Netgear FVS336G User Manual

ProSAFE Dual WAN Gigabit SSL Firewall

VPN

Model FVS336Gv2

Reference Manual

December 2014 202-10619-03

350 East Plumeria Drive San Jose, CA 95134 USA

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Support

Thank you for selecting NETGEAR products.

After installing your device, locate the serial number on the label of your product and use it to register your product at

https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR

recommends registering your product through the NETGEAR website. For product updates and web support, visit

http://support.netgear.com.

Phone (US & Canada only): 1-888-NETGEAR.

Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/general/contact/default.aspx.

Contact your Internet service provider for technical support.

Compliance

For regulatory compliance information, visit http://www.netgear.com/about/regulatory.

See the regulatory compliance document before connecting the power supply.

Trademarks

NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. © NETGEAR, Inc. All rights reserved.

Chapter 1 Get an Overview of the Features and Hardware and Log In

What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall?. . . . . . . . . . . . . . . . . 13

Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13

Two WAN Ports for Increased Reliability and Load Balancing . . . . . . . . . . . . 14

Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . . . . . . . . 15

A Powerful, True Firewall with Content Filtering . . . . . . . . . . . . . . . . . . . . . . . 15

Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Autosensing Ethernet Connections with Auto Uplink . . . . . . . . . . . . . . . . . . . 16

Extensive Protocol Support. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16

Easy Installation and Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17

Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Hardware Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18

Back Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20

Bottom Panel with Product Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Choose a Location for the VPN Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21

Rack-Mount the VPN Firewall with the Mounting Kit . . . . . . . . . . . . . . . . . . . . . 22

Browser Requirements. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22

Web Management Interface Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23

Requirements for Entering IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24

Change the Password for the Default Administrator Account . . . . . . . . . . . . . . 26

Chapter 2 Configure the IPv4 Internet and WAN Settings

Roadmap to Setting Up IPv4 Internet Connections to Your ISPs . . . . . . . . . . . . 29

Configure the IPv4 Internet Connection and WAN Settings. . . . . . . . . . . . . . . . 30

Manage the IPv4 WAN Routing Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Let the VPN Firewall Automatically Detect and Configure an

IPv4 Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32

Manually Configure a Static IPv4 Internet Connection. . . . . . . . . . . . . . . . . . 36

Manually Configure a PPPoE IPv4 Internet Connection . . . . . . . . . . . . . . . . . 39

Manually Configure a PPTP IPv4 Internet Connection . . . . . . . . . . . . . . . . . . 44

Configure Load Balancing or Auto-Rollover for IPv4 Interfaces . . . . . . . . . . . . 48

Load Balancing and Auto-Rollover for IPv4 WAN Interfaces . . . . . . . . . . . . . 48

Configure Load Balancing Mode and Optional Protocol Binding

for IPv4 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 49

Configure the Auto-Rollover Mode and Failure Detection

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Method for IPv4 Interfaces. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56

Manage Secondary IPv4 WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59

Secondary IPv4 WAN Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Add a Secondary WAN Address to a WAN IPv4 Interface. . . . . . . . . . . . . . . . 60

Remove One or More Secondary WAN Addresses. . . . . . . . . . . . . . . . . . . . . . 62

Manage Dynamic DNS Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Dynamic DNS. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63

Managing Advanced WAN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66

Change the Maximum Transmission Unit Size . . . . . . . . . . . . . . . . . . . . . . . . . 66

Change the Port Speed and Duplex Settings . . . . . . . . . . . . . . . . . . . . . . . . . . 68

Change the Advertised MAC Address of the VPN Firewall. . . . . . . . . . . . . . . 70

Set the WAN Connection Type and Corresponding Speeds . . . . . . . . . . . . . . 72

Manage WAN QoS and WAN QoS Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

WAN QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74

Add a Rate Control WAN QoS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Add a Priority Queue WAN QoS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 78

Enable WAN QoS and Select the WAN QoS Type . . . . . . . . . . . . . . . . . . . . . . . 80

Change a QoS Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 82

Enable, Disable, or Remove One or More WAN QoS Profiles . . . . . . . . . . . . . 83

Additional WAN-Related Configuration Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

What to Do Next . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 84

Chapter 3 Configure the IPv6 Internet and WAN Settings

Roadmap to Setting Up an IPv6 Internet Connection to Your ISP . . . . . . . . . . . 86

Configure the IPv6 Internet Connection and WAN Settings. . . . . . . . . . . . . . . . 87

IPv6 Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87

Manage the IPv6 Routing Mode. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Use a DHCPv6 Server to Configure an IPv6 Internet

Connection Automatically . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90

Manually Configure a Static IPv6 Internet Connection. . . . . . . . . . . . . . . . . . 93

Manually Configure a PPPoE IPv6 Internet Connection . . . . . . . . . . . . . . . . . 96

Manage Tunneling for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Manage 6to4 Automatic Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100

Manage ISATAP Automatic Tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102

View the Tunnel Status and Tunnel IPv6 Addresses. . . . . . . . . . . . . . . . . . . . 106

Configure Stateless IP/ICMP Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Stateless IP/ICMP Translation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configure Stateless IP/ICMP Translation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107

Configure Auto-Rollover for IPv6 Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . 108

Auto-Rollover for IPv6 WAN Interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109

Configure Auto-Rollover Mode for IPv6 WAN Interfaces . . . . . . . . . . . . . . 109

Configure the Failure Detection Method for IPv6 WAN Interfaces. . . . . . . 111

Additional WAN-Related Configuration Tasks. . . . . . . . . . . . . . . . . . . . . . . . . . . 113

What to Do Next . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 113

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Chapter 4 Configure the IPv4 LAN Settings

Manage IPv4 Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . 115

IPv4 LANs and VLANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 115

Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

Assign VLAN Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 116

VLAN DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 118

Manage VLAN Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 119

Configure Unique VLAN MAC Addresses. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Disable the Broadcast of ARP Packets for the Default VLAN. . . . . . . . . . . . 127

Manage IPv4 Multihome LAN IP Addresses on the Default VLAN. . . . . . . . . . 128

IPv4 Multihome LAN IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128

Add a Secondary LAN IPv4 Address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129

Change a Secondary LAN IPv4 Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130

Remove One or More Secondary LAN IPv4 Addresses. . . . . . . . . . . . . . . . . 131

Manage IPv4 LAN Groups and Hosts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 132

DHCP Address Reservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .133

Manage the Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133

Change Group Names in the Network Database . . . . . . . . . . . . . . . . . . . . . . 139

Manage the DMZ Port for IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .140

IPv4 DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140

Enable and Configure the DMZ Port for IPv4 Traffic . . . . . . . . . . . . . . . . . .141

Manage Static IPv4 Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .144

Static IPv4 Routes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144

Add a Static IPv4 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 145

Change a Static IPv4 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .147

Remove One or More Static IPv4 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147

Configure the Routing Information Protocol . . . . . . . . . . . . . . . . . . . . . . . . . 148

IPv4 Static Route Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151

Chapter 5 Configure the IPv6 LAN Settings

Manage the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

IPv6 LANs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153

DHCPv6 LAN Server Concepts and Configuration Roadmap. . . . . . . . . . . . 153

Configure a Stateless DHCPv6 Server Without Prefix

Delegation for the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155

Manage a Stateless DHCPv6 Server with Prefix Delegation for the LAN . 158

Manage a Stateful DHCPv6 Server and IPv6 Address Pools for the LAN .165

Manage the IPv6 Router Advertisement Daemon for the LAN . . . . . . . . . .171

Manage IPv6 Multihome LAN IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

IPv6 Multihome LAN IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180

Add a Secondary LAN IPv6 Address. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 181

Change a Secondary LAN IPv6 Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182

Remove One or More Secondary LAN IPv6 Addresses. . . . . . . . . . . . . . . . . 183

Manage the DMZ Port for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .184

IPv6 DMZ . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184

Manage a Stateless DHCPv6 Server with Prefix Delegation for the DMZ. 185

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Manage a Stateful DHCPv6 Server and IPv6 Address Pools for the DMZ. 197

Manage Static IPv6 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Add a Static IPv6 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 204

Change a Static IPv6 Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 206

Remove One or More Static IPv6 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . 207

Chapter 6 Customize Firewall Protection

Firewall Protection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 209

Overview of Rules to Block or Allow Specific Kinds of Traffic . . . . . . . . . . . . . 210

Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210

Outbound Rules — Service Blocking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Settings for Outbound Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212

Inbound Rules — Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 215

Settings for Inbound Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217

Change the Default Outbound Policy for LAN WAN Traffic . . . . . . . . . . . . . . . 220

Change the Default LAN WAN Outbound Policy for IPv4 Traffic . . . . . . . . 220

Change the Default LAN WAN Outbound Policy for IPv6 Traffic . . . . . . . . 222

Add LAN WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Add LAN WAN Outbound Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223

Add LAN WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228

Add DMZ WAN Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Add DMZ WAN Outbound Service Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 233

Add DMZ WAN Inbound Service Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237

Add LAN DMZ Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Add LAN DMZ Outbound Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 242

Add LAN DMZ Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 246

Manage Existing Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 250

Examples of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252

Examples of Inbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 253

Examples of Outbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 261

Configure Other Firewall Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 265

Manage Protection Against Common Network Attacks . . . . . . . . . . . . . . . . 266

Manage VPN Pass-Through. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269

Set Limits for IPv4 Sessions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 272

Manage Time-Out Periods for TCP, UDP, and ICMP Sessions . . . . . . . . . . . 274

Manage Multicast Pass-Through . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 276

Manage the Application Level Gateway for SIP Sessions . . . . . . . . . . . . . . . 278

Manage Firewall Objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 279

Firewall Objects. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Manage Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 280

Manage Service Groups. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 284

Manage IP Address Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 288

Define a Schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 292

Manage Quality of Service Profiles for IPv4 Firewall Rules . . . . . . . . . . . . . 293

Default Quality of Service Priorities for IPv6 Firewall Rules . . . . . . . . . . . . 298

Manage Bandwidth Profiles for IPv4 Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . 299

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Chapter 7 Protect Your Network

Manage Content Filtering. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

Content Filtering Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 306

Enable Content Filtering and Select Web Components. . . . . . . . . . . . . . . . . 307

Manage Keywords and Domain Names That Must Be Blocked . . . . . . . . . . 309

Manage Domain Names That You Trust . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 310

Manage Keyword Blocking for LAN Groups . . . . . . . . . . . . . . . . . . . . . . . . . . 311

Enable Source MAC Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 312

Manage IP/MAC Bindings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

IP/MAC Binding Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314

Manage IP/MAC Bindings for IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .315

Manage IP/MAC Bindings for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . .320

Manage Port Triggering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Port Triggering Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 325

Add a Port Triggering Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 326

Change a Port Triggering Rule. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 327

Remove One or More Port Triggering Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 328

Display the Status of Active Port Triggering Rules . . . . . . . . . . . . . . . . . . . . 329

Enable Universal Plug and Play . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 330

Chapter 8 Set Up Virtual Private Networking

With IPSec Connections

Dual WAN Port Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333

Use the IPSec VPN Wizard for Client and Gateway Configurations. . . . . . . . . 334

IPSec VPN Wizard Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 334

View the IPSec VPN Wizard Default Values . . . . . . . . . . . . . . . . . . . . . . . . . .335

Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard. . . . . . 336

Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard. . . . . . 340

Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard . . . . . . . . 344

Test the Connection and View Connection and Status Information . . . . . . . . 360

Test the NETGEAR ProSAFE VPN Client VPN Tunnel Connection . . . . . . . . . 361

NETGEAR ProSAFE VPN Client Status and Log Information . . . . . . . . . . . . .362

View the VPN Firewall IPSec VPN Connection Status and

Terminate or Establish Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 363

View the VPN Firewall IPSec VPN Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .364

Manage IPSec VPN Policies Manually. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365

Manage IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 366

Manage VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 378

Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . . . . . . . 388

Extended Authentication Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 389

Enable and Configure Extended Authentication for VPN Clients. . . . . . . . . 389

RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 392

Configure the RADIUS Servers for the VPN Firewall’s RADIUS Client . . . . 392

Assign IPv4 Addresses to Remote Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Mode Config Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 394

Configure Mode Config Operation on the VPN Firewall . . . . . . . . . . . . . . . .395

Configure the NETGEAR ProSAFE VPN Client for Mode Config Operation 402

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 408

Change a Mode Config Record . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 410

Remove One or More Mode Config Records . . . . . . . . . . . . . . . . . . . . . . . . . 411

Manage Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . 411

Keep-Alive and Dead Peer Detection Overview . . . . . . . . . . . . . . . . . . . . . . 412

Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 412

Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 414

Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . 416

Manage the PPTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

PPTP Servers Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 417

Enable and Configure the PPTP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 418

View the Active PPTP Users and Disconnect Active Users . . . . . . . . . . . . . 420

Manage the L2TP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

L2TP Servers Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

Enable and Configure the L2TP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 421

View the Active L2TP Users and Disconnect Active Users. . . . . . . . . . . . . . 423

Chapter 9 Set Up Virtual Private Networking

with SSL Connections

SSL VPN Portals Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426

SSL VPN Capabilities. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426

SSL Tunnels . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426

SSL Port Forwarding. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 426

Build and Access an SSL Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 427

Build an SSL Portal Using the SSL VPN Wizard . . . . . . . . . . . . . . . . . . . . . . . . . . 427

SSL VPN Wizard Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 428

Build an SSL Portal with the SSL VPN Wizard . . . . . . . . . . . . . . . . . . . . . . . . . 429

Access a Custom SSL VPN Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 440

View SSL VPN Connection and Status Information . . . . . . . . . . . . . . . . . . . . . . 444

View the VPN Firewall SSL VPN Connection Status and

Disconnect Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 444

View the VPN Firewall SSL VPN Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 445

Manually Set Up or Change an SSL Portal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

Manual SSL Configuration Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 446

Manage the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 448

Configure Applications for SSL VPN Port Forwarding. . . . . . . . . . . . . . . . . . 453

Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 459

Manage Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . . 467

Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . 473

Chapter 10 Manage Users, Authentication, and VPN Certificates

VPN Firewall’s Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 487

Configure Authentication Domains, Groups, and User Accounts. . . . . . . . . . . 488

Manage Authentication Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 488

Manage Authentication Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 494

Manage User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 498

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Manage User Login Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 504

Change Passwords and Automatic Logout Period . . . . . . . . . . . . . . . . . . . . . 511

Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . . . . . . . 512

VPN Certificates Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 513

Manage VPN CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .514

Manage VPN Self-Signed Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 516

Manage the VPN Certificate Revocation List . . . . . . . . . . . . . . . . . . . . . . . . . 522

Chapter 11 Optimize Performance and Manage Your System

Performance Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

Bandwidth Capacity Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 527

Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 528

Features That Increase Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 530

Use QoS and Bandwidth Assignment to Shift the Traffic Mix . . . . . . . . . . . 533

Monitoring Tools for Traffic Management . . . . . . . . . . . . . . . . . . . . . . . . . . .533

System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 534

Set Up Remote Management Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .534

Use the Command-Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 537

Use a Simple Network Management Protocol Manager . . . . . . . . . . . . . . . .538

Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 546

Revert to Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 551

Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 554

Chapter 12 Monitor System Access and Performance

Configure and Enable the WAN IPv4 Traffic Meter . . . . . . . . . . . . . . . . . . . . . . 558

Manage the LAN IPv4 Traffic Meter. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 560

Configure and Enable the Traffic Meter for a LAN IPv4 Address Account. 561

View Traffic Meter Statistics for a LAN Account . . . . . . . . . . . . . . . . . . . . . . 564

Change the Traffic Meter for a LAN Account. . . . . . . . . . . . . . . . . . . . . . . . . 565

Remove One or More LAN Traffic Meter Accounts. . . . . . . . . . . . . . . . . . . . 566

Manage Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . . . . . . . . 567

Logging, Alert, and Event Notification . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

Configure and Activate Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 567

Enable and Schedule Emailing of Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .569

Enable the Syslogs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .571

View the Routing Logs, System Logs, and Other Event Logs. . . . . . . . . . . . 573

View the DNS Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 574

View the NTP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 575

Send Syslogs over a VPN Tunnel Between Sites. . . . . . . . . . . . . . . . . . . . . . . 576

View the Status and Statistics of the VPN Firewall and Its Traffic . . . . . . . . . .581

View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 582

View the VPN Connection Status, L2TP Users, and PPTP Users . . . . . . . . . 592

View the VPN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593

View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 593

View the WAN Port Status and Terminate or Establish the

Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 594

Display Internet Traffic by Type of Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . 598

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

View the Attached Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 599

View the DHCP Log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 601

Chapter 13 Diagnostics and Troubleshooting

Use the Diagnostics Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604

Diagnostic Utility. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604

Send a Ping Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 604

Trace a Route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 606

Look Up a DNS Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608

Display the Routing Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 608

Capture Packets in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 609

Reboot the VPN Firewall Remotely. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611

Schedule the VPN Firewall to Reboot. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 611

Troubleshoot Basic Functioning. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 612

Troubleshoot the Web Management Interface . . . . . . . . . . . . . . . . . . . . . . . . . . 613

When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . . . . . . . 614

Troubleshoot the ISP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

Check the WAN IP Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 615

Force Your Modem or Router to Recognize the VPN Firewall . . . . . . . . . . . 616

Other ISP Troubleshooting Suggestions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 616

Troubleshoot the IPv6 Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 617

Troubleshoot a TCP/IP Network Using a Ping Utility . . . . . . . . . . . . . . . . . . . . . 620

Test the LAN Path to Your VPN Firewall. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 620

Test the Path from Your Computer to a Remote Device . . . . . . . . . . . . . . . . 621

Troubleshoot Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . 621

Access Documentation from the Web Management Interface . . . . . . . . . . . . 622

Appendix A Network Planning for Multiple WAN Ports

What to Consider Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625

Planning Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 625

Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . . . . . . . 626

Computer Network Configuration Requirements . . . . . . . . . . . . . . . . . . . . . 626

Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 627

Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 628

Planning for Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 630

Inbound Traffic to a Single WAN Port System . . . . . . . . . . . . . . . . . . . . . . . . 631

Inbound Traffic to a Dual WAN Port System. . . . . . . . . . . . . . . . . . . . . . . . . . 631

Planning for Virtual Private Networks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 632

VPN Telecommuter - Client-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . 634

VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 636

VPN Telecommuter - Client-to-Gateway Through a NAT Router . . . . . . . . 638

Appendix B System Logs and Error Messages

Log Message Terms. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642

System Log Messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 642

NTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 643

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

System Startup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644

Reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644

Firewall Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 644

IPSec Restart . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645

Unicast, Multicast, and Broadcast Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 645

WAN Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .646

Resolved DNS Names . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

VPN Log Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 650

Traffic Meter Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

Routing Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 656

LAN to WAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

LAN to DMZ Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

DMZ to WAN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

WAN to LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 657

DMZ to LAN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658

WAN to DMZ Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658

Other Event Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658

Session Limit Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 658

Source MAC Filter Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

Bandwidth Limit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 659

DHCP Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 660

Appendix C Two-Factor Authentication

Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . . . . . . . 662

What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . . . . . 662

What Is Two-Factor Authentication?. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 662

NETGEAR Two-Factor Authentication Solutions. . . . . . . . . . . . . . . . . . . . . . . . . 663

Appendix D Default Settings and Technical Specifications

Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 667

Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 672

Index

1. Get an Overview of the Features

and Hardware and Log In

This chapter provides an overview of the features and capabilities of the NETGEAR ProSAFE®

Dual WAN Gigabit SSL VPN Firewall for model FVS336Gv2 and explains how to log in to the device and use its web management interface. The chapter contains the following sections:

• What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall?

• Key Features and Capabilities

• Package Contents

• Hardware Features

• Choose a Location for the VPN Firewall

• Rack-Mount the VPN Firewall with the Mounting Kit

• Login Requirements

• Log In to the VPN Firewall as an Administrator

• Change the Password for the Default Administrator Account

Note: For more information about the topics covered in this manual, visit the

support website at support.netgear.com.

Note: Firmware updates with new features and bug fixes are made

available from time to time at products can regularly check the site and download new firmware, or you can check for and download new firmware manually. If the features or behavior of your product does not match what is described in this guide, you might need to update your firmware.

downloadcenter.netgear.com. Some

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall?

The ProSAFE Dual WAN Gigabit SSL VPN Firewall, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through one or two external broadband access devices such as cable or DSL modems or satellite or wireless Internet dishes. Two wide area network (WAN) ports allow you to increase the effective data rate to the Internet by utilizing all WAN ports to carry session traffic or to maintain backup connections in case of failure of your primary Internet connection.

The VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall protects your IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traffic, and traffic with objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunnels.

The VPN firewall is a security solution that protects your network from attacks and intrusions. For example, the VPN firewall provides support for stateful packet inspection (SPI), denial of service (DoS) attack protection, and multi-NAT support. The VPN firewall supports multiple web content filtering options, plus browsing activity reporting and instant alerts—both through email. Network administrators can establish restricted access policies based on time of day, website addresses, and address keywords.

The VPN firewall provides advanced IPSec and SSL VPN technologies for secure and simple remote connections. The use of Gigabit Ethernet LAN and WAN ports ensures high data transfer speeds.

The VPN firewall is a plug-and-play device that you can install and configure in a short time.

Key Features and Capabilities

This section includes the following topics:

• Two WAN Ports for Increased Reliability and Load Balancing

• Advanced VPN Support for Both IPSec and SSL

• A Powerful, True Firewall with Content Filtering

• Security Features

• Autosensing Ethernet Connections with Auto Uplink

• Extensive Protocol Support

• Easy Installation and Management

• Maintenance and Support

The VPN firewall provides the following key features and capabilities:

• Two 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing and failover

protection of your Internet connection, providing increased data rate and increased system reliability

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer

between local network resources and support for up to 200,000 internal or external connections

• Both IPv4 and IPv6 support

• Advanced IPSec VPN and SSL VPN support with support for up to 25 concurrent IPSec

VPN tunnels and up to 10 concurrent SSL VPN tunnels

• Bundled with a single-user license of the NETGEAR ProSAFE VPN Client software

(VPN01L)

• L2TP tunnel and PPTP tunnel support

• Advanced stateful packet inspection (SPI) firewall with multi-NAT support

• Quality of Service (QoS) and SIP 2.0 support for traffic prioritization, voice, and

multimedia

• Extensive protocol support

• One console port for local management

• SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for

the NETGEAR ProSAFE Network Management Software (NMS200) over a LAN connection

• Front panel LEDs for easy monitoring of status and activity

• Flash memory for firmware upgrade

• Internal universal switching power supply

• Rack-mounting kit for 1U rackmounting

Two WAN Ports for Increased Reliability and Load Balancing

The VPN firewall provides two broadband WAN ports. These W AN ports allow you to connect additional broadband Internet lines that can be configured to do the following:

• Load-balance outbound traffic for maximum bandwidth efficiency.

• Provide backup and rollover if one line is inoperable, ensuring that you are never

disconnected.

You can implement the following capabilities with multiple WAN port gateways:

• Single or multiple exposed hosts

• Virtual private networks (VPNs)

For information about planning a network with such capabilities, see Appendix A, Network

Planning for Multiple WAN Ports.

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Advanced VPN Support for Both IPSec and SSL

The VPN firewall supports IPSec and SSL virtual private network (VPN) connections:

• IPSec VPN delivers full network access between a central office and branch offices, or

between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.

- IPSec VPN with broad protocol support for a secure connection to other IPSec

gateways and clients.

- Up to 25 simultaneous IPSec VPN connections.

- Bundled with a 30-day trial license for the ProSAFE VPN Client software (VPN01L).

• SSL VPN provides remote access for mobile users to selected corporate resources

without requiring a preinstalled VPN client on their computers.

- Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for

e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.

- Up to 10 simultaneous SSL VPN connections.

- Allows browser-based, platform-independent remote access through a number of

popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple Safari.

- Provides granular access to corporate resources based on user type or group

membership.

A Powerful, True Firewall with Content Filtering

Unlike simple NA T routers, the VPN firewall is a true firewall, using stateful packet inspection (SPI) to defend against hacker attacks. Its firewall features have the following capabilities:

• DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such

as Ping of Death and SYN flood.

• Secure firewall. Blocks unwanted traffic from the Internet to your LAN.

• Content filtering. Prevents objectionable content from reaching your computers. You

can control access to Internet content by screening for web services, web addresses, and keywords within web addresses.

• Schedule policies. Permits scheduling of firewall policies by day and time.

• Logs security incidents. Logs security events such as logins and secure logins. You

can configure the firewall to email the log to you at specified intervals. You can also configure the VPN firewall to send immediate alert messages to your email address or email pager when a significant event occurs.

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Security Features

The VPN firewall is equipped with several features designed to maintain security:

• Computers hidden by NAT. NAT opens a temporary path to the Internet for requests

originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.

• Port forwarding with NAT. Although NAT prevents Internet locations from directly

accessing the computers on the LAN, the VPN firewall allows you to direct incoming traffic to specific computers based on the service port number of the incoming request.

• DMZ port. Incoming traffic from the Internet is usually discarded by the VPN firewall

unless the traffic is a response to one of your local computers or a service for which you configured an inbound rule. Instead of discarding this traffic, you can use the dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal four-port 10/100/1000 Mbps switch and two 10/100/1000 WAN ports, the VPN firewall can connect to a 10-Mbps standard Ethernet network, a 100-Mbps Fast Ethernet network, a 1000-Mbps Gigabit Ethernet network, or a combination of these networks. All LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.

The VPN firewall incorporates Auto UplinkTM technology. Each Ethernet port automatically senses whether the Ethernet cable plugged into the port should have a normal connection such as to a computer or an uplink connection such as to a switch or hub. That port then configures itself correctly. This feature eliminates the need for you to think about crossover cables, as Auto Uplink accommodates either type of cable to make the right connection.

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). The VPN firewall provides the following protocol support:

• IP address sharing by NAT. The VPN firewall allows many networked computers to

share an Internet account using only a single IP address, which might be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as Network Address Translation (NAT), allows the use of an inexpensive single-user ISP account.

• Automatic configuration of attached computers by DHCP. The VPN firewall

dynamically assigns network configuration information, including IP, gateway, and Domain Name Server (DNS) addresses, to attached computers on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.

• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the VPN

firewall provides its own address as a DNS server to the attached computers. The firewall

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.

• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the

Internet over a DSL connection by simulating a dial-up connection.

• Quality of Service (QoS). The VPN firewall supports QoS, including traffic prioritization

and traffic classification with Type of Service (ToS) and Differentiated Services Code Point (DSCP) marking.

• Layer 2 Tunneling Protocol (L2TP). A tunneling protocol that is used to support virtual

private networks (VPNs).

• Point to Point Tunneling Protocol (PPTP). Another tunneling protocol that is used to

support VPNs.

Easy Installation and Management

You can install, configure, and operate the VPN firewall within minutes after connecting it to the network. The following features simplify installation and management tasks:

• Browser-based management. Browser-based configuration allows you to easily

configure the VPN firewall from almost any type of operating system, such as Windows, Macintosh, or Linux. Online help documentation is built into the browser-based web management interface.

• Auto-detection of ISP. The VPN firewall automatically senses the type of Internet

connection, asking you only for the information required for your type of ISP account.

• IPSec VPN Wizard. The VPN firewall includes the NETGEAR IPSec VPN Wizard so that

you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.

• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to

let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.

• Diagnostic functions. The VPN firewall incorporates built-in diagnostic functions such

as ping, traceroute, DNS lookup, and remote reboot.

• Remote management. The VPN firewall allows you to log in to the web management

interface from a remote location on the Internet. For security, you can limit remote management access to a specified remote IP address or range of addresses.

• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor

its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:

• Flash memory for firmware upgrades.

• Technical support seven days a week, 24 hours a day. Information about technical

support is available at

Get an Overview of the Features and Hardware and Log In

support.netgear.com.

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Package Contents

The VPN firewall product package contains the following items:

• Dual WAN Gigabit SSL VPN Firewall

• One AC power cable

• One Category 5 (Cat 5) Ethernet cable

• One rack-mounting kit

• ProSAFE Dual WAN Gigabit SSL VPN Firewall FVS336Gv2 Installation Guide

• Resource CD, including the following:

- Application notes and other helpful information

- ProSAFE VPN Client software (VPN01L)

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer.

Hardware Features

The front panel ports and LEDs, back panel ports, and bottom label of the VPN firewall are described in the following sections:

• Front Panel

• Back Panel

• Bottom Panel with Product Label

Front Panel

Viewed from left to right, the VPN firewall front panel contains the following ports:

• LAN Ethernet ports. Four switched N-way automatic speed negotiating, Auto

MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors

• WAN Ethernet ports. Two independent N-way automatic speed negotiating, Auto

MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors

The front panel also contains three groups of status LEDs, including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are described in the following table.

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Power LED

Test LED

Left LAN LEDs

Right LAN LEDs

DMZ LED

Left WAN LEDs

Right WAN LEDs

Internet LEDs

Figure 1. Front panel

Table 1. LED descriptions

LED Activity Description

Power Green Power is supplied to the VPN firewall.

Off Power is not supplied to the VPN firewall.

Test Amber during startup Test mode. The VPN firewall is initializing. After approximately two

minutes, when the VPN firewall has completed its initialization, the Test LED turns off.

Amber during any other time

Blinking amber The VPN firewall is writing to flash memory during a firmware upgrade or

Off The VPN firewall has booted successfully.

LAN Ports

Left LED Green The LAN port detects a link with a connected Ethernet device.

Blinking green The LAN port receives or transmits data. Off The LAN port has no link.

Right LED Green The LAN port operates at 1000 Mbps.

Amber The LAN port operates at 100 Mbps. Off The LAN port operates at 10 Mbps.

DMZ LED Green LAN port 4 operates as a dedicated hardware DMZ port.

Off LAN port 4 operates as a normal LAN port.

The initialization failed or a hardware failure occurred.

when you reset the VPN firewall to defaults.

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Table 1. LED descriptions (continued)

LED Activity Description WAN Ports

Left LED Green The WAN port has a valid connection with a device that provides an

Internet connection. Blinking green The WAN port receives or transmits data. Off The WAN port has no physical link, that is, no Ethernet cable is plugged

into the VPN firewall.

Right LED Green The WAN port operates at 1000 Mbps.

Amber The WAN port operates at 100 Mbps. Off The WAN port operates at 10 Mbps.

Internet LED Green The WAN port has a valid Internet connection.

Amber The Internet link is down because the WAN port is in standby mode for

failover. Also, before the connection is up, there is an amber color for a

short period of time. Off The WAN port is either not enabled or has no link to the Internet.

Back Panel

The back panel of the VPN firewall includes a console port, a cable security lock receptacle, a recessed Factory Defaults reset button, and an AC power connection.

Factory Defaults reset button

Console port

Cable security lock receptcle

Figure 2. Back panel

Viewed from left to right, the back panel contains the following components:

• Console port. Port for connecting to an optional console terminal. The port has a DB9

male connector. The default baud rate is 115200 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd. For information about accessing the command-line interface (CLI) using the console port, see

Use the Command-Line Interface on page 537.

• Cable security lock receptacle.

AC power receptacle

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

• Factory Defaults reset button. To reset the VPN firewall to factory default settings, use

a sharp object to press and hold this button for about eight

seconds until the front panel Test LED blinks. All configuration settings are lost and the default password is restored.

• AC power receptacle. (12V, 1.5A).

Bottom Panel with Product Label

The product label on the bottom of the VPN firewall’s enclosure displays factory default settings, regulatory compliance, and other information.

Dual WAN Gigabit SSL VPN Firewall FVS336G v3

This device complies with part 15 of the FCC Rules and Canada ICES-003. Operation is subject to the following two conditions: (1) this device may not cause harmful interference, and (2) this device must accept any interference received, including interference that may cause undesired operation.

CAN ICES-3 (A)/NMB-3(A)

DEFAULT ACCESS

https://192.168.1.1

Input Rating: DC 12V 1.5A

MAC

(internet-1)

MAC

(local)

KCC-NGR-FVS336Gv3 (A)

(internet-2)

Made in China

MAC

SERIAL

Figure 3. Product label on the bottom panel

user name: admin password: password

272-11992-03

Choose a Location for the VPN Firewall

The VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack. Alternatively, you can rack-mount the VPN firewall in a wiring closet or equipment room.

Consider the following when deciding where to position the VPN firewall:

• The unit is accessible, and cables can be connected easily.

• Cabling is away from sources of electrical noise. These include lift shafts, microwave

ovens, and air-conditioning units.

• Water or moisture cannot enter the case of the unit.

• Airflow around the unit and through the vents in the side of the case is not restricted.

Provide a minimum of 25 mm or 1-inch clearance.

• The air is as free of dust as possible.

• Temperature operating limits are not likely to be exceeded. Install the unit in a clean,

air-conditioned environment. For information about the recommended operating temperatures for the VPN firewall, see

Specifications.

Appendix D, Default Settings and Technical

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Rack-Mount the VPN Firewall with the Mounting Kit

Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the mounting brackets using the hardware that is supplied with the mounting kit.

Figure 4. Rack-mounting

Before mounting the VPN firewall in a rack, verify the following:

• You have the correct screws (supplied with the installation kit).

• The rack onto which you plan to mount the VPN firewall is suitably located.

Login Requirements

Before you can log in to VPN firewall, install the VPN firewall in your network by connecting the cables and restarting your network according to the instructions in the ProSAFE Dual WAN Gigabit SSL VPN Firewall FVS336Gv2 Installation Guide. You can download a PDF of this guide from

Browser Requirements

To connect to and configure the VPN firewall, you must use the latest version of a web browser such as Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari with JavaScript, cookies, and SSL enabled.

Although these web browsers are qualified for use with the VPN firewall’s web management

interface, SSL VPN users must choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Java is required only for the SSL VPN portal, not for the web management interface.

downloadcenter.netgear.com.

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Web Management Interface Overview

The following figure shows the menu at the top the web management interface:

First Level: Main navigation menu link (orange)

Second level: Configuration menu link (gray)

Third level: Submenu tab (blue)

Figure 5. Screen menus, option arrows, and buttons

Option arrows: Additional screen for submenu item

IP radio buttons

The web management interface menu consists of the following levels and components:

• First level: Main navigation menu links. The main navigation menu in the orange bar

across the top of the web management interface provides access to all the configuration functions of the VPN firewall and remains constant. When you select a main navigation menu link, the letters are displayed in white against an orange background.

• Second level: Configuration menu links. The configuration menu links in the gray bar

(immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.

• Third level: Submenu tabs. Each configuration menu item has one or more submenu

tabs that are listed below the gray menu bar. When you select a submenu tab, the text is displayed in white against a blue background.

• Option arrows. On the right side of a screen, a white arrow in a blue circle precedes a

link in blue letters against a white background. This link provides access to additional screens for a submenu item.

• IP radio buttons. The IPv4 and IPv6 radio buttons let you select the IP version for the

feature to be configured onscreen. Four situations can occur:

- Both radio buttons are operational. You can configure the feature

onscreen for IPv4 functionality or for IPv6 functionality. After you have correctly configured the feature for both IP versions, the feature can function with both IP versions simultaneously.

- The IPv4 radio button is operational but the IPv6 radio button is disabled.

You can configure the feature onscreen for IPv4 functionality only.

- The IPv6 radio button is operational but the IPv4 radio button is disabled.

You can configure the feature onscreen for IPv6 functionality only.

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

- Both radio buttons are disabled. IP functionality does not apply.

The bottom of each screen provides action buttons. The nature of a screen determines which action buttons are shown.

Most screens and sections of screens provide an accompanying help screen. To open the help screen, click the

All screens that you can access from the SSL VPN menu of the web management interface

display a user portal link in the upper right, above the menu bars ( When you click the User Portal link, the SSL VPN default portal opens. This user portal is not

the same as a custom SSL portal login screen that you can build with the SSL VPN Wizard (see

Build an SSL Portal Using the SSL VPN Wizard on page 427) or manually (see

Manually Set Up or Change an SSL Portal on page 446).

icon.

Requirements for Entering IP Addresses

To connect to the VPN firewall, your computer must be configured to obtain an IP address automatically from the VPN firewall, either an IPv4 address through DHCP or an IPv6 address through DHCPv6, or both.

IPv4 Requirements

The fourth octet of an IP address must be between 0 and 255 (both inclusive). This requirement applies to any IP address that you enter on a screen of the web management interface.

IPv6 Requirements

IPv6 addresses are denoted by eight groups of hexadecimal quartets that are separated by colons. Any four-digit group of zeros within an IPv6 address can be reduced to a single zero or altogether omitted.

The following errors invalidate an IPv6 address:

• More than eight groups of hexadecimal quartets

• More than four hexadecimal characters in a quartet

• More than two colons in a row

For information about restricted IPv6 address, visit the following Internet Assigned Numbers

Authority (IANA) web page:

http://www.iana.org/assignments/ipv6-address-space/ipv6-address-space.xhtml.

Log In to the VPN Firewall as an Administrator

For you to be able to configure the VPN firewall, you must log in initially as an administrator (admin).

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

 To log in to the VPN firewall:

1. On your computer, launch an Internet browser.

2. In the address field of your browser, enter the IP address that was assigned to the VPN

firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.

The NETGEAR Configuration Manager Login screen displays.

If you connect remotely to the VPN firewall with a browser through an SSL connection for the first time, you might get a message about the SSL certificate.

3. If you get a message about the SSL certificate, follow the directions of your browser to

accept the SSL certificate.

4. In the Username field, type admin.

Use lowercase letters.

5. In the Password / Passcode field, type password.

Use lowercase letters.

Note: In the Domain menu, leave the domain at geardomain.

6. Click the Login button.

The web management interface displays, showing the Router Status screen. The following figure shows the top part of the Router Status screen. For more information, see

View the System Status on page 582.

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Note: After five minutes of inactivity (the default login time-out), you are

automatically logged out.

You are now ready to configure the VPN firewall for your specific network environment. However, NETGEAR recommends that you first change the password for the default administrator account to a secure password.

Change the Password for the Default Administrator Account

The most secure password does not contain dictionary words from any language and is a mixture of letters (both uppercase and lowercase), numbers, and selected special characters. The password can be up to 32 space nor any of the following special characters:

` ~ ! # $ & * ( ) - + | \ ; : ' " < >

 To modify the password for the default administrator account from default settings to

secure settings:

1. On your computer, launch an Internet browser.

2. In the address field of your browser, enter the IP address that was assigned to the VPN

firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.

characters in length. However, the password cannot contain a

The NETGEAR Configuration Manager Login screen displays.

3. In the Username field, type admin.

4. In the Password / Passcode field, type password.

5. Click the Login button.

The Router Status screen displays.

Get an Overview of the Features and Hardware and Log In

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

6. Select Users > Users.

The Users screen displays.

7. In the List of Users table, click the Edit button for the admin default user.

The Edit Users screen displays.

8. Select the Check to Edit Password check box.

9. Configure a new password:

• In the Enter Y our Password field, type admin.

• In the New Password field, type a new and secure password.

• In the Confirm New Password field, repeat the new password.

10. Click the Apply button.

Your settings are saved.

Get an Overview of the Features and Hardware and Log In

2. Configure the IPv4 Internet and

WAN Settings

This chapter explains how to configure the IPv4 Internet and WAN settings. The chapter

contains the following sections:

• Roadmap to Setting Up IPv4 Internet Connections to Your ISPs

• Configure the IPv4 Internet Connection and WAN Settings

• Configure Load Balancing or Auto-Rollover for IPv4 Interfaces

• Manage Secondary IPv4 WAN Addresses

• Manage Dynamic DNS Connections

• Managing Advanced WAN Options

• Manage WAN QoS and WAN QoS Profiles

• Additional WAN-Related Configuration Tasks

• What to Do Next

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

Roadmap to Setting Up IPv4 Internet Connections to Your ISPs

Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall to protect the network from incoming threats and provide secure connections. To complement the firewall protection, NETGEAR recommends that you use a gateway security appliance such as a NETGEAR ProSECURE® STM appliance.

The tasks that are required to complete the Internet connection of your VPN firewall depend on whether you use an IPv4 connection, an IPv6 connection, or both to your Internet service provider (ISP). For information about setting up an IPv6 connection, see

Configure the IPv6 Internet and WAN Settings.

Note: The VPN firewall supports simultaneous IPv4 and IPv6 connections.

Chapter 3,

Setting up IPv4 Internet connections to your ISP or ISPs includes seven tasks, five of which are optional.

 Complete these tasks:

1. Configure the IPv4 routing mode. Select either NAT or classical routing.

This task is described in Manage the IPv4 WAN Routing Mode on page 30.

2. Configure the IPv4 Internet connections to your ISPs. Connect to one or more ISPs by

configuring up to two WAN interfaces. You have four configuration options. These tasks are described in the following sections:

• Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection

on page 32

• Manually Configure a Static IPv4 Internet Connection on page 36

• Manually Configure a PPPoE IPv4 Internet Connection on page 39

• Manually Configure a PPTP IPv4 Internet Connection on page 44

3. (Optional) Configure either load balancing or auto-rollover. By default, the WAN

interfaces are configured for primary (single) WAN mode. You can select load balancing or auto-rollover and a failure detection method. If you configure load balancing, you can also configure protocol binding.

This task is described in Configure Load Balancing or Auto-Rollover for IPv4 Interfaces on page 48.

4. (Optional) Configure secondary WAN addresses on the WAN interfaces. Configure

aliases for each WAN interface. This task is described in Manage Secondary IPv4 WAN Addresses on page 59.

5. (Optional) Configure Dynamic DNS on the WAN interfaces. If necessary, configure your

fully qualified domain names.

Configure the IPv4 Internet and WAN Settings

ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

This task is described in Manage Dynamic DNS Connections on page 63.

6. (Optional) Configure advanced WAN options. If necessary, change the factory default

MTU size, port speed and duplex settings, advertised MAC address of the VPN firewall, and WAN connection type and corresponding upload and download connection speeds. These are advanced features, and you usually do not need to change the settings.

These tasks are described in Managing Advanced WAN Options on page 66.

7. (Optional) Configure the WAN traffic meters.

This task is described in Configure and Enable the WAN IPv4 Traffic Meter on page 558.

Configure the IPv4 Internet Connection and WAN Settings

To set up your VPN firewall for secure IPv4 Internet connections, you must determine the IPv4 WAN mode (see Internet connection to your ISP on the WAN ports.

The following sections provide information about configuring the IPv4 Internet connection and WAN settings:

Manage the IPv4 WAN Routing Mode) and then configure the IPv4

• Manage the IPv4 WAN Routing Mode

• Let the VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection

• Manually Configure a Static IPv4 Internet Connection

• Manually Configure a PPPoE IPv4 Internet Connection

• Manually Configure a PPTP IPv4 Internet Connection

Manage the IPv4 WAN Routing Mode

By default, IPv4 is supported and functions in NAT mode but can also function in classical routing mode. IPv4 functions the same way in IPv4-only mode that it does in IPv4/IPv6 mode. The latter mode adds IPv6 functionality (see

The following sections provide information about managing the IPv4 routing mode:

• Network Address Translation Overview

• Classical Routing

• Change the IPv4 WAN Routing Mode

Network Address Translation Overview

Network Address T ranslation (NAT) allows all computers on your LAN to share a single public Internet IP address. From the Internet, only a single device (the VPN firewall) and a single IP address exist. Computers on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.

Manage the IPv6 Routing Mode on page 88).

Configure the IPv4 Internet and WAN Settings

+ 661 hidden pages