Netgear N600 Wireless Router User Manual
N600 Wireless Dual Band Gigabit ADSL2+ Modem Router DGND3700
Security Settings

3. Your router creates an entry in its internal session table describing this communication session between your computer and the web server at www.example.com. Before sending the web page request message to www.example.com, your router stores the original information and then modifies the source information in the request message, performing Network Address Translation (NAT):

   • The source address is replaced with your router’s public IP address. This is necessary because your computer uses a private IP address that is not globally unique and cannot be used on the Internet.
   • The source port number is changed to a number chosen by the router, such as 33333. This is necessary because two computers could independently be using the same session number.

   Your router then sends this request message through the Internet to the web server at www.example.com.

4. The web server at www.example.com composes a return message with the requested web page data. The return message contains the following address and port information. The web server then sends this reply message to your router.

   Source address. The IP address of www.example.com.
   Source port number. 80, which is the standard port number for a web server process.
   Destination address. The public IP address of your router.
   Destination port number. 33333.

5. Upon receiving the incoming message, your router checks its session table to determine whether there is an active session for port number 33333. Finding an active session, the router then modifies the message to restore the original address information replaced by NAT. Your router sends this reply message to your computer, which displays the web page from www.example.com. The message now contains the following address and port information.

   Source address. The IP address of www.example.com.
   Source port number. 80, which is the standard port number for a web server process.
   Destination address. Your computer’s IP address.
   Destination port number. 5678, which is the browser session that made the initial request.

6. When you finish your browser session, your router eventually detects a period of inactivity in the communications. Your router then removes the session information from its session table, and incoming traffic is no longer accepted on port number 33333.

Port Triggering to Open Incoming Ports

In the preceding example, requests are sent to a remote computer by your router from a particular service port number, and replies from the remote computer to your router are directed to that port number. If the remote server sends a reply back to a different port number, your router does not recognize it and discards it. However, some application servers (such as FTP and IRC servers) send replies back to multiple port numbers. Using the port triggering function of your router, you can tell the router to open additional incoming ports when a particular outgoing port originates a session.

An example is Internet Relay Chat (IRC). Your computer connects to an IRC server at destination port 6667. The IRC server not only responds to your originating source port, but also sends an “identify” message to your computer on port 113. Using port triggering, you can tell the router, “When you initiate a session with destination port 6667, you have to also allow incoming traffic on port 113 to reach the originating computer.” Using steps similar to the preceding example, the following sequence shows the effects of the port triggering rule you have defined:

1. You open an IRC client program to start a chat session on your computer.
2. Your IRC client composes a request message to an IRC server using a destination port number of 6667, the standard port number for an IRC server process. Your computer then sends this request message to your router.
3. Your router creates an entry in its internal session table describing this communication session between your computer and the IRC server. Your router stores the original information, performs Network Address Translation (NAT) on the source address and port, and sends this request message through the Internet to the IRC server.
4. Noting your port triggering rule and having observed the destination port number of 6667, your router creates an additional session entry to send any incoming port 113 traffic to your computer.
5. The IRC server sends a return message to your router using the NAT-assigned source port (as in the previous example, let’s say port 33333) as the destination port. The IRC server also sends an “identify” message to your router with destination port 113.
6. Upon receiving the incoming message to destination port 33333, your router checks its session table to determine whether there is an active session for port number 33333. Finding an active session, the router restores the original address information replaced by NAT and sends this reply message to your computer.
7. Upon receiving the incoming message to destination port 113, your router checks its session table and learns that there is an active session for port 113, associated with your computer. The router replaces the message’s destination IP address with your computer’s IP address and forwards the message to your computer.
8. When you finish your chat session, your router eventually senses a period of inactivity in the communications. The router then removes the session information from its session table, and incoming traffic is no longer accepted on port numbers 33333 or 113.

To configure port triggering, you need to know which inbound ports the application needs. Also, you need to know the number of the outbound port that will trigger the opening of the inbound ports. You can usually determine this information by contacting the publisher of the application, or user groups or newsgroups.

Note: Only one computer at a time can use the triggered application.

Port Forwarding to Permit External Host Communications

In both of the preceding examples, your computer initiates an application session with a server computer on the Internet. However, you might need to allow a client computer on the Internet to initiate a connection to a server computer on your network. Normally, your router ignores any inbound traffic that is not a response to your own outbound traffic. You can configure exceptions to this default rule by using the port forwarding feature.

A typical application of port forwarding can be shown by reversing the client-server relationship from the previous web server example. In this case, a remote computer’s browser needs to access a web server running on a computer in your local network. Using port forwarding, you can tell the router, “When you receive incoming traffic on port 80 (the standard port number for a web server process), forward it to the local computer at 192.168.1.123.” The following sequence shows the effects of the port forwarding rule you have defined:

1. The user of a remote computer opens a browser and requests a web page from www.example.com, which resolves to the public IP address of your router. The remote computer composes a web page request message with the following destination information:

   Destination address. The IP address of www.example.com, which is the address of your router.
   Destination port number. 80, which is the standard port number for a web server process.

   The remote computer then sends this request message through the Internet to your router.

2. Your router receives the request message and looks in its rules table for any rules covering the disposition of incoming port 80 traffic. Your port forwarding rule specifies that incoming port 80 traffic should be forwarded to local IP address 192.168.1.123. Therefore, your router modifies the destination information in the request message:

   The destination address is replaced with 192.168.1.123.

   Your router then sends this request message to your local network.

3. Your web server at 192.168.1.123 receives the request and composes a return message with the requested web page data. Your web server then sends this reply message to your router.
4. Your router performs Network Address Translation (NAT) on the source IP address, and sends this reply message through the Internet to the remote computer, which displays the web page from www.example.com.

To configure port forwarding, you need to know which inbound ports the application needs. You usually can determine this information by contacting the publisher of the application or the relevant user groups and newsgroups.

How Port Forwarding Differs from Port Triggering

The following points summarize the differences between port forwarding and port triggering:

• Port triggering can be used by any computer on your network, although only one computer can use it at a time.
• Port forwarding is configured for a single computer on your network.
• Port triggering does not need to know the computer’s IP address in advance. The IP address is captured automatically.
• Port forwarding requires that you specify the computer’s IP address during configuration, and the IP address can never change.
• Port triggering requires specific outbound traffic to open the inbound ports, and the triggered ports are closed after a period of no activity.
• Port forwarding is always active and does not need to be triggered.

Configure Port Forwarding to Local Servers

Using the port forwarding feature, you can allow certain types of incoming traffic to reach servers on your local network. For example, you might want to make a local web server, FTP server, or game server visible and available to the Internet.

Use the Port Forwarding screen to configure the router to forward specific incoming protocols to computers on your local network. In addition to servers for specific applications, you can also specify a default DMZ server to which all other incoming protocols are forwarded.

Before starting, you need to determine which type of service, application, or game you want to provide, and the local IP address of the computer that will provide the service. The server computer has to always have the same IP address.

Tip: To ensure that your server computer always has the same IP address, use the reserved IP address feature of your product.

To configure port forwarding:

1. Select Content Filtering > Port Forwarding/Port Triggering to display the following screen:

   Figure 22. Setting up port forwarding

2. Select the Port Forwarding radio button as the service type.
3. From the Service Name list, select the service or game that you will host on your network. If the service does not appear in the list, see Add a Custom Service on page 55.
4. In the corresponding Server IP Address field, enter the last digit of the IP address of your local computer that will provide this service.
5. Click Add. The service appears in the list in the screen.

Add a Custom Service

To define a service, game, or application that does not appear in the Service Name list, you have to first determine which port number or range of numbers is used by the application. You can usually determine this information by contacting the publisher of the application or user groups or newsgroups.

When you have the port number information, follow these steps:

1. Select Content Filtering > Port Forwarding/Port Triggering.
2. Select the Port Forwarding radio button as the service type.
3. Click the Add Custom Service button to display the following screen:

   Figure 23. Set up custom services

4. In the Service Name field, enter a descriptive name.
5. In the Protocol field, select the protocol. If you are unsure, select TCP/UDP.
6. In the Starting Port field, enter the beginning port number.
   • If the application uses a single port, enter the same port number in the Ending Port field.
   • If the application uses a range of ports, enter the ending port number of the range in the Ending Port field.
7. In the Server IP Address field, enter the IP address of your local computer that will provide this service.
8. Click Apply. The service appears in the list in the Port Forwarding/Port Triggering screen.

Edit or Delete a Port Forwarding Entry

To edit or delete a port forwarding entry:

1. In the table, select the button next to the service name.
2. Click Edit Service or Delete Service.

Application Example: Making a Local Web Server Public

If you host a web server on your local network, you can use port forwarding to allow web requests from anyone on the Internet to reach your web server.

To make a local web server public:

1. Assign your web server either a fixed IP address or a dynamic IP address using DHCP address reservation. In this example, your router will always give your web server an IP address of 192.168.1.33.
2. In the Port Forwarding screen, configure the router to forward the HTTP service to the local address of your web server at 192.168.1.33. HTTP (port 80) is the standard protocol for web servers.
3. (Optional) Register a host name with a Dynamic DNS service, and configure your router to use the name. To access your web server from the Internet, a remote user has to know the IP address that has been assigned by your ISP. However, if you use a Dynamic DNS service, the remote user can reach your server by a user-friendly Internet name, such as mynetgear.dyndns.org.

Configure Port Triggering

Port triggering is a dynamic extension of port forwarding that is useful in these cases:

• More than one local computer needs port forwarding for the same application (but not simultaneously).
• An application needs to open incoming ports that are different from the outgoing port.

When port triggering is enabled, the router monitors outbound traffic looking for a specified outbound “trigger” port. When the router detects outbound traffic on that port, it remembers the IP address of the local computer that sent the data. The router then temporarily opens the specified incoming port or ports, and forwards incoming traffic on the triggered ports to the triggering computer.

While port forwarding creates a static mapping of a port number or range to a single local computer, port triggering can dynamically open ports to any computer that needs them and can close the ports when they are no longer needed.
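
The following model is an added example, not code from NETGEAR or from the router's firmware. It replays the manual's NAT session, IRC port triggering, and port 80 forwarding walkthroughs to show which inbound ports deliver traffic to the LAN at each moment. The LAN client addresses, the 300-second idle timeout, and the rule that the first computer keeps a triggered port are assumptions; like the manual's description, the lookup is by destination port only.

```python
from dataclasses import dataclass, field

IDLE_TIMEOUT = 300  # seconds; assumed, the manual only says "a period of inactivity"

@dataclass
class Router:
    forwards: dict = field(default_factory=dict)   # inbound port -> LAN IP (static rule)
    triggers: dict = field(default_factory=dict)   # outbound dest port -> inbound ports
    sessions: dict = field(default_factory=dict)   # NAT port -> (lan_ip, lan_port, last_seen)
    triggered: dict = field(default_factory=dict)  # inbound port -> (lan_ip, last_seen)
    next_port: int = 33333                         # NAT port from the manual's example

    def expire(self, now):
        """Drop session and triggered entries that have been idle too long."""
        for table in (self.sessions, self.triggered):
            for port in [p for p, e in table.items() if now - e[-1] > IDLE_TIMEOUT]:
                del table[port]

    def outbound(self, lan_ip, lan_port, dst_port, now):
        """A LAN host opens a session; returns the NAT-assigned source port."""
        self.expire(now)
        nat_port, self.next_port = self.next_port, self.next_port + 1
        self.sessions[nat_port] = (lan_ip, lan_port, now)
        for port in self.triggers.get(dst_port, []):
            # One computer at a time: the first holder keeps the port (assumed policy).
            self.triggered.setdefault(port, (lan_ip, now))
        return nat_port

    def inbound(self, dst_port, now):
        """Return the (lan_ip, lan_port) a packet is delivered to, or None if dropped."""
        self.expire(now)
        if dst_port in self.sessions:        # reply to an active NAT session
            lan_ip, lan_port, _ = self.sessions[dst_port]
            self.sessions[dst_port] = (lan_ip, lan_port, now)
            return lan_ip, lan_port
        if dst_port in self.triggered:       # port opened by a trigger rule
            lan_ip, _ = self.triggered[dst_port]
            self.triggered[dst_port] = (lan_ip, now)
            return lan_ip, dst_port
        if dst_port in self.forwards:        # static rule: no session needed
            return self.forwards[dst_port], dst_port
        return None                          # unsolicited traffic is discarded

def walkthrough():
    """Replay the manual's IRC and web server examples; LAN client IPs are constructed."""
    r = Router(forwards={80: "192.168.1.123"}, triggers={6667: [113]})
    out = {"113_before_trigger": r.inbound(113, now=0)}
    nat_port = r.outbound("192.168.1.10", 5678, 6667, now=10)   # IRC client connects
    out["nat_port"] = nat_port
    out["irc_reply"] = r.inbound(nat_port, now=11)
    out["ident_113"] = r.inbound(113, now=12)
    r.outbound("192.168.1.11", 4000, 6667, now=13)              # second PC, same app
    out["ident_113_second_pc"] = r.inbound(113, now=14)
    late = 14 + IDLE_TIMEOUT + 1
    out["113_after_idle"] = r.inbound(113, now=late)
    out["reply_after_idle"] = r.inbound(nat_port, now=late)
    out["forwarded_80"] = r.inbound(80, now=late)               # still open
    out["unlisted_8080"] = r.inbound(8080, now=late)
    return out

if __name__ == "__main__":
    for name, result in walkthrough().items():
        print(f"{name:22} {result}")
```

Port 80 is still delivered after every session has aged out, while port 113 reaches the LAN only inside the triggered window, which is the exposure difference to weigh when choosing between the two features.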

Note: If you use applications such as multiplayer gaming, peer-to-peer connections, real-time communications such as instant messaging, or remote assistance (a feature in Windows XP), you should also enable Universal Plug and Play (UPnP).

To configure port triggering, you need to know which inbound ports the application needs. Also, you need to know the number of the outbound port that will trigger the opening of the inbound ports. You can usually determine this information by contacting the publisher of the application or user groups or newsgroups.

To set up port triggering:

1. Select Content Filtering > Port Forwarding/Port Triggering to display the following screen:
2. Select the Port Triggering radio button to display the port triggering information.

   Figure 24. Set up port triggering

3. Clear the Disable Port Triggering check box.

   Note: If the Disable Port Triggering check box is selected after you configure port triggering, port triggering is disabled. However, any port triggering configuration information you added to the router is retained even though it is not used.

4. In the Port Triggering Timeout field, enter a value up to 9999 minutes. This value controls the inactivity timer for the designated inbound ports. The inbound ports close when the inactivity time expires. This is required because the router cannot be sure when the application has terminated.
5. Click Add Service.

   Figure 25. Add a service for port triggering

6. In the Service Name field, type a descriptive service name.
7. In the Service User field, select Any (the default) to allow this service to be used by any computer on the Internet. Otherwise, select Single address, and enter the IP address of one computer to restrict the service to a particular computer.
8. Select the service type, either TCP or UDP or both (TCP/UDP). If you are not sure, select TCP/UDP.
9. In the Triggering Port field, enter the number of the outbound traffic port that will cause the inbound ports to be opened.
10. Enter the inbound connection port information in the Connection Type, Starting Port, and Ending Port fields.
11. Click Apply. The service appears in the Port Triggering Portmap table.

Configure Services

Services are functions performed by server computers at the request of client computers. For example, web servers serve web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (web server) request.

The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF at http://www.ietf.org/) and published in RFC 1700, “Assigned Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application. Although the wireless modem router already holds a list of many service port numbers, you are not limited to these choices.

To create your own service definitions:

1. Select Content Filtering > Services to display the following screen:

   Figure 26. Services screen

   • To create a new service, click the Add Custom Service button to display the Add Services screen.
   • To edit a service, select its button on the left side of the table, and click Edit Service.
   • To delete a service, select its button on the left side of the table, and click Delete Service.

2. Use the following screen to define or edit a service.

   Figure 27. Add Services screen

   • Name. Enter a meaningful name for the service.
   • Type. Select the correct type for this service. If in doubt, select TCP/UDP. The options are TCP, UDP, TCP/UDP.
   • Start Port and End Port. If a port range is required, enter the range here. If a single port is required, enter the same value in both fields.

3. Click Apply to save your changes.

Set the Time Zone

The wireless modem router uses the Network Time Protocol (NTP) to obtain the current time and date from one of several network time servers on the Internet.

To set the time zone:

1. Select Content Filtering > Schedule to display the following screen:

   Figure 28. Schedule screen

2. Select your time zone. This setting determines the blocking schedule and time-stamping of log entries.
3. If your time zone is in daylight savings time, select the Adjust for Daylight Savings Time check box to add one hour to standard time.

   Note: If your region uses daylight savings time, select Adjust for Daylight Savings Time on the first day and clear it after the last day.

4. The wireless modem router has a list of NETGEAR NTP servers. If you would prefer to use a particular NTP server as the primary server, select the Use this NTP Server check box, and enter its IP address.
5. Click Apply to save your settings.

Schedule Firewall Services

If you enabled services blocking in the Block Services screen or port forwarding in the Port Forwarding/Port Triggering screen, you can set up a schedule for when blocking occurs or when access is not restricted.

To schedule firewall services:

1. Select Content Filtering > Schedule to display the following screen:

   Figure 29. Schedule screen

2. To block Internet services based on a schedule, select Every Day, or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, to limit access during certain times for the selected days, enter times in the Start Time and End Time fields.

   Note: Enter the values in 24-hour time format. For example, 10:30 a.m. would be 10 hours and 30 minutes, and 10:30 p.m. would be 22 hours and 30 minutes. If you set the start time after the end time, the schedule is effective through midnight the next day.

3. Click Apply to save your settings.

Enable Security Event Email Notification

To receive logs and alerts by email, provide your email information in the E-mail screen, and specify which alerts you want to receive and how often.