fulton.net.au

  Netgear RP114 Cable/ADSL Web Safe Router FAQ


Fulton Network Technologies Pty Ltd


Version 1.2 12-JUN-2002

This is the FAQ covering the Netgear RP114 Web Safe Router.  We'll be updating the FAQ and adding many more questions/answers over the coming weeks.  We'd love to hear from you with suggestions, corrections, and new questions.  Send your feedback to support@fulton.net.au

Please report any problems you find, including typos, missing or incorrect links, unclear or wrong answers etc.

 

General Discussion

Configuration - General

Configuration - Firmware

Configuration - Hardware

Configuration Specifics for BigPond Advance Cable

Configuration Specifics for BigPond Advance ADSL

Configuration Specifics for Optus@Home

Application Compatibility

VPN Compatibility

Router Operations

Security

Syslog

Troubleshooting

General Discussion

What networks has the RP114 been tested on in Australia?

The RP114 is in many respects an enhanced version of the Netgear RT314 router, which has been extensively tested on, and is in use by many customers on, the following networks:

  • Optus@Home Cable
  • Telstra BigPond Advance Cable (Motorola and DOCSIS)
  • Telstra Bigpond Advance ADSL

How difficult are they to install?

Not difficult at all, certainly no more difficult than installing a software solution such as WinRoute, and much less time consuming than setting up a Linux gateway.

If you plan to do the installation yourself, you will need to have some knowledge of TCP/IP, routing, Network Address Translation (NAT) and firewalls. 

If you purchase your router pre-configured from Fulton Network Technologies, we will provide an individually tailored Quick Start Guide that will have even the most novice networker up and running in 30 minutes or less.

How big are they?

They're tiny, less than half the size of the RT314.  For those familiar with other Netgear products, they're very similar in size to the FS105 5-port 10/100 switch.  To be precise:

Width:  159 mm or 6.25 inches
Depth:  102 mm or 4.0 inches
Height: 32 mm or 1.25 inches

I'm stuck - where can I get help?

  • If you're technically minded, you'll probably find all the answers you need in this FAQ.
  • If you have time on your side, and don't mind the occasional detour, you can check the archives of, or post your question in, one of the newsgroups like aus.net.access, bigpond.broadband.security or bigpond.broadband.users.
  • If you would like individual help, or consulting assistance, we (Fulton Network Technologies) offer support on a flat fee, per-call or on-site basis.  Send us an email on support@fulton.net.au for further information.

What's the difference between the RP114 and the RT314?

There are a few significant differences:

  • The RP114 adds a set of web content filtering capabilities, including filtering by site, URL keyword and time-of-day.  Web access can be logged, and reports sent by email.
  • Both have a built-in 4-port 10/100 Ethernet switch, which might be all the ports you need for a small home or office network.  This can help you to avoid a mess of untidy cables.  The ports on the RP114 auto-switch between MDI (normal) and MDIX (uplink) mode, simplifying configuration and eliminating the need for crossover cables.

Why should I choose a Netgear router?

Before deciding to sell and recommend the Netgear range of broadband sharing routers, we did an extensive evaluation of these and competing products.  In our opinion:

  • Netgear routers provided the best balance between price, performance and features in their part of the market.
  • Netgear routers have a reputation for hardware and software quality that is well ahead of many of their competitors.
  • While not always the easiest routers to configure, this limitation is easily offset by their greater capability and flexibility.
  • Netgear routers have enjoyed stunning success in the US where they were first released.

How many PCs can the RP114 support on the local lan?

It depends on the speed of your connection and the usage patterns of your users.  The RP114's DHCP server will allocate up to 32 addresses on the local lan.  You can connect more devices if you assign some or all of the addresses statically.

Most installations we've seen have been between 2 and 20-30 PCs sharing their Cable or ADSL connection without problems.

Do you still need to run a login client like Telstra Launchpad?

No login client is required for Optus@home or Telstra ADSL.  The router includes a built-in login client for Telstra Bigpond Cable in firmware version 3.26 and higher, which means that Telstra Launchpad and alternative login clients such as BPAlogin and WinCable are no longer required.

Why should I buy my router from Fulton Network Technologies?

Deal with the Netgear router experts, and receive:

  • Your Netgear router fully tested and pre-configured for the network of your choice
  • Fulton's Quick Start Guide to get you up and running in minutes
  • Expert technical assistance and installation support

Do you only operate in Sydney?

We're based in Sydney, but we have customers throughout the country.  In fact, more than half our router business is from outside Sydney.

Overnight or same day shipment of product, combined with quality email and telephone support means that we can satisfy your needs, regardless of your location.

Other resources.

The following additional sites may be of interest:

Can I create a link to this FAQ?

Yes!  Our copyright notice prohibits reproduction or distribution of this document in any form.  But, you are welcome to create a hyperlink to the FAQ itself or the www.fulton.net.au home page without seeking permission.

Configuration - General

What should I set the router's System Name to be?

For the BigPond Advance Cable or ADSL networks, you can choose any name that appeals to you, eg RP114 or Matilda.  For these networks, the hostname has no effect on the operation of the router.

For Optus@Home, you need to set the System Name to the Optus supplied system name.  This will be the name that the Optus installer changed your PC to during installation.  It will be something like CO12345678-A.  This name will be sent to the Optus DHCP server, and unless it matches correctly, the DHCP server will not allocate an address.

[Currently (June 2002), setting the system name is not required for Optus cable connections.  It is unclear whether this is a temporary aberration, or whether the requirement has been permanently removed.]

Do I need to change the router password?

The default firewall filters only allow access to the router's configuration menus from the local or internal lan, not from the INTERNET or WAN port.  So if you trust everyone on the local lan, maybe not.  But, it's easy to change, and we strongly recommend that you do change it. 

How can I change the router password?

The password can be changed using the web console.  Connect to the router, login, and select:

Advanced -> System -> Password.  

Alternatively, use telnet to connect to the router, login, and select menu 23:

Menu 23 - System Password

Old Password= ?
New Password= ?
Retype to confirm= ?

Enter here to CONFIRM or ESC to CANCEL:

How can I set the date and time on the router?

You don't need to, the router does it automatically using NTP.  No configuration is required, apart from setting the timezone.

What network addresses can I use on the local lan?

The router's default local network is 192.168.0.0/24 or 192.168.0.0 with a netmask of 255.255.255.0 if you prefer that notation.

The router can be configured to use any legal IP network or subnetwork for the local lan.

We recommend that you use the defaults, unless you already have a substantial working network in place that you want to connect to.  This is for the following reasons:

  • By using the defaults, you simplify setup of the router, and are less likely to cause yourself problems during installation.
  • You are probably more familiar with configuring IP settings on client workstations than you are configuring routers, so keep your life simple.
  • In the future, if you ever need to upgrade the firmware, the closer your config is to the defaults, the easier this process will be.

On the other hand, if you are purchasing your router from Fulton Network Technologies, we specialise in making the router's configuration match your existing or planned network.  Our individually tailored Quick Start Guide will ensure that your installation and setup is quick and trouble-free.

What address should I assign to the router itself?

We normally recommend that the router be assigned an IP address at one end of the range assigned to the local lan.  This is to make it easy to remember, and minimise the chance of a collision with another station's address.

Thus, for the default network, you would use either 192.168.0.1 (the factory default) or 192.168.0.254.

Should I use fixed IP addresses or DHCP-assigned addresses on the local lan?

It's usually easier to use DHCP-assigned addresses for client workstations on the local lan.  This is for a couple of reasons:

  • It's easier to set up the clients
  • All the necessary parameters, such as domain-name, gateway addresses, dns-server addresses etc are automatically inherited via DHCP.

The exception is for servers, which should always have a static IP.

Can I run two DHCP servers on my local lan?

You can, but you probably don't want to.  Unless you really understand DHCP and what you're trying to achieve, choose only one.  In most cases, this should be the router, as this will automatically inherit all the client parameters from the upstream Cable or ADSL network and assign them to the client workstations.

An exception might be when you have the need to assign advanced or proprietary DHCP options, not supported by the router's DHCP server, eg the addresses of WINS servers, or for networks running Windows 2000 Active Directory.

Does the router support SNMP?

Not at this time.  Access to management information is limited to syslog for firewall event logging, and the telnet and web management consoles.

Configuration - Firmware

What does the firmware do?

The router is a simple computer with a CPU and memory (but no disk drive!).  The firmware is the operating system that runs on the router.  It is updated from time to time by Netgear to fix bugs, and add new features.

Firmware updates are usually released every six months or so.

How do I find out what firmware version is installed on my router?

The firmware version can be checked using the web console.  Connect to the router, login, and select:

Maintenance -> System Settings

Alternatively, use telnet to connect to the router and select menu 24, sub-menu 1.  This will display something like:

Menu 24.1 - System Maintenance - Status


Port Status TxPkts RxPkts Cols Tx B/s Rx B/s Up Time
WAN 10M/Half 126292 177290 0 0 0 84:32:49
LAN 100M/Full 152690 339133 0 261 92 84:32:46

Port Ethernet Address IP Address IP Mask DHCP
WAN 00:a0:c5:e1:ee:cd 144.132.180.48 255.255.240.0 Client
LAN 00:a0:c5:e1:ee:cc 192.168.1.1 255.255.255.0 Server

System up Time: 84:32:55

Name: rp114.nsw.bigpond.net.au
Routing: IP
RAS F/W Version: V3.24 (CD.0) B4 | 2/19/2001

Press Command:

COMMANDS: 1-Drop WAN 9-Reset Counters ESC-Exit

What do the different firmware version numbers mean?

The following table contains a brief description of each released version.  Follow the link to the release notes for full details.

Version number  Description                                            Recommended Action
3.24            Original US Release                                    Upgrade to 3.26
3.25            Adds port-range forwarding, simplified server setup.   Recommended
3.26            Adds built-in login client for BigPond Cable           Recommended

What firmware version do you recommend?

We ship all our pre-configured RP114 routers with version 3.26 firmware.

If you purchased your router unconfigured, or from a retail store, it may have older firmware installed on it.

Our advice is to upgrade to version 3.26.

If you are using BigPond Cable, you should upgrade to version 3.26 when it becomes available, so that you can use the built-in login client.

Where can I download the firmware from?

Version 3.26 firmware can be downloaded from Netgear's website at www.netgear-support.com/ts/downloads/RP114_3_26.zip

How do I update the firmware?

Download the file to a convenient location, unzip it and you will have the following files:

Filename          Size     Function
114v325.bin       918,916  The firmware image.  Install on the router as the file "ras".
romfile0.114      16,384   The default configuration file.  Install on the router as the file "rom-0".
ReleaseNotes.PDF  23,487   Release notes and installation instructions.

Use ftp to connect to the router. Login using the username "admin" and the password you have set.  Issue the commands:

ftp> bin
ftp> put 114v325.bin ras
ftp> quit

The router will then automatically reboot.

 

If you wish to reset the configuration, you will also need to install the default configuration file.

Use ftp to connect to the router. Login using the username "admin" and the password you have set.  Issue the commands:

ftp> bin
ftp> put romfile0.114 rom-0
ftp> quit

The router will then automatically reboot.

Read the Release Notes and Resource Guide for further information.  Click here for information on keeping a backup copy of your configuration file.

For users running version 3.24 firmware or later, future firmware upgrades can be done using the web console.  Connect to the router, login, and select:

Maintenance -> Upgrade.


Can I install RP114 firmware on the RT311/RT314?

No.  The RP114 firmware will not work on the RT314.  Attempting to install this firmware will cause the router to fail during startup.  Recovery will require re-installation of RT314 firmware and default configuration file using the serial port.

Configuration - Hardware

What kind of cable do I use between the router and the Cable or ADSL modem?

The cable connecting the INTERNET port on the router to the Cable or ADSL modem should be a standard (non-crossover) CAT-5 ethernet cable.  These are normally white or blue in colour.

A white CAT-5 cable is supplied with the router and can be used for this connection.

What kind of cable do I use between my RP114 and a directly attached PC?

Ports on the RP114 auto-sense MDI (standard) and MDI-X (crossover) mode.  This means that either a standard or crossover cable CAT-5 can be used.  A standard cable (usually white or blue) would normally be used.

What's the serial port for?

Unlike the RT311/RT314, the RP114 does not have a serial port.  All configuration is done from a lan-connected PC, using a web browser or telnet.  

If it is necessary to reset the configuration, e.g. because of a lost password, the reset button must be used.

How do I connect a hub or switch to my RP114 so I can have more ports for local devices?

Connect any one of the four 10/100 switch ports on the RP114 to any port on another hub or switch using any Cat-5 cable.

Ports on the RP114 auto-sense MDI (standard) and MDI-X (crossover) mode.

Why is a switch better than a hub?

An ethernet switch is preferable to a simple hub for the following reasons:

  • An ethernet hub repeats all traffic onto all its ports.  A switch only transmits traffic to a particular port if the destination address is associated with that port.  This helps minimise traffic on individual segments which can improve performance on busy networks.
  • A switch is capable of operating in Full-Duplex mode, where the device connected to switch ports can send and receive simultaneously.  With a hub, only one station can receive or transmit at any one time.  Full-duplex mode only applies where a single device is attached to the port, but this can also improve performance for busy stations, eg fast servers.
  • Switches appear to be less prone to auto-sense failures, where one end of the link fails to correctly detect and set either the speed or duplex mode.  If the speed is incorrectly matched, the station is unlikely to work.  If the duplex mode is mis-matched, the station may well work, but performance may be very poor due to a high collision rate.

Configuration Specifics for BigPond Advance Cable

Do you still need to run a login client like Telstra Launchpad?

The RP114 includes a built-in login client for Telstra Bigpond Cable in firmware version 3.26 and higher, which means that Telstra Launchpad and alternative login clients such as BPAlogin and WinCable are no longer required.

What does the login client do?

The cable login client connects to the authentication server and sends the username/password.  If all is OK, the authentication server tells the cable router to enable traffic to/from the IP that was logged on from.

Before authentication, only a small amount of traffic within the BPA network itself is allowed, eg. DNS lookups, the authentication process itself, and ftp traffic to update-server (needed for installing the Telstra client).

The authentication server sends a heartbeat message every 5 minutes, and the login client is expected to respond to it.  If the login client fails to respond to the heartbeat, the authentication server tells the cable router to disable traffic to/from the IP.

In the case of a NAT router like the RP114, there is only one public IP used, and a single instance of the login client is therefore able to authenticate all users behind the router.

What BigPond Cable-specific configuration parameters do I need to enter?

When using firmware version 3.26, there is no longer any requirement to use BPALOGIN or WINCABLE.

In the setup wizard, set the Encapsulation to Ethernet, set the Service Type to BigPond/Telstra, and enter your BigPond username and password.

Ensure that any external login clients such as Telstra LaunchPad, BPALOGIN or WINCABLE are disabled or removed.

[Refer to cableclient.htm and qt002.htm for more detailed information]

Configuration Specifics for BigPond Advance ADSL

Do I still need to use the Enternet (or another) login client?

No separate login (or PPPoE) client is required when you use your RP114 router to manage your ADSL connection.

Until Telstra's Helpdesk becomes a little more knowledgeable about routers, it might be prudent to keep Telstra's Enternet client installed on one PC, in case you have a problem with your connection, and you need to report the fault to the helpdesk.

This would also enable you to carry out some basic troubleshooting and fault isolation.

Be sure that the Enternet client is not running when using your router, otherwise one or other of them might get confused...

What's PPPoE?

PPPoE stands for Point-to-Point Protocol (PPP) Over Ethernet.  PPP is the protocol normally used to manage a connection made over a dial-up line.  PPP includes mechanisms for establishing the connection, authenticating the user, data compression and error correction.

In PPPoE, dial-up-style PPP packets are encapsulated inside Ethernet frames that are sent between the router and the ADSL modem.

The use of PPPoE rather than just raw ethernet (as used by the cable networks) means that the authentication process is standardised, and there is no need for a login client such as LaunchPad or BPALOGIN.

What ADSL-specific configuration parameters do I need to enter?

ADSL setup is normally quite straightforward:

  • Ensure that the Encapsulation Type is set to PPPoE
  • Set the service-name to "any"
  • Enter your PPPoE username exactly as supplied by Telstra, eg fred@bigpond
  • Enter your PPPoE password exactly as supplied by Telstra.

Test the connection using the command dev dial 1 from the command prompt (menu 24, sub-menu 8)

Why does my external IP keep changing?

Because the PPPoE protocol used by the ADSL network is much like that used by a dial-up network, the PPPoE servers have been configured to allocate an IP address randomly at connection time.

Each time a new connection is made, you will most likely get a new IP.

This is different to the cable networks, where the network (mostly) tries to re-allocate you the same IP address each time you connect.  In the cable networks, the IP address is usually matched to the Ethernet (MAC) address of the connected device.

We understand that Telstra plans to offer static IP addresses to ADSL users some time during 2001.

Meantime, you may wish to consider using one of the dynamic IP mapping services that are available, eg www.dyndns.org

Is any MTU configuration required on client PC's?

No, the router is smarter in this respect than software sharing like ICS.

Configuration Specifics for Optus@Home

Do I need to use a login client?

No separate login client is required for the Optus@Home Network.  Authentication is based on the 11-character system name supplied by Optus, eg CO1234567-A.

[Currently (June 2002), setting the system name is not required for Optus cable connections.  It is unclear whether this is a temporary aberration, or whether the requirement has been permanently removed.]

What Optus-specific configuration parameters do I need to enter?

For Optus@Home, you need to set the router's hostname (menu 1) to the Optus supplied system name.

This will be the name that the Optus installer changed your PC to during installation.  It will be something like CO1234567-A.  This name will be sent to the Optus DHCP server, and unless it matches correctly, the DHCP server will not allocate an address.

Application Compatibility

Filemaker Pro

No special configuration is required on the router to support outbound connections to a Filemaker Pro server.

To accept inbound connections to a Filemaker Pro server running behind a Netgear RT311/RT314 router, you will need to create mappings as follows:

Usage Mode               Port Mapping Required
Direct Access (non-web)  5003
Web Access               80 or 591

In all cases, the port mapping is to the internal IP of the Filemaker Pro server.

 

FTP Server

For outbound connections to an FTP server, no special configuration is required on the router.

Depending on the configuration of the ftp server (and/or server end firewall), it may be necessary to use passive mode for file transfer.  Passive mode is selected in the ftp client; the method varies from client to client.

In this example with a unix ftp client, the command is "passive":


$ ftp update-server
Connected to spr3.nsw-remote.bigpond.net.au.
220 spr3.nsw-remote.bigpond.net.au FTP server (Version 1.1.214.6 Wed Feb 9 08:03:34 GMT 2000) ready.
Name (update-server:username: ftp
331 Guest login ok, send your complete e-mail address as password.
230 Guest login ok, access restrictions apply.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> passive
Passive mode on.

ftp> dir
227 Entering Passive Mode (61,9,192,13,206,64)
150 Opening ASCII mode data connection for /usr/bin/ls.
total 2
dr-xr-xr-x 9 root other 1024 Jan 19 08:03 dist
dr-xr-xr-x 2 root other 96 Jan 22 1997 etc
drwxr-xr-x 2 root sys 96 Feb 9 1999 tmp
dr-xr-xr-x 3 root other 96 Jan 22 1997 usr
226 Transfer complete.
ftp>quit
221 Goodbye.
$

To configure an FTP server behind an RT311/RT314 router, create a mapping for port 21 to the (local) IP of the PC running the FTP server.

On the RT311/RT314 it was necessary to modify a packet filter to enable inbound ftp access.  This is not required on the RP114 with version 3.25 (and higher) firmware.

ICQ2000b

No changes should be required on the router.  In the ICQ client:

Preferences > settings > connections >

General Tab
connection type = permanent (LAN, Cable etc)
firewall type = ICQ will determine IP address automatically

Server Tab
select: using firewall
select: not using proxy
tick: keep connection alive
click reset (to change the port no.): next to icq server host name & port number

Firewall & User Tab
No changes required

NetMeeting

For outbound NetMeeting connections, no special configuration should be required.

To accept inbound NetMeeting connections, you will need to create mappings for ports 1503 and 1720 to the (local) IP address of the PC running NetMeeting.

With NAT enabled, NetMeeting users within the same LAN will not be able to connect to the same remote NetMeeting user (as the remote user is not able to distinguish between local users with the same internet IP). But NAT allows one local NetMeeting user to connect to multiple Internet users at the same time.

 

pcAnywhere

For outbound connections using pcAnywhere, no special configuration should be required.

To accept inbound connections to a pcAnywhere "server" behind an RP114 router, you will need to create mappings for ports 5631 and 5632 to the (local) IP address of the PC running the pcAnywhere server.

If you need to have more than one pcAnywhere server behind the RP114 router, then you'll have to use ports other than the default (5631, 5632) for the additional servers, and map them accordingly.

[The discussion above applies to pcAnywhere versions 7.5 and later.  Earlier versions used different port numbers]

Telnet Server

For outbound telnet connections no special configuration on the router is required.

To configure a telnet server behind an RP114 router, create a mapping for port 23 to the (local) IP of the PC running the telnet server.

On the RT311/RT314 it was necessary to modify a packet filter to enable inbound telnet access.  This is not required on the RP114 with version 3.25 (and higher) firmware.

Timbuktu

For outbound connections using Timbuktu Pro, no special configuration should be required.

To accept inbound connections to a Timbuktu Pro "server" behind an RP114 router, you will need to create a port mapping for port 407 to the (local) IP address of the PC running the Timbuktu server.

Note that the discussion above applies to Timbuktu versions 5.2 and later.  Earlier versions used different port numbers.

Refer to this Netopia technote for more information.

VNC

For outbound connections to a VNC server, no special configuration should be required.

By default, a VNC server runs on port 5900.  To accept inbound connections to a VNC server behind an RP114 router, you will need to create a mapping for port 5900 to the (local) IP address of the PC running the VNC server.

If you need to have more than one VNC server behind the RP114 router, then you'll have to use ports other than the default (5900) for the additional servers, and map them accordingly.

For more information, see the VNC FAQ.

Web Server

For outbound connections to a web server, no special configuration is required.

To configure a web server behind an RP114 router, create a mapping for port 80 to the (local) IP of the PC running the web server.

If your website uses SSL, it may also be necessary to create a mapping for port 443 (SSL).  No filter rule changes are necessary for SSL.

On the RT311/RT314 it was necessary to modify a packet filter to enable inbound web access.  This is not required on the RP114 with version 3.25 (and higher) firmware.

Netgear Application Note
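The sections above all come down to one rule: each service needs its external port mapped to exactly one internal host, and a second server of the same kind needs a non-default port.  As an added example (not from the FAQ or from Netgear), the following Python planner encodes the port numbers listed above, rejects a port that two hosts would need, and flags services that send credentials or sessions unencrypted; the service names, the CLEARTEXT classification and the 192.168.0.x addresses are assumptions of the example.

```python
# Default ports this FAQ gives for each kind of server placed behind the
# router.  Under SUA port mapping, one external port can be forwarded to
# only one internal host, so the planner treats a repeated port as a conflict.
DEFAULT_PORTS = {
    "filemaker-direct": (5003,),
    "filemaker-web": (80,),        # the FAQ says 80 or 591; pass ports=(591,) to use 591
    "ftp": (21,),
    "telnet": (23,),
    "netmeeting": (1503, 1720),
    "pcanywhere": (5631, 5632),
    "timbuktu": (407,),
    "vnc": (5900,),
    "web": (80,),
    "web-ssl": (443,),
    "pptp": (1723,),
}

# Services that pass credentials or the whole session unencrypted; a row for
# one of these is worth a warning in the plan (this classification is ours,
# not the FAQ's).
CLEARTEXT = {"telnet", "ftp", "vnc"}


class MappingConflict(ValueError):
    """Raised when two servers would need the same external port."""


def plan_mappings(servers):
    """Build the SUA port-mapping rows for a list of servers.

    servers: list of dicts {"service": name, "ip": internal IP, "ports": optional
    tuple overriding DEFAULT_PORTS}.  Returns (rows, warnings) with rows as
    (port, ip, service) tuples sorted by port.
    """
    owner = {}          # external port -> (ip, service) already using it
    rows, warnings = [], []
    for server in servers:
        service, ip = server["service"], server["ip"]
        ports = server.get("ports") or DEFAULT_PORTS[service]
        for port in ports:
            if port in owner:
                prev_ip, prev_service = owner[port]
                raise MappingConflict(
                    f"port {port} is already mapped to {prev_ip} ({prev_service}); "
                    f"run {service} on {ip} on a non-default port and map that instead")
            owner[port] = (ip, service)
            rows.append((port, ip, service))
        if service in CLEARTEXT:
            warnings.append(f"{service} on {ip} is reachable from the Internet "
                            f"without encryption; restrict it or tunnel it")
    return sorted(rows), warnings


if __name__ == "__main__":
    # Constructed plan: a web server with SSL, plus two VNC servers, the
    # second on a non-default port as the VNC section above advises.
    plan = [
        {"service": "web", "ip": "192.168.0.10"},
        {"service": "web-ssl", "ip": "192.168.0.10"},
        {"service": "vnc", "ip": "192.168.0.11"},
        {"service": "vnc", "ip": "192.168.0.12", "ports": (5901,)},
    ]
    rows, warnings = plan_mappings(plan)
    for port, ip, service in rows:
        print(f"{port:5d} -> {ip:15s} {service}")
    for w in warnings:
        print("warning:", w)
```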

 

VPN Compatibility

PPTP

For outbound PPTP connections, no special configuration should be required.

To accept inbound PPTP connections, ie to allow a system on your local LAN to run as a PPTP server, you will need to create an SUA mapping for port 1723 to the (local) IP address of the server PC.

VPN connections and the BPA heartbeat

I can make a VPN connection, but it stops working after a couple of minutes.  Do I need to add an entry in the SUA list, if so what port number?


No SUA mapping should be required.  The problem is most likely happening because your VPN connection is re-routing its default gateway via the VPN link.  This prevents the BPA heartbeat response from getting back to the BPA authentication server via a legal route.

You have two choices:

(1) Create a specific route for the BPA servers, or at least the authentication server (dce-server).

(2) Un-check the option "use default gateway on remote network" in the VPN client setup.

The second is the easiest to set up, but may not be acceptable to your network security people, as it opens up some possibility of compromising their firewall.

IPsec

[From the Netgear website]

Beginning with version 3.20, IPSec is supported for one PC in header passthrough mode only.

1. Is it correct that IPSec will only work on 1 PC on the LAN?

Yes.  The firmware will only support one client.

We know NAT replaces source ports of outgoing packets with random numbers, thus making itself able to forward the incoming responses to the corresponding client that originated the requests. Since the UDP port in the IPSec packet is used for key management and can not be changed by NAT, only one IPSec client is supported by the NAT Table.


2. What configuration is required?

A 'Default' server set is required for forwarding inbound IPSec ESP tunneling.

It will also be necessary to configure the internal IPSec as a default server (unspecified service port) in menu 15 when it acts as a server gateway.


3. Is there more than one mode of IPSec? Can you explain?

IPSec has two protocols, AH (Authentication Header) and ESP (Encapsulating Security Payload). AH is mainly used to provide integrity, but not confidentiality, i.e., you can see it, but can't touch it. ESP hides the packet contents from prying eyes by encryption, i.e., the payload looks like garbage if you don't have the key.

IPSec provides two modes of operation, transport mode and tunnel mode. Transport mode is mainly for an IP host to protect the data generated locally, while tunnel mode is for a security gateway (SG) to provide IPsec service for other machines lacking IPSec capability. However, the IPSec hosts and the SG do not have to be separate machines.

Both the RT311 & RT314 support IPSec ESP mode, but we do not support IPSec AH mode.  There is a lot of documentation to consult for more information at:

http://www.ietf.org/html.charters/ipsec-charter.html

IPSec AH      RFC 2402
IPSec ESP     RFC 2406

Nortel (Contivity) Extranet VPN Client

No special configuration is required to allow outbound connections with the Nortel (Contivity) Extranet VPN Client.

If your Extranet connection times out after 2 or 3 minutes, add a port mapping for port 500 to the internal IP of the PC running the Extranet client.

This may be required to handle incoming IKE (Key Exchange) messages.  Unlike some other IPSec-based VPNs, Extranet's IKE renegotiations are server-initiated, rather than client-initiated.

Note that timeouts may also occur if you are using a BPA Cable connection, and not handling heartbeat messages correctly.

Router Operations

Can I leave the router running all the time?

Most users do.  The router is very much a set and forget device, and it's generally most convenient to leave it running continuously.  Do be sure to:

  • Provide adequate ventilation to ensure that the router doesn't overheat
  • Ensure that your firewall configuration is secure enough for you to leave your connection running continuously.

Is any routine maintenance required?

No routine maintenance is required.  It would be prudent to:

  • Scan the firewall logs from time to time to ensure that you are aware of any persistent or successful security violations.
  • Run an external port-scan against the router from time to time to see if any vulnerabilities are apparent.
  • Monitor one or two security lists or discussion groups, so that you are aware of any new vulnerabilities that become apparent.

Does the router keep statistics of data volumes transferred?

It does, but unfortunately these are not shown in the standard "System Status" menu.  The counters displayed there are packet counts, not byte counts.

You can access byte count statistics from the command interpreter (menu 24, sub-menu 8), using the command ip ifconfig:

dmz-gw> ip ifconfig
enif0: mtu 1500
inet 192.168.20.1, netmask 0xffffff00, broadcast 192.168.20.255
RIP RX:None, TX:None,
[InOctets 3636041044] [InUnicast 12780530] [InMulticast 1980818]
[InDiscards 178286] [InErrors 0] [InUnknownProtos 178286]
[OutOctets 3783243956] [OutUnicast 13948873] [OutMulticast 11]
[OutDiscards 0] [OutErrors 0]
enif1: mtu 1500
inet 144.132.180.48, netmask 0xffffff00, broadcast 144.132.191.255
RIP RX:None, TX:None,
[InOctets 568797035] [InUnicast 17750796] [InMulticast 122541]
[InDiscards 74888] [InErrors 0] [InUnknownProtos 74888]
[OutOctets 16636629] [OutUnicast 16386403] [OutMulticast 0]
[OutDiscards 0] [OutErrors 0]
dmz-gw>
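The byte counters in this output are easy to turn into usable volume figures.  The following added example (not part of the original FAQ or the router's software) parses the "ip ifconfig" output shown above, reports bytes in plus bytes out per interface, and computes the difference between two readings; it assumes the counters are 32-bit values that wrap at 2**32, which is the usual convention for interface octet counters.

```python
import re

# Copy of the "ip ifconfig" output shown above, embedded so the example runs offline.
SAMPLE = """\
enif0: mtu 1500
inet 192.168.20.1, netmask 0xffffff00, broadcast 192.168.20.255
RIP RX:None, TX:None,
[InOctets 3636041044] [InUnicast 12780530] [InMulticast 1980818]
[InDiscards 178286] [InErrors 0] [InUnknownProtos 178286]
[OutOctets 3783243956] [OutUnicast 13948873] [OutMulticast 11]
[OutDiscards 0] [OutErrors 0]
enif1: mtu 1500
inet 144.132.180.48, netmask 0xffffff00, broadcast 144.132.191.255
RIP RX:None, TX:None,
[InOctets 568797035] [InUnicast 17750796] [InMulticast 122541]
[InDiscards 74888] [InErrors 0] [InUnknownProtos 74888]
[OutOctets 16636629] [OutUnicast 16386403] [OutMulticast 0]
[OutDiscards 0] [OutErrors 0]
"""

IFACE_RE = re.compile(r"^(\w+): mtu \d+")       # "enif0: mtu 1500" starts an interface block
COUNTER_RE = re.compile(r"\[(\w+) (\d+)\]")     # "[InOctets 3636041044]"
COUNTER_BITS = 32   # assumption: counters are 32-bit and wrap at 2**32

def parse_ifconfig(text):
    """Return {interface: {counter_name: value}} from 'ip ifconfig' output."""
    stats, current = {}, None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            stats[current] = {}
        elif current is not None:
            for name, value in COUNTER_RE.findall(line):
                stats[current][name] = int(value)
    return stats

def volume_mb(stats, iface):
    """Bytes in plus bytes out on one interface, in megabytes (10**6 bytes)."""
    c = stats[iface]
    return (c["InOctets"] + c["OutOctets"]) / 1e6

def counter_delta(old, new, bits=COUNTER_BITS):
    """Bytes transferred between two readings; correct across a single counter wrap."""
    return (new - old) % (1 << bits)
```

Take a reading at the start and end of the period you care about and feed the two InOctets (or OutOctets) values to counter_delta; a second reading that is numerically smaller than the first means the counter has wrapped.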

How can I take a backup copy of the router's configuration?

Use ftp to connect to the router. Login using the username "admin" and the password you have set.  Issue the commands:

ftp> bin

ftp> get rom-0

ftp> quit

Save the file "rom-0" in a safe place for re-installation if necessary.

How can I reinstall the backup copy of the router's configuration?

Use ftp to connect to the router. Login using the username "admin" and the password you have set.  Issue the commands:

ftp> bin

ftp> put rom-0

ftp> quit

After you quit, the router should automatically re-boot running the newly installed config.

Security

How much security do I really need?

Only you can decide, and your decision needs to be based on many factors, including:

  • The sensitivity of your data
  • How easy it would be to recover lost data or damaged systems
  • How your network is configured
  • What types of systems are used

If you are unable to carry out this analysis yourself, you should consider engaging an experienced security consultant to advise you.  Fulton Network Technologies can assist with this on a consulting basis.

For large or complex requirements, you should consider using independent organisations (or teams) for design, implementation and audit.

Why is security so important on Cable and ADSL?

The main differences between Cable/ADSL and (say) a dial-up Internet connection are:

  • you're likely to stay connected continuously, or for long periods of time.  This means that you're exposed for longer periods of time.
  • you're likely to have the same IP address for long periods of time.  If a hacker finds your site interesting, he's more likely to be able to find his way back.
  • you're likely to have a high speed connection.  This makes you a more interesting target for (say) use as a relay for spam email or as a way-point for attacking others.

But where do I start?

As an absolute minimum, you should do the following:

  • Ensure that your router or software firewall is blocking incoming and outgoing NetBIOS traffic.  (This is the default for the RP114)
  • Ensure that your SUA/NAT mappings are limited to the minimum set that you actually use.
  • Don't use the "default" or "dmz" mapping unless it is absolutely essential.  If you need to use a default mapping, consider the merits of using a supplementary software firewall on the dmz host.

We recommend that you also undertake a port-scan of your network from an external site.  There are a number of free sites that will do this for you.  Choose one carefully, and follow-up on their recommendations.

What do the standard firewall rules do?

The factory default firewall rules consist of the following three rulesets:

  • NETBIOS_WAN, which blocks incoming TCP and UDP packets to ports 137, 138 and 139.  This stops outsiders making NetBIOS connections/requests to stations on your local lan.
  • NETBIOS_LAN, which blocks outgoing requests to a NetBIOS nameserver

Any other incoming traffic is handled as follows:

  • If it is return traffic from an outbound NAT'd connection, it is sent to the appropriate local station.
  • If it matches a specific SUA mapping, it is sent to the mapped station.
  • If a "default" SUA mapping exists, it is sent to the mapped station.
  • Otherwise, it is sent to the router itself.

As the router itself only listens on a small set of management ports, most unmapped incoming packets will therefore be silently discarded.

How can I log attempted break-ins?

Logging is an option on each firewall rule.  Log messages are sent to a syslog server, which you can run on any convenient Unix, Windows or MacOS device on your network.

See the syslog section for further information.

How can I ensure that incoming packets from spoofed source addresses are dropped by the router?

Most incoming packets from spoofed (forged) source IP addresses will necessarily supply "source routing" information, in order to describe the return path for IP packets sent back to the attacker.

A common attack is for the source address to be forged, so that packets appear to have come from your own internal LAN.  Because the source appears to be from your own network, the firewall may let the packets through.

The following sample filter could be used to block source-routed packets:

Menu 21.3.5 - TCP/IP Filter Rule

Filter #: 3,5
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 0     IP Source Route= Yes
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #=
             Port # Comp= None
     Source: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #=
             Port # Comp= None
TCP Estab= N/A
More= No            Log= Action Matched
Action Matched= Drop
Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:
Press Space Bar to Toggle.

Note: The reader will need to determine an appropriate position for this rule in his firewall rule hierarchy, and ensure that the "Action Not Matched" value is appropriate.

Should I block ICMP traffic?

Generally speaking, blocking all ICMP traffic is overkill for many users.  Most ICMP messages perform useful functions while adding only a small or negligible security risk.

For example, blocking incoming destination unreachable messages may introduce delays waiting for timeouts (instead of an immediate error return) when connecting to hosts or networks that have failed.

As another example, pings (echo request, echo reply) are a useful diagnostic tool in many situations.  Blocking them may make problems harder to diagnose, but allowing them may make it easier for someone to detect the existence of a host, which might then become a target for hackers.

Route redirects in particular are a security risk as they are frequently used in support of address spoofing attacks.

Many firewalls, including the RT311/RT314 family, provide a simple mechanism to block all ICMP traffic, but don't easily allow blocking of selected ICMP messages by type.

How can I block ICMP traffic?

Here is a sample firewall rule that will block all ICMP traffic:

Menu 21.3.3 - TCP/IP Filter Rule

Filter #: 3,3
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 1     IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 0
             Port # Comp= None
     Source: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 0
             Port # Comp= None
TCP Estab= N/A
More= No            Log= None
Action Matched= Drop
Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Notes:  

This rule relies on the fact that ICMP traffic has an IP protocol ID of 1.

The reader will need to determine an appropriate position for this rule in his firewall rule hierarchy, and ensure that the "Action Not Matched" value is appropriate.
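To make the ordering caveat concrete (it applies equally to the source-route rule earlier), here is a simplified model of how an ordered set of these filter rules is walked.  This is an added example, not Netgear's implementation: the semantics it assumes (protocol or port 0 means "any", Drop and Forward end evaluation, Check Next Rule continues, and traffic no rule decides on is forwarded) are inferred from the menus shown above.

```python
from dataclasses import dataclass

DROP, FORWARD, NEXT = "Drop", "Forward", "Check Next Rule"

@dataclass
class Rule:
    """Subset of the menu 21.3.x fields; 0 for protocol/port means 'any' (assumed)."""
    protocol: int = 0
    source_route: bool = False      # True: rule matches only source-routed packets
    dport: int = 0
    dport_comp: str = "None"        # "None" (ignore the port) or "Equal"
    action_matched: str = DROP
    action_not_matched: str = NEXT
    active: bool = True

@dataclass
class Packet:
    protocol: int                   # 1 = ICMP, 6 = TCP, 17 = UDP
    dport: int = 0
    source_routed: bool = False

def rule_matches(rule, pkt):
    if rule.protocol and pkt.protocol != rule.protocol:
        return False
    if rule.source_route and not pkt.source_routed:
        return False
    if rule.dport_comp == "Equal" and pkt.dport != rule.dport:
        return False
    return True

def evaluate(rules, pkt, default=FORWARD):
    """Walk the rules in order: Drop/Forward ends evaluation, Check Next Rule continues."""
    for rule in rules:
        if not rule.active:
            continue
        action = rule.action_matched if rule_matches(rule, pkt) else rule.action_not_matched
        if action != NEXT:
            return action
    return default   # assumption: packets no rule decides on are forwarded

# Constructed ruleset: the source-route and ICMP rules above plus a NetBIOS-style TCP/139 block.
GOOD_RULES = [Rule(source_route=True), Rule(protocol=1),
              Rule(protocol=6, dport=139, dport_comp="Equal")]
# Same idea with the ICMP rule's "Action Not Matched" set to Forward: every non-ICMP
# packet is forwarded before the NetBIOS rule is consulted, so TCP/139 gets through.
BAD_RULES = [Rule(protocol=1, action_not_matched=FORWARD)] + GOOD_RULES[2:]
```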

Syslog

Syslog Overview

Syslog is an industry standard protocol for logging errors and other events in a systematic manner.  

Syslog servers can record events from the local system as well as other systems and devices.  Syslog is widely used in the Unix world, where the syslog server is normally part of the base operating system.  Syslog servers (and clients) are also available for other operating systems including Windows and MacOS.

The RP114 routers can log certain events, including firewall events, to a syslog server.

Syslog Servers

For FreeBSD, Linux, and most other Unix variants, a syslog server is part of the base operating system.

For Windows:

Kiwi Enterprises Syslog

SL4NT

Tri Action Syslog

[All are shareware, Kiwi offers a freeware version which is adequate for many users]

For MacOS:

Mac Net Logger

Syslog Setup

  • Make sure that the syslog server is running and ready to accept logging messages.  In many Unix implementations, you will need to add a switch to the startup command line to allow messages to be accepted from systems/devices other than the server on which syslog is running.  In FreeBSD, this is done using the "-a allowed-peer" switch to syslogd.
  • Telnet to the router, and using menu 24.3.2, enable syslog logging:

Menu 24.3.2 - System Maintenance - UNIX Syslog

Syslog:
Active= Yes
Syslog IP Address= 192.168.1.2
Log Facility= Local 5

Types:
CDR= No
Packet triggered= No
Filter log= Yes
PPP log= No

The key items are: Active must be set to Yes, the IP address where the syslog server is running must be entered, and the type of activity to be logged must be selected.  This is normally Filter log, for firewall events.

Log facility can be used to select between different logfiles, where the logger supports this.

  • The individual firewall rules to be logged must be selected. Telnet to the router, and go to menu 21.  Select a rule set, then a firewall rule, e.g. rule 21.3.3, which in the default setup blocks external access to the web management console.

Menu 21.3.3 - TCP/IP Filter Rule

Filter #: 3,3
Filter Type= TCP/IP Filter Rule
Active= Yes
IP Protocol= 6     IP Source Route= No
Destination: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #= 80
             Port # Comp= Equal
     Source: IP Addr= 0.0.0.0
             IP Mask= 0.0.0.0
             Port #=
             Port # Comp= None
TCP Estab= No
More= No            Log= Action Matched
Action Matched= Drop
Action Not Matched= Check Next Rule

Press ENTER to Confirm or ESC to Cancel:

Use <TAB> to move through the menu to the Log field and <SPACE> to toggle the contents of this field.  In the example, this has been set to Action Matched, which means that any attempt to connect to this port will be logged.

Understanding Syslog Entries

Syslog entries are kept reasonably succinct, to avoid filling the log with unnecessary information.  A typical entry might be:

Feb 28 00:06:04 rt311 rt311: IP[Src=11.22.33.44 Dst=192.168.1.2 TCP spo=04479 dpo=00080]}S03>R03mD

This decodes as follows:

  • Local date and time
  • Hostname of router
  • Protocol IP
  • Source IP address 11.22.33.44
  • Destination IP address (after SUA mapping) 192.168.1.2
  • Protocol TCP
  • Source Port 4479
  • Destination Port 80
  • S03 = Ruleset 3
  • R03 = Rule 3 within that ruleset
  • m = matched (would be n for not matched)
  • D = Drop (otherwise F = Forward, or N for Check next Rule)
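Decoding these entries by hand gets tedious once you scan the logs regularly, as recommended earlier.  The following added example (not part of the original FAQ or the router's software) parses entries in the format above into their fields and counts dropped packets per source address; the log lines it embeds are constructed samples in that format, with made-up addresses.

```python
import re
from collections import Counter

# Constructed sample entries in the format shown above (addresses and ports are invented).
SAMPLE_LOG = """\
Feb 28 00:06:04 rt311 rt311: IP[Src=11.22.33.44 Dst=192.168.1.2 TCP spo=04479 dpo=00080]}S03>R03mD
Feb 28 00:06:09 rt311 rt311: IP[Src=11.22.33.44 Dst=192.168.1.2 TCP spo=04480 dpo=00080]}S03>R03mD
Feb 28 00:07:31 rt311 rt311: IP[Src=55.66.77.88 Dst=192.168.1.2 UDP spo=00137 dpo=00137]}S01>R01mD
Feb 28 00:08:02 rt311 rt311: IP[Src=99.88.77.66 Dst=192.168.1.2 TCP spo=01025 dpo=00025]}S03>R02nN
"""

ENTRY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+: "
    r"IP\[Src=(?P<src>[\d.]+) Dst=(?P<dst>[\d.]+) (?P<proto>\w+) "
    r"spo=(?P<spo>\d+) dpo=(?P<dpo>\d+)\]\}"
    r"S(?P<set>\d+)>R(?P<rule>\d+)(?P<match>[mn])(?P<action>[DFN])$"
)
ACTIONS = {"D": "Drop", "F": "Forward", "N": "Check next rule"}

def parse_entry(line):
    """Decode one syslog entry into a dict; return None for a line in another format."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "timestamp": d["ts"], "host": d["host"],
        "src": d["src"], "dst": d["dst"], "proto": d["proto"],
        "sport": int(d["spo"]), "dport": int(d["dpo"]),    # int() strips the leading zeros
        "ruleset": int(d["set"]), "rule": int(d["rule"]),
        "matched": d["match"] == "m", "action": ACTIONS[d["action"]],
    }

def drops_by_source(log_text):
    """Count dropped packets per source address: the quick view a periodic log scan needs."""
    counts = Counter()
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry["action"] == "Drop":
            counts[entry["src"]] += 1
    return counts
```

A source that keeps reappearing in the Drop counts across days is the "persistent" activity the maintenance section suggests watching for.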

Troubleshooting

My BPA Cable keeps dropping out every few minutes

This is most likely because the heartbeat messages are not being forwarded correctly to the PC running the login client.

  • If you are using the Telstra LaunchPad login client (not recommended), check that you have created an SUA mapping for default to the IP address of the PC running LaunchPad.
  • If you are running Shane Hyde's bpalogin client, check that you are running version 1.7 or higher.  Check that you have correctly specified the local port to bind to.  If in doubt, use port 5050.  Check that you have created an SUA mapping for the local port to the IP address of the PC running the login client.
  • If you are running Scott Campbell's wincable client, check that you are running version 2.5 or higher.  Check that you have correctly specified the local port to bind to.  If in doubt, use port 5050.  Check that you have created an SUA mapping for the local port to the IP address of the PC running the login client.
  • If you are running the login client on a PC with a DHCP-assigned address (not recommended), check that the IP address has not changed and that it still matches the SUA mapping that you created.
  • If you have modified the firewall rules, check that you aren't blocking UDP traffic to/from the login client PC.  (Consider both the IP address and port number).  The Factory Default firewall rules *do* allow the heartbeat, and don't need to be modified to allow the heartbeat (or responses) through.

I've forgotten my password

If the router password has been lost, and it is necessary to gain access to the router to change the configuration or update the firmware, then it will be necessary to re-initialise the router configuration file using the router's reset switch.

Web Console not displaying correctly after firmware upgrade

After upgrading the router firmware, several users have reported that some pages of the web console don't display correctly.  Usually this shows up as missing images or a missing left-hand menu bar.

This occurs because your web browser is using cached pages from the previous version of the firmware.  To fix this, clear the browser cache:

In IE4/IE5:

Tools -> Internet Options -> General -> Delete Files


RP114 Web Safe Router FAQ Version 1.1, 14-AUG-2001

Copyright © 2000,2001,2002 Fulton Network Technologies Pty Ltd.  All rights reserved.

Not to be reproduced or distributed in any form without prior permission.


All information contained herein is provided to the reader on the understanding that the reader is responsible for ensuring the correctness and suitability of the information for his particular needs.

VERSION HISTORY

1.2   12-JUN-2002   Many corrections and updates

1.1   14-AUG-2001  Added info about 3.26 firmware and built-in cable client.

1.0   02-JUN-2001   Initial Release