
Netgear WGT624V3


About Netgear WGT624V3
Here you can find information about the Netgear WGT624V3, such as setup and other details. For example: software, login, reset, access point, ps3, port forwarding, default password, driver.

Netgear WGT624V3 manual (user guide) is ready to download for free.

Documents

viii 202-10090-01, April 2005
Overview of WEP Parameters
Key Size
WEP Configuration Options
Wireless Channels
WPA and WPA2 Wireless Security
How Does WPA Compare to WEP?
How Does WPA Compare to WPA2 (IEEE 802.11i)?
What are the Key Features of WPA and WPA2 Security?
WPA/WPA2 Authentication: Enterprise-level User Authentication via 802.1x/EAP and RADIUS
WPA/WPA2 Data Encryption Key Management
Is WPA/WPA2 Perfect?
Product Support for WPA/WPA2
Supporting a Mixture of WPA, WPA2, and WEP Wireless Clients is Discouraged
Changes to Wireless Access Points
Changes to Wireless Network Adapters
Changes to Wireless Client Programs
Glossary
Chapter 1 About This Manual
This chapter describes the intended audience, scope, conventions, and formats of this manual.
Audience, Scope, Conventions, and Formats
This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, basic computer network, Internet, firewall, and VPN technologies tutorial information is provided in the Appendices and on the Netgear website. This guide uses the following typographical conventions:

Table 1-1. Typographical Conventions

italics   Emphasis, books, CDs, URL names
bold      User input
fixed     Screen text, file and server names, extensions, commands, IP addresses

This guide uses the following formats to highlight special messages:

Note: This format is used to highlight information of importance or special interest.

This manual is written for the WGT624 v3 wireless router according to these specifications:

Table 1-2. Manual Scope

Product Version           WGT624 v3 108 Mbps Wireless Firewall Router
Manual Publication Date   April 2005
Note: Product updates are available on the NETGEAR, Inc. Web site at http://kbserver.netgear.com/products/WGT624 v3.asp.

How to Use This Manual

The HTML version of this manual includes the following:
- Buttons for browsing forwards or backwards through the manual one page at a time.
- A button that displays the table of contents and an index button. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual.
- A button to access the full NETGEAR, Inc. online knowledge base for the product model.


Introduction

Flash memory for firmware upgrade.
802.11g Wireless Networking
The WGT624 v3 wireless router includes an 802.11g wireless access point, providing continuous, high-speed 54 Mbps access between your wireless and Ethernet devices. The access point provides:
- 802.11g wireless networking at up to 108 Mbps.
- 802.11g wireless networking, with the ability to operate in 802.11g-only, 802.11b-only, or 802.11g and b modes, providing backwards compatibility with 802.11b devices or dedicating the wireless network to the higher bandwidth 802.11g devices.
- 64-bit and 128-bit WEP encryption security. WEP keys can be generated manually or by passphrase.
- WPA-PSK support. Support for Wi-Fi Protected Access (WPA) data encryption which provides strong data encryption and authentication based on a pre-shared key.
- Wireless access can be restricted by MAC address.
- Wireless network name broadcast can be turned off so that only devices that have the network name (SSID) can connect.
A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the WGT624 v3 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
- Denial of Service (DoS) protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
- Blocks unwanted traffic from the Internet to your LAN.
- Blocks access from your LAN to Internet locations or services that you specify as off-limits.
- Logs security incidents. The WGT624 v3 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the router to email the log to you at specified intervals. You can also configure the router to send immediate alert messages to your email address or email pager whenever a significant event occurs.
The WGT624 v3 prevents objectionable content from reaching your PCs. The router allows you to control access to Internet content by screening for keywords within web addresses. You can configure the router to log and report attempts to access objectionable Internet sites.

- Click the button of an unused port in the table.
- Select the game again from the Service Name list.
- Change the beginning port number in the Start Port box. For these games, use the supplied number in the default listing and add +1 for each additional computer. For example, if you've already configured one computer to play Hexen II (using port 26900), the second computer's port number would be 26901, and the third computer would be 26902.
- Type the same port number in the End Port box that you typed in the Start Port box.
- Type the IP address of the additional computer in the Server IP Address box.
- Click Apply.

Some online games and videoconferencing applications are incompatible with NAT. The WGT624 v3 wireless router is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC's IP address is entered as the default in the PORTS Menu. If one local PC acts as a game or videoconferencing host, enter its IP address as the default.

Using Port Triggering

Port Triggering is an advanced feature that dynamically opens inbound ports on the basis of outbound traffic on different ports. It can be used for gaming and other Internet applications.

Port Forwarding can typically be used to enable similar functionality, but it is static and has some limitations. Ports will be open to traffic from the Internet until the port forwarding rule is removed. Additionally, port forwarding does not work well for some applications when your WAN IP address is assigned by DHCP and changes frequently. Port Triggering opens an incoming port temporarily and does not require the server on the Internet to track your IP address if it is changed.

Port Triggering monitors outbound traffic. When the gateway detects traffic on the specified outbound port, it remembers the IP address of the computer that sent the data and triggers the incoming port. Incoming traffic on the triggered port is then forwarded to the triggering computer.

Once configured, operation is as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. This Router records this connection, opens the INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC's request, and responds using a different port number.
4. This Router matches the response to the previous request, and forwards the response to the PC. (Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules.)

Note: Only 1 PC can use a "Port Triggering" application at any time. After a PC has finished using a "Port Triggering" application, there is a "Time-out" period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
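
The trigger table, the one-PC-at-a-time limit and the time-out described above can be modelled in a few lines. This is an added example, not NETGEAR code: the class names, the rule "ExampleApp", its port ranges, the LAN addresses and the 60-second time-out are constructed for illustration, and the model matches inbound traffic on destination port only because the manual does not say whether the remote address is also checked.

```python
from dataclasses import dataclass
from typing import List, Optional


def ports(first: int, last: int) -> range:
    """Inclusive port range, as entered on the rule screen."""
    return range(first, last + 1)


@dataclass
class TriggerRule:
    name: str
    outgoing: range                 # Outgoing (Trigger) Port Range
    incoming: range                 # Incoming (Response) Port Range
    enabled: bool = True
    lan_ip: Optional[str] = None    # PC currently using the rule
    expires_at: float = 0.0         # moment the rule is released


class PortTriggerTable:
    def __init__(self, rules: List[TriggerRule], timeout: float):
        self.rules = rules
        self.timeout = timeout      # assumed value; the manual gives no figure

    def _release_expired(self, now: float) -> None:
        for rule in self.rules:
            if rule.lan_ip is not None and now >= rule.expires_at:
                rule.lan_ip = None  # rule becomes available to other PCs

    def outbound(self, lan_ip: str, dst_port: int, now: float) -> Optional[str]:
        """A LAN PC sends to dst_port; return the rule it now holds, if any."""
        self._release_expired(now)
        for rule in self.rules:
            if not rule.enabled or dst_port not in rule.outgoing:
                continue
            if rule.lan_ip not in (None, lan_ip):
                continue            # held by another PC until the time-out
            rule.lan_ip = lan_ip
            rule.expires_at = now + self.timeout
            return rule.name
        return None

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """Internet traffic arrives on dst_port; return the LAN IP to forward to."""
        self._release_expired(now)
        for rule in self.rules:
            if rule.enabled and rule.lan_ip and dst_port in rule.incoming:
                rule.expires_at = now + self.timeout   # timer restarts on traffic
                return rule.lan_ip
        return None                 # not triggered: left to the forwarding rules

    def status(self, now: float) -> list:
        """Rows of the Status screen: rule, LAN IP, open ports, time remaining."""
        self._release_expired(now)
        return [(r.name, r.lan_ip,
                 f"{r.incoming.start}-{r.incoming.stop - 1}",
                 r.expires_at - now)
                for r in self.rules if r.lan_ip]


def demo() -> list:
    rule = TriggerRule("ExampleApp", ports(5000, 5010), ports(6000, 6005))
    table = PortTriggerTable([rule], timeout=60.0)
    pc_a, pc_b = "192.168.1.2", "192.168.1.3"
    return [
        table.inbound(6001, now=0),          # closed before any trigger
        table.outbound(pc_a, 5004, now=10),  # PC A triggers the rule
        table.inbound(6001, now=20),         # response forwarded to PC A
        table.outbound(pc_b, 5004, now=30),  # PC B refused: rule is in use
        table.status(now=30),
        table.inbound(6001, now=81),         # idle past the time-out: closed
        table.outbound(pc_b, 5004, now=82),  # PC B can now trigger
        table.inbound(6001, now=90),
    ]


if __name__ == "__main__":
    for step in demo():
        print(step)
```
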
Port Triggering Rules Menu
The Port Triggering Rules Menu lists the current rules:
Enable - Indicates if the rule is enabled or disabled. Generally, there is no need to disable a rule unless it interferes with some other function, such as Port Forwarding.
Name - The name for this rule.
Outgoing Ports - The port or port range for outgoing traffic. An outgoing connection using one of these ports will "Trigger" this rule.
Incoming Ports - The port or port range used by the remote system when it responds to the outgoing request. A response using one of these ports will be forwarded to the PC which triggered this rule.
Figure 6-2: Port Triggering screens
Adding a new Rule
To add a new rule, click Add and enter the following data on the resulting screen.
Name - enter a suitable name for this rule (e.g. the name of the application).
Enable/Disable - select the desired option.
Outgoing (Trigger) Port Range - enter the range of port numbers used by the application when it generates an outgoing request.
Incoming (Response) Port Range - enter the range of port numbers used by the remote system when it responds to the PC's request.

Modifying or Deleting an existing Rule
- Select the desired rule by clicking the radio button beside the rule.
- Click Edit or Delete as desired.

Checking Operation and Status
Rules Status
To see which rules are currently being used, click the Status button. The following data will be displayed:
Rule - the name of the Rule.
LAN IP Address - The IP address of the PC currently using this rule.
Open Ports - the Incoming ports which are associated with this rule. Incoming traffic using one of these ports will be sent to the IP address above.
Time Remaining - The time remaining before this rule is released, and thus available for other PCs. This timer is restarted whenever incoming or outgoing traffic is received.
Configuring WAN Setup Options
The WAN Setup options let you configure a DMZ server, change the MTU size and enable the wireless router to respond to a Ping on the WAN port. These options are discussed below.

Testing the Path from Your PC to a Remote Device
After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows run menu, type:
PING -n 10 <IP address>
where <IP address> is the IP address of a remote device such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed. If you do not receive replies:
- Check that your PC has the IP address of your router listed as the default gateway. If the IP configuration of your PC is assigned by DHCP, this information will not be visible in your PC's Network Control Panel. Verify that the IP address of the router is listed as the default gateway as described in "Verifying TCP/IP Properties" on page C-6.
- Check to see that the network address of your PC (the portion of the IP address specified by the netmask) is different from the network address of the remote device.
- Check that your cable or DSL modem is connected and functioning.
If your ISP assigned a host name to your PC, enter that host name as the Account Name in the Basic Settings menu. Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your router to clone or spoof the MAC address from the authorized PC.
Restoring the Default Configuration and Password
This section explains how to restore the factory default configuration settings, changing the router's administration password to password and the IP address to 192.168.1.1. You can erase the current configuration and restore factory defaults in two ways:
- Use the Erase function of the router (see "Erasing the Configuration" on page 5-8).
- Use the Default Reset button on the rear panel of the router. Use this method for cases when the administration password or IP address is not known.
To restore the factory default configuration settings without knowing the administration password or IP address, you must use the Default Reset button on the rear panel of the router.
1. Press and hold the Default Reset button until the Test LED turns on (about 5 seconds).
2. Release the Default Reset button and wait for the router to reboot.
Problems with Date and Time
The E-Mail menu in the Content Filtering section displays the current date and time of day. The WGT624 v3 wireless router uses the Network Time Protocol (NTP) to obtain the current time from one of several Network Time Servers on the Internet. Each entry in the log is stamped with the date and time of day. Problems with the date and time function can include:
- Date shown is January 1, 2003. Cause: The router has not yet successfully reached a Network Time Server. Check that your Internet access settings are configured correctly. If you have just completed configuring the router, wait at least five minutes and check the date and time again.
- Time is off by one hour. Cause: The router does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked Adjust for Daylight Savings Time.

Appendix A Technical Specifications
This appendix provides technical specifications for the WGT624 v3 108 Mbps Wireless Firewall Router.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)

Power Adapter
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Japan: 100V, 50/60 Hz, input
All regions (output): 12 V DC @ 1 A output, 22W maximum

Physical Specifications
Dimensions: 28 x 175 x 118 mm (1.1 x 6.89 x 4.65 in.)
Weight: 0.3 kg (0.66 lb)

Environmental Specifications
Operating temperature: 0 to 40 C (32 to 104 F)
Operating humidity: 90% maximum relative humidity, noncondensing
Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3

Electromagnetic Emissions
Meets requirements of: FCC Part 15 Class B; VCCI Class B; EN (CISPR 22), Class B

Interface Specifications
LAN: 10BASE-T or 100BASE-Tx, RJ-45
WAN: 10BASE-T or 100BASE-Tx, RJ-45

Wireless
Radio Data Rates: 1, 2, 5.5, 6, 9, 12, 18, 24, 36, 48, 54, and 108 Mbps Auto Rate Sensing
Frequency: 2.4-2.5 GHz
Data Encoding: Direct Sequence Spread Spectrum (DSSS)
Maximum Computers Per Wireless Network: Limited by the amount of wireless network traffic generated by each node. Typically 30-70 nodes.
Operating Frequency Ranges: 2.412~2.462 GHz (US), 2.412~2.484 GHz (Japan), 2.412~2.472 GHz (Europe ETSI)
Encryption: 40-bits (also called 64-bits), 128-bits WEP data encryption


Appendix B Network, Routing, Firewall, and Basics
This chapter provides an overview of IP networks, routing, and networking.

Related Publications

As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet. The RFC documents outline and define the standard protocols and procedures for the Internet. The documents are listed on the World Wide Web at www.ietf.org and are mirrored and indexed at many other sites worldwide.

Basic Router Concepts

Large amounts of bandwidth can be provided easily and relatively inexpensively in a local area network (LAN). However, providing high bandwidth between a local network and the Internet can be very expensive. Because of this expense, Internet access is usually provided by a slower-speed wide-area network (WAN) link such as a cable or DSL modem. In order to make the best use of the slower WAN link, a mechanism must be in place for selecting and transmitting only the data traffic meant for the Internet. The function of selecting and forwarding this data is performed by a router.

What is a Router?

A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic. Routers vary in performance and scale, number of routing protocols supported, and types of physical WAN connection they support. The WGT624 v3 108 Mbps Wireless Firewall Router is a small office router that routes the IP protocol over a single-user broadband connection.
Routing Information Protocol
One of the protocols used by a router to build and maintain a picture of the network is the Routing Information Protocol (RIP). Using RIP, routers periodically update one another and check for changes to add to the routing table. The WGT624 v3 wireless router supports both the older RIP-1 and the newer RIP-2 protocols. Among other improvements, RIP-2 supports subnet and multicast protocols. RIP is not required for most home applications.
IP Addresses and the Internet
Because TCP/IP networks are interconnected across the world, every machine on the Internet must have a unique address to make sure that transmitted data reaches the correct destination. Blocks of addresses are assigned to organizations by the Internet Assigned Numbers Authority (IANA). Individual users and small organizations may obtain their addresses either from the IANA or from an Internet service provider (ISP). You can contact IANA at www.iana.org. The Internet Protocol (IP) uses a 32-bit address structure. The address is usually written in dot notation (also called dotted-decimal notation), in which each group of eight bits is written in decimal form, separated by decimal points. For example, the following binary address:

11000011 00100010 00001100 00000111

is normally written as:

195.34.12.7

Note: The number 192.68.135.127 is not assigned because it is the broadcast address of the first subnet. The number 192.68.135.128 is not assigned because it is the network address of the second subnet.
The following table lists the additional subnet mask bits in dotted-decimal notation. To use the table, write down the original class netmask and replace the 0 value octets with the dotted-decimal value of the additional subnet bits. For example, to partition your Class C network with subnet mask 255.255.255.0 into 16 subnets (4 bits), the new subnet mask becomes 255.255.255.240.
Table 7-1. Netmask Notation Translation Table for One Octet
Number of Bits Dotted-Decimal Value 254 255
The following table displays several common netmask values in both the dotted-decimal and the masklength formats.

Table 7-2. Netmask Formats

Dotted-Decimal     Masklength
255.0.0.0          /8
255.255.0.0        /16
255.255.255.0      /24
255.255.255.128    /25
255.255.255.192    /26
255.255.255.224    /27
255.255.255.240    /28
255.255.255.248    /29
255.255.255.252    /30
255.255.255.254    /31
255.255.255.255    /32
Configure all hosts on a LAN segment to use the same netmask for the following reasons:
- So that hosts recognize local IP broadcast packets. When a device broadcasts to its segment neighbors, it uses a destination address of the local network address with all ones for the host address. In order for this scheme to work, all devices on the segment must agree on which bits comprise the host address.
- So that a local router or bridge recognizes which addresses are local and which are remote.
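
The netmask translation and the two reasons for a common netmask can be checked with Python's standard ipaddress module. This is an added example, not part of the manual: the host names and addresses are constructed, with pc2 deliberately given a /25 mask on a segment where the others use /24.

```python
import ipaddress
from itertools import permutations


def to_masklength(dotted: str) -> int:
    """255.255.255.0 -> 24"""
    return ipaddress.ip_network(f"0.0.0.0/{dotted}").prefixlen


def to_dotted(masklength: int) -> str:
    """24 -> 255.255.255.0"""
    return str(ipaddress.ip_network(f"0.0.0.0/{masklength}").netmask)


def subnetted_mask(class_mask: str, extra_bits: int) -> str:
    """Original class netmask plus additional subnet bits, in dotted decimal."""
    return to_dotted(to_masklength(class_mask) + extra_bits)


def broadcast_of(ip: str, mask: str) -> str:
    """Broadcast address a host will use, given its own idea of the netmask."""
    return str(ipaddress.ip_interface(f"{ip}/{mask}").network.broadcast_address)


def considers_local(observer: tuple, peer_ip: str) -> bool:
    """True if the observer (ip, mask) would deliver to peer_ip directly."""
    ip, mask = observer
    network = ipaddress.ip_interface(f"{ip}/{mask}").network
    return ipaddress.ip_address(peer_ip) in network


def one_sided_views(hosts: dict) -> list:
    """Pairs (a, b) where a treats b as local but b treats a as remote."""
    return sorted(
        (a, b) for a, b in permutations(hosts, 2)
        if considers_local(hosts[a], hosts[b][0])
        and not considers_local(hosts[b], hosts[a][0])
    )


# Constructed sample segment: pc2 has the wrong netmask.
HOSTS = {
    "pc1": ("192.168.1.10", "255.255.255.0"),
    "pc2": ("192.168.1.20", "255.255.255.128"),
    "pc3": ("192.168.1.200", "255.255.255.0"),
}

if __name__ == "__main__":
    print(subnetted_mask("255.255.255.0", 4))
    for name, (ip, mask) in HOSTS.items():
        print(name, "broadcasts to", broadcast_of(ip, mask))
    print("one-sided views:", one_sided_views(HOSTS))
```

Here pc2 broadcasts to a different address than its neighbors and would send traffic for pc3 to the router while pc3 answers directly, which is the disagreement both list items warn about.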

Private IP Addresses

If your local network is isolated from the Internet (for example, when using NAT), you can assign any IP addresses to the hosts without problems. However, the IANA has reserved the following three blocks of IP addresses specifically for private networks:

Internet Security and Firewalls
When your LAN connects to the Internet through a router, an opportunity is created for outsiders to access or disrupt your network. A NAT router provides some protection because by the very nature of the process, the network behind the router is shielded from access by outsiders on the Internet. However, there are methods by which a determined hacker can possibly obtain information about your network or at the least can disrupt your Internet access. A greater degree of protection is provided by a firewall router.

What is a Firewall?

A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur. When an incident is detected, the firewall can log details of the attempt, and can optionally send email to an administrator notifying them of the incident. Using information from the log, the administrator can take action with the ISP of the hacker. In some types of intrusions, the firewall can fend off the hacker by discarding all further packets from the hacker's IP address for a period of time.

Stateful Packet Inspection
Unlike simple Internet sharing routers, a firewall uses a process called stateful packet inspection to ensure secure firewall filtering to protect your network from attacks and intrusions. Since user-level applications such as FTP and web browsers can create complex patterns of network traffic, it is necessary for the firewall to analyze groups of network connection states. Using Stateful Packet Inspection, an incoming packet is intercepted at the network layer and then analyzed for state-related information associated with all network connections. A central cache within the firewall keeps track of the state information associated with all network connections. All traffic passing through the firewall is analyzed against the state of these connections in order to determine whether or not it will be allowed to pass through or rejected.

Denial of Service Attack
A hacker may be able to prevent your network from operating or communicating by launching a Denial of Service (DoS) attack. The method used for such an attack can be as simple as merely flooding your site with more requests than it can handle. A more sophisticated attack may attempt to exploit some weakness in the operating system used by your router or gateway. Some operating systems can be disrupted by simply sending a packet with incorrect length information.

Ethernet Cabling

Most Ethernet networks now use unshielded twisted pair (UTP) cabling. UTP cable has eight wires arranged in four twisted pairs, and terminated with an RJ45 connector. Normal straight-through UTP Ethernet cable follows the EIA568B standard as described in Table B-1.

- Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window.
- Double-click the Network icon in the Control Panel window. The Network panel will display. Select the Protocols tab to continue.
- Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
- The TCP/IP Properties dialog box now displays. Click the IP Address tab.
- Select the radio button marked Obtain an IP address from a DHCP server.
- Click OK. This completes the configuration of TCP/IP in Windows NT.
Restart the PC. Repeat these steps for each PC with this version of Windows on your network.
Verifying TCP/IP Properties for Windows XP, 2000, and NT4
To check your PC's TCP/IP configuration:
- On the Windows taskbar, click the Start button, and then click Run. The Run window opens.
- Type cmd and then click OK. A command window opens.
- Type ipconfig /all
  Your IP Configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway:
  The IP address is between 192.168.1.2 and 192.168.1.254
  The subnet mask is 255.255.255.0
  The default gateway is 192.168.1.1
- Type exit

Configuring the Macintosh for TCP/IP Networking
Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.

MacOS 8.6 or 9.x

From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens:
From the Connect via box, select your Macintosh's Ethernet interface. From the Configure box, select Using DHCP Server. You can leave the DHCP Client ID box empty.
Close the TCP/IP Control Panel. Repeat this for each Macintosh on your network.

MacOS X

1. From the Apple menu, choose System Preferences, then Network.
2. If not already selected, select Built-in Ethernet in the Configure list.
3. If not already selected, select Using DHCP in the TCP/IP tab.
4. Click Save.
Verifying TCP/IP Properties for Macintosh Computers
After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.

If the decrypted text does not match the original challenge text (the access point and station do not share the same WEP Key), then the access point will refuse to authenticate the station and the station will be unable to communicate with either the 802.11 network or Ethernet network.
Shared Key Authentication Steps
1) Authentication request sent to AP
2) AP sends challenge text
3) Client encrypts challenge text and sends it back to AP
4) AP decrypts, and if correct, authenticates client
5) Client connects to network

Figure 7-5: Shared key authentication (figure labels: Client attempting to connect, Access Point)
Overview of WEP Parameters
Before enabling WEP on an 802.11 network, you must first consider what type of encryption you require and the key size you want to use. Typically, there are three WEP Encryption options available for 802.11 products:
1. Do Not Use WEP: The 802.11 network does not encrypt data. For authentication purposes, the network uses Open System Authentication.
2. Use WEP for Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the network uses Open System Authentication.
3. Use WEP for Authentication and Encryption: A transmitting 802.11 device encrypts the data portion of every packet it sends using a configured WEP Key. The receiving device decrypts the data using the same WEP Key. For authentication purposes, the wireless network uses Shared Key Authentication.
Note: Some 802.11 access points also support Use WEP for Authentication Only (Shared Key Authentication without data encryption).

Key Size

The IEEE 802.11 standard supports two types of WEP encryption: 40-bit and 128-bit.

The 64-bit WEP data encryption method allows for a five-character (40-bit) input. Additionally, 24 factory-set bits are added to the forty-bit input to generate a 64-bit encryption key. (The 24 factory-set bits are not user-configurable.) This encryption key will be used to encrypt/decrypt all data transmitted via the wireless interface. Some vendors refer to the 64-bit WEP data encryption as 40-bit WEP data encryption since the user-configurable portion of the encryption key is 40 bits wide.

The 128-bit WEP data encryption method consists of 104 user-configurable bits. Similar to the forty-bit WEP data encryption method, the remaining 24 bits are factory set and not user configurable. Some vendors allow passphrases to be entered instead of the cryptic hexadecimal characters to ease encryption key entry.

128-bit encryption is stronger than 40-bit encryption, but 128-bit encryption may not be available outside of the United States due to U.S. export regulations.

When configured for 40-bit encryption, 802.11 products typically support up to four WEP Keys. Each 40-bit WEP Key is expressed as 5 sets of two hexadecimal digits (0-9 and A-F). For example, 90 is a 40-bit WEP Key.

When configured for 128-bit encryption, 802.11 products typically support four WEP Keys but some manufacturers support only one 128-bit key. The 128-bit WEP Key is expressed as 13 sets of two hexadecimal digits (0-9 and A-F). For example, 90 AB CD EF 90 is a 128-bit WEP Key.

Table D-1: Encryption Key Sizes

Encryption Key Size   # of Hexadecimal Digits   Example of Hexadecimal Key Content
64-bit (24+40)        10                        4C72F08AE1
128-bit (24+104)      26                        4C72F08AE19D57A3FF6B260037

Note: Typically, 802.11 access points can store up to four 128-bit WEP Keys but some 802.11 client adapters can only store one. Therefore, make sure that your 802.11 access and client adapters' configurations match.
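
The five Shared Key Authentication steps and the 24+40 / 24+104 key sizes above can be followed end to end in code. This is an added example, not NETGEAR or 802.11 reference code: the class and function names are hypothetical, 802.11 frame headers are omitted, and the 24 extra bits are modelled as the per-frame initialization vector that IEEE 802.11 WEP prepends to the configured key before running RC4. The two keys are the sample values from Table D-1.

```python
import hmac
import os
import struct
import zlib


def rc4(seed: bytes, data: bytes) -> bytes:
    """XOR data with the RC4 keystream for seed (encrypts and decrypts)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key scheduling
        j = (j + s[i] + seed[i % len(seed)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(data: bytes) -> bytes:
    """WEP integrity check value: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)


def seed_bits(key: bytes) -> int:
    """Size of the RC4 seed: 24 bits plus the configured key."""
    return 8 * (3 + len(key))


def wep_seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    return iv + rc4(iv + key, plaintext + icv(plaintext))


def wep_open(key: bytes, frame: bytes):
    iv, body = frame[:3], frame[3:]
    clear = rc4(iv + key, body)
    data, check = clear[:-4], clear[-4:]
    return data if hmac.compare_digest(icv(data), check) else None


class AccessPoint:
    def __init__(self, key: bytes):
        self.key = key
        self.challenge = b""

    def send_challenge(self) -> bytes:         # step 2
        self.challenge = os.urandom(128)
        return self.challenge

    def verify(self, response: bytes) -> bool:  # step 4
        clear = wep_open(self.key, response)
        return clear is not None and hmac.compare_digest(clear, self.challenge)


class Station:
    def __init__(self, key: bytes):
        self.key = key

    def respond(self, challenge: bytes) -> bytes:  # step 3
        return wep_seal(self.key, os.urandom(3), challenge)


def shared_key_auth(ap_key_hex: str, station_key_hex: str) -> bool:
    """Run steps 1-4; True means the station would be allowed to connect."""
    ap = AccessPoint(bytes.fromhex(ap_key_hex))
    station = Station(bytes.fromhex(station_key_hex))
    return ap.verify(station.respond(ap.send_challenge()))


KEY_64 = "4C72F08AE1"                          # Table D-1, 64-bit (24+40)
KEY_128 = "4C72F08AE19D57A3FF6B260037"         # Table D-1, 128-bit (24+104)

if __name__ == "__main__":
    print(shared_key_auth(KEY_64, KEY_64), shared_key_auth(KEY_64, "4C72F08AE2"))
```
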
WEP Configuration Options
The WEP settings must match on all 802.11 devices that are within the same wireless network as identified by the SSID. In general, if your mobile clients will roam between access points, then all of the 802.11 access points and all of the 802.11 client adapters on the network must have the same WEP settings.

Note: Whatever keys you enter for an AP, you must also enter the same keys for the client adapter in the same order. In other words, WEP key 1 on the AP must match WEP key 1 on the client adapter, WEP key 2 on the AP must match WEP key 2 on the client adapter, and so on.

Note: The AP and the client adapters can have different default WEP Keys as long as the keys are in the same order. In other words, the AP can use WEP key 2 as its default key to transmit while a client adapter can use WEP key 3 as its default key to transmit. The two devices will communicate as long as the AP's WEP key 2 is the same as the client's WEP key 2 and the AP's WEP key 3 is the same as the client's WEP key 3.
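
The key-order rule in the two notes above can be turned into a configuration check. This is an added example, not a NETGEAR tool: the dictionary layout and function names are hypothetical, and all keys except the Table D-1 sample 4C72F08AE1 are constructed.

```python
import re
from typing import List

VALID_HEX_LENGTHS = (10, 26)     # 64-bit and 128-bit keys per Table D-1


def parse_wep_key(text: str) -> bytes:
    """Accept a hex key with optional spaces, colons or dashes between digits."""
    digits = re.sub(r"[\s:-]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]+", digits):
        raise ValueError("WEP key must contain only hexadecimal digits")
    if len(digits) not in VALID_HEX_LENGTHS:
        raise ValueError(f"expected 10 or 26 hex digits, got {len(digits)}")
    return bytes.fromhex(digits)


def check_wep_pair(ap: dict, client: dict) -> List[str]:
    """Each side's default (transmit) key must sit in the same slot on the peer."""
    problems = []
    for sender, cfg, receiver, peer in (("AP", ap, "client", client),
                                        ("client", client, "AP", ap)):
        slot = cfg["default"]
        own, theirs = cfg["keys"].get(slot), peer["keys"].get(slot)
        if own is None:
            problems.append(f"{sender} transmits with key {slot} but slot {slot} is empty")
        elif theirs is None:
            problems.append(f"{receiver} has no key {slot} to decrypt {sender} traffic")
        elif parse_wep_key(own) != parse_wep_key(theirs):
            problems.append(f"key {slot} on {sender} and {receiver} differ")
    return problems


# Constructed sample configurations.
KEYS = {1: "4C72F08AE1", 2: "0123456789", 3: "A1B2C3D4E5", 4: "1122334455"}

# The manual's scenario: AP transmits with key 2, client with key 3.
AP = {"keys": dict(KEYS), "default": 2}
CLIENT_OK = {"keys": dict(KEYS), "default": 3}

# Same keys entered in a different order on the client.
CLIENT_SWAPPED = {"keys": {1: KEYS[1], 2: KEYS[3], 3: KEYS[2], 4: KEYS[4]},
                  "default": 3}

# A client adapter that can store only one key.
CLIENT_SINGLE = {"keys": {1: "4c 72 f0 8a e1"}, "default": 1}

if __name__ == "__main__":
    for label, client in (("ok", CLIENT_OK), ("swapped", CLIENT_SWAPPED),
                          ("single", CLIENT_SINGLE)):
        print(label, check_wep_pair(AP, client))
```
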

Wireless Channels

The wireless frequencies used by 802.11b/g networks are discussed below. IEEE 802.11b/g wireless nodes communicate with each other using radio frequency signals in the ISM (Industrial, Scientific, and Medical) band between 2.4 GHz and 2.5 GHz. Neighboring channels are 5 MHz apart. However, due to spread spectrum effect of the signals, a node sending signals using a particular channel will utilize frequency spectrum 12.5 MHz above and below the center channel frequency. As a result, two separate wireless networks using neighboring channels (for example, channel 1 and channel 2) in the same general vicinity will interfere with each other. Applying two channels that allow the maximum channel separation will decrease the amount of channel cross-talk, and provide a noticeable performance increase over networks with minimal channel separation. The radio frequency channels used in 802.11b/g networks are listed in Table D-2:

Table D-2: Channel

Collision avoidance

A network node characteristic for proactively detecting that it can transmit a signal without risking a collision, thereby ensuring a more reliable connection.

Crossover cable

A special cable used for networking two computers without the use of a hub. Crossover cables may also be required for connecting a cable or DSL modem to a wireless gateway or access point. Instead of the signals transferring in parallel paths from one set of plugs to another, the signals "crossover." If an eight-wire cable was being used, for instance, the signal would start on pin one at one end of the cable and end up on pin eight at the other end. They "cross-over" from one side to the other.
CSMA-CA (Carrier Sense Multiple Action)
CSMA/CA is the principal medium access method employed by IEEE 802.11 WLANs. It is a "listen before talk" method of minimizing (but not eliminating) collisions caused by simultaneous transmission by multiple radios. IEEE 802.11 states that a collision avoidance method rather than collision detection must be used, because the standard employs half duplex radios, that is, radios capable of transmission or reception but not both simultaneously. Unlike conventional wired Ethernet nodes, a WLAN station cannot detect a collision while transmitting. If a collision occurs, the transmitting station will not receive an ACKnowledge packet from the intended receive station. For this reason, ACK packets have a higher priority than all other network traffic. After completion of a data transmission, the receive station will begin transmission of the ACK packet before any other node can begin transmitting a new data packet. All other stations must wait a longer pseudo randomized period of time before transmitting. If an ACK packet is not received, the transmitting station will wait for a subsequent opportunity to retry transmission.
CSMA-CD (Carrier Sense Multiple Action/Collision Detection)
A method of managing traffic and reducing noise on an Ethernet network. A network device transmits data after detecting that a channel is available. However, if two devices transmit data simultaneously, the sending devices detect a collision and retransmit after a random time delay.
DHCP (Dynamic Host Configuration Protocol)
A utility that enables a server to dynamically assign IP addresses from a predefined list and limit their time of use so that they can be reassigned. Without DHCP, an IT Manager would have to manually enter in all the IP addresses of all the computers on the network. When DHCP is used, whenever a computer logs onto the network, it automatically gets an IP address assigned to it.

Diversity: antenna


This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas. When used near a radio or TV receiver, it may become the cause of radio interference. Read instructions for correct handling.

Customer Support

Refer to the Support Information Card that shipped with your WGT624 v3 108 Mbps Wireless Firewall Router.

World Wide Web

NETGEAR maintains a World Wide Web home page that you can access at the universal resource locator (URL) http://www.netgear.com. A direct connection to the Internet and a Web browser such as Internet Explorer or Netscape are required.

-iii v3.0, December 2005

Product and Publication Details
Model Number: WGT624 v3
Publication Date: December 2005
Product Family: router
Product Name: WGT624 v3 108 Mbps Wireless Firewall Router
Home or Business Product: Home
Language: English
Publication Part Number: 202-10090-03 v.15


Reference Manual for the 108 Mbps Wireless Firewall Router WGT624 v3

Contents

Chapter 1 About This Manual
  Audience, Scope, Conventions, and Formats
  How to Use This Manual
  How to Print this Manual

Chapter 2 Introduction
  Key Features
  802.11g Wireless Networking
  A Powerful, True Firewall with Content Filtering
  Security
  Autosensing Ethernet Connections with Auto Uplink
  Extensive Protocol Support
  Easy Installation and Management
  Maintenance and Support
  Package Contents
  The Router's Front Panel
  The Router's Rear Panel

Chapter 3 Connecting the Router to the Internet
  Initial Configuration
  Logging Into Your Router
  Changing Your Configuration
  Internet Settings
  Using the Smart Setup Wizard
  NETGEAR Product Registration, Support, and Documentation

Chapter 4 Content Filtering
  Trend Micro Home Network Security
  Service Settings
  Parental Controls
  Blocking Access to Internet Sites
  Blocking Access to Internet Services
  Configuring a User Defined Service
  Configuring Services Blocking by IP Address Range
  Scheduling When Blocking Will Be Enforced
  Configuring E-Mail Alert and Web Access Log Notifications
  Viewing Logs of Web Access or Attempted Web Access

Chapter 5 Wireless Configuration
  Observing Performance, Placement, and Range Guidelines
  Implementing Appropriate Wireless Security
  Understanding Wireless Settings
  Information to Gather Before Changing the Wireless Settings
  Default Factory Settings
  How to Set Up and Test Basic Wireless Connectivity
  How to Configure WEP
  How to Configure WPA-PSK/WPA2-PSK Wireless Security
  How to Restrict Wireless Access by MAC Address

Chapter 6 Maintenance
  Viewing Wireless Router Status Information
  Viewing a List of Attached Devices
  Upgrading the Router Software
  Configuration File Management
  Backing Up and Restoring the Configuration
  Erasing the Configuration
  Changing the Administrator Password

Chapter 7 Advanced Configuration
  Configuring Port Forwarding to Local Servers

A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the WGT624 v3 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:

Denial of Service (DoS) protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits, including Parental Controls provided by Trend Micro Home Network Security Services (Microsoft Internet Explorer V 5.5 or higher with ActiveX support is required).
Logs security incidents.


The WGT624 v3 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the router to email the log to you at specified intervals. You can also configure the router to send immediate alert messages to your email address or email pager whenever a significant event occurs. The WGT624 v3 prevents objectionable content from reaching your computers. The router allows you to control access to Internet content by screening for keywords within web addresses. You can configure the router to log and report attempts to access objectionable Internet sites.

Security

The WGT624 v3 wireless router is equipped with several features designed to maintain security, as described in this section.

Computers Hidden by NAT
NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.

Port Forwarding with NAT
Although NAT prevents Internet locations from directly accessing the computers on the LAN, the router allows you to direct incoming traffic to specific computers based on the service port number of the incoming request, or to one designated DMZ host computer. You can specify forwarding of single ports or ranges of ports.
Autosensing Ethernet Connections with Auto Uplink
With its internal 4-port 10/100 switch, the WGT624 v3 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The router incorporates Auto Uplink™ technology. Each Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.

Internet Settings

To change the Internet settings, click Basic Settings on the left menu bar. One of the following screens appears:

Figure 3-7: Basic Settings, No Login; Basic Settings, Login Required

The Basic Settings pages allow you to configure, upgrade and check the status of your NETGEAR Wireless Router. Click an item in the leftmost column. The current settings or information for that area appear in the center column. Helpful information related to the selected Settings page appears in this column. If you are using Internet Explorer, you may click an item in the center column to jump directly to the related help section; otherwise, scroll down until you reach it. For the most current documentation, go to: http://kbserver.netgear.com/products_automatic/WGT624v3.asp Note: If you are setting up the router for the first time, the default settings may work for you with no changes.
Does Your Internet Connection Require A Login?: Select this option based on the type of account you have with your ISP. If you need to enter login information every time you connect to the Internet or you have a PPPoE account with your ISP, select Yes. Otherwise, select No.
Note: If you have installed PPP software such as WinPoET (from Earthlink) or Enternet (from PacBell), then you have PPPoE. Select Yes. After selecting Yes and configuring your router, you will not need to run the PPP software on your computer to connect to the Internet.

Internet Service Provider: Select the service provided by your ISP. "Other" (PPPoE) is the most common. "PPTP" is used in Austria and other European countries. "Telstra BigPond" is for Australia only.

Login: This is usually the name that you use in your e-mail address. For example, if your main mail account is JerAB@ISP.com, then put JerAB in this box. Some ISPs (like Mindspring, Earthlink, and T-DSL) require that you use your full e-mail address when you log in. If your ISP requires your full e-mail address, then type it in the Login box.

Password: Type the password that you use to log in to your ISP.

Service Name: If your ISP provided a Service Name, enter it here. Otherwise, this may be left blank.

Idle Timeout: An idle Internet connection will be terminated after this time period. If this value is zero (0), then the connection will be "kept alive" by re-connecting immediately whenever the connection is lost.

Internet IP Address: If you log in to your service or your ISP did not provide you with a fixed IP address, the router will find an IP address for you automatically when you connect. Select Get dynamically from ISP. If you have a fixed (static, permanent) IP address, your ISP will have provided you with an IP address. Select Use static IP address and type in the IP Address.

Account Name (also known as Host Name or System Name): For most users, type your account name or user name in this box. For example, if your main mail account is JerAB@ISP.com, then put JerAB in this box. If your ISP has given you a specific Host name, then type it (for example, CCA7324-A).

Domain Name: For most users, you may leave this box blank, unless required by your ISP. You may type the domain name of your ISP. For example, if your ISP's mail server is mail.xxx.yyy.zzz, you would type xxx.yyy.zzz as the Domain Name.

Blocking Access to Internet Sites
The WGT624 v3 wireless router allows you to restrict access based on web addresses and web address keywords. Up to 255 entries are supported in the Keyword list. The Block Sites menu is below:

Figure 4-3

To enable keyword blocking, select either Per Schedule or Always, then click Apply. If you want to block by schedule, be sure that a time period is specified in the Schedule menu. To add a keyword or domain, type it in the Keyword box, click Add Keyword, then click Apply. To delete a keyword or domain, select it from the list, click Delete Keyword, then click Apply.

Keyword application examples:
If the keyword "XXX" is specified, the URL <http://www.badstuff.com/xxx.html> is blocked.
If the keyword ".com" is specified, only websites with other domain suffixes (such as .edu or .gov) can be viewed.
If you wish to block all Internet browsing access during a scheduled period, enter the keyword "." and set the schedule in the Schedule menu.


To specify a Trusted User, enter that computer's IP address in the Trusted User box and click Apply. You may specify one Trusted User, which is a computer that will be exempt from blocking and logging. Since the Trusted User will be identified by an IP address, you should configure that computer with a fixed IP address.

Note: A particular Web site can be blocked by either Netgear keyword blocking or Home Network Security parental controls (see Parental Controls on page 4-3). A Netgear trusted IP address will be overridden by Home Network Security parental controls.
Blocking Access to Internet Services
The WGT624 v3 wireless router allows you to block the use of certain Internet services by computers on your network. This is called services blocking or port filtering. The Block Services menu is shown below:

Figure 4-4

Services are functions performed by server computers at the request of client computers. For example, web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players' moves. When a computer on your network sends a request for service to a server computer on the Internet, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (web server) request.

To enable service blocking, select either Per Schedule or Always, then click Apply. If you want to block by schedule, be sure that a time period is specified in the Schedule menu.
To specify a service for blocking, click Add. The Block Services Setup menu will appear, as shown below:

Figure 4-5

From the Service Type list, select the application or service to be allowed or blocked. The list already displays several common services, but you are not limited to these choices. To add any additional services or applications that do not already appear, select User Defined.

Implementing Appropriate Wireless Security
Note: Indoors, computers can connect over 802.11b/g wireless networks at ranges of up to 500 feet. Such distances can allow for others outside of your immediate area to access your network. Unlike wired network data, your wireless data transmissions can be received well beyond your walls by anyone with a compatible adapter. For this reason, use the security features of your wireless equipment. The WGT624 v3 wireless router provides highly effective security features which are covered in detail in this chapter. Deploy the security features appropriate to your needs.

Figure 5-1: WGT624 v3 wireless security options, including 4) WPA-PSK: Strong security and 5) WPA2-PSK: Very strong security

There are several ways you can enhance the security of your wireless network.

Restrict Access Based on MAC (Media Access Control) address. You can restrict access to only trusted computers so that unknown computers cannot wirelessly connect to the WGT624 v3. MAC address filtering adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.

Turn Off the Broadcast of the Wireless Network Name SSID. If you disable broadcast of the SSID, only devices that have the correct SSID can connect. This nullifies the wireless network discovery feature of some products such as Windows XP, but the data is still fully exposed to a determined snoop using specialized test equipment like wireless sniffers.

Wired Equivalent Privacy (WEP) data encryption. Provides data security. WEP Shared Key authentication and WEP data encryption will block all but the most determined eavesdropper.

Wi-Fi Protected Access - Pre Shared Key (WPA-PSK and WPA2-PSK). Provide strong data security. WPA-PSK and WPA2-PSK will block eavesdropping. Because these are new standards, wireless device driver and software availability may be limited.

Turn Off the Wireless LAN. If you disable the wireless LAN, wireless devices cannot communicate with the router at all. You might choose to turn off the wireless LAN when you are away and the others in the household all use wired connections.
Understanding Wireless Settings
To configure the Wireless settings of your wireless router, click the Wireless Settings link in the Setup section of the main menu. The Wireless Settings menu will appear in one of three forms, depending on your security settings, as shown below.

WPA-PSK, WPA2-PSK: WPA-Pre-shared Key does perform authentication. WPA-PSK uses TKIP (Temporal Key Integrity Protocol) data encryption and WPA2-PSK uses AES (Advanced Encryption Standard) data encryption. Both dynamically change the encryption keys, making them nearly impossible to circumvent. Enter a word or group of printable characters in the Passphrase box. These characters are case sensitive.

Note: Not all wireless adapter configuration utilities support WPA. Furthermore, client software is required on the client. Windows XP Service Pack 2 and Windows XP Service Pack 1 with the WPA patch do include the client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA.

Note: If you do not see the WPA2-PSK [AES] and WPA-PSK [TKIP] + WPA2-PSK [AES] options on your Wireless Settings menu, you need to update the router software. See Upgrading the Router Software on page 6-4 for details.

To configure the advanced wireless settings of your firewall, click the Wireless Settings link in the Advanced section of the main menu. The Advanced Wireless Settings menu appears, as shown in the following diagram.


Figure 5-3
Enable Wireless Router Radio. If you disable the wireless router radio, wireless devices cannot connect to the WGT624 v3.

Enable SSID Broadcast. If you disable broadcast of the SSID, only devices that have the correct SSID can connect. Disabling SSID broadcast nullifies the wireless network discovery feature of some products such as Windows XP.

Wireless Card Access List. When the Trusted PCs Only radio button is selected, the WGT624 v3 checks the MAC address of the wireless station and only allows connections to computers identified on the trusted computers list.

108Mbps Settings.
Disable Advanced 108Mbps Features: disables data compression, packet bursting, and large frame support.
Enable eXtended Range: provides significantly longer range than basic 802.11, maintaining connectivity even when signals have to pass through dense walls, floors, or other barriers. XR products require no additional configuration and are fully compatible with standard 802.11 technologies.

Note: The Fragmentation Threshold, CTS/RTS Threshold, and Preamble Mode options are reserved for wireless testing and advanced configuration only. Do not change these settings.
Information to Gather Before Changing the Wireless Settings
Before customizing your wireless settings, print this form and record the following information. If you're working with an existing wireless network, the person who set up or is responsible for the network will be able to provide this information. Otherwise, you will choose the settings for your wireless network. Either way, record the settings for your wireless network in the spaces below.

Wireless Network Name (SSID): ______________________________
The SSID identifies the wireless network. You can use up to 32 alphanumeric characters. The SSID is case sensitive. The SSID in the wireless adapter card must match the SSID of the wireless router. In some configuration utilities (such as in Windows XP), the term wireless network name is used instead of SSID.

If WEP Authentication is Used, circle one: Open System, Shared Key, or Auto.
Note: If you select Shared Key, the other devices in the network will not connect unless they are also set to Shared Key and are configured with the correct key.

WEP Encryption key size. Choose one: 64-bit or 128-bit. Again, the encryption key size must be the same for the wireless adapters and the wireless router.

Data Encryption (WEP) Keys. There are two methods for creating WEP data encryption keys. Whichever method you use, record the key values in the spaces below.

Passphrase method. ______________________________
These characters are case sensitive. Enter a word or group of printable characters and click Generate Keys. Not all wireless devices support the passphrase method.

Manual method. These values are not case sensitive. For 64-bit WEP, enter 10 hex digits (any combination of 0-9 or a-f). For 128-bit WEP, enter 26 hex digits.
Key 1: ___________________________________
Key 2: ___________________________________
Key 3: ___________________________________
Key 4: ___________________________________

Figure 5-7

2. Enter a word or group of 8-63 printable characters in the Passphrase box.
3. Click Apply to save your settings.
How to Restrict Wireless Access by MAC Address
To restrict access based on MAC addresses, follow these steps:

1. Log in to the WGT624 v3 wireless router at its default LAN address of http://192.168.1.1 with its default user name of admin and default password of password, or using whatever LAN address and password you have set up.
Note: When configuring the wireless router from a wireless computer whose MAC address is not in the Trusted PC list, if you select Turn Access Control On, you will lose your wireless connection when you click Apply. You must then access the wireless router from a wired computer or from a wireless computer which is on the access control list to make any further changes.
2. Click the Wireless Settings link in the Advanced section of the main menu.
3. From the Wireless Settings menu, click Setup Access List to display the Wireless Card Access Setup menu shown below.

Figure 5-8

4. Select the Turn Access Control On check box.
5. Click Add to add a wireless device to the wireless access control list. The Available Wireless Cards list displays.

Figure 5-9

6. In the Available Wireless Cards list, either select from the list of cards the WGT624 v3 has found in your area, or enter the MAC address and device name for a device you plan to use. You can usually find the MAC address printed on the wireless adapter.
Note: You can copy and paste the MAC addresses from the wireless router's Attached Devices menu into the MAC Address box of this menu. To do this, configure each wireless computer to obtain a wireless link to the wireless router. The computer should then appear in the Attached Devices menu.
7. Click Add to add this wireless device to the Wireless Card Access List. The screen changes back to the list screen. Repeat these steps for each additional device you wish to add to the list.
8. Repeat steps 5-7 for each additional device you wish to add to the list.
9. Be sure to click Apply to save your wireless card access list settings. Now, only devices on this list will be allowed to wirelessly connect to the WGT624 v3.


Chapter 6 Maintenance
This chapter describes how to use the maintenance features of your WGT624 v3 108 Mbps Wireless Firewall Router. These features can be found under the Maintenance heading in the main menu of the browser interface.
Viewing Wireless Router Status Information
The Router Status menu provides a limited amount of status and usage information. From the Maintenance section of the main menu, select Router Status to view the Router Status screen, shown below.

Figure 6-1

This screen shows the following parameters:

Table 6-1. Menu 3.2 - Wireless Router Status Fields

Field: Description

Account Name: This field displays the Host Name assigned to the router.
Firmware Version: This field displays the router firmware version.

Internet Port: These parameters apply to the Internet (WAN) port of the router.
  MAC Address: This field displays the Media Access Control address being used by the Internet (WAN) port of the router.
  IP Address: This field displays the IP address being used by the Internet (WAN) port of the router. If no address is shown, the router cannot connect to the Internet.
  DHCP: If set to None, the router is configured to use a fixed IP address on the WAN. If set to Client, the router is configured to obtain an IP address dynamically from the ISP.
  IP Subnet Mask: This field displays the IP Subnet Mask being used by the Internet (WAN) port of the router.
  Domain Name Server: Displays the address of the current Domain Name Server.

LAN Port: These parameters apply to the Local (LAN) port of the router.
  MAC Address: This field displays the Media Access Control address being used by the LAN port of the router.
  IP Address: This field displays the IP address being used by the Local (LAN) port of the router. The default is 192.168.1.1.
  DHCP: Identifies if the router's built-in DHCP server is active for the LAN attached devices.
  IP Subnet Mask: This field displays the IP Subnet Mask being used by the Local (LAN) port of the router. The default is 255.255.255.0.

Wireless Port: These parameters apply to the Wireless port of the router.
  Name (SSID): This field displays the wireless network name (SSID) being used by the wireless port of the router. The default is NETGEAR.
  Region: This field displays the geographic region where the router is being used. It may be illegal to use the wireless features of the router in some parts of the world.
  Channel: Identifies the channel the wireless port is using. See Wireless Communications in Appendix B for a link to a document that details the frequencies used on each channel.
  Mode: Indicates the current mode (g & b, g only, b only, or Auto 108 Mbps).
  Wireless AP: Indicates if the Access Point feature of the router is enabled. If not enabled, wireless devices will not be able to connect to the network.
  Broadcast Name: Indicates if the wireless router is broadcasting its SSID.

Viewing a List of Attached Devices
The Attached Devices menu contains a table of all IP devices that the router has discovered on the local network. From the main menu of the browser interface, under the Maintenance heading, select Attached Devices to view the table shown below:


Erasing the Configuration
It is sometimes desirable to restore the router to the factory default settings. This can be done by using the Erase function, which will restore all factory settings. After an erase, the router's password will be password, the LAN IP address will be 192.168.1.1, and the router's DHCP client will be enabled. To erase the configuration, click Erase. To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the rear panel of the router. See Restoring the Default Configuration and Password on page 8-7.
Changing the Administrator Password
The default password for the router's web Configuration Manager is password. Netgear recommends that you change this password to a more secure password. From the main menu of the browser interface, under the Maintenance heading, select Set Password to display the menu shown below.

Figure 6-5

To change the password, first enter the old password, and then enter the new password twice. Click Apply.


Chapter 7 Advanced Configuration
This chapter describes how to configure the advanced features of your WGT624 v3 108 Mbps Wireless Firewall Router. These features can be found under the Advanced heading in the main menu of the browser interface.
Configuring Port Forwarding to Local Servers
Although the router causes your entire local network to appear as a single machine to the Internet, you can make a local server (for example, a web server or game server) visible and available to the Internet. This is done using the Port Forwarding menu. From the Advanced section of the main menu, click Port Forwarding / Port Triggering to view the port forwarding menu, shown below.

Figure 7-1

Note: If you are unfamiliar with networking and routing, see Internet Networking and TCP/IP Addressing in Appendix B, for a link to a tutorial that will help you become more familiar with the terms and procedures used in this manual.
Use the Port Forwarding menu to configure the router to forward incoming protocols to computers on your local network. In addition to servers for specific applications, you can also specify a Default DMZ Server to which all other incoming protocols are forwarded. The DMZ Server is configured in the WAN Setup Menu.

Before starting, you'll need to determine which type of service, application or game you'll provide and the IP address of the computer that will provide each service. Be sure the computer's IP address never changes.

To configure port forwarding to a local server:
1. From the Service Name box, select the service or game that you will host on your network. If the service does not appear in the list, see the following section, Adding a Port Forwarding Custom Service.
2. Enter the IP address of the local server in the corresponding Server IP Address box.
3. Click Add.
Adding a Port Forwarding Custom Service
To define a service, game or application that does not appear in the Service Name list, you must determine what port numbers are used by the service. For this information, you may need to contact the manufacturer of the program that you wish to use. When you have the port number information, follow these steps:
1. Click Add Custom Service.
2. Enter the first port number in an unused Starting Port box.
3. To forward only one port, enter it again in the Ending Port box. To specify a range of ports, enter the last port to be forwarded in the End Port box.
4. Enter the IP address of the local server in the corresponding Server IP Address box.
5. Type a name for the service.
6. Click Apply at the bottom of the menu.
Editing or Deleting a Port Forwarding Entry
To edit or delete a Port Forwarding entry, follow these steps.
1. In the table, select the button next to the service name.
2. Click Edit Service or Delete Service.

Local Web and FTP Server Example
If a local computer with a private IP address of 192.168.1.33 acts as a web and FTP server, configure the Ports menu to forward HTTP (port 80) and FTP (port 21) to local address 192.168.1.33.

In order for a remote user to access this server from the Internet, the remote user must know the IP address that has been assigned by your ISP. If this address is 172.16.1.23, for example, users can access your web server by directing the browser to http://172.16.1.23. The assigned IP address can be found in the Maintenance Status Menu, where it is shown as the WAN IP Address.

Some considerations for this application are:
If your account's IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires.
If the IP address of the local computer is assigned by DHCP, it may change when the computer is rebooted. To avoid this, you can manually configure the computer to use a fixed address.
Local computers must access the local server using the computer's local LAN address (192.168.1.33 in this example). Attempts by local computers to access the server using the external IP address (172.16.1.23 in this example) will fail.

Figure 7-3

Connect Automatically, as Required. Normally, this option should be enabled. An Internet connection will be made automatically after each timeout, whenever Internet-bound traffic is detected. This provides connection on demand and is potentially cost-saving. If disabled, you must connect manually, using the Connection Status button on the Router Status screen. This manual connection will stay up all the time without timeouts.
Disable SPI Firewall. Normally, this option should be Enabled, so that your local network will be protected by the Stateful Packet Inspection (SPI) firewall included in the WGT624 v3. However, certain communications functions like VPN may require turning off the SPI feature. Note: When SPI Firewall is disabled, you must use the Passive mode in the computer FTP client to connect to the FTP server.
Setting Up a Default DMZ Server
The default DMZ server feature is helpful when using some online games and videoconferencing applications that are incompatible with NAT. The router is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local computer can run the application properly if that computer's IP address is entered as the default DMZ server.
Note: DMZ servers pose a security risk. A computer designated as the default DMZ server loses much of the protection of the firewall, and is exposed to exploits from the Internet. If compromised, the DMZ server can be used to attack your network.
Incoming traffic from the Internet is normally discarded by the router unless the traffic is a response to one of your local computers or a service that you have configured in the Ports menu. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server. The WAN Setup menu lets you configure a Default DMZ Server.
To assign a computer or server to be a Default DMZ server, follow these steps:
1. Click WAN Setup link on the Advanced section of the main menu.
2. Type the IP address for that server. To remove the default DMZ server, clear the Default DMZ Server checkbox.
3. Click Apply.
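The inbound handling described above, written as a small model to show how much a Default DMZ Server widens exposure compared with the two forwarded ports of the web and FTP example. This is an added illustration, not router firmware; the DMZ host address 192.168.1.50 is a constructed value.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Forward:
    name: str
    start_port: int
    end_port: int
    server_ip: str

# Ports menu entries from the manual's web and FTP server example.
FORWARDS = [
    Forward("HTTP", 80, 80, "192.168.1.33"),
    Forward("FTP", 21, 21, "192.168.1.33"),
]
DMZ_HOST = "192.168.1.50"  # constructed address, not from the manual

def inbound_decision(dst_port, is_reply, forwards, dmz_ip=None):
    """Decide what happens to a packet arriving on the WAN side."""
    if is_reply:                      # response to a request from a LAN computer
        return ("deliver", None)
    for f in forwards:                # service configured in the Ports menu
        if f.start_port <= dst_port <= f.end_port:
            return ("forward", f.server_ip)
    if dmz_ip is not None:            # would have been discarded; DMZ host gets it
        return ("dmz", dmz_ip)
    return ("discard", None)

def exposed_ports(forwards, dmz_ip=None):
    """Ports (per transport protocol) on each LAN host open to unsolicited traffic."""
    reachable = {}
    for port in range(1, 65536):
        _action, target = inbound_decision(port, False, forwards, dmz_ip)
        if target is not None:
            reachable[target] = reachable.get(target, 0) + 1
    return reachable

if __name__ == "__main__":
    print("forwards only:", exposed_ports(FORWARDS))
    print("with DMZ host:", exposed_ports(FORWARDS, DMZ_HOST))
```

With forwards alone, only two ports on one host accept unsolicited traffic; with a DMZ host set, every remaining port is delivered to that host, so it needs its own host firewall and patching.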


To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.
How to Configure Static Routes
Static routes provide additional routing information to your router. Under normal circumstances, the router has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple routers or multiple IP subnets located on your network. From the main menu of the browser interface, under Advanced, click Static Routes to view the Static Route menu, shown below.

Figure 7-7

To add or edit a Static Route:
1. Click Add to open the Add/Edit Menu, shown below.

Figure 7-8

2. Type a route name for this static route in the Route Name box under the table. (This is for identification purposes only.)
3. Select Private if you want to limit access to the LAN only. The static route will not be reported in RIP.
4. Select Active to make this route effective.
5. Type the Destination IP Address of the final destination.
6. Type the IP Subnet Mask for this destination. If the destination is a single host, type 255.255.255.255.
7. Type the Gateway IP Address, which must be a router on the same LAN segment as the router.
8. Type a number between 1 and 15 as the Metric value. This represents the number of routers between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
9. Click Apply to have the static route entered into the table.

As an example of when a static route is needed, consider the following case:
- Your primary Internet access is through a cable modem to an ISP.
- You have an ISDN router on your home network for connecting to the company where you are employed. This router's address on your LAN is 192.168.1.100.
- Your company's network is 134.177.0.0.
When you first configured your router, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.1.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your router will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company's firewall.
In this case you must define a static route, telling your router that 134.177.0.0 should be accessed through the ISDN router at 192.168.1.100. The static route would look like Figure 7-8. In this example:
- The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.0.x addresses.
- The Gateway IP Address field specifies that all traffic for these addresses should be forwarded to the ISDN router at 192.168.1.100.
- A Metric value of 1 will work since the ISDN router is on the LAN.
- Private is selected only as a precautionary security measure in case RIP is activated.
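The route selection in this example can be traced with a short routing-table model, added here as an illustration and not taken from the manual or the router's firmware. It assumes standard longest-prefix matching, a 255.255.255.0 mask inferred from "134.177.0.x", and uses the labels "ISP" and "on-link" in place of next hops the manual does not give.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.1.0/24")

def make_route(name, dest, mask, gateway, metric, private=True):
    """Validate one Static Routes entry against the rules in the steps above."""
    if not 1 <= metric <= 15:
        raise ValueError("Metric must be a number between 1 and 15")
    if ipaddress.ip_address(gateway) not in LAN:
        raise ValueError("Gateway must be a router on the same LAN segment")
    # strict=True rejects a destination that has host bits set for this mask
    net = ipaddress.ip_network(f"{dest}/{mask}", strict=True)
    return {"name": name, "net": net, "gateway": gateway,
            "metric": metric, "private": private}

def next_hop(table, dst):
    """Longest-prefix match; the lower metric wins between equal prefixes."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r["net"]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r["net"].prefixlen, -r["metric"]))["gateway"]

# The two implicit routes created at first setup. "ISP" and "on-link" are
# labels standing in for the real next hops, which the manual does not give.
IMPLICIT = [
    {"name": "default", "net": ipaddress.ip_network("0.0.0.0/0"),
     "gateway": "ISP", "metric": 1, "private": False},
    {"name": "lan", "net": LAN, "gateway": "on-link", "metric": 1, "private": False},
]

# Static route from the example; the mask is inferred from "134.177.0.x".
COMPANY = make_route("company", "134.177.0.0", "255.255.255.0", "192.168.1.100", 1)

if __name__ == "__main__":
    for table, label in ((IMPLICIT, "before"), (IMPLICIT + [COMPANY], "after")):
        print(label, "->", next_hop(table, "134.177.0.25"))
```

Before the static route is added, company-bound traffic leaves through the ISP; afterwards it goes to the ISDN router, while addresses outside 134.177.0.x still follow the default route.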
Enabling Remote Management Access
Using the Remote Management page, you can allow a user or users on the Internet to configure, upgrade and check the status of your WGT624 v3 wireless router. Note: Be sure to change the router's default configuration password to a very secure password. The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both upper and lower case), numbers, and symbols. Your password can be up to 30 characters.

Figure 7-9

To configure your router for Remote Management:
1. Select the Turn Remote Management On check box.
2. Specify which external addresses will be allowed to access the router's remote management.
Note: For enhanced security, restrict access to as few external IP addresses as practical.
   a. To allow access from any IP address on the Internet, select Everyone.
   b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
   c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
3. Specify the Port Number that will be used for accessing the management interface. Web browser access normally uses the standard HTTP service port 80. For greater security, you can change the remote management web interface to a custom port by entering that number in the box provided. Choose a number between 1024 and 65535, but do not use the number of any common service port. The default is 8080, which is a common alternate for HTTP.
4. Click Apply to have your changes take effect.
Note: When accessing your router from the Internet, you will type your router's WAN IP address into your browser's Address (in IE) or Location (in Netscape) box, followed by a colon (:) and the custom port number. For example, if your external address is 134.177.0.123 and you use port number 8080, you must enter http://134.177.0.123:8080 in your browser.
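A settings check for the Remote Management page, added here as an example (it is not a Netgear tool) that applies the guidance above: narrow the allowed addresses and pick a port between 1024 and 65535 that is not a common service port. The common-port list, the 16-address threshold and the 203.0.113.x sample addresses are constructed assumptions.

```python
import ipaddress

# Constructed sample of widely used service ports inside 1024-65535.
COMMON_SERVICE_PORTS = {1433, 1723, 3306, 3389, 5060, 5900}
MAX_RANGE = 16  # assumed threshold for "as few addresses as practical"

def audit_remote_management(enabled, mode, start=None, end=None, port=8080):
    """Return finding codes for one Remote Management configuration."""
    findings = []
    if not enabled:
        return findings               # nothing reachable from the Internet
    if mode == "everyone":
        findings.append("open-to-everyone")
    elif mode == "range":
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        if first > last:
            findings.append("range-reversed")
        elif int(last) - int(first) + 1 > MAX_RANGE:
            findings.append("range-too-wide")
    elif mode == "single":
        ipaddress.ip_address(start)   # raises ValueError on a malformed address
    else:
        raise ValueError(f"unknown mode: {mode}")
    if not 1024 <= port <= 65535:
        findings.append("port-outside-1024-65535")
    elif port in COMMON_SERVICE_PORTS:
        findings.append("port-is-common-service")
    elif port == 8080:
        # Factory default, described in the manual as a common HTTP alternate.
        findings.append("port-is-default-8080")
    return findings

# Constructed sample configurations, from least to most restrictive.
SAMPLES = {
    "wide open": dict(enabled=True, mode="everyone", port=80),
    "whole /24": dict(enabled=True, mode="range",
                      start="203.0.113.0", end="203.0.113.255"),
    "one admin PC": dict(enabled=True, mode="single",
                         start="203.0.113.10", port=49200),
}

if __name__ == "__main__":
    for label, cfg in SAMPLES.items():
        print(f"{label:13s}", audit_remote_management(**cfg) or "no findings")
```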
Using Universal Plug and Play (UPnP)
Universal Plug and Play (UPnP) helps devices, such as Internet appliances and computers, access the network and connect to other devices as needed. UPnP devices can automatically discover the services from other registered UPnP devices on the network.


Figure 7-10
Turn UPnP On: UPnP can be enabled or disabled for automatic device configuration. The default setting for UPnP is enabled. If disabled, the router will not allow any device to automatically control the resources, such as port forwarding (mapping), of the router.
Advertisement Period: The Advertisement Period is how often the router will broadcast its UPnP information. This value can range from 1 to 1440 minutes. The default period is 30 minutes. Shorter durations will ensure that control points have current device status at the expense of additional network traffic. Longer durations may compromise the freshness of the device status but can significantly reduce network traffic.
Advertisement Time To Live: The time to live for the advertisement is measured in hops (steps) for each UPnP packet sent. The time to live hop count is the number of steps a broadcast packet is allowed to propagate for each UPnP advertisement before it disappears. The number of hops can range from 1 to 255. The default value for the advertisement time to live is 4 hops, which should be fine for most home networks. If you notice that some devices are not being updated or reached correctly, then it may be necessary to increase this value a little.
UPnP Portmap Table: The UPnP Portmap Table displays the IP address of each UPnP device that is currently accessing the router and which ports (Internal and External) that device has opened. The UPnP Portmap Table also displays what type of port is opened and if that port is still active for each IP address.

 
