Updated 04/29/2003

I am aware the table of contents does not match the actual document, and that internal links are broken.

Table of Contents
  1. Abstract
  2. General Configuration
    1. Connecting via the Console Port
    2. Configuring the Console Port
    3. Setting the Date and Time
    4. Checking Router CPU Usage
    5. Configuring Syslog
  3. Port Filtering
    1. Introduction
    2. Device Filters
    3. Protocol Filters
    4. Setting the Firewall to Default to Deny packets
      1. Introduction
      2. Step by Step
    5. Allowing Inbound Packets to Servers (when Denying by Default)
      1. Http
      2. NetBIOS SMB
    6. Allowing Inbound Packets to Servers (when Accepting by Default)
      1. Http
      2. NetBIOS SMB
  4. Port Forwarding
    1. Description
    2. Enabling/Disabling
    3. Configuring through Web
    4. Configuring through CLI
  5. VPN Setup
    1. Description
    2. PPP PPTP L2TP GRE

  1. Abstract
  2. Nothing
  3. General Configuration
    1. Accessing the router over the Console Port
    2. To access the RT311/314 via the serial port you will need a null modem cable. This is a serial cable in which the TX and RX lines cross over between one end and the other; it is sometimes referred to as a crossover cable. Once you have the serial cable connected to a serial port on the PC and on the router, open your favorite terminal emulator. If you are old school you can of course connect your DEC VT100 terminal. You will need to set some basic serial communication parameters regardless of how you choose to connect to the RT311/314. The serial speed is 9600 baud by default, with 8 data bits, no parity, and one stop bit. I have not found that any type of flow control is used, so that setting has no effect. Note: it is possible that the serial speed is 38,400 baud. This can occur if the user has at some point typed the 'sys baud' command in the command line. All of the possible speeds for the serial line are: 9600, 19200, 38400, 57600, and 115200.

    3. Configuring the Console speed
    4. From the CLI enter Menu 24 - System Maintenance. Go to Menu 24.2 - System Information and Console Port Speed. Select item Menu 24.2.2 - System Maintenance - Change Console Port Speed and use the space bar to toggle through the available console port speeds. Hit enter to save the change or hit ESC to quit. If connected through the console port, you will immediately have to change your terminal's serial port speed after making this change.

    5. Setting the Date and Time
    6. To set the date and time, go to the command line from Menu 24 item 8. Type "sys date 2003 03 18" without the quotation marks to set the date to March 18, 2003. Type "sys time 17 12 18" without the quotation marks to set the time to 18 seconds past 5:12 PM. When done, exit the command line by typing exit.

    7. Checking Router CPU Usage
    8. From the command line type 'sys cpu disp'. The output is the CPU usage over the past 62 seconds. The sec column displays the time period during which the CPU was polled, and the util column displays the CPU utilization level for that time period. Example output

    9. Configuring Syslog
    10. FIXME Menu 24.2.2 - System Maintenance - Change Console Port Speed

  4. Port Filtering
    1. Introduction
    2. The Netgear RT311/314 series routers allow users to implement a firewall through a two-step process. First the user defines the specific filters for the firewall, then those filters are applied to either the incoming or outgoing traffic of either the WAN or LAN ports of the router. The routers allow the user to create up to 6 rules per filter, and up to 4 filters may be chained together per direction of each port. Two different types of filters, DEVICE and PROTOCOL, exist.

    3. Device Filters
    4. DEVICE filters are seldom used and are agnostic of the protocol type of the packet. They look at a certain byte offset into the data packet and check whether a certain pattern of bytes matches an existing known pattern. This type of packet filtering is useful in stopping worms and the like from propagating in traffic which you would otherwise have allowed. This document will not cover filtering packets with this method.

    5. Protocol Filters
    6. PROTOCOL filters are specific to the type of packet passing through the firewall and filter only those packets of that protocol type. The four most commonly filtered protocols are TCP (6), UDP (17), IGMP (2), and ICMP (1). Note that if a protocol type of 0 is specified, the filter applies to all packets.

    7. Setting the Firewall to Deny Packets by Default
      1. Introduction
      2. From the factory, a default set of two protocol filters is applied to incoming packets on the WAN interface. These filters are designed to protect the average home user. One filter prevents NetBIOS (SMB) packets from entering the LAN. The other prevents management from occurring from outside the LAN by blocking Telnet, FTP, and HTTP access to the router. Beyond this, any packets are allowed into the LAN provided that they are forwarded by a SUA rule. From a security standpoint, one of the first changes which should be made to the firewall is to change it from an accept-by-default firewall to a deny-by-default firewall. There is no quick option to make this happen; rather, this change requires that the user modify the way they think about the firewall. Rather than writing rules to deny packets, they write rules to allow packets, with a final rule which denies everything else. Now, no packets from the outside will be allowed in unless explicitly accepted by a firewall rule. The most basic firewall of this type which will still be functional would be created as follows. It denies all inbound conversations except DHCP, which is required for the router to obtain an IP address from the ISP.

      3. Step by Step:
        1. Delete the two default rulesets by going to Menu 21. Select ruleset 1 and hit enter. Hit the spacebar to clear the ruleset name and hit enter. Hit enter again to delete the ruleset. Repeat this procedure for ruleset number 2. If there are any other rulesets they should be cleared also, as they explicitly deny packets, which will no longer be necessary.
        2. Create a ruleset (I recommend number 12) called DENY. This ruleset will deny all inbound UDP below port 1024, all ICMP, and all IGMP. It will also deny all inbound TCP SYN requests, but will allow established TCP packets. The ruleset should appear as follows:

          Note that rule number 1 should have the TCP Estab option set to YES, all others should be set no.

          1 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0                                     N D N
          2 Y IP   Pr=6, SA=0.0.0.0, DA=0.0.0.0                                     N F N
          3 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0                                   N D N
          4 Y IP   Pr=2, SA=0.0.0.0, DA=0.0.0.0                                     N D N
          5 Y IP   Pr=1, SA=0.0.0.0, DA=0.0.0.0                                     N D F
          6 N

        3. Create a new ruleset (I recommend number 1, named DHCP) which will allow UDP packets to the router on port 68 for DHCP. You can add other rules as necessary to this ruleset to permit other services inbound. The ruleset should appear as follows:

          1 Y IP   Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=68                             N F N
          2 N
          3 N
          4 N
          5 N
          6 N

        4. Apply the 2 rulesets you just created to the incoming traffic on the WAN port. This is done through Menu 11. Toggle the cursor to the Edit Filter Sets option and hit the space bar to change it to Yes. Hit enter to enter the Remote Node Filter setup page. Add the two rulesets you just created to the input protocol filters. It should appear as follows.

           Menu 11.5 - Remote Node Filter

                Input Filter Sets:
                  protocol filters= 1, 12

          Hit enter to save and exit the Edit Filter Sets screen. Then hit enter to save and exit from the Remote Node Profile screen.

    8. Allowing Inbound Packets to Servers (when Denying Packets by default)
      1. HTTP
      2. To allow outside users to access a web server on your LAN when the firewall is set up as a Default to Deny firewall as described above, you must open port 80 in the firewall. You must also not have the Remote Management Web Interface running on WAN port 80 if you wish to forward that port.
        Step by Step:
        1. Under Menu 21, either add to an existing ruleset or create a new one. Note that if creating a new ruleset it must also be added to the Remote Node Filter sets as described above. If adding to an existing active ruleset, it will take effect immediately.
        2. Once in the ruleset, select an unused rule number and hit enter. Set the Protocol to 6 and the Destination port to 80. Set Port # Comp to Equal and Action Matched to Forward. Example here. Hit enter to confirm the changes. It should appear under the Filter Rules Summary as below, although it may contain more rules or be numbered differently. It is important that any rules prior to it are set to check the Next rule.
          1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80                                    N F N

      3. NetBIOS SMB
      4. To allow NetBIOS (SMB) packets in when the firewall is configured as a Default to Deny firewall as described above, you must open udp ports 137 and 139, and tcp port 138. For a description of how to selectively allow NetBIOS in when the firewall is in a default configuration go here.
        Step by Step
        1. Under Menu 21, create a new ruleset for NetBIOS.
        2. Once in the ruleset, select rule number 1 and hit enter. Set the Protocol to 6 and the Destination port to 137. Set Port # Comp to Equal and Action Matched to Forward. Hit enter to confirm the changes. Repeat for rules 2 and 3 with ports 138 and 139. Then repeat the process with the protocol set to 17. If you wish to only accept packets from a single outside PC, set that PC's IP address in the SA field. When you are done it should look like below:
          1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=137                                    N F N
          2 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=138                                    N F N
          3 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139                                    N F N
          4 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137                                   N F N
          5 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=138                                   N F N
          6 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=139                                   N F N
        3. Once you've finished creating the ruleset, you must apply it to incoming packets on the WAN port. This is done through Menu 11.
        4. Be sure that any other preceding rulesets listed in the Remote Node Filter setup have the last rule to check the Next Rule. If you have been following this document from the start all rulesets are set to check the next ruleset except ruleset #12, which should be listed last.

    9. Allowing Inbound Packets to Servers (when Accepting Packets by default)
      1. From the factory, the Netgear RT311/314 routers have the firewall configured in such a way that almost all packets are allowed to pass through it. This is known as a "Default to Accept" type of firewall. This makes administration easier at the cost of security. The typical user will never have to add any rules to the firewall, as packets are allowed to pass through it by default. However, Netgear did implement two rulesets which drop packets to protect the user. The router will not allow any NetBIOS, Web, Telnet, or FTP access to it or to any servers within the LAN. The following examples explain how to selectively bypass these firewall rules to allow a select few people access to these services on the LAN while maintaining some level of security. If you wish to allow everyone access to these services, simply disable the existing default rules.

      2. HTTP
      3. To allow outside users to access a web server on your LAN when the firewall is set up as a Default to Accept firewall, you must open port 80 in the firewall before it is denied by the default ruleset. You must also ensure that the Remote Management Web Interface is not running on the WAN port if you wish to port forward port 80 to the inside.
        Step by Step:
        1. Under Menu 21, either add to an existing ruleset or create a new one. Note that if creating a new ruleset it must also be added to the Remote Node Filter sets as described above. If adding to an existing active ruleset, it will take effect immediately.
        2. Once in the ruleset, select an unused rule number and hit enter. Set the Protocol to 6 and the Destination port to 80. Set Port # Comp to Equal and Action Matched to Forward. Example here. Hit enter to confirm the changes. It should appear under the Filter Rules Summary as below, although it may contain more rules or be numbered differently. It is important that any rules prior to it are set to check the Next rule.
          1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=80                                    N F N

      4. NetBIOS SMB
      5. To allow NetBIOS (SMB) packets in from a single remote host when the firewall is configured as a Default to Accept firewall, you must create a ruleset which allows traffic on udp and tcp ports 137, 138, and 139 before that traffic is denied by the default ruleset.
        Step by Step
        1. Under Menu 21, create a new ruleset for NetBIOS.
        2. Once in the ruleset, select rule number 1 and hit enter. Set the Protocol to 6 and the Destination port to 137. Set Port # Comp to Equal and Action Matched to Forward. Hit enter to confirm the changes. Repeat for rules 2 and 3 with ports 138 and 139. Then repeat the process with the protocol set to 17. If you wish to only accept packets from a single outside PC, set that PC's IP address in the SA field. When you are done it should look like below:
          1 Y IP Pr=6, SA=65.155.248.13, DA=0.0.0.0, DP=137                                    N F N
          2 Y IP Pr=6, SA=65.155.248.13, DA=0.0.0.0, DP=138                                    N F N
          3 Y IP Pr=6, SA=65.155.248.13, DA=0.0.0.0, DP=139                                    N F N
          4 Y IP Pr=17, SA=65.155.248.13, DA=0.0.0.0, DP=137                                   N F N
          5 Y IP Pr=17, SA=65.155.248.13, DA=0.0.0.0, DP=138                                   N F N
          6 Y IP Pr=17, SA=65.155.248.13, DA=0.0.0.0, DP=139                                   N F N
        3. Once you've finished creating the ruleset, you must apply it to incoming packets on the WAN port. This is done through Menu 11.
        4. Be sure that the ruleset you just created precedes the default NetBIOS number 1 ruleset which denies packets.
        5. Be sure that any other preceding rulesets listed in the Remote Node Filter setup have the last rule to check the Next Rule.
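To make the ordering rules in steps 4 and 5 concrete, here is an added Python model (not part of the original page and not Netgear's firmware) that parses Filter Rules Summary lines in the format shown above and walks them the way the text describes: rule by rule, then ruleset by ruleset in Menu 11.5 order, with a default of forward. The factory NetBIOS deny ruleset is a constructed two-rule stand-in, since the page does not list it.

```python
import re

# Parses lines in the format of the router's Menu 21 "Filter Rules Summary"
# quoted on this page.  The trailing columns are More, Action Matched and
# Action Not Matched: F = forward, D = drop, N = check the next rule.
RULE_RE = re.compile(
    r"^\s*\d+\s+(Y|N)(?:\s+IP\s+Pr=(\d+),\s*SA=([\d.]+),\s*DA=([\d.]+)"
    r"(?:,\s*DP=(\d+))?\s+[YN]\s+([FDN])\s+([FDN]))?\s*$")

def parse_ruleset(summary):
    # Returns (proto, SA, DA, DP, matched, not_matched) tuples; protocol 0 and
    # address 0.0.0.0 mean "any", DP None means "any port"; "6 N" is skipped.
    rules = []
    for line in summary.strip().splitlines():
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unrecognised summary line: " + line)
        if m.group(1) == "Y":
            dport = int(m.group(5)) if m.group(5) else None
            rules.append((int(m.group(2)), m.group(3), m.group(4), dport,
                          m.group(6), m.group(7)))
    return rules

def matches(rule, proto, sa, da, dport):
    rp, rsa, rda, rdp, _, _ = rule
    return (rp in (0, proto) and rsa in ("0.0.0.0", sa)
            and rda in ("0.0.0.0", da) and rdp in (None, dport))

def filter_packet(rulesets, proto, sa, da, dport, default="F"):
    # Walk the rulesets in the order Menu 11.5 lists them.  "N" falls through
    # to the next rule, and off the end of a set into the next set; a packet
    # that no rule decides gets the firewall's default action (accept here).
    for rules in rulesets:
        for rule in rules:
            action = rule[4] if matches(rule, proto, sa, da, dport) else rule[5]
            if action != "N":
                return action
    return default

# The page's NetBIOS allow ruleset for a single remote host, as listed above.
NETBIOS_ALLOW = parse_ruleset("""
1 Y IP Pr=6, SA=65.155.248.13, DA=0.0.0.0, DP=137    N F N
2 Y IP Pr=6, SA=65.155.248.13, DA=0.0.0.0, DP=138    N F N
3 Y IP Pr=6, SA=65.155.248.13, DA=0.0.0.0, DP=139    N F N
4 Y IP Pr=17, SA=65.155.248.13, DA=0.0.0.0, DP=137   N F N
5 Y IP Pr=17, SA=65.155.248.13, DA=0.0.0.0, DP=138   N F N
6 Y IP Pr=17, SA=65.155.248.13, DA=0.0.0.0, DP=139   N F N
""")
# Constructed stand-in for the factory NetBIOS deny ruleset (not on the page).
NETBIOS_DENY = parse_ruleset("""
1 Y IP Pr=6, SA=0.0.0.0, DA=0.0.0.0, DP=139   N D N
2 Y IP Pr=17, SA=0.0.0.0, DA=0.0.0.0, DP=137  N D N
""")
```

Running `filter_packet([NETBIOS_ALLOW, NETBIOS_DENY], 6, "65.155.248.13", "192.168.0.10", 139)` yields F, while swapping the two sets yields D for the same packet, which is the ordering point of step 4.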

  5. SUA and Port Forwarding
    1. Description

    2. SUA is Netgear's acronym for Single User Account. SUA is Netgear's implementation of Network Address Translation. RFC # FIXME . While SUA allows multiple PCs to access the WAN from a single IP address, it creates new challenges for users attempting to access servers inside the LAN. Port forwarding provides a means to use internal servers and make them appear as the single host with the IP address of the router. Common uses for port forwarding are web servers, game servers, and SSH. The Netgear RT311/314 series routers allow single-port and port-range forwarding. They also provide a facility to forward all unforwarded packets to a chosen host. Port forwarding can be configured through both the web interface and the command line.
    3. Enabling/Disabling SUA Port Forwarding

    4. Configuring Port Forwarding through the Web

      1. Enter the IP address of the router into a web browser and authenticate to the router with the username admin.
      2. On the router's configuration web page click on the Advanced link on the left, and then on the Ports link.
      3. You will be presented with a web page with 12 port forwarding rules. The 1st rule allows all otherwise unforwarded packets to be directed to a specific IP address. The 12th is reserved for RoadRunner and cannot be modified.
      4. The other 10 rules, numbers 2 through 11, are completely user configurable. To forward a single port, set that port as both the start and end port of the rule. To forward a port range, set the first and last ports of the range. The port forwarding is inclusive of the first and last ports.
      5. Enter the internal IP address that you want each port forwarded to.
      6. When done, click on the Apply button.
      7. Be sure that any ports you are forwarding are also allowed through the packet filter.
    5. Configuring Port Forwarding through the CLI