fulton.net.au

  Netgear FR314 Firewall Router FAQ


Fulton Network Technologies Pty Ltd


Version 1.5  31-MAY-2001

Welcome to our FAQ for the FR314 Firewall Router.  We'll be updating the FAQ and adding many more questions/answers over the coming weeks.  We'd love to hear from you with suggestions, corrections, and new questions.  Send your feedback to support@fulton.net.au

Please report any problems you find, including typos, missing or incorrect links, unclear or wrong answers etc.

 

 

Introduction

Content Filtering

Firewall Security

Operations

Configuration - Firmware

Configuration Specifics for BigPond Advance ADSL

Configuration Specifics for Optus@Home

Troubleshooting

 


Introduction

What is the FR314 Cable/DSL Firewall Router?

The FR314 is a router used to share and secure a broadband (usually Cable or ADSL) internet connection.

The FR314 allows multiple PCs on a LAN to share the connection, while at the same time providing sophisticated firewall protection against external attack.

The FR314 also provides a rich set of content filtering features aimed at helping the home user protect children from accessing undesirable web content.  The same capabilities can also assist the business user to avoid lost time and productivity from non-approved use.

 

Why should I use a hardware router?

Compared to software sharing solutions, such as ICS, hardware routers offer the following important benefits:

  • higher performance

  • more reliable

  • easier to setup and maintain

  • take up less space than a PC solution

  • use less power and output less heat than a PC solution

  • offer greater security

  • less prone to virus attack

What is significant about the FR314?

The FR314 provides three significant features that don't exist in conventional NAT routers:

  • static and dynamic content filtering

  • sophisticated firewall incorporating SPI (stateful packet inspection) that provides much improved protection against DoS (Denial of Service) and address spoofing attacks

  • Comprehensive email-based logging, reporting and alerts

In the words of respected industry pundit Tim Higgins of Practically Networked: 

In my mind, NETGEAR has established a new price-performance point for consumer routers.  SonicWall has always had the richest feature set and most friendly user interface of this class of routers, but they've always commanded a price that made many prospective buyers seek less expensive solutions.  With the FR314, NETGEAR brings you most of the key features of a SonicWall SOHO2, throws in a four port 10/100 switch, and prices it to move with a street price about half the SOHO2's price!


 

Does the FR314 replace the RT311/RT314 routers?

No, the FR314 is an additional model that offers higher end capabilities required by some users.  Many users will continue to find their needs satisfied (at lower cost) by an RT311 or RT314 router.

The FR314 should be considered when content filtering or sophisticated firewall capabilities are required.

 

What does the FR314 look like?

The FR314 is quite similar in size, shape and appearance to its well-known sibling, the RT314.

The FR314 is about the size of a large paperback novel.  To be precise:

Width:    253 mm or 9.95 inches

Depth:    181 mm or 7.1 inches

Height:   35 mm  or 1.4 inches

Compared to the RT314, there are a couple of notable differences:

  • There is no serial port, all configuration and management is done from a web console

  • There is a configuration reset switch on the rear panel.  This is used to restore the default configuration of the router.

 

Is the FR314 simply a re-badged Zyxel 312?

No.  Unlike some previous models of Netgear routers, which were re-packaged and re-badged versions of Zyxel products, the FR314 is a new development from Netgear using some software technology licensed from SonicWALL.

 

Is the hardware the same as the RT314?

No.  While the external appearance and port configuration is similar in many respects to the RT314, they are quite different designs.  

FR314 firmware cannot be loaded onto an RT314.

 

What networks is the FR314 supported on?

Just as with the RT311/RT314, the FR314 will be supported on both BPA and Optus@Home cable, and Telstra ADSL.  It is expected that the FR314 will also operate correctly on each of the other major ADSL networks being rolled out.

 

Does the FR314 include a built-in login client for BPA cable?

Not in the initial release.

 

What is pricing and availability?

We expect to have the FR314 in stock on April 5th, 2001.

We will be offering the FR314 with the same package options that we offer on the other models in our router range:

  • On-site installation (FR314-I)

  • Pre-configured for your network and requirements (FR314-P)

  • User-installable version for the experienced user (FR314-U)

Indicative pricing is shown on the FR314 product page.

 

Content Filtering

What is content filtering?

Content filtering is the ability to deny users access to a website based on a pre-determined set of rules.

 

What types of content filtering does the FR314 support?

The FR314 supports both static and dynamic content filtering:

  • Static content filtering includes filtering based on the web page URL, key words within the URL and the time of day and day of the week.

  • Dynamic content filtering is based on objectionable subject matter, including restricting material containing violence, nudity, hate or sex.  Dynamic content filtering can be enabled by purchasing an upgrade package that includes a subscription to the CyberPatrol CyberNOT blocklist.

 

How does the CyberNOT filtering operate?

Once the CyberNOT upgrade has been purchased, the router can be configured to automatically download the updated blocklist on a regular basis.

The router is also configured to block or allow access to sites based on the categories of potentially undesirable content listed in the next answer.

 

What are the CyberNOT filtering categories?

Categories that can be blocked include:

  • Violence / profanity

  • Partial nudity

  • Full nudity

  • Sexual acts

  • Gross depictions

  • Intolerance

  • Satanic or cult

  • Drugs

  • Militant / Extremist

  • Sex education

  • Gambling

  • Alcohol and tobacco

 

How do I order the CyberNOT upgrade?

CyberNOT upgrades for the FR314 can be ordered from Fulton Network Technologies, just like any other Netgear product.

Upgrades are available for a 6 or 12 month term.  Pricing is yet to be finalised.

The upgrade will be supplied as an upgrade license key that is entered into the FR314 using the web console.

 

Can different content filtering policies be applied for each user?

In the initial release of the FR314, content filtering policies are system wide, and cannot be varied by user.  This may change in a future release.

 

Does the FR314 provide any protection against virus attack?

No.  The content filtering capabilities of the FR314 are designed to stop access to websites containing undesirable content.  There is no real-time processing of content to (for example) detect or block viruses.

Because the FR314 firewall router is a hardware device and doesn't run any of the commonly used PC operating systems, the router itself is less likely to be a virus target than a software firewall.

 

Does the FR314 provide any email filtering capability?

No.  If you require email filtering to protect against virus attack or undesirable content, this will still need to be provided using a separate software solution.

 

Firewall Security

What are the common types of firewall security?

There are three main types of firewall security commonly used in a broadband (cable/ADSL) sharing context:

  • NAT Router.  Because most broadband services provide only a single public IP address to the user, Network Address Translation (NAT) must be used to share the connection.  The use of a NAT router provides some inherent security to devices behind it by virtue of its address hiding.

  • Packet Filtering.  Packet filtering is a simple firewall technology where the decision to block or allow data is made on a packet-by-packet basis, based on source or destination address or port number, protocol type or simple data masking.  Packet filtering is fast, easy to implement, and can provide good security against many attacks.  It has no knowledge of connection state or context, and offers no protection against common DoS (Denial of Service) attacks.

  • Stateful Packet Inspection.  SPI is the technology used in most high-end firewalls.  It can provide all the capabilities of packet filtering, plus protection against common DoS (Denial of Service) attacks.

What type of firewall is the FR314?

The FR314 is a NAT Router that incorporates Stateful Packet Inspection.  The FR314 combines the security advantages of SPI with the configuration simplicity of a NAT router.

 

What type of firewall is the RT311 or RT314?

The RT311 and RT314 are NAT routers with relatively sophisticated packet filtering capabilities.  While not matching the power and flexibility of SPI on the FR314, they greatly exceed the capabilities of many of their low-end competitors, and provide adequate security for many SOHO users.

 

What type of firewalling is provided by products from other vendors?

Most of the low-end broadband sharing routers that compete with the RT311 and RT314 are simple NAT routers with limited packet filtering.  Generally speaking, they are limited to blocking or allowing packets by inbound destination port number.

The RT311 and RT314 on the other hand, can block or allow by source or destination IP address, source or destination port number, protocol ID or simple data mask.

 

What are DoS attacks?

Denial of service attacks are generally packets or requests, sent from other network devices, that are designed to disrupt (deny) services on the target system.

A simple example would be to simply flood a system with useless data, to keep it busy processing that data, and prevent it doing its normal tasks.

 

What types of DoS attacks does the FR314 protect against?

  • Attacks designed to exploit TCP/IP implementation bugs, such as "Ping of Death" and "Teardrop"

  • TCP/IP specification weaknesses, such as "SYN Floods" and "LAND attacks"

  • Brute force data flooding, such as a "Smurf attack"

  • IP spoofing
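
As an added illustration (not Netgear or SonicWALL code, and not part of the original FAQ) of how stateful inspection differs from the packet-by-packet filtering described above, here is a toy SPI decision function in Python that also applies simple checks for each attack class just listed, and honours a "service mapping" of the kind the Nortel troubleshooting entry later in this FAQ describes.  The 192.168.1.0/24 LAN, the 198.51.100.x test addresses, the half-open limit and the mapping table are all constructed for the example; IKE on UDP port 500 and PPTP on TCP port 1723 are the standard port numbers rather than something this FAQ states.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

# All addresses and limits below are constructed for the example.
LAN = ip_network("192.168.1.0/24")    # LAN range, matching the FAQ's 192.168.1.x example
MAX_HALF_OPEN = 3                     # SYN-flood threshold per mapped service


@dataclass
class Packet:
    src: str
    dst: str
    proto: str             # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    flags: str = ""        # TCP flags as letters: "S", "SA", "A", ...
    iface: str = "wan"     # "wan" = arriving from the Internet, "lan" = leaving the LAN
    length: int = 64       # bytes in this packet or fragment
    frag_offset: int = 0   # byte offset within the reassembled IP datagram


@dataclass
class SPIFirewall:
    # (proto, dport) -> internal host: a "service mapping" as in the FR314 web console.
    # NAT translation is omitted; inbound packets are shown already addressed to the LAN host.
    service_mappings: dict = field(default_factory=dict)
    half_open: dict = field(default_factory=dict)   # flow key -> mapped service awaiting ACK
    established: set = field(default_factory=set)   # flow keys (src, dst, sport, dport)

    @staticmethod
    def _reverse(p: Packet) -> tuple:
        return (p.dst, p.src, p.dport, p.sport)

    def decide(self, p: Packet) -> str:
        src, dst = ip_address(p.src), ip_address(p.dst)
        key = (p.src, p.dst, p.sport, p.dport)
        # Implementation-bug class: a fragment that would push reassembly past the
        # 65535-byte IP maximum (Ping of Death) or carries an impossible offset (Teardrop).
        if p.frag_offset < 0 or p.frag_offset + p.length > 65535:
            return "DROP: bad fragment (Ping of Death / Teardrop)"
        # Specification-weakness class: LAND sends a packet whose source is its destination.
        if src == dst:
            return "DROP: src == dst (LAND)"
        if p.iface == "lan":
            # Outbound traffic: remember the flow so that only its replies are let back in.
            self.established.add(self._reverse(p))
            return "ALLOW: outbound"
        # Everything below arrived on the WAN side.
        if src in LAN:
            return "DROP: LAN source on WAN (IP spoofing)"
        if p.proto == "icmp" and dst == LAN.broadcast_address:
            return "DROP: ICMP to broadcast (Smurf)"
        if key in self.established:
            return "ALLOW: reply to outbound flow"
        target = self.service_mappings.get((p.proto, p.dport))
        if target is None:
            # A stateless filter would need an explicit port rule here; SPI simply
            # knows that no inside host asked for this packet.
            return "DROP: unsolicited inbound"
        if p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
            svc = (p.proto, p.dport)
            if sum(1 for s in self.half_open.values() if s == svc) >= MAX_HALF_OPEN:
                return "DROP: too many half-open connections (SYN flood)"
            self.half_open[key] = svc
            return f"FORWARD to {target}: new connection"
        if p.proto == "tcp" and key in self.half_open:
            del self.half_open[key]            # handshake completed; flow is now known
            self.established.add(key)
        return f"FORWARD to {target}: mapped service"
```

A real SPI engine also ages out half-open and idle flows; the toy keeps them forever so the decisions stay easy to follow.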

Operations

 

How many users does the FR314 support?

The FR314 supports 8 users, with upgrades available to 20 or 45 users. (Note that this is different to routers in the RT311/RT314 family, which don't directly restrict the user count).

 

How are users counted against the license limit?

The router keeps a record of internal IP addresses from which it has seen traffic.  It is possible to exclude addresses used by passive devices such as printers, secondary addresses on multi-homed devices etc. from the user count.

The user count is not a count of "concurrently active" users.

 

How do I order the 20-user or 45-user upgrades?

User upgrades for the FR314 can be ordered from Fulton Network Technologies, just like any other Netgear product.

Pricing is yet to be finalised.

The upgrade will be supplied as an upgrade license key that is entered into the FR314 using the web console.

 

Does the FR314 support VPN pass-through?

In the initial release, the FR314 provides similar VPN pass-through capabilities to the RT311/RT314 family.

This includes:

  • outbound PPTP sessions

  • inbound PPTP to a single PPTP server

  • one inbound or outbound IPSec VPN connection

What logging capability is supported?

In the initial release, email-based logging of events and alerts is supported.  Unlike the RT311/RT314, syslog logging is not currently supported.

 

What reporting is supported?

Reports are running summaries of certain types of activities. The FR314 does not keep a detailed log of traffic, but instead calculates three rolling summaries, which can be viewed via the web console:

  • Top 25 most accessed web sites

  • Top 25 bandwidth users by IP address

  • Top 25 bandwidth consumers by service (port/protocol)

 

Is remote administration supported?

In the initial release, only devices connected to the LAN side of the router can be used for running the web console.

 

Is there a Telnet console?

All administration tasks can be performed using the web console.  Unlike the RT311/RT314 there is no supplementary telnet or serial port console.

 

Is MAC address spoofing supported on the WAN port?

Not in the initial release.  This facility is currently only available on the RT311/RT314.

 

Does the FR314 support Dynamic DNS updates?

Not in the initial release.  This facility is currently only available on the RT311/RT314, supporting the dynamic DNS service provided by www.dyndns.org.

 

Configuration - Firmware

 

What does the firmware do?

The router is a simple computer with a CPU and memory (but no disk drive!).  The firmware is the operating system that runs on the router.  It is updated from time to time by Netgear to fix bugs, and add new features.

Firmware updates are usually released every three to six months.

How do I find out what firmware version is installed on my router?

Connect to the router using a web browser, and select the menu option: General -> Status.  The firmware version is shown on that page; in the screenshot that accompanied this FAQ, the firmware version is 6.0.0.0.

What is the recommended firmware version?

At present, the only version available is the initial release, version 6.0.0.0.

 

Where can I download the firmware from?

The initial release firmware can be downloaded from:

www.netgear-support.com/ts/downloads/ngr_s2e_6000.bin

 

How do I update the firmware?

Download the firmware file to a convenient location.  Connect to the router using a web browser, and select the menu option Maintenance -> Firmware.

Click the Upload Firmware Now button.  You will be prompted to ensure that you have taken a backup copy of the router's configuration, and the upload page will then be displayed.

Enter the firmware filename and press the Upload button.

While the firmware is uploading, make sure not to close your browser window, or interrupt it by clicking on a link or loading another page. This could cause a firmware corruption.

After the firmware is uploaded, the FR314 will automatically restart.

Automatic Notification of Firmware Availability

Connect to the router using a web browser, and select the menu option Maintenance -> Firmware.

Check the box tagged Notify me when new firmware is available.  The router will then periodically check for the availability of new firmware and notify the firewall administrator by email.

Configuration Specifics for BigPond Advance ADSL

Do I still need to use the Enternet (or another) login client?

No separate login (or PPPoE) client is required when you use your FR314 router to manage your ADSL connection.

Until Telstra's Helpdesk becomes a little more knowledgeable about routers, it might be prudent to keep Telstra's Enternet client installed on one PC, in case you have a problem with your connection, and you need to report the fault to the helpdesk.

This would also enable you to carry out some basic troubleshooting and fault isolation.

Be sure that the Enternet client is not running when using your router, otherwise one or other of them might get confused...

What's PPPoE?

PPPoE stands for Point-to-Point Protocol (PPP) over Ethernet.  PPP is the protocol normally used to manage a connection made over a dial-up line.  PPP includes mechanisms for establishing the connection, authenticating the user, data compression and error correction.

In PPPoE, dial-up-style PPP packets are encapsulated inside Ethernet frames that are sent between the router and the ADSL modem.

The use of PPPoE rather than raw Ethernet (as used by the cable networks) means that the authentication process is standardised, and there is no need for a login client such as LaunchPad or BPALOGIN.

What ADSL-specific configuration parameters do I need to enter?

ADSL setup is normally quite straightforward:

  • Set the Network Addressing Mode to NAT with PPPoE

  • Enter your PPPoE username exactly as supplied by Telstra, eg fred@bigpond

  • Enter your PPPoE password exactly as supplied by Telstra.

Most users will want to stay permanently connected to the ADSL network.  In this case, leave the Disconnect after xx minutes of inactivity box unchecked.  Otherwise, choose a suitable timeout and check the box.


Why does my external IP keep changing?

Because the PPPoE protocol used by the ADSL network is much like that used by a dial-up network, the PPPoE servers have been configured to allocate an IP address randomly at connection time.

Each time a new connection is made, you will most likely get a new IP.

This is different to the cable networks, where the network (mostly) tries to re-allocate you the same IP address each time you connect.  In the cable networks, the IP address is usually matched to the Ethernet (MAC) address of the connected device.

We understand that Telstra plans to offer static IP addresses to ADSL users some time during 2001.

Is any MTU configuration required on client PCs?

No, the router is smarter in this respect than software sharing solutions like ICS.

 

Configuration Specifics for Optus@Home

 

Do I need to use a login client?

No separate login client is required for the Optus@Home Network.  Authentication is based on the 11-character system name supplied by Optus, eg CO1234567-A.

 

What Optus-specific configuration parameters do I need to enter?

For Optus@Home, you need to set the router's hostname and domain-name into the Firewall Installation Wizard during initial setup. 

The hostname will be the name that the Optus installer changed your PC to during installation.  It will be something like CO1234567-A.  This name will be sent to the Optus DHCP server, and unless it matches correctly, the DHCP server will not allocate an address.

The domain-name will be <your-state>.optushome.com.au, eg: qld.optushome.com.au or nsw.optushome.com.au.  Unless the domain-name is entered correctly, you may have difficulty accessing some of the pages on the Optus website.


 

Troubleshooting

Error Log - Retransmitting DHCP REQUEST (renewing)

When connected to BigPond or Optus@Home Cable, you may see many error log entries reporting difficulty renewing the upstream DHCP lease (Retransmitting DHCP REQUEST (renewing)).

The router is reporting that it is unable to renew the DHCP lease directly, because the DHCP server is not on the same IP network as the assigned WAN IP.  In most cable networks, the DHCP server is a centralised resource upstream of the cable router, and is therefore on a different IP network.

To disable reporting of this error, connect to the router using a web browser, and select the menu option Firewall -> Log -> Log Settings.  Uncheck the category System Maintenance, and press the Update button.


 

Router displays the incorrect time

The router needs to know the correct local time so that error log entries and alerts can be correctly time-stamped.

To set the time, the router connects to one of a pre-programmed list of NTP (Network Time Protocol) servers.  It also needs to have had the local timezone set correctly.  The timezone is set during Wizard Setup.


On BigPond Advance Cable, the router will be unable to connect to an NTP server until after the login client has successfully authenticated the WAN IP.  This means that the time will be incorrectly displayed during initial setup.  It should correct itself automatically soon after the login client has been started.

DNS Relay not working

Unlike the RT311/RT314, the FR314 does not function as a DNS relay.

When using an RT311 or RT314, it was possible to configure a client PC with the IP address of the router as the IP address of its DNS server.  DNS requests received by the router from client devices were relayed to the upstream DNS server.  This simplified configuration of those client devices that used static IP addresses.

The FR314 does not provide this DNS-relay capability.  It is necessary to configure client devices to directly use the IP addresses of the upstream DNS servers.  The FR314 normally does this automatically for client devices with DHCP-assigned addresses, but it must be done manually for client devices with static IP settings.

For this reason, it will normally be preferable to configure DHCP reservations for those devices which need a fixed IP, rather than to use static IP settings.

Nortel Extranet VPN client times out

When using the Nortel Contivity Extranet VPN client to connect using an IPsec VPN tunnel, the connection is established correctly, but drops out after a few minutes.

The timeouts occur because (unlike most other client/server VPN connections), the Nortel server initiates the IKE renegotiation rather than the client.  When the server does this it tries to open a new connection back to the FR314's public IP address.  The FR314 drops the incoming connection attempt, unless a service mapping for IKE has been added.

To overcome the timeouts, connect to the FR314 using a web browser, and make the following configuration change:

Under Firewall -> Access -> Services, enter the local IP (192.168.1.10 in the example) of the PC running the Extranet client against the service "Key Exchange (IKE)".

 


Copyright © 2000 Fulton Network Technologies Pty Ltd.  All rights reserved.

Not to be reproduced or distributed in any form without prior permission.

 

All information contained herein is provided to the reader on the understanding that the reader is responsible for ensuring the correctness and suitability of the information for his particular needs.

VERSION HISTORY

1.5   31-MAY-2001   Nortel Extranet VPN

1.4   23-APR-2001   Added ADSL config

1.3   22-APR-2001   Added sample reports, Troubleshooting section

1.2   21-APR-2001   Added Config - Firmware

1.1   14-APR-2001   Added Optus Config

1.0   20-MAR-2001   Initial Release