NETGEAR FVS318N User Manual


ProSafe Wireless-N 8-Port

Gigabit VPN Firewall

FVS318N

Reference Manual

350 East Plumeria Drive

San Jose, CA 95134

USA

July, 2012 202-10836-04 v1.0


© 2011–2012 NETGEAR, Inc. All rights reserved.

No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.

Technical Support

Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.

Phone (US & Canada only): 1-888-NETGEAR

Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/app/answers/detail/a_id/984.

Trademarks

NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. Other brand and product names are registered trademarks or trademarks of their respective holders. © 2012 NETGEAR, Inc. All rights reserved.

Statement of Conditions

To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use, or application of, the product(s) or circuit layout(s) described herein.

Revision History

Publication Part Number: 202-10836-04
Version: 1.0
Publish Date: July, 2012
Comments: Added the following features:
• Stateless IP/ICMP Translation (see Configure Stateless IP/ICMP Translation)
• Option to turn bandwidth profiles on and off (see Create Bandwidth Profiles)
• Support for SNMPv3 (see Use a Simple Network Management Protocol Manager)
The following screens provide new information:
• LAN WAN Rules screen (see Configure LAN WAN Rules)
• Router Status screen (see Router Status Screen)
• Detailed Status screen (see Detailed Status Screen)

Publication Part Number: 202-10836-03
Version: 1.0
Publish Date: April, 2012
Comments: Added the PPPoE IPv6 feature (see Configure a PPPoE IPv6 Internet Connection)

Publication Part Number: 202-10836-02
Version: 1.0
Publish Date: March, 2012
Comments: Added the following menus and features:
• New and improved general menu structure with IPv4 and IPv6 radio buttons
• New LAN IPv6 configuration menu with the LAN Setup (IPv6) screen (see Manage the IPv6 LAN) and a new screen, the LAN Multi-homing (IPv6) screen (see Configure IPv6 Multihome LAN IP Addresses on the Default VLAN)
• IPv6 DMZ (Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic)
• IPv6 firewall rules (see Configure LAN WAN Rules, Configure DMZ WAN Rules, Configure LAN DMZ Rules, and Examples of Firewall Rules)
• IPv6 attack checks (see Attack Checks)
• IPv6/MAC bindings (see Set Up IP/MAC Bindings)
• Simplified wireless settings submenus for easier configuration (see Chapter 4, Wireless Configuration and Security)
• IPSec VPN IPv6 address support (see Chapter 6, Virtual Private Networking Using IPSec and L2TP Connections)
• IPSec VPN autoinitiate support (see Manually Add or Edit a VPN Policy)
• SSL VPN IPv6 address support (see Chapter 7, Virtual Private Networking Using SSL Connections)
• User login restrictions based on IPv6 addresses (see Configure Login Restrictions Based on IPv6 Addresses)
• IPv6 remote management access (see Configure Remote Management Access)
• IPv6 address resolution for NTP servers (see Configure Date and Time Service)
• IPv6 diagnostics (see Diagnostics Utilities)
• Extensive list of factory default settings (see Appendix A, Default Settings and Technical Specifications)

Publication Part Number: 202-10836-01
Version: 1.0
Publish Date: September 2011
Comments: First publication


Contents

Chapter 1 Introduction

What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N?
Key Features and Capabilities
Wireless Features
Advanced VPN Support for Both IPSec and SSL
A Powerful, True Firewall
Security Features
Autosensing Ethernet Connections with Auto Uplink
Extensive Protocol Support
Easy Installation and Management
Maintenance and Support
Package Contents
Hardware Features
Front Panel
Rear Panel
Bottom Panel with Product Label
Choose a Location for the Wireless VPN Firewall
Log In to the Wireless VPN Firewall
Web Management Interface Menu Layout
Requirements for Entering IP Addresses

Chapter 2 IPv4 and IPv6 Internet and Broadband Settings

Internet and WAN Configuration Tasks
Tasks to Set Up an IPv4 Internet Connection to Your ISP
Tasks to Set Up an IPv6 Internet Connection to Your ISP
Configure the IPv4 Internet Connection and WAN Settings
Configure the IPv4 WAN Mode
Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection
Manually Configure an IPv4 Internet Connection
Configure Dynamic DNS
Configure the IPv6 Internet Connection and WAN Settings
Configure the IPv6 Routing Mode
Use a DHCPv6 Server to Configure an IPv6 Internet Connection
Configure a Static IPv6 Internet Connection
Configure a PPPoE IPv6 Internet Connection
Configure 6to4 Automatic Tunneling
Configure ISATAP Automatic Tunneling
View the Tunnel Status and IPv6 Addresses
Configure Stateless IP/ICMP Translation
Configure Advanced WAN Options and Other Tasks
Additional WAN-Related Configuration Tasks
Verify the Connection
What to Do Next

Chapter 3 LAN Configuration

Manage IPv4 Virtual LANs and DHCP Options
Port-Based VLANs
Assign and Manage VLAN Profiles
VLAN DHCP Options
Configure a VLAN Profile
Configure VLAN MAC Addresses and LAN Advanced Settings
Configure IPv4 Multihome LAN IP Addresses on the Default VLAN
Manage IPv4 Groups and Hosts (IPv4 LAN Groups)
Manage the Network Database
Change Group Names in the Network Database
Set Up DHCP Address Reservation
Manage the IPv6 LAN
DHCPv6 Server Options
Configure the IPv6 LAN
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN
Configure IPv6 Multihome LAN IP Addresses on the Default VLAN
Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic
DMZ Port for IPv4 Traffic
DMZ Port for IPv6 Traffic
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the DMZ
Manage Static IPv4 Routing
Configure Static IPv4 Routes
Configure the Routing Information Protocol
IPv4 Static Route Example
Manage Static IPv6 Routing

Chapter 4 Wireless Configuration and Security

Overview of the Wireless Features
Wireless Equipment Placement and Range Guidelines
Configure the Basic Radio Settings
Operating Frequency (Channel) Guidelines
Wireless Data Security Options
Wireless Security Profiles
Before You Change the SSID, WEP, and WPA Settings
Configure and Enable Wireless Profiles
Restrict Wireless Access by MAC Address
View the Status of a Wireless Profile
Configure Wi-Fi Protected Setup
Configure Advanced Radio Settings
Test Basic Wireless Connectivity

Chapter 5 Firewall Protection

About Firewall Protection
Administrator Tips
Overview of Rules to Block or Allow Specific Kinds of Traffic
Outbound Rules (Service Blocking)
Inbound Rules (Port Forwarding)
Order of Precedence for Rules
Configure LAN WAN Rules
Create LAN WAN Outbound Service Rules
Create LAN WAN Inbound Service Rules
Configure DMZ WAN Rules
Create DMZ WAN Outbound Service Rules
Create DMZ WAN Inbound Service Rules
Configure LAN DMZ Rules
Create LAN DMZ Outbound Service Rules
Create LAN DMZ Inbound Service Rules
Examples of Firewall Rules
Examples of Inbound Firewall Rules
Examples of Outbound Firewall Rules
Configure Other Firewall Features
Attack Checks
Set Limits for IPv4 Sessions
Manage the Application Level Gateway for SIP Sessions
Services, Bandwidth Profiles, and QoS Profiles
Add Customized Services
Create Bandwidth Profiles
Preconfigured Quality of Service Profiles
Configure Content Filtering
Set a Schedule to Block or Allow Specific Traffic
Enable Source MAC Filtering
Set Up IP/MAC Bindings
Configure Port Triggering
Configure Universal Plug and Play

Chapter 6 Virtual Private Networking Using IPSec and L2TP Connections

Use the IPSec VPN Wizard for Client and Gateway Configurations
Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard
Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard
Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard
Test the Connection and View Connection and Status Information
Test the NETGEAR VPN Client Connection
NETGEAR VPN Client Status and Log Information
View the Wireless VPN Firewall IPSec VPN Connection Status
View the Wireless VPN Firewall IPSec VPN Log
Manage IPSec VPN Policies
Manage IKE Policies
Manage VPN Policies
Configure Extended Authentication (XAUTH)
Configure XAUTH for VPN Clients
User Database Configuration
RADIUS Client and Server Configuration
Assign IPv4 Addresses to Remote Users (Mode Config)
Mode Config Operation
Configure Mode Config Operation on the Wireless VPN Firewall
Configure the ProSafe VPN Client for Mode Config Operation
Test the Mode Config Connection
Modify or Delete a Mode Config Record
Configure Keep-Alives and Dead Peer Detection
Configure Keep-Alives
Configure Dead Peer Detection
Configure NetBIOS Bridging with IPSec VPN
Configure the L2TP Server
View the Active L2TP Users

Chapter 7 Virtual Private Networking Using SSL Connections

SSL VPN Portal Options
Overview of the SSL Configuration Process
Create the Portal Layout
Configure Domains, Groups, and Users
Configure Applications for Port Forwarding
Add Servers and Port Numbers
Add a New Host Name
Configure the SSL VPN Client
Configure the Client IP Address Range
Add Routes for VPN Tunnel Clients
Use Network Resource Objects to Simplify Policies
Add New Network Resources
Edit Network Resources to Specify Addresses
Configure User, Group, and Global Policies
View Policies
Add an IPv4 or IPv6 SSL VPN Policy
Access the New SSL Portal Login Screen
View the SSL VPN Connection Status and SSL VPN Log

Chapter 8 Manage Users, Authentication, and VPN Certificates

The Wireless VPN Firewall’s Authentication Process and Options
Configure Authentication Domains, Groups, and Users
Configure Domains
Configure Groups
Configure User Accounts
Set User Login Policies
Change Passwords and Other User Settings
Manage Digital Certificates for VPN Connections
VPN Certificates Screen
Manage VPN CA Certificates
Manage VPN Self-Signed Certificates
Manage the VPN Certificate Revocation List

Chapter 9 Network and System Management

Performance Management
Bandwidth Capacity
Features That Reduce Traffic
Features That Increase Traffic
Use QoS and Bandwidth Assignment to Shift the Traffic Mix
Monitoring Tools for Traffic Management
System Management
Change Passwords and Administrator and Guest Settings
Configure Remote Management Access
Use the Command-Line Interface
Use a Simple Network Management Protocol Manager
Manage the Configuration File
Configure Date and Time Service

Chapter 10 Monitor System Access and Performance

Enable the WAN Traffic Meter
Configure Logging, Alerts, and Event Notifications
How to Send Syslogs over a VPN Tunnel between Sites
View Status Screens
View the System Status
View the VPN Connection Status and L2TP Users
View the VPN Logs
View the Port Triggering Status
View the WAN Port Status
View the Attached Devices and the DHCP Log
View the Status of a Wireless Profile
Diagnostics Utilities
Send a Ping Packet
Trace a Route
Look Up a DNS Address
Display the Routing Tables
Capture Packets in Real Time
Reboot the Wireless VPN Firewall Remotely

Chapter 11 Troubleshooting

Basic Functioning
Power LED Not On
Test LED Never Turns Off
LAN or WAN Port LEDs Not On
Troubleshoot the Web Management Interface
When You Enter a URL or IP Address, a Time-Out Error Occurs
Troubleshoot the ISP Connection
Troubleshooting the IPv6 Connection
Troubleshoot a TCP/IP Network Using a Ping Utility
Test the LAN Path to Your Wireless VPN Firewall
Test the Path from Your Computer to a Remote Device
Restore the Default Configuration and Password
Address Problems with Date and Time
Access the Knowledge Base and Documentation

Appendix A Default Settings and Technical Specifications

Factory Default Settings
Physical and Technical Specifications

Appendix B Two-Factor Authentication

Why Do I Need Two-Factor Authentication?
What Are the Benefits of Two-Factor Authentication?
What Is Two-Factor Authentication?
NETGEAR Two-Factor Authentication Solutions

Appendix C Notification of Compliance (Wired)

Appendix D Notification of Compliance (Wireless)

Index


1. Introduction


This chapter provides an overview of the features and capabilities of the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N and explains how to log in to the device and use its web management interface. The chapter contains the following sections:

• What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N?
• Key Features and Capabilities
• Package Contents
• Hardware Features
• Choose a Location for the Wireless VPN Firewall
• Log In to the Wireless VPN Firewall
• Web Management Interface Menu Layout
• Requirements for Entering IP Addresses

Note: For more information about the topics covered in this manual, visit the FVS318N support website at http://support.netgear.com.

What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N?

The ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N, hereafter referred to as the wireless VPN firewall, connects your local area network (LAN) and wireless LAN (WLAN) to the Internet through an external broadband access device such as a cable or DSL modem, satellite or wireless Internet dish, or another router. A 2.4-GHz radio supports wireless connections in 802.11n mode with support for legacy clients in 802.11b and 802.11g mode.

The wireless VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall protects your IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traffic, and traffic with objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels.


The wireless VPN firewall provides advanced IPSec and SSL VPN technologies with support for up to 12 IPSec VPN tunnels and 5 SSL VPN tunnels, as well as L2TP support for easy and secure remote connections. The use of Gigabit Ethernet WAN and LAN ports ensures high data transfer speeds.

Key Features and Capabilities

• Wireless Features
• Advanced VPN Support for Both IPSec and SSL
• A Powerful, True Firewall
• Security Features
• Autosensing Ethernet Connections with Auto Uplink
• Extensive Protocol Support
• Easy Installation and Management
• Maintenance and Support

The wireless VPN firewall provides the following key features and capabilities:

• A single 10/100/1000 Mbps Gigabit Ethernet WAN port
• Built-in eight-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources
• A wireless radio with up to four wireless profiles
• Both IPv4 and IPv6 support
• Advanced IPSec VPN and SSL VPN support
• L2TP tunnel support
• Advanced stateful packet inspection (SPI) firewall with multi-NAT support
• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for the NETGEAR ProSafe Network Management Software (NMS200) over a LAN connection
• Front panel LEDs for easy monitoring of status and activity
• Flash memory for firmware upgrade
• Internal universal switching power supply

Wireless Features

The wireless VPN firewall supports the following features:

• 2.4 GHz radio. 2.4-GHz band support with 802.11b/g/n wireless modes.
• Wireless profiles. Support for up to four wireless profiles, each with its own SSID.
• Access control. The Media Access Control (MAC) address filtering feature can ensure that only trusted wireless stations can use the wireless VPN firewall to gain access to your LAN.
• Hidden mode. The SSID is not broadcast, assuring that only clients configured with the correct SSID can connect.
• Secure and economical operation. Adjustable power output allows more secure or economical operation.

Advanced VPN Support for Both IPSec and SSL

The wireless VPN firewall supports IPSec and SSL virtual private network (VPN) connections:

• IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
  - IPSec VPN with broad protocol support for secure connection to other IPSec gateways and clients.
  - Up to 12 simultaneous IPSec VPN connections.
  - Bundled with a 30-day trial license for the ProSafe VPN Client software (VPN01L).
• SSL VPN provides remote access for mobile users to selected corporate resources without requiring a preinstalled VPN client on their computers.
  - Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
  - Up to five simultaneous SSL VPN connections.
  - Allows browser-based, platform-independent remote access through a number of popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.
  - Provides granular access to corporate resources based on user type or group membership.

A Powerful, True Firewall

Unlike simple NAT routers, the wireless VPN firewall is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities:

• DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and SYN flood.
• Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
• Schedule policies. Permits scheduling of firewall policies by day and time.
• Logs security incidents. Logs security events such as logins and secure logins. You can configure the firewall to email the log to you at specified intervals.


Security Features

The wireless VPN firewall is equipped with several features designed to maintain security:

• Computers hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
• Port forwarding with NAT. Although NAT prevents Internet locations from directly accessing the computers on the LAN, the wireless VPN firewall allows you to direct incoming traffic to specific computers based on the service port number of the incoming request.
• DMZ port. Incoming traffic from the Internet is usually discarded by the wireless VPN firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can use the dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal eight-port 10/100/1000 Mbps switch and 10/100/1000 WAN port, the wireless VPN firewall can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The wireless VPN firewall incorporates Auto Uplink™ technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub. That port then configures itself correctly. This feature eliminates the need for you to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.

Extensive Protocol Support

The wireless VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). The wireless VPN firewall provides the following protocol support:

IP address sharing by NAT. The wireless VPN firewall allows many networked computers to share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.

Automatic configuration of attached computers by DHCP. The wireless VPN firewall dynamically assigns network configuration information, including IP, gateway, and Domain Name Server (DNS) addresses, to attached computers on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.

DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached computers. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.

PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection.

Quality of Service (QoS). The wireless VPN firewall supports QoS.

Layer 2 Tunneling Protocol (L2TP). A tunneling protocol that is used to support virtual private networks (VPNs).

Easy Installation and Management

You can install, configure, and operate the wireless VPN firewall within minutes after connecting it to the network. The following features simplify installation and management tasks:

Browser-based management. Browser-based configuration allows you to easily configure the wireless VPN firewall from almost any type of operating system, such as Windows, Macintosh, or Linux. Online help documentation is built into the browser-based web management interface.

Auto-detection of ISP. The wireless VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.

IPSec VPN Wizard. The wireless VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.

SNMP. The wireless VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.

Diagnostic functions. The wireless VPN firewall incorporates built-in diagnostic functions such as ping, traceroute, DNS lookup, and remote reboot.

Remote management. The wireless VPN firewall allows you to log in to the web management interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.

Visual monitoring. The wireless VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity.


Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the wireless VPN firewall:

Flash memory for firmware upgrades.

Technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR website at http://support.netgear.com/app/answers/detail/a_id/212.

Package Contents

The wireless VPN firewall product package contains the following items:

ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

One 12V 1A power supply unit for your region

Rubber feet

Ethernet cable

ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Guide

Resource CD, including:

- Application Notes and other helpful information

- 30-day trial license for the ProSafe VPN Client software (VPN01L)

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.

Hardware Features

Front Panel

Rear Panel

Bottom Panel with Product Label

The front panel ports and LEDs, rear panel ports, and bottom label of the wireless VPN firewall are described in the following sections.

Front Panel

Viewed from left to right, the wireless VPN firewall front panel contains the following ports:

LAN Ethernet ports. Eight switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.

WAN Ethernet port. One independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet port with an RJ-45 connector.


The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in the following table. Some LED explanation is provided on the front panel.

Figure 1. Front panel LEDs: Power LED; left LAN LEDs (green, one for each port); left WAN LED (green); Wireless LED; right LAN LEDs (one for each port); right WAN LED; DMZ LED; Active WAN LED; Test LED.

The following table describes the function of each LED.

Table 1. LED descriptions

| LED | Activity | Description |
|---|---|---|
| Power LED | On (green) | Power is supplied to the wireless VPN firewall. |
| | Off | Power is not supplied to the wireless VPN firewall. |
| Test LED | On (amber) during startup. | Test mode. The wireless VPN firewall is initializing. After approximately 2 minutes, when the wireless VPN firewall has completed its initialization, the Test LED goes off. |
| | On (amber) during any other time | The initialization has failed, or a hardware failure has occurred. |
| | Blinking (amber) | The wireless VPN firewall is writing to flash memory (during upgrading or resetting to defaults). |
| | Off | The wireless VPN firewall has booted successfully. |
| LAN Ports | | |
| Left LED | Off | The LAN port has no link. |
| | On (green) | The LAN port has detected a link with a connected Ethernet device. |
| | Blinking (green) | Data is being transmitted or received by the LAN port. |
| Right LED | Off | The LAN port is operating at 10 Mbps. |
| | On (amber) | The LAN port is operating at 100 Mbps. |
| | On (green) | The LAN port is operating at 1000 Mbps. |
| DMZ LED | Off | Port 8 is operating as a normal LAN port. |
| | On (green) | Port 8 is operating as a dedicated hardware DMZ port. |
| WAN Port | | |
| Left LED | Off | The WAN port has no physical link, that is, no Ethernet cable is plugged into the wireless VPN firewall. |
| | On (green) | The WAN port has a valid connection with a device that provides an Internet connection. |
| | Blinking (green) | Data is being transmitted or received by the WAN port. |
| Right LED | Off | The WAN port is operating at 10 Mbps. |
| | On (amber) | The WAN port is operating at 100 Mbps. |
| | On (green) | The WAN port is operating at 1000 Mbps. |
| Active LED | Off | There is no link to the Internet. |
| | On (green) | There is a link to the Internet. |


Rear Panel

The rear panel of the wireless VPN firewall includes the antennas, a cable lock receptacle, a console port, a Reset button, a DC power connection, and a power switch.

Figure 2. Rear panel callouts: (1) and (7) Antennas; (2) Security lock receptacle; (3) Console port; (4) Factory default Reset button; (5) DC power receptacle; (6) Power switch.

Viewed from left to right, the rear panel contains the following components:

1. Dipole antenna.

2. Cable security lock receptacle.

3. Console port. Port for connecting to an optional console terminal. The port has a DB9 male connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd.

4. Factory default Reset button. Using a sharp object, press and hold this button for about 8 seconds until the front panel Test LED flashes to reset the wireless VPN firewall to factory default settings. All configuration settings are lost, and the default password is restored.

5. DC power plug receptacle. Power input is 12VDC, 1A. The power plug is localized to the country of sale.

6. Power On/Off switch.

7. Dipole antenna.


Bottom Panel with Product Label

The product label on the bottom of the wireless VPN firewall’s enclosure displays factory default settings, regulatory compliance, and other information.

Figure 3.

Choose a Location for the Wireless VPN Firewall

The wireless VPN firewall is suitable for use in an office environment where it can be freestanding (on its rubber feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the wireless VPN firewall in a wiring closet or equipment room.

Consider the following when deciding where to position the wireless VPN firewall:

The unit is accessible, and cables can be connected easily.

Cabling is away from sources of electrical noise. These include lift shafts, microwave ovens, and air-conditioning units.

Water or moisture cannot enter the case of the unit.

Airflow around the unit and through the vents in the side of the case is not restricted. Provide a minimum of 25 mm or 1 inch clearance.

The air is as free of dust as possible.

Temperature operating limits are not likely to be exceeded. Install the unit in a clean, air-conditioned environment. For information about the recommended operating temperatures for the wireless VPN firewall, see Appendix A, Default Settings and Technical Specifications.


Log In to the Wireless VPN Firewall

Note: To connect the wireless VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Guide. A PDF of this guide is on the NETGEAR support website at http://support.netgear.com/app/products/model/a_id/19435.

To configure the wireless VPN firewall, you need to use a web browser such as Microsoft Internet Explorer 7.0 or later, Mozilla Firefox 4.0 or later, or Apple Safari 3.0 or later with JavaScript, cookies, and SSL enabled. (Google Chrome is not supported at this time.)

Although these web browsers are qualified for use with the wireless VPN firewall’s web management interface, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is required only for the SSL VPN portal, not for the web management interface.

To log in to the wireless VPN firewall:

1. Start any of the qualified web browsers.

2. In the address field, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays in the browser.

Note: The wireless VPN firewall factory default IP address is 192.168.1.1. If you change the IP address, you need to use the IP address that you assigned to the wireless VPN firewall to log in to the wireless VPN firewall.


Figure 4.

3. In the User Name field, type admin. Use lowercase letters.

4. In the Password / Passcode field, type password. Here, too, use lowercase letters.

Note: The wireless VPN firewall user name and password are not the same as any user name or password you might use to log in to your Internet connection.

Note: Leave the domain as it is (geardomain).

5. Click Login. The web management interface displays, showing the Router Status screen. The following figure shows the top part of the Router Status screen. For more information, see View the System Status on page 356.

Note: After 5 minutes of inactivity (the default login time-out), you are automatically logged out.


Figure 5.

Web Management Interface Menu Layout

The following figure shows the menu at the top of the web management interface:

Figure 6. Menu layout callouts: 1st level: Main navigation menu link (orange); 2nd level: Configuration menu link (gray); 3rd level: Submenu tab (blue); IP radio buttons; Option arrows: Additional screen for submenu item.

The web management interface menu consists of the following components:

1st level: Main navigation menu links. The main navigation menu in the orange bar across the top of the web management interface provides access to all the configuration functions of the wireless VPN firewall, and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.


2nd level: Configuration menu links. The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.

3rd level: Submenu tabs. Each configuration menu item has one or more submenu tabs that are listed below the gray menu bar. When you select a submenu tab, the text is displayed in white against a blue background.

Option arrows. If there are additional screens for the submenu item, links to the screens display on the right side in blue letters against a white background, preceded by a white arrow in a blue circle.

IP radio buttons. The IPv4 and IPv6 radio buttons let you select the IP version for the feature to be configured onscreen. There are four options:

- Both buttons are operational. You can configure the feature onscreen for IPv4 functionality or for IPv6 functionality. After you have correctly configured the feature for both IP versions, the feature can function with both IP versions simultaneously.

- The IPv4 button is operational but the IPv6 button is disabled. You can configure the feature onscreen for IPv4 functionality only.

- The IPv6 button is operational but the IPv4 button is disabled. You can configure the feature onscreen for IPv6 functionality only.

- Both buttons are disabled. IP functionality does not apply.

The bottom of each screen provides action buttons. The nature of the screen determines which action buttons are shown. The following figure shows an example:

Figure 7.

Any of the following action buttons might display onscreen (this list might not be complete):

Apply. Save and apply the configuration.

Reset. Reset the configuration to the previously saved configuration.

Test. Test the configuration.

Auto Detect. Enable the wireless VPN firewall to detect the configuration automatically and suggest values for the configuration.

Cancel. Cancel the operation.

When a screen includes a table, table buttons display to let you configure the table entries. The nature of the screen determines which table buttons are shown. The following figure shows an example:

Figure 8.


Any of the following table buttons might display onscreen:

Select All. Select all entries in the table.

Delete. Delete the selected entry or entries from the table.

Enable. Enable the selected entry or entries in the table.

Disable. Disable the selected entry or entries in the table.

Add. Add an entry to the table.

Edit. Edit the selected entry.

Up. Move the selected entry up in the table.

Down. Move the selected entry down in the table.

Apply. Apply the selected entry.

Almost all screens and sections of screens have an accompanying help screen. To open the help screen, click the (question mark) icon.

Requirements for Entering IP Addresses

To connect to the wireless VPN firewall, your computer needs to be configured to obtain an IP address automatically from the wireless VPN firewall, either an IPv4 address through DHCP or an IPv6 address through DHCPv6, or both.

IPv4

The fourth octet of an IP address needs to be between 0 and 255 (both inclusive). This requirement applies to any IP address that you enter on a screen of the web management interface.

IPv6

IPv6 addresses are denoted by eight groups of hexadecimal quartets that are separated by colons. Any four-digit group of zeroes within an IPv6 address can be reduced to a single zero or altogether omitted.

The following errors invalidate an IPv6 address:

More than eight groups of hexadecimal quartets

More than four hexadecimal characters in a quartet

More than two colons in a row
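
The address rules above, as an added example (not NETGEAR code): a Python check that applies the IPv4 octet range and the three listed IPv6 errors, then compares the result with the standard library's strict parser. The function names and sample addresses are constructed for illustration; the comparison shows that the three listed errors do not cover every malformed address, so input validation should not stop at them.

```python
import ipaddress
import re


def manual_ipv6_errors(text):
    """Return which of the three errors listed above apply to text."""
    errors = []
    # Groups are the non-empty fields between colons ("::" yields empty fields).
    groups = [g for g in text.split(":") if g]
    if len(groups) > 8:
        errors.append("more than eight groups")
    if any(len(g) > 4 for g in groups):
        errors.append("more than four characters in a quartet")
    if ":::" in text:
        errors.append("more than two colons in a row")
    return errors


def is_valid_ipv6(text):
    """Strict check using the standard library parser."""
    try:
        ipaddress.IPv6Address(text)
        return True
    except ValueError:
        return False


def is_valid_ipv4(text):
    """Four decimal octets, each between 0 and 255 inclusive."""
    octets = text.split(".")
    if len(octets) != 4:
        return False
    for octet in octets:
        # Leading zeros are rejected because some parsers read them as octal.
        if not re.fullmatch(r"0|[1-9][0-9]{0,2}", octet):
            return False
        if int(octet) > 255:
            return False
    return True


def missed_by_manual_rules(candidates):
    """Inputs that trip none of the three listed errors yet are not valid IPv6."""
    return [c for c in candidates
            if not manual_ipv6_errors(c) and not is_valid_ipv6(c)]


# Constructed sample inputs (documentation prefix 2001:db8::/32).
SAMPLES = [
    "2001:db8:0:0:0:0:0:1",    # full form, valid
    "2001:db8::1",             # zero groups omitted, valid
    "2001:db8:1:2:3:4:5:6:7",  # nine groups
    "2001:db8::12345",         # five characters in one group
    "2001:db8:::1",            # three colons in a row
    "2001:db8::1::2",          # "::" used twice
    "2001:db8:1",              # too few groups and no "::"
    "2001:db8::g1",            # non-hexadecimal character
]

if __name__ == "__main__":
    for sample in SAMPLES:
        listed = manual_ipv6_errors(sample) or "none"
        print(f"{sample:24} listed errors: {listed}; strict: {is_valid_ipv6(sample)}")
    print("not caught by the three listed errors:", missed_by_manual_rules(SAMPLES))
```
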


2. IPv4 and IPv6 Internet and Broadband Settings

This chapter explains how to configure the Internet and WAN settings. The chapter contains the following sections:

Internet and WAN Configuration Tasks

Configure the IPv4 Internet Connection and WAN Settings

Configure the IPv6 Internet Connection and WAN Settings

Configure Advanced WAN Options and Other Tasks

What to Do Next

Internet and WAN Configuration Tasks

The tasks that are required to complete the Internet connection of your wireless VPN firewall depend on whether you use an IPv4 connection or an IPv6 connection to your Internet service provider (ISP).

Note: The wireless VPN firewall supports simultaneous IPv4 and IPv6 connections.

Tasks to Set Up an IPv4 Internet Connection to Your ISP

Complete these four tasks:

1. Configure the IPv4 WAN mode. Select either NAT or classical routing: see Configure the IPv4 WAN Mode on page 27.

2. Configure the IPv4 Internet connection to your ISP. Connect to your ISP: See one of the following sections:

Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection on page 28

Manually Configure an IPv4 Internet Connection on page 31

You can also program the WAN traffic meter if you wish: see Enable the WAN Traffic Meter on page 346.


3. (Optional) Configure Dynamic DNS on the WAN port. If required, configure your fully qualified domain names: See Configure Dynamic DNS on page 35.

4. (Optional) Configure the WAN options. If required, change the factory default MTU size, port speed, and MAC address of the wireless VPN firewall: See Configure Advanced WAN Options and Other Tasks on page 50. These are advanced features, and you usually do not need to change the settings.

Tasks to Set Up an IPv6 Internet Connection to Your ISP

Complete these four tasks:

1. Configure the IPv6 WAN mode. Select the IPv4 / IPv6 mode to support both IPv4 and IPv6 traffic: See Configure the IPv6 Routing Mode on page 38.

2. Configure the IPv6 Internet connection to your ISP. Connect to your ISP: See one of the following sections:

Use a DHCPv6 Server to Configure an IPv6 Internet Connection on page 39

Configure a Static IPv6 Internet Connection on page 41

Configure a PPPoE IPv6 Internet Connection on page 43

3. Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISATAP tunnels: See Configure 6to4 Automatic Tunneling on page 46 and Configure ISATAP Automatic Tunneling on page 47.

4. (Optional) Configure Stateless IP/ICMP Translation (SIIT). Enable IPv6 devices that do not have permanently assigned IPv4 addresses to communicate with IPv4-only devices: See Configure Stateless IP/ICMP Translation on page 49.

5. (Optional) Configure the WAN options. If required, change the factory default MTU size, port speed, and MAC address of the wireless VPN firewall: See Configure Advanced WAN Options and Other Tasks on page 50. These are advanced features, and you usually do not need to change the settings.

Configure the IPv4 Internet Connection and WAN Settings

Configure the IPv4 WAN Mode

Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection

Manually Configure an IPv4 Internet Connection

Configure Dynamic DNS

To set up your wireless VPN firewall for secure IPv4 Internet connections, you need to determine the IPv4 WAN mode (see the next section) and then configure the IPv4 Internet connection to your ISP on the WAN port. The web management interface offers two connection configuration options, discussed in the following sections:

Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection on page 28

Manually Configure an IPv4 Internet Connection on page 31


Configure the IPv4 WAN Mode

By default, IPv4 is supported and functions in NAT mode but can also function in classical routing mode. IPv4 functions the same way in IPv4-only mode that it does in IPv4 / IPv6 mode. The latter mode adds IPv6 functionality (see Configure the IPv6 Routing Mode on page 38).

Network Address Translation

Network Address Translation (NAT) allows all computers on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the wireless VPN firewall) and a single IP address. Computers on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.

Note the following about NAT:

The wireless VPN firewall uses NAT to select the correct computer (on your LAN) to receive any incoming data.

If you have only a single public Internet IP address, you need to use NAT (the default setting).

If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your computers, and you can map incoming traffic on the other public IP addresses to specific computers on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.
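
The NAT behaviour described above, together with the port forwarding and DMZ features from the Security Features section, as an added example (a simplified model written for this page, not NETGEAR firmware). The class, its field names, the session matching on remote address and port, and all addresses are assumptions made for illustration; the report function shows which unsolicited inbound packets each configured rule lets through to the LAN.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatGateway:
    """Simplified model of a NAT firewall with inbound rules (hypothetical names)."""
    public_ip: str
    port_forwards: dict = field(default_factory=dict)  # public port -> (LAN IP, LAN port)
    one_to_one: dict = field(default_factory=dict)      # extra public IP -> LAN IP
    dmz_host: Optional[str] = None                      # computer behind the DMZ port
    sessions: dict = field(default_factory=dict)        # temporary paths opened by LAN requests
    next_port: int = 40000                              # constructed starting port

    def outbound(self, lan_ip, lan_port, remote_ip, remote_port):
        """A LAN request opens a temporary path and leaves with the shared public address."""
        public_port = self.next_port
        self.next_port += 1
        self.sessions[(public_port, remote_ip, remote_port)] = (lan_ip, lan_port)
        return (self.public_ip, public_port)

    def inbound(self, dst_ip, dst_port, remote_ip, remote_port):
        """Return (LAN IP, LAN port, reason) for a packet from the Internet, or None if discarded."""
        if dst_ip in self.one_to_one:
            # Additional public address mapped to one LAN computer by an inbound rule.
            return (self.one_to_one[dst_ip], dst_port, "one-to-one inbound rule")
        if dst_ip != self.public_ip:
            return None
        reply = self.sessions.get((dst_port, remote_ip, remote_port))
        if reply:
            return (reply[0], reply[1], "reply to LAN request")
        if dst_port in self.port_forwards:
            lan_ip, lan_port = self.port_forwards[dst_port]
            return (lan_ip, lan_port, "port forwarding rule")
        if self.dmz_host:
            # Traffic that would otherwise be discarded goes to the DMZ computer.
            return (self.dmz_host, dst_port, "DMZ host")
        return None


def exposure_report(gw, probes, remote=("198.51.100.99", 50000)):
    """Map each unsolicited (dst_ip, dst_port) probe to where it lands, or None if discarded."""
    return {probe: gw.inbound(probe[0], probe[1], *remote) for probe in probes}


if __name__ == "__main__":
    # Constructed addresses: documentation ranges for the Internet side, 192.168.1.x for the LAN.
    gw = NatGateway(public_ip="203.0.113.10")
    probes = [("203.0.113.10", 80), ("203.0.113.11", 25), ("203.0.113.10", 8443)]
    print("NAT only:        ", exposure_report(gw, probes))
    gw.port_forwards[80] = ("192.168.1.30", 8080)
    gw.one_to_one["203.0.113.11"] = "192.168.1.40"
    print("with inbound rules:", exposure_report(gw, probes))
    gw.dmz_host = "192.168.1.50"
    print("with DMZ host:     ", exposure_report(gw, probes))
```
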

Classical Routing

In classical routing mode, the wireless VPN firewall performs routing, but without NAT. To gain Internet access, each computer on your LAN needs to have a valid static Internet IP address.

If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to each computer, you can choose classical routing. Or you can use classical routing for routing private IP addresses within a campus environment.

To view the status of the WAN ports, you can view the Router Status screen (see View the System Status on page 356).

Configure the IPv4 Routing Mode

To configure the IPv4 routing mode:

1. Select Network Configuration > WAN Settings. The WAN Mode screen displays:


Figure 9.

2. Select the NAT radio button or the Classical Routing radio button.

WARNING:

Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.

3. Click Apply to save your settings.

Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection

To automatically configure the WAN port for an IPv4 connection to the Internet:

1. Select Network Configuration > WAN Settings > Broadband ISP Settings. In the upper right of the screen, the IPv4 radio button is selected by default. The ISP Broadband Settings screen displays the IPv4 settings:


Figure 10.

2. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.

The autodetect process returns one of the following results:

If the autodetect process is successful, a status bar at the top of the screen displays the results (for example, DHCP service detected).

If the autodetect process senses a connection method that requires input from you, it prompts you for the information. The following table explains the settings that you might have to enter:


Table 2. IPv4 Internet connection methods

| Connection Method | Manual Data Input Required |
|---|---|
| DHCP (Dynamic IP) | No manual data input is required. |
| PPPoE | The following fields are required: Login, Password, Account Name, Domain Name |
| PPTP | The following fields are required: Login, Password, Account Name, Domain Name, My IP Address, Server IP Address |
| Fixed (Static) IP | The following fields are required: IP Address, IP Subnet Mask, Gateway IP Address, Primary DNS Server, Secondary DNS Server |

If the autodetect process does not find a connection, you are prompted either to check the physical connection between your wireless VPN firewall and the cable, DSL line, or satellite or wireless Internet dish, or to check your wireless VPN firewall’s MAC address. For more information, see Configure Advanced WAN Options and Other Tasks on page 50 and Troubleshoot the ISP Connection on page 382.

3. To verify the connection, click the Broadband Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration.)

Figure 11.
