management tasks. Browser-based management: Browser-based configuration allows you to e
94. ess interface is intended. Note: In the USA, the Region is preset according to regulatory requirements and cannot be changed. In other areas, you can and must set the Region. It may not be legal to operate the wireless access point in a region other than one of those identified in this field. Channel: This field determines which operating frequency will be used. It should not be necessary to change the wireless channel unless you notice interference problems with another nearby access point. Mode: The default is "g & b", which allows both "g" and "b" wireless stations to access this device. "g only" allows only 802.11g wireless stations to be used. "b only" allows 802.11b wireless stations; 802.11g wireless stations can still be used if they can operate in 802.11b mode. Wireless Access Point: Enable Wireless Access Point: This field lets you turn off or turn on the wireless access point built in to the modem router. The wireless icon on the front of the modem router will also display the current status of the Wireless Access Point to let you know if it is disabled or enabled. The wireless access point must be enabled to allow wireless stations to access the Internet. Allow Broadcast of Name (SSID): If enabled, the SSID is broadcast to all Wireless Stations. Stations which have no SSID (or a null value) can then adopt the correct SSID for connections to this Access Point.
95. est the VPN connection from the VPN router to the client PC. Run ping tests from the Diagnostics link of the VPN router main menu. Monitoring the VPN Tunnel (Telecommuter Example). Viewing the PC Client's Connection Monitor and Log Viewer: To view information on the progress and status of the VPN client connection, open the 54 Mbps ADSL Modem Wireless Router Model DG834G Log Viewer. 1. To launch this function, click on the Windows Start button, then select Programs, then 54 Mbps ADSL Modem Wireless Router Model DG834G, then Log Viewer. Note: Use the active VPN tunnel information and pings to determine whether a failed connection is due to the VPN tunnel or some reason outside the VPN tunnel. 2. The Connection Monitor screen is shown below. [Figure B-25: Connection Monitor screen] While the connection is being established, the Connection Name field in this menu will show SA before the name of the connection. When the connection is successful, the SA will change to the y
96. ey [Figure B-19] f. In the Pre-Shared Key dialog box, click the Enter Key button. Enter the DG834G v3's Pre-Shared Key and click OK. In this example, 12345678 is entered. This field is case sensitive. 5. Configure the VPN Client Authentication Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the VPN router configuration. a. In the Network Security Policy list on the left side of the Security Policy Editor window, expand the Security Policy heading by double-clicking its name or clicking on the + symbol. b. Expand the Authentication subheading by double-clicking its name or clicking on the + symbol. Then select Proposal 1 below Authentication. [Figure B-20: Security Policy Editor, Authentication (Phase 1) Proposal 1, showing Encrypt Alg Triple DES, Hash Alg SHA-1, SA Life Unspecified, Key Group Diffie-Hellman Group 2] In the Authen
97. eying setup in which you must specify each phase of the connection (see "Using Manual Policy to Configure VPN Tunnels" on page 7-48). Table 7-2. Parameters Recommended by the VPNC and Used in the VPN Wizard (Parameter: Factory Default). Secure Association: Main Mode. Authentication Method: Pre-shared Key. Encryption Method: 3DES. Authentication Protocol: SHA-1. Diffie-Hellman (DH) Group: Group 2 (1024 bit). Key Life: 8 hours. IKE Life Time: 1 hour. What level of IPSec VPN encryption will you use? DES: The Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES. 3DES: Triple DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys. What level of authentication will you use? MD5: 128 bits, faster but less secure. SHA-1: 160 bits, slower but more secure. VPN Tunnel Configuration: There are two tunnel configurations and three ways to configure them. Use the VPN Wizard to configure a VPN tunnel (recommended for most situations): See "How to Set Up a Client-to-Gateway VPN Configuration" on page 7-7. See "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 7
98. from 192.168.3.1: bytes=32 time=18ms TTL=254. Reply from 192.168.3.1: bytes=32 time=2ms TTL=254 (Figure 7-33). Note: The pings may fail the first time. If so, then try the pings a second time. Start Using a VPN Tunnel to Activate It: To use a VPN tunnel, use a Web browser to go to a URL whose IP address or range is covered by the policy for that VPN tunnel. Verifying the Status of a VPN Tunnel: To use the VPN Status page to determine the status of a VPN tunnel, perform the following steps. 1. Log in to the Modem Router. 2. Open the DG834G v3 management interface and click on VPN Status to get the VPN Status Log screen (Figure 7-34). [Figure 7-34: VPN Status Log with the entries: Tue 2004-06-22 22:58:26 GtoG initiating Main Mode; 2004-06-22 22:58:26 GtoG ISAKMP SA established; 2004-06-22 22:58:26 GtoG sent QI2, IPsec SA established; 2004-06-22 22:58:27 GtoG sent QI2, IPsec SA established] Log: this log shows the details of recent VPN activity, including the building of the VPN tunnel. If there is a problem with the VPN tunnel, refer to the log for information about what might be the cause of the problem. Click Refresh to see the most recent entries. Click Clear Log to delete all log entries.
99. g select Set Password to bring up the menu shown. [Figure 4-2: Set Password menu with Old Password, Set Password and Repeat New Password fields, and the Administrator login times out setting] To change the password, first enter the old password, and then enter the new password twice. Click Apply to save your changes. Note: After changing the password, you will be required to log in again to continue the configuration. If you have backed up the modem router settings previously, you should do a new backup so that the saved settings file includes the new password. Changing the Administrator Login Timeout: For security, the administrator's login to the modem router configuration will time out after a period of inactivity. To change the login timeout period: 1. In the Set Password menu, type a number in the Administrator login times out field. The suggested default value is 5 minutes. 2. Click Apply to save your changes, or click Cancel to keep the current period. Configuring Basic Firewall Services: Basic firewall services you can configure include access blocking and scheduling of firewall security. These topics are presented below. Blocking Keywords, Sites, and Services: The modem router provides a variety of options for blocking Internet-based content and communications services. With its content
100. hat the port's LED is green. If the port is 10 Mbps, the LED will be amber. If any of these conditions does not occur, refer to the appropriate following section. Power LED Not On: If the Power and other LEDs are off when your router is turned on: Make sure that the power cord is properly connected to your router and that the power supply adapter is properly connected to a functioning power outlet. Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support. Test LED Never Turns On or Test LED Stays On: When the router is turned on, the Test LED turns on for about 10 seconds and then turns off. If the Test LED does not turn on, or if it stays on, there is a fault within the router. If you experience problems with the Test LED: Cycle the power to see if the router recovers and the LED blinks for the correct amount of time. If all LEDs, including the Test LED, are still on one minute after power up: Cycle the power to see if the router recovers. Clear the router's configuration to factory defaults. This will set the router's IP address to 192.168.0.1. This procedure is explained in Using the Reset button on page 8-9. If the error persists, you might have a hardware problem and should contact technical support. LAN or Internet Port LEDs Not On: If either the LAN LEDs or Internet LED do not light when the Et
101. he DNS server configuration is working. Display the Routing Table to identify what other modem routers the modem router is communicating with. Reboot the modem router to enable new network configurations to take effect or to clear problems with the modem router's network connection. From the Main Menu of the browser interface, under the Maintenance heading, select the Modem Router Diagnostics heading to display the menu shown. [Figure 5-9: Diagnostics menu with Ping an IP address, Perform a DNS Lookup, Display the Routing Table, and Reboot the Router] Enabling Remote Management: Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade, and check the status of your 54 Mbps ADSL Modem Wireless Router Model DG834G. Tip: Be sure to change the modem router's default password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters. Configuring Remote Management: 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password
102. he Encrypt Alg menu, select the type of encryption. In this example, use Triple DES. f. In the Hash Alg menu, select SHA-1. g. In the Encapsulation menu, select Tunnel. h. Leave the Authentication Protocol (AH) checkbox unchecked. Save the VPN Client settings: From the File menu at the top of the Security Policy Editor window, select Save. After you have configured and saved the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN router's LAN. 8. Check the VPN Connection. To check the VPN Connection, you can initiate a request from the remote PC to the VPN router's network by using the Connect option in the ADSL Modem Wireless Router menu bar (see Figure B-22). Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. a. Right-click the system tray icon to open the popup menu. b. Select Connect to open the My Connections list. c. Choose toDG834G. The 54 Mbps ADSL Modem Wireless Router Model DG834G will report the results of the attempt to connect. Once the connection is established, you can access resources of the network connected to the VPN router. [Popup menu items: Security Policy Editor, Certificate Manager, Deactivate Security Policy, Reload Security Policy, Remove Icon] Right mouse
103. hen choose a profile from the list. To create a custom profile, click Use Custom Settings, and then select the check boxes as desired. For additional choices, click More Categories. To allow unrestricted Internet access, click No Restrictions. 4. Click Apply. To change a user's account information: 1. Select the user's name in the User Account Information table, and then click Edit. 2. Make the desired changes, and then click Apply. To delete a user, select the user's name in the User Account Information table, and then click Delete. Parental Controls Logs: Click Parental Controls Logs to view attempts to access restricted sites and actual accesses. Blocking criteria for potentially offensive categories: Trend Micro has defined twelve potentially offensive categories of Web sites. Following are the blocking criteria for each category. Adult/Mature Content: Sites that contain material of an adult nature, but without excessive violence, sexual content, or nudity. These sites may include profane or vulgar content not appropriate for children. Alcohol/Tobacco: Sites that promote or sell alcohol and tobacco products. Includes sites that glamorize or otherwise encourage alcohol or tobacco use. Does not include sites that sell alcohol or tobacco as a subset of another business. Gambling: Sites where users can
104. hernet connection is made, check the following: Make sure that the Ethernet cable connections are secure at the router and at the hub or workstation. Make sure that power is turned on to the connected hub or workstation. Be sure you are using the correct cable. When connecting the router's WAN ADSL port, use the cable that was supplied with the DG834G v3. Troubleshooting the Web Configuration Interface: If you are unable to access the router's Web Configuration interface from a computer on your local network, check the following: If you are using an Ethernet-connected computer, check the Ethernet connection between the computer and the router as described in the previous section. Make sure your computer's IP address is on the same subnet as the router. If you are using the recommended addressing scheme, your computer's address should be in the range of 192.168.0.2 to 192.168.0.254. Refer to Preparing a Computer for Network Access in Appendix C to find your computer's IP address. Note: If your computer's IP address is shown as 169.254.x.x: Recent versions of Windows and MacOS will generate and assign an IP address if the computer cannot reach a DHCP server. These auto-generated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the computer to the router and
105. declares that this 54 Mbps ADSL Modem Wireless Router Model DG834G complies with the essential requirements and the other relevant provisions established by Directive 1999/5/EC (Italian). Latvian: Hereby NETGEAR Inc. declares that the 54 Mbps ADSL Modem Wireless Router Model DG834G complies with the essential requirements of Directive 1999/5/EC and other related provisions. Lithuanian: Hereby NETGEAR Inc. declares that this 54 Mbps ADSL Modem Wireless Router Model DG834G complies with the essential requirements and other provisions of Directive 1999/5/EC. Dutch: Hereby NETGEAR Inc. declares that the device 54 Mbps ADSL Modem Wireless Router Model DG834G is in compliance with the essential requirements and the other relevant provisions of Directive 1999/5/EC. Maltese: Hereby NETGEAR Inc. declares that this 54 Mbps ADSL Modem Wireless Router Model DG834G complies with the essential requirements and other relevant provisions of Directive 1999/5/EC. Hungarian: The undersigned, NETGEAR Inc., declares that the 54 Mbps ADSL Modem Wireless Router Model DG834G complies with the relevant essential requirements and the other provisions of Directive 1999/5/EC. Polish: Hereby NETGEAR Inc. declares that the 54 Mbps ADSL Modem Wireless Router Model DG834G is compliant with the essential requirements and the other relevant provisions of the Directive
106. hoose how you want this type of traffic to be handled. You can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu. Send to LAN Server: Enter the IP address of the computer or server on your LAN which will receive the inbound traffic covered by this rule. WAN Users: These settings determine which packets are covered by the rule, based on their source (WAN) IP address. Select the desired option. Any: all IP addresses are covered by this rule. Address range: if this option is selected, you must enter the Start and Finish fields. Single address: enter the required address in the Start field. Log: You can select whether the traffic will be logged. The choices are: Never: no log entries will be made for this service. Always: any traffic for this service type will be logged. Match: traffic of this type which matches the parameters and action will be logged. Not match: traffic of this type which does not match the parameters and action will be logged. Inbound Rule Example, Allowing Videoconferencing: If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown here, CU Se
107. hould show the ProSafe icon in the system tray after rebooting. Double-click the system tray icon to open the Security Policy Editor. 2. Add a new connection. a. Run the NETGEAR ProSafe Security Policy Editor program and create a VPN Connection. b. From the Edit menu of the Security Policy Editor, click Add, then Connection. A New Connection listing appears in the list of policies. Rename the New Connection so that it matches the Connection Name you entered in the VPN Settings of the DG834G v3 on Gateway A. Note: In this example, the Connection Name used on the client side of the VPN tunnel is toDG834G, and it does not have to match the VPN client Connection Name used on the gateway side of the VPN tunnel (see Figure B-16), because Connection Names have no bearing on how the VPN tunnel functions. Tip: Choose Connection Names that make sense to the people using and administrating the VPN. [Figure: Security Policy Editor, New Connection settings with Connection Security and Remote Party Identity and Addressing]
109. if you enable Trend Micro Home Security. Security Service Settings: Click Security Service under Content Filtering on the Main menu to get the Security Service Settings menu shown below. [Figure 4-12: Security Service Settings menu with Enable Trend Micro Security Services, the Trend Micro Home Network Security banner, Update Checking Interval, and the Client Virus Protection Status table] To install Home Network Security, click the Trend Micro banner and then follow the on-screen instructions. For assistance, refer to the Home Network Security Quick Start Guide included on the NETGEAR Resource CD. You can download this document and the Home Network Security User's Guide at http://www.trendmicro.com/en/support/tmss/netgear. Enable Trend Micro Security Services: Select this check box, and then click Apply to enable the Security Service features on this page: automatic updates and Client Virus Protection Status information. Automatically check for update components: S
110. in an IP address by DHCP from the firewall. Once your computers have basic wireless connectivity to the firewall, you can configure the advanced wireless security functions of the firewall. How to Restrict Wireless Access to Your Network: By default, any wireless PC that is configured with the correct SSID will be allowed access to your wireless network. For increased security, the 54 Mbps ADSL Modem Wireless Router Model DG834G provides several ways to restrict wireless access to your network: Turn off wireless connectivity completely. Restrict access based on the Wireless Network Name (SSID). Restrict access based on the Wireless Card Access List. These options are discussed below. [Figure 3-3: Wireless Access Point options: Enable Wireless Access Point, Allow Broadcast of Name (SSID)] Restricting Access to Your Network by Turning Off Wireless Connectivity: You can completely turn off the wireless portion of the DG834G v3. For example, if your notebook computer is used to wirelessly connect to your router and you take a business trip, you can turn off the wireless portion of the router while you are traveling. Other members of your household who use computers connected to the router via Ethernet cables will still be able to use the router. Restricting Wireless Access Based on the Wireless Network Name (SSID): The DG
111. ion Wireless Isolation: If enabled, Wireless Stations will not be able to communicate with each other or with Stations on the wired network. This feature should normally be disabled. Wireless Station Access List: By default, any wireless computer that is configured with the correct wireless network name or SSID will be allowed access to your wireless network. For increased security, you can restrict access to the wireless network to only specific computers based on their MAC addresses. Click Setup Access List to display the Wireless Station Access List menu. Security Options: Table 3-1, Wireless Security Options (Field: Description). Disable: Wireless security is not used. WEP (Wired Equivalent Privacy): You can select the following WEP options. Authentication Type: Open: the DG834G v3 does not perform any authentication. Shared: WEP shared key authentication. For a full explanation of WEP shared key, see Wireless Communications in Appendix C. Encryption Strength: If Shared or Open Network Authentication is enabled, you can choose 64- or 128-bit WEP data encryption. Note: With Open Network Authentication and 64- or 128-bit WEP Data Encryption, the DG834G v3 does perform 64- or 128-bit data encryption but does not perform any authentication. Security Encryption (WEP) Key: These key values must be identical on all wireless
112. ke you to the Dynamic DNS Menu. 3. On the DG834G v3, configure the Dynamic DNS settings. a. Browse to the Dynamic DNS Setup Screen (see Figure B-6) in the Advanced menu. [Figure B-6: Dynamic DNS screen with Use a Dynamic DNS Service, Service Provider www.DynDNS.org, Host Name, User Name, Password, and Use Wildcards] b. Configure this screen with appropriate account and hostname settings, and then click Apply. Check the box Use a Dynamic DNS Service. Host Name: dg834g.dyndns.org. User Name: user's account username. Password: user's account password. c. Click Show Status. The resulting screen should show Update OK: good (see Figure B-7). [Figure B-7: DDNS Status window showing Update OK: good] 4. On the FVL328, configure the Dynamic DNS settings. Assume a properly configured DynDNS account. a. Browse to the Dynamic DNS Setup Screen (see Figure B-8) in the Advanced menu. [Figure B-8: Dynamic DNS screen with the service choices None, DynDNS.org, TZO.com, and ngDDNS] b. Select the DynDNS org
113. l or IKE keying methods, standard MD5 and SHA-1 authentication methods, and standard DES and 3DES encryption methods. It is compatible with many other VPN products. Supports 3DES encryption for maximum security. VPN Wizard based on VPNC recommended settings. Auto Sensing and Auto Uplink LAN Ethernet Connections: With its internal 4-port 10/100 switch, the DG834G v3 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. The local LAN ports are autosensing and capable of full-duplex or half-duplex operation. The modem router incorporates Auto Uplink technology. Each local Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection, such as to a computer, or an uplink connection, such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection. Content Filtering: With its content filtering feature, the DG834G v3 prevents objectionable content from reaching your PCs. The modem router allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the modem router to log and report attempts to acces
114. lem. For the common problems listed, go to the section indicated. Is the router on? Have I connected the router correctly? Go to Basic Functioning on page 8-1. I can't access the router's configuration with my browser. Go to Troubleshooting the Web Configuration Interface on page 8-3. I've configured the router but I can't access the Internet. Go to Troubleshooting the ISP Connection on page 8-4. I can't remember the router's configuration password. Go to Restoring the Default Configuration and Password on page 8-9. I want to clear the configuration and start over again. Go to Restoring the Default Configuration and Password on page 8-9. Basic Functioning: After you turn on power to the router, the following sequence of events should occur. 1. When power is first applied, verify that the Power LED is on (see The Router's Front Panel on page 2-8 for an illustration and explanation of the LEDs). 2. Verify that the Test LED lights within a few seconds, indicating that the self-test procedure is running. 3. After approximately 10 seconds, verify that: a. The Test LED is not lit. b. The LAN port LEDs are lit for any local ports that are connected. c. The WAN port LED is lit. If a port's LED is lit, a link has been established to the connected device. If a LAN port is connected to a 100 Mbps device, verify t
115. lt password of password, or using whatever LAN address and password you have set up. Click Wireless Settings in the Setup section of the main menu of the DG834G v3. Choose the WPA-PSK radio button. The WPA-PSK page will display a WPA-PSK Security Encryption section. Enter the pre-shared key in the Passphrase field. Click Apply to save your settings. How to Configure WPA-802.1x: Note: Not all wireless adapters support WPA. Consult the product document for your wireless adapter for instructions on configuring WPA settings. To configure WPA-802.1x, follow these steps: 1. Log in at the default LAN address of http://192.168.0.1 with the default user name of admin and default password of password, or using whatever LAN address and password you have set up. 2. Click Wireless Settings in the Setup section of the main menu of the DG834G v3. 3. Choose the WPA-802.1x radio button. The page will display the WPA-802.1x section. 4. Enter the Radius server name/IP address. 5. Enter the Radius port number. 6. Enter the Shared Key. 7. Click Apply to save your settings. Chapter 4, Protecting Your Network: This chapter describes how to use the basic firewall features of the 54 Mbps ADSL Modem Wireless Router Model DG834G to protect your network. It also describ
116. m a PC attached to the DG834G v3: a. Open the command prompt (Start > Run > cmd). b. ping 172.23.9.1 [Figure B-4: ping output, Pinging 172.23.9.1 with 32 bytes of data, followed by replies with TTL=128] Note: The pings may fail the first time. If this happens, try the pings a second time. DG834G v3 with FQDN to FVL328: This appendix is a case study on how to configure a VPN tunnel from a NETGEAR DG834G v3 to a FVL328 using a Fully Qualified Domain Name (FQDN) to resolve the public address of one or both routers. This case study follows the VPN Consortium interoperability profile guidelines found at http://www.vpnc.org/InteropProfiles/Interop-01.html. Configuration Profile: The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify that the firmware is up to date, and collect all of the addresses that will be necessary and all of the parameters that need to be set on both sides. Check that there are no firewall restrictions.
117. mputer may not have the modem router configured as its TCP/IP modem router. If your computer obtains its information from the modem router by DHCP, reboot the computer and verify the modem router address as described in Preparing a Computer for Network Access in Appendix C. Troubleshooting a TCP/IP Network Using the Ping Utility: Most TCP/IP terminal devices and routers contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. Troubleshooting a TCP/IP network is made very easy by using the ping utility in your computer. Testing the LAN Path to Your Router: You can ping the router from your computer to verify that the LAN path to your router is set up correctly. To ping the router from a PC running Windows 95 or later: 1. From the Windows toolbar, click the Start button and select Run. 2. In the field provided, type Ping followed by the IP address of the router, as in this example: ping 192.168.0.1 3. Click OK. You should see a message like this one: Pinging IP address with 32 bytes of data. If the path is working, you see this message: Reply from IP address: bytes=32 time=NN ms TTL=xxx. If the path is not working, you see this message: Request timed out. If the path is not functioning correctly, you could have one of the following problems:
118. n Figure 7-38. Click Drop for the VPN tunnel you want to deactivate. [Figure 7-38: Current VPN Tunnels (SAs) table with columns SPI In, SPI Out, Policy Name, Remote Endpoint, Action, SLifeTime, and HLifeTime, showing the RoadWarrior tunnel with a Drop button] Deleting a VPN Tunnel: To delete a VPN tunnel: 1. Log in to the Modem Router. 2. Open the DG834G v3 management interface and click VPN Policies to display the VPN Policies screen (Figure 7-39). Select the radio button for the VPN tunnel to be deleted and click the Delete button. [Figure 7-39: VPN Policies, Policy Table with columns Enable, Name, Type, Local, Remote, and ESP, showing the RoadWarrior Auto policy with 3DES] How to Set Up VPN Tunnels in Special Circumstances: When the VPN Wizard and its VPNC defaults (see Table 7-2) are not appropriate for your special circumstances, use one of the following alternatives: Auto Policy, for a typical automated Internet Key Exchange (IKE) setup; see Using Auto Policy to Configure VPN Tunnels on page 7-38. Auto Policy uses the IKE protocol to define the authentication scheme and automatically gene
119. ng. You can define an outbound rule to block Internet access from a local computer based on: IP address of the local computer (source address). IP address of the Internet site being contacted (destination address). Time of day. Type of service being requested (service port number). Following is an application example of outbound rules. Outbound Rule Example, Blocking Instant Messenger: If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the modem router log any attempt to use Instant Messenger during that blocked period. [Figure 4-7: Outbound Services rule with Service: AIM (TCP 5190), Action: BLOCK by schedule, otherwise allow, LAN users: Any, WAN Users: Any] The parameters are: Service: From this list, select the application or service to be allowed or blocked. The list already displays many common services, but you are not limited to these choices. Use the Add Custom Service feature to add any additional services or applications that do not already appear. Action: Choose how you want this type of traffic to be handled. Y
120. nnection Status button. If all of the steps indicate OK, then your PPPoE or PPPoA connection is up and working. If any of the steps indicates Failed, you can attempt to reconnect by clicking Connect. The modem router will continue to attempt to connect indefinitely. If you cannot connect after several minutes, you may be using an incorrect Service Name, User Name, or Password. There also may be a provisioning problem with your ISP. Note: Unless you connect manually, the modem router will not authenticate using PPPoE or PPPoA until data is transmitted to the network. Troubleshooting Internet Browsing: If your modem router can obtain an IP address but your computer is unable to load any Web pages from the Internet: Your computer may not recognize any DNS server addresses. A DNS server is a host on the Internet that translates Internet names (such as www addresses) to numeric IP addresses. Typically, your ISP will provide the addresses of one or two DNS servers for your use. If you entered a DNS address during the modem router's configuration, reboot your computer and verify the DNS address as described in Preparing a Computer for Network Access in Appendix C. Alternatively, you can configure your computer manually with DNS addresses, as explained in your operating system documentation. Your co
121. nu, select Tunnel. h. Leave the Authentication Protocol (AH) checkbox unchecked. 7. Save the VPN Client Settings. From the File menu at the top of the Security Policy Editor window, select Save. After you have configured and saved the VPN client information, your PC will automatically open the VPN connection when you attempt to access any IP addresses in the range of the remote VPN router's LAN. 8. Check the VPN Connection. To check the VPN Connection, you can initiate a request from the remote PC to the DG834G v3's network by using the Connect option in the NETGEAR ProSafe menu bar. The NETGEAR ProSafe client will report the results of the attempt to connect. Since the remote PC has a dynamically assigned WAN IP address, it must initiate the request. To perform a ping test using our example, start from the remote PC: Establish an Internet connection from the PC. On the Windows taskbar, click the Start button, and then click Run. Type ping -t 192.168.3.1 and then click OK. [Figure 7-15: Windows Run dialog] This will cause a continuous ping to be sent to the first DG834G v3. After between several seconds and two minutes, the ping response should change from timed out to reply. C
122. o Gateway VPN Tunnel on the DG834G v3" on page 7-7 uses the VPN Wizard to configure the VPN tunnel between the remote PC and network gateway. • "Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC" on page 7-12 configures the NETGEAR ProSafe VPN Client endpoint. Step 1: Configuring the Client-to-Gateway VPN Tunnel on the DG834G v3. Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 7-2 on page 7-5. If you have special requirements not covered by these VPNC-recommended parameters, refer to "How to Set Up VPN Tunnels in Special Circumstances" on page 7-38 to set up the VPN tunnel. The worksheet below identifies the parameters used in the following procedure. A blank worksheet is at "Planning a VPN" on page 7-4. Table 7-3. VPN Tunnel Configuration Worksheet: Connection Name: RoadWarrior; Pre-Shared Key: 12345678; Secure Association (Main Mode or Manual Keys): Main; Perfect Forward Secrecy (Enabled or Disabled): Disabled; Encryption Protocol (DES or 3DES): 3DES; Authentication Protocol (MD5 or SHA-1): SHA-1; Diffie-Hellman (DH) Group (Group 1 or Group 2): Group 2; Key Life in seconds: 28800 (8 hours); IKE Life Time in seconds: 3600 (1 hour). VPN Endpoint, Local IPSec ID, LAN IP Address
123. o set up a VPN connection, you must configure each endpoint with specific identification and connection information describing the other endpoint. You must configure the outbound VPN settings on one end to match the inbound VPN settings on the other end, and vice versa. This set of configuration information defines a security association (SA) between the two VPN endpoints. When planning your VPN, you must make a few choices first: • Will the local end be any device on the LAN, a portion of the local network (as defined by a subnet or by a range of IP addresses), or a single PC? • Will the remote end be any device on the remote LAN, a portion of the remote network (as defined by a subnet or by a range of IP addresses), or a single PC? • Will either endpoint use Fully Qualified Domain Names (FQDNs)? FQDNs supplied by Dynamic DNS providers (see "The Use of a Fully Qualified Domain Name (FQDN)" on page B-8) can allow a VPN endpoint with a dynamic IP address to initiate or respond to a tunnel request. Otherwise, the side using a dynamic IP address must always be the initiator. • What method will you use to configure your VPN tunnels? The VPN Wizard using VPNC defaults (see Table 7-2). The typical automated Internet Key Exchange (IKE) setup (see "Using Auto Policy to Configure VPN Tunnels" on page 7-38). A Manual K
124. Configuration Summary (Telecommuter Example). The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Assure that there are no firewall restrictions. Table B-3. Configuration summary (telecommuter example): VPN Consortium Scenario: Scenario 1; Type of VPN: PC/client-to-gateway, with client behind NAT router; Security Scheme: IKE with Preshared Secret/Key (not Certificate-based); IP Addressing: Gateway: Fully Qualified Domain Name (FQDN), Client: Dynamic. Figure B-12: Telecommuter Example (Gateway A: router at employer's main office; NAT Router B: router at telecommuter's home office; Client B: PC running NETGEAR ProSafe VPN Client). Setting Up the Client-to-Gateway VPN Configuration (Telecommuter Example): Setting up a VPN between a remote PC running the NETGEAR ProSafe VPN Client and a network gateway involves the following two steps: Step 1: Configuring the Client to Gate
125. oints have current device status at the expense of additional network traffic. Longer durations may compromise the freshness of the device status but can significantly reduce network traffic. Advertisement Time To Live: The time to live for the advertisement is measured in hops (steps) for each UPnP packet sent. A hop is the number of steps allowed to propagate for each UPnP advertisement before it disappears. The number of hops can range from 1 to 255. The default value for the advertisement time to live is 4 hops, which should be fine for most home networks. If you notice that some devices are not being updated or reached correctly, then it may be necessary to increase this value a little. UPnP Portmap Table: The UPnP Portmap Table displays the IP address of each UPnP device that is currently accessing the Router and which ports (Internal and External) that device has opened. The UPnP Portmap Table also displays what type of port is opened and if that port is still active for each IP address. 3. To save, cancel, or refresh the table: Click Apply to save the new settings to the Router. Click Cancel to disregard any unsaved changes. Click Refresh to update the portmap table and to show the active ports that are currently opened by UPnP devices. Chapter 7: Virtual Private Networking. This chapter describes how to use the virtual private networking (VPN) features of the ADSL Modem Wireles
126. on on the left side of the table and click Delete Service. 3. Use the page shown below to define or edit a service (Figure 4-10: Services, Service Definition). 4. Click Apply to save your changes. Setting Times and Scheduling Firewall Services: The ADSL Modem Wireless Router uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. How to Set Your Time Zone: In order to localize the time for your log entries, you must specify your Time Zone. 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router. 2. Select the Schedule link of the Security menu to display the menu shown below (Figure 4-11: Schedule). 3. Select your time zone. This setting will be used for the blocking schedule according to your local time zone and for time-stamping log entries. Select the Adjust for daylight savings time check box if your time zone is currently in daylight savings time. Note: If your region uses Daylight Savings Time, you must manuall
127. ond Activation and Administration
Tue, 2002-05-21 18:48:39 - NETGEAR activated
This entry indicates a power-up or reboot with initial time entry.
Tue, 2002-05-21 18:55:00 - Administrator login successful - IP:192.168.0.2
Thu, 2002-05-21 18:56:58 - Administrator logout - IP:192.168.0.2
This entry shows an administrator logging in and out from IP address 192.168.0.2.
Tue, 2002-05-21 19:00:06 - Login screen timed out - IP:192.168.0.2
This entry shows a time-out of the administrator login.
Wed, 2002-05-22 22:00:19 - Log emailed
This entry shows when the log was emailed.
Dropped Packets
Wed, 2002-05-22 07:15:15 - TCP packet dropped - Source:64.12.47.28,4787,WAN - Destination:134.177.0.11,21,LAN - [Inbound Default rule match]
Sun, 2002-05-22 12:50:33 - UDP packet dropped - Source:64.12.47.28,10714,WAN - Destination:134.177.0.11,6970,LAN - [Inbound Default rule match]
Sun, 2002-05-22 21:02:53 - ICMP packet dropped - Source:64.12.47.28,0,WAN - Destination:134.177.0.11,0,LAN - [Inbound Default rule match]
These entries show an inbound FTP (port 21) packet, User Datagram Protocol (UDP) packet (port 6970), and Internet Control Message Protocol (ICMP) packet (port 0) being dropped as a result of the default inbound rule, which states that all inbound packets are denied. Enabling Security E
128. ou are physically located from your ISP's facilities. Noise Margin: This is the signal-to-noise ratio and is a measure of the quality of the signal on the line. Poll Interval: Specifies the interval at which the statistics are updated in this window. Click Stop to freeze the display. Click the Connection Status button to display the modem router connection status, shown below (Figure 5-5: Connection Status). This screen shows the following statistics. Table 5-3. Connection Status Fields for PPPoA: Connection Time: The time elapsed since the last connection to the Internet via the ADSL port. Connecting to Sender: The connection status. Negotiation: ON or OFF. Authentication: ON or OFF. IP Address: The IP Address assigned to the WAN port by the ADSL Internet Service Provider. Network Mask: The Network Mask assigned to the WAN port by the ADSL Internet Service Provider. Viewing Attached Devices: The Attache
129. ou can block or allow always, or you can choose to block or allow according to the schedule you have defined in the Schedule menu. LAN Users: These settings determine which packets are covered by the rule, based on their source LAN IP address. Select the desired option: Any: all IP addresses are covered by this rule. Address range: if this option is selected, you must enter the Start and Finish fields. Single address: enter the required address in the Start field. WAN Users: These settings determine which packets are covered by the rule, based on their destination WAN IP address. Select the desired option: Any: all IP addresses are covered by this rule. Address range: if this option is selected, you must enter the Start and Finish fields. Single address: enter the required address in the Start field. Log: You can select whether the traffic will be logged. The choices are: Never: no log entries will be made for this service. Always: any traffic for this service type will be logged. Match: traffic of this type that matches the parameters and action will be logged. Not match: traffic of this type that does not match the parameters and action will be logged. Order of Precedence for Rules: As you define new rules, they are added to the tables in the Rules
130. ou should be able to connect all your telephones. If disconnecting telephones does not result in a green Internet LED, the problem may be one of the following: • Check that the telephone company has made the connection to your line and tested it. • Verify that you are connected to the correct telephone line. If you have more than one phone line, be sure that you are connected to the line with the ADSL service. It may be necessary to use a swapper if your ADSL signal is on pins 1 and 4 of the RJ-11 jack. The ADSL Modem Wireless Router uses pins 2 and 3. Obtaining a WAN IP Address: If your modem router is unable to access the Internet and your Internet LED is green or blinking green, you should determine whether the modem router is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your modem router must request an IP address from the ISP. You can determine whether the request was successful using the browser interface. To check the WAN IP address from the browser interface: 1. Launch your browser and select an external site such as www.netgear.com. 2. Access the Main Menu of the modem router's configuration at http://192.168.0.1. 3. Under the Maintenance heading, check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your modem router has not obtained an IP address from your ISP. If your router is unable to obtain an IP address from the ISP, the problem may be one of the following
131. ow to Upgrade the Modem Router Firmware: NETGEAR recommends that you back up your configuration before doing a firmware upgrade. After the upgrade is complete, you may need to restore your configuration settings. 1. Download and unzip the new software file from NETGEAR. The Web browser used to upload new firmware into the modem router must support HTTP uploads. NETGEAR recommends using Microsoft Internet Explorer 5.0 or above, or Netscape Navigator 4.7 or above. 2. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password and LAN address you have chosen for the modem router. 3. From the Main Menu of the browser interface, under the Maintenance heading, select the Modem Router Upgrade heading to display the menu shown (Figure 5-2: Firmware Upgrade). 4. In the Modem Router Upgrade menu, click Browse to locate the binary (BIN or IMG) upgrade file. 5. Click Upload. Do not interrupt the Web browser by closing the window, clicking a link, or loading a new page. If the browser is interrupted, it may corrupt the software. When the upload is complete, your modem router will automatically restart. The upgrade process will typically take about one minute. In some cases, you may need to clear the configuration and reconfigure the modem router after upgrading. i W
132. p (Group 1 or Group 2); Key Life in seconds; IKE Life Time in seconds. Worksheet values: GtoG; 12345678; Main; Disabled; 3DES; SHA-1; Group 2; 28800 (8 hours); 3600 (1 hour). VPN Endpoint DG834G v3 A: Local IPSec ID GW A, LAN IP Address 192.168.0.1, Subnet Mask 255.255.255.0, FQDN or Gateway IP (WAN IP Address) 14.15.16.17. VPN Endpoint DG834G v3 B: Local IPSec ID GW B, LAN IP Address 192.168.3.1, Subnet Mask 255.255.255.0, FQDN or Gateway IP (WAN IP Address) 22.23.24.25. Note: The LAN IP address ranges of each VPN endpoint must be different. The connection will fail if both are using the NETGEAR default address range of 192.168.0.x. Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard. 1. Log in to the DG834G v3 on LAN A at its default LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Wizard link in the main menu to display this screen. Click Next to proceed. Figure 7-20: VPN Wizard. The Wizard sets most parameters to defaults as proposed by the VPN Consortium (VPNC), and assumes a pre-shared key, which greatly simplifies setup. After creating the policies through the VPN Wizard, you can always update the parameters through the VPN Settings link on the left menu. 2. Fill in the Connection Name and the pre-shared key, select the type of target end point, and
133. place bets or participate in betting pools (including lotteries) online. Also includes sites that provide information, assistance, recommendations, or training on placing bets or participating in games of chance. Does not include sites that sell gambling-related products or machines. Also does not include offline casino and hotel sites, unless meeting one of the foregoing criteria. • Hacking/Proxy Avoidance: Sites providing information on illegal or questionable access to or use of communications equipment and software, or that provide information on how to bypass proxy server features or gain unauthorized access to URLs. • Illegal Drugs: Sites that promote, offer, sell, supply, or advocate the illegal use, cultivation, manufacture, or distribution of drugs, pharmaceuticals, intoxicating plants and chemicals, and related paraphernalia. • Illegal/Questionable: Sites that advocate or advise on performing illegal acts such as service theft, evading law enforcement, fraud, burglary techniques, and plagiarism. Also includes sites that provide or sell questionable educational materials, such as term papers. • Intimate Apparel/Swimsuit: Sites that contain images of swimsuits, intimate apparel, or other suggestive clothing. Does not include sites selling undergarments as a subset of another business. • Nudity: Sites containing nude or s
134. provides the steps needed to configure VPN tunnels when there are special circumstances and the VPNC-recommended defaults of the VPN Wizard are inappropriate. The two alternatives for configuring VPN tunnels are Auto Policy and Manual Policy. Overview of VPN Configuration: Two common scenarios for configuring VPN tunnels are between a remote personal computer and a network gateway, and between two or more network gateways. The DG834G v3 supports both of these types of VPN configurations. The ADSL Modem Wireless Router supports up to five concurrent tunnels. Client-to-Gateway VPN Tunnels: Client-to-gateway VPN tunnels provide secure access from a remote PC, such as a telecommuter connecting to an office network. (Figure 7-1: VPN tunnel across the Internet between a PC running the NETGEAR ProSafe VPN Client and the DG834G.) A VPN client access allows a remote PC to connect to your network from any location on the Internet. In this case, the remote PC is one tunnel endpoint, running the VPN client software. The ADSL Modem Wireless Router on your network is the other tunnel endpoint. See "How to Set Up a Client-to-Gateway VPN Configuration" on page 7-7 to set up this configuration.
135. r Network: Backing Up, Restoring, or Erasing Your Settings; How to Back Up the Configuration to a File; How to Restore the Configuration from a File; How to Erase the Configuration; Upgrading the Modem Router's Firmware; How to Upgrade the Modem Router Firmware; Network Management Information; Viewing Modem Router Status and Usage Statistics; Viewing Attached Devices; Viewing, Selecting, and Saving Logged Information; Examples of Log Messages; Enabling Security Event E-mail Notification; Running Diagnostic Utilities and Rebooting the Modem Router; Enabling Remote Management; Configuring Remote Management. Chapter 6, Advanced Configuration: Configuring Advanced Security
136. radio button (see Figure B-8), configure with appropriate account and hostname settings (see Figure B-9), and then click Apply. • Host and Domain Name: fvl328.dyndns.org • User Name: user's account username • Password: user's account password. (Figure B-9: Dynamic DNS settings.) c. Click Show Status. The resulting screen should show Update OK: good (see Figure B-10). (Figure B-10: Dynamic DNS Details.) 5. Configure the DG834G v3 as in the Gateway-to-Gateway procedures using the VPN Wizard (see "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 7-21), being certain to use appropriate network addresses for the environment. The LAN addresses used in this example are as follows (Device: LAN IP Address, LAN Subnet Mask): DG834G v3: 10.5.6.1, 255.255.255.0; FVL328: 172.23.6.1, 255.255.2
137. rate the encryption keys. Manual Policy: for a Manual Keying setup in which you must specify each phase of the connection (see "Using Manual Policy to Configure VPN Tunnels" on page 7-48). Manual Policy does not use IKE. Rather, you manually enter all the authentication and key parameters. You have more control over the process; however, the process is more complex and there are more opportunities for errors or configuration mismatches between your DG834G v3 and the corresponding VPN endpoint gateway or client workstation. Using Auto Policy to Configure VPN Tunnels: You need to configure matching VPN settings on both VPN endpoints. The outbound VPN settings on one end must match the inbound VPN settings on the other end, and vice versa. See "Example of Using Auto Policy" on page 7-43 for an example of using Auto Policy. Configuring VPN Network Connection Parameters: All VPN tunnels on the ADSL Modem Wireless Router require configuring several network parameters. This section describes those parameters and how to access them. The most common configuration scenarios will use IKE to manage the authentication and encryption keys. The IKE protocol performs negotiations between the two VPN endpoints to automatically generate and update the required encryption parameters. Click the VPN Policies link of the main menu, and then click the Add Auto Policy button to display the VPN Auto Policy menu shown in Figure 7-40. 7-38 Virtual Private Netwo
138. ration password or IP address is not known. Using the Reset button: To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the router. 1. Press and hold the Default Reset button until the Test LED turns on (about 10 seconds). 2. Release the Default Reset button and wait for the router to reboot. Problems with Date and Time: The E-mail menu in the Content Filtering section displays the current date and time of day. The ADSL Modem Wireless Router uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include: • Date shown is January 1, 2000. Cause: The router has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the router, wait at least five minutes and check the date and time again. • Time is off by one hour. Cause: The router does not automatically sense Daylight Savings Time. In the E-mail menu, check or uncheck the box marked Adjust for Daylight Savings Time. Appendix A: Technical Specifica
139. Setting Up A Default DMZ Server: The Default DMZ Server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The modem router is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local computer can run the application properly if that computer's IP address is entered as the Default DMZ Server. Warning: For security reasons, you should avoid using the Default DMZ Server feature. When a computer is designated as the Default DMZ Server, it loses much of the protection of the firewall, and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network. Incoming traffic from the Internet is normally discarded by the modem router unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server. How to Configure a Default DMZ Server: To assign a computer or server to be a Default DMZ server, follow these steps: 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using wha
140. Figure 7-40: VPN Policies (Policy Table with columns Enable, Name, Type, Local; buttons Add Auto Policy, Add Manual Policy, Edit, Delete, Apply, Cancel). VPN Auto Policy screen: General (Policy Name, Remote VPN Endpoint: Address Type and Address Data, NetBIOS Enable, IKE Keep Alive: Ping IP Address); Local LAN (IP Address, Single/Start address, Finish address, Subnet Mask); Remote LAN (IP Address, Single/Start IP address, Finish IP address, Subnet Mask); IKE (Direction, Exchange Mode, Diffie-Hellman (DH) Group, Local Identity Type and Data, Remote Identity Type and Data); Parameters (Encryption Algorithm, Authentication Algorithm, Pre-shared Key, SA Life Time, Enable PFS (Perfect Forward Security)).
141. rmation that it receives. When set to None, it will not send any RIP packets and will ignore any RIP packets received. • RIP Version: This controls the format and the broadcasting method of the RIP packets that the modem router sends. It recognizes both formats when receiving. By default, this is set for RIP-1. RIP-1 is universally supported. RIP-1 is probably adequate for most networks, unless you have an unusual network setup. RIP-2 carries more information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format. RIP-2B uses subnet broadcasting. RIP-2M uses multicasting. DHCP: By default, the modem router will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, and default gateway addresses to all computers connected to the modem router's LAN. The assigned default gateway address is the LAN address of the router. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN. For most applications, the default DHCP and TCP/IP settings of the router are satisfactory. See "Internet Networking and TCP/IP Addressing" in Appendix C for an explanation of DHCP and information about how to assign IP addresses for your network. Use Router as DHCP server: If another device on your network will be the DHCP server, or if you will manually config
142. rst configured your router, two implicit static routes were created. A default route was created with your ISP as the modem router, and a second static route was created to your local network for all 192.168.0.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your router will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company's firewall. In this case, you must define a static route, telling your router that 134.177.0.0 should be accessed through the ISDN router at 192.168.0.100. The static route would look like Figure 6-6. In this example: • The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses. • The Modem Router IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN router at 192.168.0.100. • A Metric value of 1 will work since the ISDN router is on the LAN. This represents the number of routers between your network and the destination. This is a direct connection, so it is set to 1. • Private is selected only as a precautionary security measure in case RIP is activated. How to Configure Static Routes: 1. Log in to the router at its default LAN address of http://192.168.0
143. rt of the modem router. The default is 255.255.255.0. Modem: These parameters apply to the Local WAN port of the modem router. ADSL Firmware Version: The version of the firmware. Modem Status: The connection status of the modem. Table 5-1. Menu 3.2 Modem Router Status Fields (continued): Downstream Speed: The speed at which the modem is receiving data from the ADSL line. Upstream Speed: The speed at which the modem is transmitting data to the ADSL line. VPI: The Virtual Path Identifier setting. VCI: The Virtual Channel Identifier setting. Wireless Port: These are the settings as set in the Wireless Settings page; see "Understanding Wireless Settings" in Chapter 3 for details. Name (SSID): The Service Set ID, also known as the wireless network name. Region: The country where the unit is set up for use. Channel: The current channel, which determines the operating frequency. Wireless AP: Indicates if the Access Point feature is disabled or not. If not enabled, the Wireless LED on the front panel will be off. Broadcast Name: Indicates if the DG834G v3 is configured to broadcast its SSID. Click the Show Statistics button to display modem router usage statistics, as shown below. (Statistics screen: System Up Time; columns Port, Status, TxPkts, RxPkts, Collisions, Tx B/s, Rx B/s, Up
144. ructions for correct handling. Customer Support: Refer to the Support Information Card that shipped with your 54 Mbps ADSL Modem Wireless Router Model DG834G. World Wide Web: NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required. Product and Publication Details: Model Number: DG834G v3; Publication Date: October 2006; Product Family: Modem Router; Product Name: 54 Mbps ADSL Modem Wireless Router Model DG834G; Home or Business Product: Home; Language: English; Publication Part Number: 202-10155-01; Publication Version Number: 1.0. Change History (Version, Date Published, Change Description): 1.0, January 2006, Original publication; 1.1, October 2006, Removed NETBIOS feature. Contents: Reference Manual for the ADSL Modem Wireless Router DG834G. Chapter 1, About This Manual: Audience, Scope, Conventions, and Formats; How to Print this Manual. Chapter 2, Introduction: About the Modem Router; nisl Do
145. Figure B-15. Figure B-16: Security Policy Editor, NETGEAR ProSafe VPN Client (Remote Party Identity and Addressing). c. Select Secure in the Connection Security check box group. d. Select IP Subnet in the ID Type menu. e. In this example, type 192.168.0.1 in the Subnet field as the network address of the DG834G v3. f. Enter 255.255.255.0 in the Mask field as the LAN Subnet Mask of the DG834G v3. g. Select All in the Protocol menu to allow all traffic through the VPN tunnel. h. Select the Connect using Secure Gateway Tunnel check box. i. Select Domain Name in the ID Type menu below the check box and enter fromDG834G.com (in this example). j. Select Gateway Hos
146. s Router. VPN communications paths are called tunnels. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. See "Virtual Private Networking (VPN)" in Appendix C to learn more about VPN. This chapter is organized as follows: "Overview of VPN Configuration" on page 7-2 provides an overview of the two most common VPN configurations: Client-to-Gateway and Gateway-to-Gateway. "Planning a VPN" on page 7-4 provides a worksheet for recording the configuration parameters of the VPN you want to set up, along with the VPN Committee (VPNC) recommended default parameters set by the VPN Wizard. "VPN Tunnel Configuration" on page 7-6 summarizes the three ways to configure a VPN tunnel: VPN Wizard (recommended for most situations), Auto Policy, and Manual Policy. "How to Set Up a Client-to-Gateway VPN Configuration" on page 7-7 provides the steps needed to configure a VPN tunnel between a remote PC and a network gateway using the VPN Wizard and the NETGEAR ProSafe VPN Client. "How to Set Up a Gateway-to-Gateway VPN Configuration" on page 7-21 provides the steps needed to configure a VPN tunnel between two network gateways using the VPN Wizard. "VPN Tunnel Control" on page 7-29 provides the step-by-step procedures for activating, verifying, deactivating, and deleting a VPN tunnel once the VPN tunnel has been configured. "How to Set Up VPN Tunnels in Special Circumstances" on page 7-38
147. s Router DG834G. There are two methods for creating WEP encryption keys. Passphrase: Enter a word or group of printable characters in the Passphrase box and click the Generate button. Manual: For 64-bit WEP, enter 10 hexadecimal digits (any combination of 0-9, a-f, or A-F). For 128-bit WEP, enter 26 hexadecimal digits (any combination of 0-9, a-f, or A-F). Select the radio button for the key you want to make active. How to Configure WEP: To configure WEP data encryption, follow these steps: 1. Log in to the DG834G v3 firewall at its default LAN address of http://192.168.0.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up. 2. Click the Wireless Settings link in the Setup section of the main menu for the DG834G v3 modem router. 3. In the Security Options section, select the WEP (Wired Equivalent Privacy) radio button. 4. Go to the WEP Security Encryption portion of the page. [Figure 3-6: WEP Security Encryption settings, showing Authentication Type, Encryption Strength, Passphrase, and Key 1 through Key 4] 5. Select the Authentication Type. 6. Select the Encryption Strength setting. 7. Enter the encryption keys. You can manually or automatically program the four
148. s file is shown below. [Figure 5-7: Logs screen, showing timestamped log entries (NTP requests and replies, administrator logins, TCP and ICMP packets); the Refresh, Clear Log, and Send Log buttons; the Include in Log check boxes (Attempted access to blocked sites; Connections to the Web-based interface of this Router; Router operation (start up, get time, etc.); Known DoS attacks and Port Scans); and the Syslog options (Disable; Broadcast on LAN; Send to this Syslog server IP address)] Log entries are described in Table 5-4 below. Table 5-4. Security Log entry descriptions (Field: Description). Date and Time: The date and time the log entry was recorded. Description or Action: The type of event and what action was taken, if any. Source IP: The IP address of the initiating device for this log entry. Source port and The service port number of th
149. s in a browser window. Click the print icon in the upper left of the window. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature. Chapter 2, Introduction. This chapter describes the features of the NETGEAR 54 Mbps ADSL Modem Wireless Router Model DG834G. The ADSL Modem Wireless Router is a combination of a built-in ADSL modem, modem router, 4-port switch, and firewall which enables your entire network to safely share an Internet connection that otherwise would be used by a single computer. Note: If you are unfamiliar with networking and routing, refer to "Internet Networking and TCP/IP Addressing" in Appendix C to become more familiar with the terms and procedures used in this manual. About the Modem Router: The 54 Mbps ADSL Modem Wireless Router Model DG834G provides continuous, high-speed 10/100 Ethernet access between your Ethernet devices. With minimum setup, you can install and use the modem router within minutes. The ADSL Modem Wireless Router provides multiple Web content filtering options, reporting, and instant alerts. Parents and network administrators can establish restricted access policies based on time of day, Web site addresses, and address keywords. The
150. s objectionable Internet sites. Trend Micro Home Network Security: This service bundle from Trend Micro has three components. Trend Micro dashboard: This component is free for unlimited use. From the dashboard, you can: scan your computer and entire network for security vulnerabilities; view individual computer and network-wide security reports; detect and remove spyware; view attempts to access content restricted by Parental Controls; purchase subscriptions for Parental Controls and Trend Micro Internet Security. Trend Micro Internet Security: You can install this program on up to 10 computers and try it free for 60 days. Its features include: real-time and scheduled scanning to remove viruses, Trojans, spyware, and other Internet threats; personal firewall; network intruder detection; anti-spam. Router-based Parental Controls: This service restricts home network users from viewing inappropriate Web content. It is free for 60 days, and when you register your free trial of Trend Micro Internet Security, your free use of Parental Controls is automatically extended to one year. For instructions on activating these services, refer to "Trend Micro Home Network Security" on page 4-15. What's in the Box: The product package should contain the following items: 54 Mbps ADSL Modem Wireless Router Mod
151. s the time interval before the SA (Security Association) expires. (It will automatically be re-established as required.) While using a short time period (or data amount) increases security, it also degrades performance. It is common to use periods over an hour (3600 seconds) for the SA Life Time. This setting applies to both IKE and IPSec SAs. IPSec PFS (Perfect Forward Secrecy): if enabled, security is enhanced by ensuring that the key is changed at regular intervals. Also, even if one key is broken, subsequent keys are no easier to break. (Each key has no relationship to the previous key.) This setting applies to both IKE and IPSec SAs. When configuring the remote endpoint to match this setting, you may have to specify the Key Group used. For this device, the Key Group is the same as the DH Group setting in the IKE section. Example of Using Auto Policy: [Figure 7-41: VPN tunnel between two DG834G VPN firewalls, A (WAN IP 14.15.16.17) and B (WAN IP 22.23.24.25), each with PCs on its LAN] 1. Set the LAN IPs on each DG834G v3 to different subnets and configure each properly for the Internet. The following settings are assumed for this example. Table 7-5. VPN Tunnel Configuration Worksheet: Connection Name; Pre-Shared Key; Secure Association (Main Mode or Manual Keys); Perfect Forward Secre
152. schränkungen unterliegen. Please refer to the notes in the operating instructions. The Federal Office for Telecommunications Approvals has been notified that this equipment has been placed on the market, and it is entitled to test the series for compliance with the regulations. Certificate of the Manufacturer/Importer: It is hereby certified that the 54 Mbps ADSL Modem Wireless Router Model DG834G has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions. Please refer to the notes in the operating instructions. Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations. Voluntary Control Council for Interference (VCCI) Statement: This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read inst
153. se harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures: Reorient or relocate the receiving antenna. Increase the separation between the equipment and receiver. Connect the equipment into an outlet on a circuit different from that to which the receiver is connected. Consult the dealer or an experienced radio/TV technician for help. Federal Communications Commission (FCC) Radiation Exposure Statement: This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. In order to avoid the possibility of exceeding the FCC radio frequency exposure limits, human proximity to the antenna shall not be less than 20 cm (8 inches) during normal operation. European Union Statement of Compliance: Hereby, NETGEAR, Inc. declares that this modem router is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Česky (Czech): NETGEAR, Inc. hereby declares that this 54 Mbps ADSL Modem Wireless Router Model DG834G is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk (Danish): Undertegnede NETGEAR, Inc. erklærer herved, at følgende udstyr 54 Mbps ADSL Modem Wireless Router Model DG834G overholder d
154. se your wireless connection when you click Apply. You must then access the modem router from a wired computer to make any further changes. 6. Make sure the Turn Access Control On check box is selected, then click Apply. Now, only devices on this list will be allowed to wirelessly connect to the DG834G v3. This prevents unauthorized access to your network. Choosing WEP Authentication and Security Encryption Methods: [Figure 3-5: Security Encryption (WEP) settings, showing Authentication Type (Open System or Shared Key), Encryption Strength, Passphrase with Generate button, and Key 1 through Key 4] Restricting wireless access prevents intruders from connecting to your network. However, the wireless data transmissions are still vulnerable to snooping. Using the WEP data encryption settings described below will prevent a determined intruder from eavesdropping on your wireless data communications. Also, if you are using the Internet for such activities as purchases or banking, those Internet sites use another level of highly secure encryption called SSL. You can tell if a web site is using SSL because the web address begins with HTTPS rather than HTTP. Authentication Type Selection: The DG834G
155. ss from the ISP. PPP over Ethernet (PPPoE): PPP over Ethernet is a protocol for connecting remote hosts to the Internet over an ADSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your computer. PPP over ATM (PPPoA): PPP over ATM is a protocol for connecting remote hosts to the Internet over an ADSL connection by simulating an ATM connection. Dynamic DNS: Dynamic DNS services allow remote users to find your network using a domain name when your IP address is not permanently assigned. The modem router contains a client that can connect to many popular Dynamic DNS services to register your dynamic IP address. Universal Plug and Play (UPnP): UPnP is a networking architecture that provides compatibility between networking technologies. UPnP-compliant routers provide broadband users at home and small businesses with a seamless way to participate in online games, videoconferencing, and other peer-to-peer services. Virtual Private Networking (VPN): The ADSL Modem Wireless Router provides a secure, encrypted connection between your local area network (LAN) and remote networks or clients. It includes the following VPN features: Supports 5 VPN connections. Supports industry-standard VPN protocols: The ADSL Modem Wireless Router supports standard Manua
156. st be deactivated for testing purposes. There are two ways to deactivate a VPN tunnel: the Policy table on the VPN Policies page, and the VPN Status page. Using the Policy Table on the VPN Policies Page to Deactivate a VPN Tunnel: To use the VPN Policies page to deactivate a VPN tunnel, perform the following steps: 1. Log in to the Modem Router. 2. Open the DG834G v3 management interface and click on VPN Policies to get the VPN Policies screen (Figure 7-36). [Figure 7-36: VPN Policies screen, Policy Table with columns Enable, Name, Type, Local, Remote, and ESP] 3. Clear the Enable check box for the VPN tunnel you want to deactivate and click Apply. (To reactivate the tunnel, check the Enable box and click Apply.) Using the VPN Status Page to Deactivate a VPN Tunnel: To use the VPN Status page to deactivate a VPN tunnel, perform the following steps: 1. Log in to the Modem Router. 2. Open the DG834G v3 management interface and click on VPN Status to get the VPN Status/Log screen (Figure 7-37). [Figure 7-37: VPN Status/Log screen showing log entries for the GtoG tunnel: initiating Main Mode, ISAKMP SA established, IPsec SA established] 3. Click VPN Status (Figure 7-37) to get the Current VPN Tunnels (SAs) scree
157. study follows the VPN Consortium interoperability profile guidelines (found at http://www.vpnc.org/InteropProfiles/Interop-01.html). Configuration Profile: The configuration in this document follows the addressing and configuration mechanics defined by the VPN Consortium. Gather all the necessary information before you begin the configuration process. Verify whether the firmware is up to date, all of the addresses that will be necessary, and all of the parameters that need to be set on both sides. Check that there are no firewall restrictions. Table B-1. Profile Summary: VPN Consortium Scenario: Scenario 1. Type of VPN: LAN-to-LAN or Gateway-to-Gateway (not PC/Client-to-Gateway). Security Scheme: IKE with Preshared Secret/Key (not Certificate-based). IP Addressing: NETGEAR Gateway A: Static IP address; NETGEAR Gateway B: Static IP address. [Figure B-1: VPNC Example, Network Interface Addressing: Gateway A (DG834G), LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP 14.15.16.17; Gateway B (FVL328), LAN 172.23.9.0/24, LAN IP 172.23.9.1, WAN IP 22.23.24.25] Note: Product updates are available on the NETGEAR, Inc. web site at http kbserver netgear com DG834G v3 asp. Step-By-Step Configuration: 1. Configure the DG834G v3 as in the Gateway-to-Gateway procedures using the VPN Wizar
158. ter DG834G. The DG834G v3 VPN tunnel network connection fields are defined as follows. General: These settings identify this policy and determine its major characteristics. Policy Name: Enter a unique name to identify this policy. This name is not supplied to the remote VPN endpoint. It is used only to help you manage the policies. Remote VPN Endpoint: If the remote endpoint has a dynamic IP address, select "Dynamic IP address". No Address Data input is required. You can set up multiple remote dynamic IP policies, but only one such policy can be enabled at a time. Otherwise, select the desired option (IP address or Domain Name) and enter the address of the remote VPN endpoint to which you wish to connect. Note: The remote VPN endpoint must have this VPN Gateway's address entered as its "Remote VPN Endpoint". IKE Keep-alive: Enable this if you wish to ensure that a connection is kept open, or, if that is not possible, that it is quickly re-established when disconnected. The Ping IP Address must be associated with the remote endpoint. The remote LAN address must be used. This IP address will be pinged periodically to generate traffic for the VPN tunnel. The remote keep-alive IP address must be covered by the remote LAN IP range and must correspond to a device that can respond to ping. The range should be made as narrow as possible to meet this objective. Local LAN: This identifies which PCs on your LAN are covered by this
159. ter you have configured your account information in the router, whenever your ISP-assigned IP address changes, your router will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address. How to Configure Dynamic DNS: Warning: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet. 1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User Name, Password, and LAN address you have chosen for the router. 2. From the Main Menu of the browser interface, under Advanced, select Dynamic DNS to display the page below. [Figure 6-4: Dynamic DNS screen, showing the Use a Dynamic DNS Service check box, Service Provider (www.DynDNS.org), Host Name, User Name, Password, and the Use Wildcards check box] 3. Access the Web site of one of the dynamic DNS service providers whose names appear in the Service Provider box, and register for an account. For example, for dyndns.org, go to www.dyndns.org. 4. Select the Use a dynamic DNS service check box. 5. Select the name of your dynamic DNS Service Provider. 6. Type the Host Name that your dynamic DNS service provider gave yo
160. tever Password and LAN address you have chosen for the modem router. 2. From the Main Menu, under Advanced, click the WAN Setup link to view the page shown. [Figure 6-1: WAN Setup screen, showing the options Connect Automatically as Required, Disable Port Scan and DOS Protection, Default DMZ Server, Respond to Ping on Internet WAN Port, and MTU Size (in bytes), set to 1492] 3. Select the Default DMZ Server check box. 4. Type the IP address for that server. 5. Click Apply to save your changes. Connect Automatically, as Required: Normally, this option should be enabled, so that an Internet connection will be made automatically whenever Internet-bound traffic is detected. If this causes high connection costs, you can disable this setting. If disabled, you must connect manually, using the sub-screen accessed from the Connection Status button on the Status screen. If you have an "Always on" connection, this setting has no effect. Disable Port Scan and DOS Protection: The Firewall protects your LAN against Port Scans and Denial of Service (DOS) attacks. This should be disabled only in special circumstances. Respond to Ping on Internet WAN Port: If you want the modem router to respond to a ping from the Internet
161. the finish IP address in the Finish IP address field. This must be an address range used on the remote LAN. Subnet address: enter an IP address in the Single/Start IP address field and the desired network mask in the Subnet Mask field. The remote VPN endpoint must have these IP addresses entered as its "Local" addresses. IKE. Direction/Type: this setting is used when determining if the IKE policy matches the current traffic. Select the desired option. Responder only: incoming connections are allowed, but outgoing connections will be blocked. Initiator and Responder: both incoming and outgoing connections are allowed. Exchange Mode: ensure the remote VPN endpoint is set to use Main Mode. Diffie-Hellman (DH) Group: the Diffie-Hellman algorithm is used when exchanging keys. The DH Group setting determines the bit size used in the exchange. This value must match the value used on the remote VPN Gateway. Local Identity Type: select the desired option to match the Remote Identity Type setting on the remote VPN endpoint. WAN IP Address: your Internet IP address. Fully Qualified Domain Name: your domain name. Fully Qualified User Name: your name, E-mail address, or other ID. Local Identity Data: enter the data for the selection above. (If WAN IP Address is selected, no input is required.) Remote Identity Type: select the desired option to match the Local Identity Type setting on the remote VPN
162. the ADSL Modem Wireless Router DG834G. 4. Set the Region. Select the region in which the wireless interface will operate. 5. Set the Channel. The default channel is 11. This field determines which operating frequency will be used. It should not be necessary to change the wireless channel unless you notice interference problems with another nearby wireless router or access point. Select a channel that is not being used by any other wireless networks within several hundred feet of your firewall. For more information on the wireless channel frequencies, please refer to "Wireless Communications" in Appendix C. 6. For initial configuration and test, leave the Wireless Card Access List set to allow everyone access by making sure that Turn Access Control On is not selected in the Wireless Station Access List. In addition, leave the Encryption Strength set to Disabled. 7. Click Apply to save your changes. Note: If you are configuring the firewall from a wireless computer and you change the firewall's SSID, channel, or security settings, you will lose your wireless connection when you click Apply. You must then change the wireless settings of your computer to match the firewall's new settings. 8. Configure and test your computers for wireless connectivity. Program the wireless adapter of your computers to have the same SSID and channel that you configured in the router. Check that they have a wireless link and are able to obta
163. the VPN client PC. a. In the Network Security Policy list on the left side of the Security Policy Editor window, click My Identity. [Figure B-18: Security Policy Editor, NETGEAR ProSafe VPN Client, My Identity settings, showing Select Certificate, Pre-Shared Key, ID Type, Virtual Adapter, and Internet Interface] b. Choose None in the Select Certificate menu. c. Select Domain Name in the ID Type menu, and enter toDG834G.com (in this example) in the box below it. Choose Disabled in the Virtual Adapter menu. d. In the Internet Interface box, select Intel PRO 100VE Network Connection (in this example; your Ethernet adapter may be different) in the Name menu, and enter 192.168.2.3 (in this example) in the IP Addr box. e. Click the Pre-Shared Key button. Enter Pre Shared Key at least 8 characters This key is used during Authentication Phase if the Authentication Method Proposal is Pre Shared k
164. these specifications. Table 1-2. Manual Scope: Product Version: 54 Mbps ADSL Modem Wireless Router Model DG834G. Manual Publication Date: October 2006. How to Print this Manual: To print this manual, you can choose one of the following several options, according to your needs. Printing a Page in the HTML View: Each page in the HTML version of the manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents. Printing a Chapter: Use the PDF of This Chapter link at the top left of any page. Click the PDF of This Chapter link at the top right of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com. Click the print icon in the upper left of the window. Tip: If your printer supports printing two pages on a single sheet of paper, you can save paper and printer ink by selecting this feature. Printing the Full Manual: Use the Complete PDF Manual link at the top left of any page. Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual open
165. tication Method menu, select Pre-Shared key. In the Encrypt Alg menu, select the type of encryption. In this example, use Triple DES. e. In the Hash Alg menu, select SHA-1. f. In the SA Life menu, select Unspecified. g. In the Key Group menu, select Diffie-Hellman Group 2. 6. Configure the VPN Client Key Exchange Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the VPN router configuration. a. Expand the Key Exchange subheading by double-clicking its name or clicking on the symbol. Then select Proposal 1 below Key Exchange. [Figure B-21: Security Policy Editor, NETGEAR ProSafe VPN Client, Key Exchange (Phase 2) Proposal 1, showing the IPSec Protocols settings: SA Life, Compression, Encapsulation Protocol (ESP) with Encrypt Alg, Hash Alg, and Encapsulation, and Authentication Protocol (AH)] b. In the SA Life menu, select Unspecified. c. In the Compression menu, select None. d. Check the Encapsulation Protocol (ESP) checkbox. e. Int
166. tions. This appendix provides technical specifications for the 54 Mbps ADSL Modem Wireless Router Model DG834G. Network Protocol and Standards Compatibility: Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPPoE or PPPoA, RFC 1483 Bridged or Routed Ethernet, and RFC 1577 Classical IP over ATM. Power Adapter: North America: 120V, 60 Hz, input. United Kingdom, Australia: 240V, 50 Hz, input. Europe: 230V, 50 Hz, input. Japan: 100V, 50/60 Hz, input. All regions (output): 12 V AC, 1.0A, output. Physical Specifications: Dimensions: 6.9 in. x 4.7 in. x 1.1 in. (175 mm x 119 mm x 28 mm). Weight: 0.7 lbs (0.3 kg). Environmental Specifications: Operating temperature: 0 to 40 °C (32 to 104 °F). Operating humidity: 90% maximum relative humidity, noncondensing. Electromagnetic Emissions: Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN 55 022 (CISPR 22), Class B. Interface Specifications: LAN: 10BASE-T or 100BASE-Tx, RJ-45. WAN: ADSL, ADSL2, Dual RJ-11, pins 2 and 3; T1.413, G.DMT, G.Lite; ITU Annex A for the DG834G, or ITU Annex B for the DG834GB. Appendix B, NETGEAR VPN Configuration: DG834G v3 to FVL328. This appendix is a case study on how to configure a secure IPSec VPN tunnel from a NETGEAR DG834G v3 to a FVL328. This case
167. tname and enter ntgr.dyndns.org (in this example). k. The resulting Connection Settings are shown in Figure B-16. 3. Configure the Security Policy in the 54 Mbps ADSL Modem Wireless Router Model DG834G software. a. In the Network Security Policy list, expand the new connection by double-clicking its name or clicking on the symbol. My Identity and Security Policy subheadings appear below the connection name. b. Click on the Security Policy subheading to show the Security Policy menu. [Figure B-17: Security Policy Editor, NETGEAR ProSafe VPN Client, Security Policy settings, showing Select Phase 1 Negotiation Mode (Main Mode, Aggressive Mode, Use Manual Keys), Enable Perfect Forward Secrecy (PFS), and Enable Replay Detection] c. Select the Main Mode in the Select Phase 1 Negotiation Mode check box. 4. Configure the VPN Client Identity. In this step, you will provide information about the remote VPN client PC. You will need to provide the Pre-Shared Key that you configured in the DG834G v3 and either a fixed IP address or a "fixed virtual" IP address of
168. ts, place your firewall: Near the center of the area in which your computers will operate. In an elevated location such as a high shelf where the wirelessly connected computers have line-of-sight access (even if through walls). Away from sources of interference, such as computers, microwaves, and cordless phones. With the Antenna tight and in the upright position. Away from large metal surfaces. The time it takes to establish a wireless connection can vary depending on both your security settings and placement. WEP connections can take slightly longer to establish. Also, WEP encryption can consume more battery power on a notebook computer. Implement Appropriate Wireless Security: Note: Indoors, computers can connect over 802.11g wireless networks at a maximum range of up to 300 feet. Such distances can allow for others outside of your immediate area to access your network. Unlike wired network data, your wireless data transmissions can extend beyond your walls and can be received by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment. The ADSL Modem Wireless Router provides highly effective security features which are covered in detail in this chapter. Deploy the security features appropriate to your needs. Wireless Data Security Options
169. u. (The dynamic DNS service provider may call this the domain name.) If your URL is myName.dyndns.org, then your Host Name is "myName". 7. Type the User Name for your dynamic DNS account. 8. Type the Password (or key) for your dynamic DNS account. 9. If your dynamic DNS provider allows the use of wildcards in resolving your URL, you can select the Use wildcards check box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as yourhost.dyndns.org. 10. Click Apply to save your configuration. Using Static Routes: Static Routes provide additional routing information to your router. Under normal circumstances, the router has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network. Static Route Example: As an example of when a static route is needed, consider the following case: Your primary Internet access is through a cable modem to an ISP. You have an ISDN router on your home network for connecting to the company where you are employed. This router's address on your LAN is 192.168.0.100. Your company's network is 134.177.0.0. When you fi
170. ual Adapter: Disabled; Internal Network IP Address; Internet Interface: Name, IP Addr. [Figure 7-11] b. Choose None in the Select Certificate menu. c. Select IP Address in the ID Type menu. If you are using a virtual fixed IP address, enter this address in the Internal Network IP Address box. Otherwise, leave this box empty. d. In the Internet Interface box, select the adapter you use to access the Internet. Select PPP Adapter in the Name menu if you have a dial-up Internet account. Select your Ethernet adapter if you have a dedicated Cable or DSL line. You may also choose Any if you will be switching between adapters or if you have only one adapter. e. Click the Pre-Shared Key button. In the Pre-Shared Key dialog box, click the Enter Key button. Enter the DG834G v3's Pre-Shared Key and click OK. In this example, 12345678 is entered. This field is case sensitive. [Figure 7-12: Pre-Shared Key dialog box, with the text "Enter Pre-Shared Key (at least 8 characters). This key is used during Authentication Phase if the Authentication Method Proposal is Pre-Shared key."] 5. Configure the VPN Client Authentication Proposal. In this step, you will provide the type of encryption (DES or 3DES) to be used for this connection. This selection must match your selection in the DG834G v3 configuration
171. ur PC, the portion of the IP address specified by the netmask is different from the network address of the remote device. Check that your cable or DSL modem is connected and functioning. If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu. Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your router to "clone" or "spoof" the MAC address from the authorized PC. Refer to your ADSL Modem Wireless Router Setup Manual (see Table 2-2 on page 2-10). Restoring the Default Configuration and Password. This section explains how to restore the factory default configuration settings, changing the router's administration password to password and the IP address to 192.168.0.1. You can erase the current configuration and restore factory defaults in two ways: Use the Erase function of the Web Configuration Manager (see "Backing Up, Restoring, or Erasing Your Settings" on page 5-1). Use the Default Reset button on the rear panel of the router. Use this method for cases when the administ
172. ure the network settings of all of your computers, clear the Use router as DHCP server check box. Otherwise, leave it selected. Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP Address. These addresses should be part of the same IP address subnet as the router's LAN IP address. Using the default addressing scheme, you should define a range between 192.168.0.2 and 192.168.0.254, although you may want to save part of the range for devices with fixed addresses. The router will deliver the following parameters to any LAN device that requests DHCP: an IP Address from the range you have defined; Subnet Mask; Gateway IP Address (the router's LAN IP address); Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu, otherwise the router's LAN IP address); Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu). WINS Server, short for Windows Internet Naming Service Server, determines the IP address associated with a particular Windows computer. A WINS server records and reports a list of names and IP addresses of Windows PCs on its local network. If you connect to a remote network that contains a WINS server, enter the server's IP address here. This allows your PCs to browse the network using the Network Neighborhood feature of Windo
173. vent E-mail Notification. In order to receive logs and alerts by e-mail, you must provide your e-mail information in the E-mail subheading. [Figure 5-8: E-mail screen, with the fields Turn E-mail Notification On; Send Alerts and Logs Via E-mail (Send To This E-mail Address, Outgoing Mail Server, My Mail Server requires authentication, User Name, Password); Send E-Mail alerts immediately (If a DoS attack is detected, If a Port Scan is detected, If someone attempts to access a blocked site); Send Logs According to this Schedule (Hourly, Day, Time)] Turn e-mail notification on: Select this check box if you want to receive e-mail logs and alerts from the modem router. Send alerts and logs via e-mail: Send To This E-mail Address: Enter the e-mail address where you want to send the alerts and logs. Use a full e-mail address, such as ChrisXY@myISP.com. Outgoing Mail Server: Enter the name or IP address of the outgoing SMTP mail server of your ISP, such as mail.myISP.com. Check My Mail Server requires authentication if you need to log in to your SMTP server to send e-mail. If you check this box, you must enter the user name and password for the mail server. Tip: If you cannot remember the above information from when you set up your e-mail account, check the settings in your e-mail program
174. way VPN Tunnel on the VPN Router at the Employer's Main Office. "Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC at the Telecommuter's Home Office" configures the NETGEAR ProSafe VPN Client endpoint. Step 1: Configuring the Client-to-Gateway VPN Tunnel on the VPN Router at the Employer's Main Office. Follow this procedure to configure a client-to-gateway VPN tunnel by filling out the VPN Auto Policy screen. 1. Log in to the VPN router at its LAN address of http://192.168.0.1 with its default user name of admin and password of password. Click the VPN Policies link in the main menu to display the VPN Policies screen. Click Add Auto Policy to proceed and enter the information. [Figure: VPN Auto Policy screen, with the sections General (Policy Name, Remote VPN Endpoint Address Type and Address Data, NetBIOS Enable, IKE Keep Alive with Ping IP Address), Local LAN IP Address, Remote LAN IP Address, IKE (Direction, Exchange Mode, Diffie-Hellman (DH) Group, Local Identity Type and Data, Remote Identity Type and Data), and Parameters (Encryption Algorithm, Authentication Algorithm, Pre-shared Key, SA Life Time)]
175. If this is the case, you will need to close the VPN connection in order to have normal Internet access. How to Set Up a Gateway-to-Gateway VPN Configuration. Note: This section uses the VPN Wizard to set up the VPN tunnel using the VPNC default parameters listed in Table 7-2 on page 7-5. If you have special requirements not covered by these VPNC-recommended parameters, refer to "How to Set Up VPN Tunnels in Special Circumstances" on page 7-38 to set up the VPN tunnel. Follow this procedure to configure a gateway-to-gateway VPN tunnel using the VPN Wizard. [Figure 7-19: VPN tunnel between DG834G VPN Firewall A and DG834G VPN Firewall B, with PCs; labels include 192.168.3.1] Set the LAN IPs on each DG834G v3 to different subnets and configure each properly for the Internet. The examples below assume the following settings. Table 7-4. VPN Tunnel Configuration Worksheet: Connection Name; Pre-Shared Key; Secure Association (Main Mode or Manual Keys); Perfect Forward Secrecy (Enabled or Disabled); Encryption Protocol (DES or 3DES); Authentication Protocol (MD5 or SHA-1); Diffie-Hellman (DH) Grou
176. ws Reserved IP addresses: When you specify a reserved IP address for a computer on the LAN, that computer will always receive the same IP address each time it accesses the router's DHCP server. Reserved IP addresses should be assigned to servers that require permanent IP settings. To reserve an IP address: 1. Click the Add button. 2. In the IP Address box, type the IP address to assign to the computer or server. Choose an IP address from the router's LAN subnet, such as 192.168.0.x. 3. Type the MAC Address of the computer or server. Tip: If the computer is already present on your network, you can copy its MAC address from the Attached Devices menu and paste it here. 4. Click Apply to enter the reserved address into the table. Note: The reserved address will not be assigned until the next time the computer contacts the router's DHCP server. Reboot the computer or access its IP configuration and force a DHCP release and renew. To edit or delete a reserved address entry: 1. Click the button next to the reserved address you want to edit or delete. 2. Click Edit or Delete. How to Configure LAN TCP/IP Settings. 1. Log in to the router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever User
177. wy 1999/5/EC. Português [Portuguese]: NETGEAR Inc. declares that this 54 Mbps ADSL Modem Wireless Router Model DG834G conforms to the essential requirements and other provisions of Directive 1999/5/EC. Slovensko [Slovenian]: NETGEAR Inc. declares that this 54 Mbps ADSL Modem Wireless Router Model DG834G is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Slovensky [Slovak]: NETGEAR Inc. hereby declares that the 54 Mbps ADSL Modem Wireless Router Model DG834G meets the basic requirements and all relevant provisions of Directive 1999/5/EC. Suomi [Finnish]: NETGEAR Inc. hereby declares that the 54 Mbps ADSL Modem Wireless Router Model DG834G type of device complies with the essential requirements of Directive 1999/5/EC and with the other provisions of the directive that apply to it. Svenska [Swedish]: NETGEAR Inc. hereby certifies that this type of equipment is in conformity with the essential requirements and other relevant provisions set out in Directive 1999/5/EC. A printed copy of the EU Declaration of Conformity certificate for this product is provided in the DG834G v3 product package. Bestätigung des Herstellers/Importeurs (Confirmation of the Manufacturer/Importer): It is hereby confirmed that the 54 Mbps ADSL Modem Wireless Router Model DG834G has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Be
178. y can also share high-speed ADSL Internet access for up to 253 personal computers. The included firewall and Network Address Translation (NAT) features protect you from hackers. The DG834G v3 also supports Trend Micro Home Network Security, a bundle of services that includes router-based Parental Controls and network-wide protection from viruses, Trojans, spyware, spam, and other Internet threats. Key Features. The ADSL Modem Wireless Router provides the following features: a built-in ADSL modem; a powerful, true firewall; 802.11g standards-based wireless networking; easy Web-based setup for installation and management; extensive Internet protocol support; trustworthy VPN communications over the Internet; VPN Wizard for easy VPN configuration; Auto Sensing and Auto Uplink LAN Ethernet connections; content filtering; support for Trend Micro Home Network Security. These features are discussed below. A Powerful, True Firewall. Unlike simple Internet sharing NAT routers, the DG834G v3 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include: Denial of Service (DoS) protection: automatically detects and thwarts Denial of Service (DoS) attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing. Blocks unwanted traffic from the Internet to your LAN. Blocks acc
179. y for the payload data sent through the VPN tunnel. SPI: enter the required security policy indexes (SPIs). Each policy must have unique SPIs. These settings must match the remote VPN endpoint. The "in" setting here must match the "out" setting on the remote VPN endpoint, and the "out" setting here must match the "in" setting on the remote VPN endpoint. Encryption: select the desired Encryption Algorithm and enter the key in the field provided. For 3DES, the keys should be 24 ASCII characters, and for DES, the keys should be 8 ASCII characters. DES: the Data Encryption Standard (DES) processes input data that is 64 bits wide, encrypting these values using a 56-bit key. Faster but less secure than 3DES. 3DES: Triple DES achieves a higher level of security by encrypting the data three times using DES with three different, unrelated keys. Authentication: select the desired SHA-1 or MD5 Authentication Algorithm and enter the key in the field provided. For MD5, the keys should be 16 ASCII characters. For SHA-1, the keys should be 20 ASCII characters. MD5: 128 bits, faster but less secure. SHA-1 (default): 160 bits, slower but more secure. Chapter 8: Troubleshooting. This chapter gives information about troubleshooting your 54 Mbps ADSL Modem Wireless Router Model DG834G. After each problem description, instructions are provided to help you diagnose and solve the prob
180. y select Adjust for Daylight Savings Time on the first day of Daylight Savings Time and clear it at the end. Enabling Daylight Savings Time will cause one hour to be added to the standard time. 4. The modem router has a list of NETGEAR NTP servers. If you would prefer to use a particular NTP server as the primary server, enter its IP address under Use this NTP Server. 5. Click Apply to save your settings. How to Schedule Firewall Services. If you enabled services blocking in the Block Services menu or Port forwarding in the Ports menu, you can set up a schedule for when blocking occurs or when access is not restricted. 1. Log in to the modem router at its default LAN address of http://192.168.0.1 with its default User Name of admin, default password of password, or using whatever Password and LAN address you have chosen for the modem router. Select the Schedule link of the Security menu to display the menu shown above. To block Internet services based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected days, enter Start Blocking and End Blocking times. Enter the values in 24-hour time format. For example, 10:30 am would be 10 hours and 30 minutes and 10:30 pm would
