Netgear FVS336G Reference Manual

ProSAFE Dual WAN Gigabit Firewall with SSL & IPsec VPN

Model FVS336Gv2
March 2014 202-11378-01
350 East Plumeria Drive San Jose, CA 95134 USA
Support
Thank you for selecting NETGEAR products.
After installing your device, locate the serial number on the label of your product and use it to register your product at
https://my.netgear.com. You must register your product before you can use NETGEAR telephone support. NETGEAR
recommends registering your product through the NETGEAR website. For product updates and web support, visit
http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR.
Phone (Other Countries): Check the list of phone numbers at http://support.netgear.com/general/contact/default.aspx.
Compliance
For regulatory compliance information, visit http://www.netgear.com/about/regulatory.
See the regulatory compliance document before connecting the power supply.
Trademarks
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change without notice. © NETGEAR, Inc. All rights reserved.
Revision History
Publication Part Number Publish Date Comments
202-11378-01 March 2014 First publication

Contents

Chapter 1 Introduction
  Command Syntax and Conventions
    Command Conventions
    Description of a Command
    Common Parameters
  Four Categories of Commands
  Configuration Commands: Four Main Modes
  Configuration Commands: Save Commands
    Commands That Require Saving
    Commands That Do Not Require Saving
  Global Commands
  Examples of Three Basic Types of Commands
  Command Autocompletion and Command Abbreviation
  Access the CLI
Chapter 2 Overview of the Configuration Commands
  Network Settings Configuration Commands
  Security Settings Configuration Commands
  System Administrative and Monitoring Settings Configuration Commands
  VPN Settings Configuration Commands
Chapter 3 Net Mode Configuration Commands
  General WAN Commands
  IPv4 WAN Commands
  IPv6 WAN Commands
  IPv6 Tunnel Commands
  Dynamic DNS Command
  IPv4 LAN Commands
  IPv6 LAN Commands
  IPv4 DMZ Setup Command
  IPv6 DMZ Setup Commands
  WAN QoS Commands
  IPv4 Routing Commands
  IPv6 Routing Commands
Chapter 4 Security Mode Configuration Commands
  Security Services Commands
  Security Schedules Command
  IPv4 Add Firewall Rule and Edit Firewall Rule Commands
  IPv4 General Firewall Commands
  IPv6 Firewall Commands
  Attack Check and IGMP Passthrough Commands
  Session Limit, Time-Out, and Advanced Commands
  Address Filter and IP/MAC Binding Commands
  Port Triggering Commands
  UPnP Command
  Bandwidth Profile Commands
  Content Filtering Commands
Chapter 5 System Mode Configuration Commands
  Remote Management Commands
  SNMP Commands
  Time Zone Command
  WAN Traffic Meter Command
  Firewall Logs and Email Alerts Commands
  System Reboot Command
Chapter 6 VPN Mode Configuration Commands
  IPSec VPN Wizard Command
  IPSec IKE Policy Commands
  IPSec VPN Policy Commands
  IPSec VPN Mode Config Commands
  SSL VPN Wizard Command
  SSL VPN Portal Layout Commands
  SSL VPN Authentication Domain Commands
  SSL VPN Authentication Group Commands
  SSL VPN User Commands
  SSL VPN Port Forwarding Commands
  SSL VPN Client and Client Route Commands
  SSL VPN Resource Commands
  SSL VPN Policy Commands
  RADIUS Server Command
  PPTP Server Command
  L2TP Server Command
Chapter 7 Overview of the Show Commands
  Network Settings Show Commands
  Security Settings Show Commands
  Administrative and Monitoring Settings Show Commands
  VPN Settings Show Commands
Chapter 8 Show Commands
  Network Settings Show Commands
    WAN IPv4 and WAN IPv6 Show Commands
    IPv6 Mode, IPv6 Tunnel, and SIIT Show Commands
    LAN DHCP Show Commands
    Dynamic DNS Show Command
    IPv4 LAN Show Commands
    IPv6 LAN Show Commands
    DMZ Show Commands
    Routing Show Commands
    Network Statistics Show Command
  Security Settings Show Commands
    Services Show Commands
    Schedules Show Command
    Firewall Rules Show Commands
    Attack Checks and IGMP Show Commands
    Session Limits Show Commands
    Advanced Firewall Show Command
    Address Filter Show Commands
    Port Triggering Show Commands
    UPnP Show Commands
    Bandwidth Profiles Show Command
    Content Filtering Show Commands
  Administrative and Monitoring Settings Show Commands
    Remote Management Show Command
    SNMP Show Commands
    Time Show Command
    Firmware Version Show Command
    Status Show Command
    WAN Traffic Meter Show Command
    Logging Configuration Show Commands
    Logs Show Commands
    Reboot Show Command
  VPN Settings Show Commands
    IPSec VPN Show Commands
    SSL VPN Show Commands
    SSL VPN User Show Commands
    RADIUS Server Show Command
    PPTP Server Show Commands
    L2TP Server Show Commands
Chapter 9 Utility Commands
  Overview Util Commands
  Firmware Backup, Restore, and Upgrade Commands
  Diagnostic Commands
Command List

1. Introduction

This document describes the command-line interface (CLI) for the NETGEAR® ProSAFE® Dual
WAN Gigabit Firewall with SSL & IPsec VPN, model FVS336Gv2.
This chapter introduces the CLI interface. It includes the following sections:
Command Syntax and Conventions
Four Categories of Commands
Configuration Commands: Four Main Modes
Configuration Commands: Save Commands
Global Commands
Examples of Three Basic Types of Commands
Command Autocompletion and Command Abbreviation
Access the CLI
Note: For more information about the topics covered in this manual, visit the
support website at support.netgear.com.
Note: For more information about the features that you can configure using
the CLI, see the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual, which you can download
from downloadcenter.netgear.com.
Note: You cannot generate and upload a certificate through the CLI. You
must access the web management interface to manage these tasks.

Command Syntax and Conventions

A command is one or more words that can be followed by one or more keywords and parameters. Keywords and parameters can be required or optional:
A keyword is a predefined string (word) that narrows the scope of a command. A keyword can be followed by an associated parameter or by associated keywords. In many cases, these associated keywords are mutually exclusive, so you must select one of them. In some cases, this manual refers to a group of words as a keyword.
A parameter is a variable for which you must type a value. You must replace the parameter name with the appropriate value, which might be a name or number. A parameter can be associated with a command or with a keyword.
This manual lists each command by its full command name and provides a brief description of the command. In addition, for each command, the manual provides the following information:
Format. Shows the command keywords and the required and optional parameters.
Mode. Identifies the command mode that you must be in to access the command. (With some minor exceptions, the mode is always described using lowercase letters.)
Related show command or commands. Identifies and links to the show command or commands that can display the configured information.
For more complicated commands, in addition to the format, mode, and related show command or commands, the following information is provided:
Table. Explains the keywords and parameters that you can use for the command.
Example. Shows a CLI example for the command.

Command Conventions

In this manual, the following type conventions are used:
A command name is stated in bold type.
A keyword name is stated in bold type.
A parameter name is stated in italic type.
The keywords and parameters for a command might include mandatory values, optional values, or choices. The following table describes the conventions that this manual uses to distinguish between value types:
Table 1. Command conventions
Symbol                                  Example                 Description
< > angle brackets                      <value>                 Indicate that you must enter a value in place of the brackets and text inside them. (value is the parameter.)
[ ] square brackets                     [value]                 Indicate an optional parameter that you can enter in place of the brackets and text inside them. (value is the parameter.)
{ } curly braces                        {choice1 | choice2}     Indicate that you must select a keyword from the list of choices. (choice1 and choice2 are keywords.)
| vertical bars                         choice1 | choice2       Separate the mutually exclusive choices. (choice1 and choice2 are keywords.)
[ { } ] braces within square brackets   [{choice1 | choice2}]   Indicate a choice within an optional element. (choice1 and choice2 are keywords.)
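
The notation in Table 1 can be checked mechanically before a command script is sent to the device. The following Python code is an added example, not NETGEAR code: it parses a format string written in this notation and tests whether a typed command line fits it. The function names are hypothetical, keyword matching is assumed to be case-sensitive, and the format strings in the comments are ones quoted in this chapter.

```python
import re
import shlex

# Tokens of the manual's notation: <parameter>, the symbols { } [ ] |, and keywords.
TOKEN = re.compile(r"<[^>]+>|[{}\[\]|]|[^\s{}\[\]|<>]+")


def parse_format(fmt):
    """Turn a format string into a nested list of (kind, value) items."""
    tokens = TOKEN.findall(fmt)
    pos = 0

    def expect(symbol):
        nonlocal pos
        if pos >= len(tokens) or tokens[pos] != symbol:
            raise ValueError(f"format is missing {symbol!r}")
        pos += 1

    def sequence(closers):
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] not in closers:
            tok = tokens[pos]
            pos += 1
            if tok == "{":  # required choice between alternatives
                alternatives = [sequence(("|", "}"))]
                while pos < len(tokens) and tokens[pos] == "|":
                    pos += 1
                    alternatives.append(sequence(("|", "}")))
                expect("}")
                items.append(("choice", alternatives))
            elif tok == "[":  # optional element
                body = sequence(("]",))
                expect("]")
                items.append(("optional", body))
            elif tok in ("}", "]", "|"):
                raise ValueError(f"unexpected {tok!r} in format")
            elif tok.startswith("<"):  # parameter: the user types a value
                items.append(("param", tok[1:-1]))
            else:
                items.append(("keyword", tok))
        return items

    return sequence(())


def _ends(items, words, start):
    """Return every index in words where items can finish matching from start."""
    positions = {start}
    for kind, value in items:
        reached = set()
        for p in positions:
            if kind == "keyword":
                if p < len(words) and words[p] == value:
                    reached.add(p + 1)
            elif kind == "param":
                # Any non-empty value fits; the manual rejects empty strings.
                if p < len(words) and words[p] != "":
                    reached.add(p + 1)
            elif kind == "optional":
                reached.add(p)  # skipping the element is allowed
                reached |= _ends(value, words, p)
            else:  # choice: exactly one alternative must match
                for alternative in value:
                    reached |= _ends(alternative, words, p)
        positions = reached
        if not positions:
            break
    return positions


def matches(fmt, line):
    """True if the whole command line fits the format string."""
    words = shlex.split(line)  # double quotes keep spaces inside one value
    return len(words) in _ends(parse_format(fmt), words, 0)


if __name__ == "__main__":
    fmt = "isp_connection_type {STATIC | DHCPC | PPPoE | PPTP}"
    for line in ("isp_connection_type PPPoE", "isp_connection_type L2TP"):
        print(line, "->", matches(fmt, line))
```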

Description of a Command

The following example describes the net radvd pool lan edit <row id> command:
net radvd pool lan edit is the command name.
<row id> is the required parameter for which you must enter a value after you type the command words.
The command lets you enter the net-config [radvd-pool-lan] mode, from which you can issue the following keywords and parameters:
prefix_type {6To4 {6to4_interface {WAN1 | WAN2} {sla_id <ID number>} | Global-Local-ISATAP {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Explanation of the keywords and parameters:
prefix_type is a keyword. The required associated keyword that you must select is either 6to4_interface or Global-Local-ISATAP.
- If you select 6to4_interface, you must specify the WAN interface by typing WAN1 or WAN2, and you must issue the sla_id keyword and enter a value for the <ID number> parameter.
- If you select Global-Local-ISATAP, you must issue the prefix_address keyword and enter a value for the <ipv6-address> parameter, and you must issue the prefix_length keyword and enter a value for the <prefix length> parameter.
prefix_life_time is a keyword and <seconds> is the required parameter for which you must enter a value.
Command example:
FVS336Gv2> net radvd pool lan edit 12
net-config[radvd-pool-lan]> prefix_type Global-Local-ISATAP
net-config[radvd-pool-lan]> prefix_address 10FA:2203:6145:4201::
net-config[radvd-pool-lan]> prefix_length 10
net-config[radvd-pool-lan]> prefix_life_time 3600
net-config[radvd-pool-lan]> save

Common Parameters

Parameter values might be names (strings) or numbers. To use spaces as part of a name parameter, enclose the name value in double quotes. For example, the expression “System Name with Spaces” forces the system to accept the spaces. Empty strings (“”) are not valid user-defined strings. The following table describes common parameter values and value formatting:
Table 2. Common parameters
Parameter           Description
ipaddr              This parameter is a valid IPv4 address. You must enter the IP address in the a.b.c.d format, in which each octet is a number in the range from 0 to 255 (both inclusive), for example, 10.12.140.218.
                    The CLI accepts decimal, hexadecimal, and octal formats through the following input formats (where n is any valid decimal, hexadecimal, or octal number):
                    0xn (CLI assumes hexadecimal format)
                    0n (CLI assumes octal format with leading zeros)
                    n (CLI assumes decimal format)
ipv6-address        This parameter is a valid IPv6 address. You can enter the IPv6 address in one of the following formats:
                    FE80:0000:0000:0000:020F:24FF:FEBF:DBCB
                    FE80:0:0:0:20F:24FF:FEBF:DBCB
                    FE80::20F:24FF:FEBF:DBCB
                    FE80:0:0:0:20F:24FF:128:141:49:32
                    For additional information, see RFC 3513.
Character strings   Use double quotation marks to identify character strings, for example, “System Name with Spaces”.
                    An empty string (“”) is not valid.
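
Because the ipaddr parameter accepts hexadecimal and octal input, an address typed with a leading zero does not mean what it appears to mean in decimal: 010 is read as 8. The following Python code is an added example, not NETGEAR code, for reviewing addresses in a command script before they are applied. It assumes that the 0xn, 0n, and n rules apply to each octet separately, which the table does not state; the function names and the sample list are constructed for illustration.

```python
import re

# One octet written in any of the three input formats listed for ipaddr.
OCTET = re.compile(r"0x[0-9a-f]+|0[0-7]+|0|[1-9][0-9]*", re.IGNORECASE)


def parse_octet(text):
    """Return (value, base name) for one octet, or raise ValueError."""
    if not OCTET.fullmatch(text):
        raise ValueError(f"not a decimal, hexadecimal, or octal number: {text!r}")
    lowered = text.lower()
    if lowered.startswith("0x"):
        value, base = int(lowered[2:], 16), "hexadecimal"
    elif len(lowered) > 1 and lowered[0] == "0":
        value, base = int(lowered[1:], 8), "octal"
    else:
        value, base = int(lowered, 10), "decimal"
    if not 0 <= value <= 255:
        raise ValueError(f"octet {text!r} is {value}, outside the range 0 to 255")
    return value, base


def normalize_ipaddr(text):
    """Return (dotted-decimal address, sorted list of non-decimal bases used)."""
    parts = text.split(".")
    if len(parts) != 4:
        raise ValueError(f"expected a.b.c.d, got {text!r}")
    parsed = [parse_octet(part) for part in parts]
    canonical = ".".join(str(value) for value, _ in parsed)
    bases = sorted({base for _, base in parsed if base != "decimal"})
    return canonical, bases


def review(addresses):
    """List every address that is invalid or does not read as plain decimal."""
    findings = []
    for addr in addresses:
        try:
            canonical, bases = normalize_ipaddr(addr)
        except ValueError as err:
            findings.append((addr, None, f"rejected: {err}"))
            continue
        if canonical != addr:
            note = "written with " + " and ".join(bases) + " octets"
            findings.append((addr, canonical, note))
    return findings


# Constructed sample: addresses as they might appear in a command script.
SAMPLE = [
    "10.12.140.218",     # plain decimal, the manual's own example
    "010.12.140.218",    # leading zero: first octet is octal 10, that is 8
    "0x0A.12.140.218",   # hexadecimal first octet, same host as the first line
    "10.12.140.0218",    # 8 is not an octal digit
    "0400.0.0.1",        # octal 400 is 256, out of range
]

if __name__ == "__main__":
    for original, canonical, note in review(SAMPLE):
        print(f"{original:18} -> {canonical or '-':15} {note}")
```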

Four Categories of Commands

CLI commands are grouped into four categories:
Configuration. Configuration commands with four main configuration modes. For more
information, see Configuration Commands: Four Main Modes on page 10. Save commands also fall into this category. For more information, see Configuration
Commands: Save Commands on page 13.
Show. Show commands that are available for the four main configuration modes. For
more information, see Chapter 7, Overview of the Show Commands and Chapter 8,
Show Commands.
Utility. See Chapter 9, Utility Commands.
Global. See Global Commands on page 14.

Configuration Commands: Four Main Modes

For the configuration commands, the CLI provides four main modes: net, security, system, and vpn. Chapter 2, Overview of the Configuration Commands lists all commands in these modes, and each of these modes is described in detail in a separate chapter (see Chapter 3 through Chapter 6).
The following table lists the main configuration modes, the configuration modes, the features
that you can configure in each configuration mode, and, for orientation, the basic web management interface (GUI) path to the feature.
Table 3. Main configuration modes
Main Mode  Submode               Feature That You Can Configure                  Web Management Interface (GUI) Basic Path
Network configuration commands
net        ddns                  Dynamic DNS                                     Network Configuration > Dynamic DNS
net        dmz                   DMZ for IPv4                                    Network Configuration > DMZ Setup
                                 DMZ for IPv6
net        ethernet              VLAN assignment to LAN interface                Network Configuration > LAN Setup
net        ipv6                  IPv4 or IPv4/IPv6 mode                          Network Configuration > WAN Settings
net        ipv6_tunnel           IPv6 tunnels                                    Network Configuration > WAN Settings
net        lan                   IPv4 LAN settings and VLANs                     Network Configuration > LAN Setup
                                 LAN groups for IPv4
                                 Secondary IPv4 LAN addresses
                                 Advanced IPv4 LAN settings
                                 Fixed and reserved DHCP IPv4 addresses
                                 LAN IPv4 traffic meter profiles
                                 IPv6 LAN settings
                                 Secondary IPv6 LAN addresses
                                 IPv6 LAN DHCP address pools
                                 IPv6 prefix delegation for the LAN
net        radvd                 IPv6 RADVD and pools for the LAN                Network Configuration > LAN Setup
                                 IPv6 RADVD and pools for the DMZ                Network Configuration > DMZ Setup
net        routing               Dynamic IPv4 routes                             Network Configuration > Routing
                                 Static IPv4 routes
                                 Static IPv6 routes
net        siit                  Stateless IP/ICMP Translation                   Network Configuration > SIIT
net        wan                   IPv4 WAN (Internet) settings                    Network Configuration > WAN Settings
                                 Secondary IPv4 WAN addresses
                                 IPv6 WAN (Internet) settings
                                 MTU, port speed, and MAC address, failure
                                 detection method, and upload/download settings
net        wan_settings          NAT or Classical Routing                        Network Configuration > WAN Settings
                                 Load balancing settings for IPv4
Security configuration commands
security   address_filter        Source MAC filters                              Security > Address Filter
                                 IP/MAC bindings for IPv4
                                 IP MAC bindings for IPv6
security   bandwidth             Bandwidth profiles                              Security > Bandwidth Profile
security   content_filter        Group filtering                                 Security > Content Filtering
                                 Blocked keywords
                                 Web components
                                 Trusted domains
security   firewall              All IPv4 firewall rules                         Security > Firewall
                                 All IPv6 firewall rules
                                 Attack checks
                                 Session limits and time-outs
                                 SIP ALG
security   porttriggering_rules                                                  Security > Port Triggering
security   schedules                                                             Security > Schedule
security   services              Custom services                                 Security > Services
                                 Service groups
                                 LAN and WAN IP groups
                                 LAN QoS profiles
security   upnp                                                                  Security > UPnP
Administration and monitoring configuration commands
system     logging                                                               Monitoring > Firewall Logs & E-mail
system     remote_management                                                     Administration > Remote Management
system     snmp                                                                  Administration > SNMP
system     schedule_reboot                                                       Monitoring > Diagnostics
system     time                                                                  Administration > Time Zone
system     traffic_meter         WAN traffic meters                              Monitoring > Traffic Meter
VPN configuration commands
vpn        ipsec                 IPSec Wizard                                    VPN > IPSec VPN
                                 IKE policies
                                 VPN policies
                                 Mode Config records
                                 RADIUS servers
vpn        l2tp                  L2TP server                                     VPN > L2TP Server
vpn        pptp                  PPTP server                                     VPN > PPTP Server
vpn        sslvpn                SSL Wizard                                      VPN > SSL VPN
                                 SSL policies
                                 Resources and resource objects
                                 Portal layouts
                                 SSL VPN clients
                                 Client routes
                                 Port forwarding
                                 Domains                                         Users
                                 Groups
                                 User accounts
                                 User login and IP policies

Configuration Commands: Save Commands

The following table describes the configuration commands that let you save or cancel configuration changes in the CLI. You can use these commands in any of the four main configuration modes. These commands are not preceded by a period.
Table 4. Save commands
Command   Description
save      Save the configuration changes.
exit      Save the configuration changes and exit the current configuration mode.
cancel    Roll back the configuration changes.

Commands That Require Saving

After you issue a command that includes the word configure, add, or edit, you enter a configuration mode from which you can issue keywords and associated parameters.
These are examples of commands for which you must save your changes:
net lan ipv4 configure <vlan id> lets you enter the net-config [lan-ipv4] configuration mode. After you make your changes, issue save or exit to save your changes.
security content_filter trusted_domain add lets you enter the security-config [approved-urls] configuration mode. After you make your changes, issue save or exit to save your changes.
vpn sslvpn users groups add lets you enter the vpn-config [user-groups] configuration mode. After you make your changes, issue save or exit to save your changes.

Commands That Do Not Require Saving

You do not need to save your changes after you issue a command that deletes, disables, or enables a row ID, name, IP address, or MAC address, or that lets you make a configuration change without entering another configuration mode.
These are examples of commands that you do not need to save:
net lan dhcp reserved_ip delete <mac address>
vpn ipsec vpnpolicy disable <vpn policy name>
security firewall ipv4 enable <row id>
security firewall ipv4 default_outbound_policy {Allow | Block}
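
The difference between the two groups matters when you review a change script or a captured session: commands such as security firewall ipv4 default_outbound_policy are applied without a save step, while keywords typed in a configuration mode need save or exit. The following Python code is an added example, not NETGEAR code; it classifies the commands in a constructed transcript by these rules. The function name and the transcript are assumptions, and the prompts and commands follow the forms shown in this chapter.

```python
import re

ROOT_PROMPT = re.compile(r"^FVS336Gv2>\s*(.*)$")
# Configuration prompt, for example net-config[radvd-pool-lan]>
CONFIG_PROMPT = re.compile(r"^([a-z]+-config) ?\[([^\]]+)\]>\s*(.*)$")
MAIN_MODES = {"net", "security", "system", "vpn"}
ENTRY_WORDS = {"configure", "add", "edit"}  # these commands open a configuration mode

# Constructed session transcript for the example.
SAMPLE = """\
FVS336Gv2> net radvd pool lan edit 12
net-config[radvd-pool-lan]> prefix_type Global-Local-ISATAP
net-config[radvd-pool-lan]> prefix_life_time 3600
net-config[radvd-pool-lan]> exit
FVS336Gv2> security firewall ipv4 default_outbound_policy Allow
FVS336Gv2> net wan wan1 ipv4 configure
net-config[wan1-ipv4]> isp_connection_type DHCPC
net-config[wan1-ipv4]> .top
FVS336Gv2> security firewall ipv4 delete 3
FVS336Gv2> .history
"""


def audit_session(transcript):
    """Return a list of (status, mode, commands) tuples in transcript order.

    status is "saved", "cancelled", or "unsaved" for keywords typed in a
    configuration mode, and "immediate" for root-level configuration commands
    that do not open a configuration mode.
    """
    findings = []
    mode = None
    pending = []

    def close(status):
        nonlocal pending
        if pending:
            findings.append((status, mode, pending))
        pending = []

    for raw in transcript.splitlines():
        line = raw.strip()
        config = CONFIG_PROMPT.match(line)
        if config:
            new_mode = f"{config.group(1)}[{config.group(2)}]"
            if mode is not None and new_mode != mode:
                close("unsaved")  # mode changed with keywords still pending
            mode = new_mode
            command = config.group(3).strip()
            if command in ("save", "exit"):
                close("saved")
            elif command == "cancel":
                close("cancelled")
            elif command and not command.startswith("."):
                pending.append(command)  # global commands (.top, .help) change nothing
            continue
        root = ROOT_PROMPT.match(line)
        if root:
            close("unsaved")  # back at the root prompt without save or exit
            mode = None
            words = root.group(1).split()
            if words and words[0] in MAIN_MODES and not ENTRY_WORDS & set(words):
                findings.append(("immediate", None, [" ".join(words)]))
    close("unsaved")  # transcript ended inside a configuration mode
    return findings


if __name__ == "__main__":
    for status, mode, commands in audit_session(SAMPLE):
        print(f"{status:10} {mode or 'root':28} {'; '.join(commands)}")
```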

Global Commands

The following table describes the global commands that you can use anywhere in the CLI. These commands must be preceded by a period.
Table 5. Global CLI commands
Command    Description
.exit      Exit the current session.
.help      Display an overview of the CLI syntax.
.top       Return to the default command mode or root.
.reboot    Reboot the system.
.history   Display the command-line history of the current session.

Examples of Three Basic Types of Commands

You can encounter the following three basic types of commands in the CLI:
Entry commands to enter a configuration mode. Commands that let you enter a configuration mode from which you can configure various keywords and associated parameters and keywords. For example, the net wan wan1 ipv4 configure command lets you enter the net-config [wan1-ipv4] mode, from which you can configure the IPv4 WAN settings.
This type of command is the most common in the CLI and is always indicated by two steps in this manual, each one showing the format and mode:
Step 1
Format   net wan wan ipv4 configure <wan interface>
Mode     net
Step 2
Format   This section shows the keywords and associated parameters, for example:
         isp_connection_type {STATIC | DHCPC | PPPoE | PPTP}
Mode     net-config [wan1-ipv4]
Sometimes, you must enter a parameter to enter a configuration mode. For example, security schedules edit <row id> requires you to enter the row ID (that is, the row number in the table that contains all the schedules) for the schedule that you want to modify. Then, you enter the security-config [schedules] mode, from which you can modify various keywords and associated parameters and keywords.
Commands with a single parameter. Commands that require you to supply one or more parameters and that do not let you enter another configuration mode. The parameter is usually a row number or a name. For example, security firewall ipv4 delete <row id> requires you to enter the row ID (that is, the row number in the table that contains all the firewall rules) for the firewall rule that you want to delete.
For this type of command, the manual shows the format and mode:
Format   security firewall ipv4 delete <row id>
Mode     security
Commands without parameters. Commands that do not require you to supply a parameter after the command and that do not let you enter another configuration mode. For example, util restore_factory_defaults does not require parameters.
For this type of command, the manual shows the format and mode:
Format   util restore_factory_defaults
Mode     util

Command Autocompletion and Command Abbreviation

Command autocompletion finishes spelling a command when you type enough letters of the command to uniquely identify the command keyword. You must type all of the required keywords and parameters before you can use autocompletion.
Press either of the following keys to let the current command autocomplete. If the command prefix is not unique, press the key again to display possible completions.
Enter or Return key. Autocompletes, syntax-checks, and then executes the command. If a syntax error occurs, the offending part of the command is highlighted and explained.
Spacebar. Autocompletes, or if the command is already resolved, inserts a space.
The following table describes the key combinations that you can use to edit commands or increase the speed of command entry. Access this list from the CLI by issuing .help.
Table 6. CLI editing conventions
Key or Key Sequence   Description
Invoking context-sensitive help
?                     Displays context-sensitive help. The information that displays consists either of a list of possible command completions with summaries or of the full syntax of the current command. When a command is resolved, a subsequent repeat of the help key displays a detailed reference.
Autocompleting
Note: Command autocompletion finishes spelling the command when you type enough letters of a command to uniquely identify the command keyword. However, you must type all of the required keywords and parameters before you use autocompletion.
Enter (or Return)     Autocompletes, syntax-checks, and then executes a command. If a syntax error occurs, the offending part of the command line is highlighted and explained. If the command prefix is not unique, press the key again to display possible completions.
Spacebar              Autocompletes, or if the command is already resolved, inserts a space. If the command prefix is not unique, press the key again to display possible completions.
Moving around
Ctrl-A                Go to the beginning of the line.
Ctrl-E                Go to the end of the line.
Up arrow              Go to the previous line in the history buffer.
Down arrow            Go to the next line in the history buffer.
Left arrow            Go backward one character.
Right arrow           Go forward one character.
Deleting
Ctrl-C                Delete the entire line.
Ctrl-D                Delete the next character.
Ctrl-K                Delete all characters to the end of the line from where the cursor is located.
Backspace             Delete the previous character.
Invoking escape sequences
!!                    Substitute the previous line.
!N                    Substitute the Nth line, in which N is the absolute line number as displayed in the output of the history command.
!-N                   Substitute the line that is located N lines before the current line, in which N is a relative number in relation to the current line.

Access the CLI

You can access the CLI by logging in with the same user credentials (user name and password) that you use to access the web management interface. FVS336Gv2> is the CLI prompt.
FVS336Gv2 login: admin
Password:
************************************************
Welcome to FVS336Gv2 Command Line Interface
************************************************
FVS336Gv2>
2. Overview of the Configuration Commands
This chapter provides an overview of all configuration commands in the four configuration command modes. The keywords and associated parameters that are available for these commands are explained in Chapter 3 through Chapter 6. The chapter includes the following sections:
Network Settings Configuration Commands
Security Settings Configuration Commands
System Administrative and Monitoring Settings Configuration Commands
VPN Settings Configuration Commands

Network Settings Configuration Commands

Enter the net ? command at the CLI prompt to display the submodes in the net mode. The following table lists the submodes and their commands in alphabetical order:
Table 7. Net mode configuration commands
Submode
  Command Name: Purpose

ddns
  net ddns configure: Enable, configure, or disable DDNS service.
dmz
  net dmz ipv4 configure: Enable, configure, or disable the IPv4 DMZ.
  net dmz ipv6 configure: Enable, configure, or disable the IPv6 DMZ.
  net dmz ipv6 pool configure <ipv6 address>: Configure a new or existing IPv6 DMZ DHCP address pool.
  net dmz ipv6 pool delete <ipv6 address>: Delete an IPv6 DMZ DHCP address pool.
ethernet
  net ethernet configure <interface name or number>: Configure a VLAN for a LAN interface.
ipv6
  net ipv6 ipmode configure: Configure the IP mode (IPv4 only or IPv4/IPv6).
ipv6_tunnel
  net ipv6_tunnel isatap add: Configure a new IPv6 ISATAP tunnel.
  net ipv6_tunnel isatap delete <row id>: Delete an IPv6 ISATAP tunnel.
  net ipv6_tunnel isatap edit <row id>: Configure an existing IPv6 ISATAP tunnel.
  net ipv6_tunnel six_to_four configure: Enable or disable automatic (6to4) tunneling.
lan
  net lan dhcp reserved_ip configure <mac address>: Bind a MAC address to an IP address for DHCP reservation or change an existing binding, and assign a LAN group.
  net lan dhcp reserved_ip delete <mac address>: Delete the binding of a MAC address to an IP address.
  net lan ipv4 advanced configure: Configure advanced LAN settings such as the MAC address for VLANs and ARP broadcast.
  net lan ipv4 configure <vlan id>: Configure a new or existing VLAN.
  net lan ipv4 default_vlan: Configure the default VLAN for each port.
  net lan ipv4 delete <vlan id>: Delete a VLAN.
  net lan ipv4 disable <vlan id>: Disable a VLAN.
  net lan ipv4 enable <vlan id>: Enable a VLAN.
  net lan ipv4 multi_homing add: Configure a new secondary IPv4 address.
  net lan ipv4 multi_homing delete <row id>: Delete a secondary IPv4 address.
  net lan ipv4 multi_homing edit <row id>: Configure an existing secondary IPv4 address.
  net lan ipv4 traffic_meter configure <ip address>: Configure a traffic meter profile for an IPv4 address.
  net lan ipv4 traffic_meter delete <row id>: Delete a traffic meter profile.
  net lan ipv6 configure: Configure the IPv6 LAN address settings and DHCPv6.
  net lan ipv6 multi_homing add: Configure a new secondary IPv6 address.
  net lan ipv6 multi_homing delete <row id>: Delete a secondary IPv6 address.
  net lan ipv6 multi_homing edit <row id>: Configure an existing secondary IPv6 address.
  net lan ipv6 pool add: Configure a new IPv6 LAN DHCP address pool.
  net lan ipv6 pool delete <row id>: Delete an IPv6 LAN DHCP address pool.
  net lan ipv6 pool edit <row id>: Configure an existing IPv6 LAN DHCP address pool.
  net lan ipv6 prefix_delegation add: Configure a new prefix for IPv6 LAN prefix delegation.
  net lan ipv6 prefix_delegation delete <row id>: Delete a prefix for IPv6 LAN prefix delegation.
  net lan ipv6 prefix_delegation edit <row id>: Configure an existing prefix for IPv6 LAN prefix delegation.
  net lan lan_groups edit <row id> <new group name>: Change an existing LAN default group name.
protocol binding
  net protocol_binding add: Configure a new protocol binding.
  net protocol_binding delete: Delete a protocol binding.
  net protocol_binding disable: Disable a protocol binding.
  net protocol_binding edit <row id>: Configure an existing protocol binding.
  net protocol_binding enable: Enable a protocol binding.
qos
  net qos configure: Configure the QoS mode for the WAN interfaces.
  net qos profile add: Configure a new WAN QoS profile.
  net qos profile delete <row id>: Delete a WAN QoS profile.
  net qos profile disable <row id>: Disable a WAN QoS profile.
  net qos profile edit <row id>: Configure an existing WAN QoS profile.
  net qos profile enable <row id>: Enable a WAN QoS profile.
radvd
  net radvd configure dmz: Configure the IPv6 RADVD for the DMZ.
  net radvd configure lan: Configure the IPv6 RADVD for the LAN.
  net radvd pool dmz add: Configure a new IPv6 RADVD pool for the DMZ.
  net radvd pool dmz delete <row id>: Delete an IPv6 RADVD pool from the DMZ.
  net radvd pool dmz edit <row id>: Configure an existing IPv6 RADVD pool for the DMZ.
  net radvd pool lan add: Configure a new IPv6 RADVD pool for the LAN.
  net radvd pool lan delete <row id>: Delete an IPv6 RADVD pool from the LAN.
  net radvd pool lan edit <row id>: Configure an existing IPv6 RADVD pool for the LAN.
routing
  net routing dynamic configure: Configure RIP and the associated MD5 key information.
  net routing static ipv4 configure <route name>: Configure a new or existing IPv4 static route.
  net routing static ipv4 delete <route name>: Delete an IPv4 static route.
  net routing static ipv4 delete_all: Delete all IPv4 routes.
  net routing static ipv6 configure <route name>: Configure a new or existing IPv6 static route.
  net routing static ipv6 delete <route name>: Delete an IPv6 static route.
  net routing static ipv6 delete_all: Delete all IPv6 routes.
siit
  net siit configure: Configure Stateless IP/ICMP Translation.
wan
  net wan port_setup ipv4 configure <wan interface>: Configure the failover method, MTU, port speed, and MAC address of an IPv4 WAN interface.
  net wan port_setup ipv6 configure <wan interface>: Configure the failure detection ping settings of an IPv6 WAN interface.
  net wan wan ipv4 configure <wan interface>: Configure the ISP settings of an IPv4 WAN interface.
  net wan wan ipv4 secondary_address add <wan interface>: Configure a secondary IPv4 WAN address.
  net wan wan ipv4 secondary_address delete <row id>: Delete a secondary IPv4 WAN address.
  net wan wan ipv6 configure <wan interface>: Configure the ISP settings of an IPv6 WAN interface.
wan_settings
  net wan_settings load_balancing configure: Configure the load balancing settings for two WAN interfaces that are configured for IPv4.
  net wan_settings wanmode configure: Configure the mode of IPv4 routing (NAT or classical routing) between the WAN interface and LAN interfaces.

Security Settings Configuration Commands

Enter the security ? command at the CLI prompt to display the submodes in the security mode. The following table lists the submodes and their commands in alphabetical order:
Table 8. Security mode configuration commands
Submode
  Command Name: Purpose

address_filter
  security address_filter ip_or_mac_binding add: Configure a new IP/MAC binding rule.
  security address_filter ip_or_mac_binding delete <row id>: Delete an IP/MAC binding rule.
  security address_filter ip_or_mac_binding edit <row id>: Configure an existing IP/MAC binding rule.
  security address_filter ip_or_mac_binding enable_email_log <ip version>: Configure the email log for IP/MAC Binding violations.
  security address_filter mac_filter configure: Configure the source MAC address filter.
  security address_filter mac_filter source add: Configure a new MAC source address.
  security address_filter mac_filter source delete <row id>: Delete a MAC source address.
bandwidth
  security bandwidth enable_bandwidth_profiles {Y | N}: Enable or disable bandwidth profile globally.
  security bandwidth profile add: Configure a new bandwidth profile.
  security bandwidth profile delete <row id>: Delete a bandwidth profile.
  security bandwidth profile edit <row id>: Configure an existing bandwidth profile.
content_filter
  security content_filter block_group disable: Remove content filtering from groups.
  security content_filter block_group enable: Apply content filtering to groups.
  security content_filter blocked_keywords add: Configure a new blocked keyword.
  security content_filter blocked_keywords delete <row id>: Delete a blocked keyword.
  security content_filter blocked_keywords edit <row id>: Configure an existing blocked keyword.
  security content_filter content_filtering configure: Configure web content filtering.
  security content_filter trusted_domain add: Configure a new trusted domain.
  security content_filter trusted_domain delete <row id>: Delete a trusted domain.
  security content_filter trusted_domain edit <row id>: Configure an existing trusted domain.
firewall
  security firewall advanced algs: Configure SIP support for the ALG.
  security firewall attack_checks configure ipv4: Configure WAN and LAN security attack checks for IPv4 traffic.
  security firewall attack_checks configure ipv6: Configure WAN security attack checks for IPv6 traffic.
  security firewall attack_checks vpn_passthrough configure: Configure VPN pass-through for IPv4 traffic.
  security firewall igmp alternate_networks add: Configure a new alternate network.
  security firewall igmp alternate_networks delete: Delete an alternate network.
  security firewall igmp configure: Enable or disable multicast pass-through for IPv4 traffic.
  security firewall ipv4 add_rule dmz_wan inbound: Configure a new IPv4 DMZ WAN inbound firewall rule.
  security firewall ipv4 add_rule dmz_wan outbound: Configure a new IPv4 DMZ WAN outbound firewall rule.
  security firewall ipv4 add_rule lan_dmz inbound: Configure a new IPv4 LAN DMZ inbound firewall rule.
  security firewall ipv4 add_rule lan_dmz outbound: Configure a new IPv4 LAN DMZ outbound firewall rule.
  security firewall ipv4 add_rule lan_wan inbound: Configure a new IPv4 LAN WAN inbound firewall rule.
  security firewall ipv4 add_rule lan_wan outbound: Configure a new IPv4 LAN WAN outbound firewall rule.
  security firewall ipv4 default_outbound_policy {Allow | Block}: Configure the default outbound policy for IPv4 traffic.
  security firewall ipv4 delete <row id>: Delete an IPv4 firewall rule.
  security firewall ipv4 disable <row id>: Disable an IPv4 firewall rule.
  security firewall ipv4 edit_rule dmz_wan inbound <row id>: Configure an existing IPv4 DMZ WAN inbound firewall rule.
  security firewall ipv4 edit_rule dmz_wan outbound <row id>: Configure an existing IPv4 DMZ WAN outbound firewall rule.
  security firewall ipv4 edit_rule lan_dmz inbound <row id>: Configure an existing IPv4 LAN DMZ inbound firewall rule.
  security firewall ipv4 edit_rule lan_dmz outbound <row id>: Configure an existing IPv4 LAN DMZ outbound firewall rule.
  security firewall ipv4 edit_rule lan_wan inbound <row id>: Configure an existing IPv4 LAN WAN inbound firewall rule.
  security firewall ipv4 edit_rule lan_wan outbound <row id>: Configure an existing IPv4 LAN WAN outbound firewall rule.
  security firewall ipv4 enable <row id>: Enable an IPv4 firewall rule.
  security firewall ipv6 configure: Configure a new IPv6 firewall rule.
  security firewall ipv6 default_outbound_policy {Allow | Block}: Configure the default outbound policy for IPv6 traffic.
  security firewall ipv6 delete <row id>: Delete an IPv6 firewall rule.
  security firewall ipv6 disable <row id>: Disable an IPv6 firewall rule.
  security firewall ipv6 edit <row id>: Configure an existing IPv6 firewall rule.
  security firewall ipv6 enable <row id>: Enable an IPv6 firewall rule.
  security firewall session_limit configure: Configure global session limits.
  security firewall session_settings configure: Configure global session time-outs.
porttriggering_rules
  security porttriggering_rules add: Configure a new port triggering rule.
  security porttriggering_rules delete <row id>: Delete a port triggering rule.
  security porttriggering_rules edit <row id>: Configure an existing port triggering rule.
schedules
  security schedules edit {1 | 2 | 3}: Configure one of the three security schedules.
services
  security services add: Configure a new custom service.
  security services delete <row id>: Delete a custom service.
  security services edit <row id>: Configure an existing custom service.
  security services ip_group add: Configure a new LAN or WAN IP group.
  security services ip_group add_ip_to <group name>: Add an IP address to a LAN or WAN IP group.
  security services ip_group delete <row id>: Delete a LAN or WAN IP group.
  security services ip_group delete_ip <row id>: Remove an IP address from a LAN or WAN IP group.
  security services ip_group edit <row id>: Configure an existing LAN or WAN IP group.
  security services qos_profile add: Add a QoS profile.
  security services qos_profile delete <row id>: Delete a QoS profile.
  security services qos_profile edit <row id>: Configure an existing QoS profile.
  security services service_group add: Add a service group.
  security services service_group edit <row id>: Delete a service group.
  security services service_group delete <row id>: Configure an existing service group.
upnp
  security upnp configure: Configure UPnP.

System Administrative and Monitoring Settings Configuration Commands

Enter the system ? command at the CLI prompt to display the submodes in the system mode. The following table lists the submodes and their commands in alphabetical order:
Table 9. System mode configuration commands
Submode
  Command Name: Purpose

logging
  system logging configure: Configure routing logs for accepted and dropped IPv4 and IPv6 packets.
  system logging remote configure: Configure email logs and alerts, schedule email logs and alerts, and configure a syslog server.
remote_management
  system remote_management https configure: Configure remote management over HTTPS.
  system remote_management telnet configure: Configure remote management over Telnet.
schedule_reboot
  system schedule_reboot configure: Schedule the VPN firewall to be rebooted.
snmp
  system snmp remote_snmp enable: Enable or disable SNMP access from the WAN.
  system snmp sys configure: Configure the SNMP system information.
  system snmp trap configure <ip address>: Configure an SNMP agent and community.
  system snmp trap delete <ipaddress>: Delete an SNMP agent.
  system snmp trapevent edit: Change the default SNMP trap events.
  system snmp v3_users edit: Change the default SNMPv3 users.
time
  system time configure: Configure the system time, date, and NTP servers.
traffic_meter
  system traffic_meter configure <wan interface>: Configure the WAN traffic meter.

VPN Settings Configuration Commands

Enter the vpn ? command at the CLI prompt to display the submodes in the vpn mode. The following table lists the submodes and their commands in alphabetical order:
Table 10. Configuration commands: vpn mode
Submode
  Command Name: Purpose

ipsec
  vpn ipsec ikepolicy configure <ike policy name>: Configure a new or existing manual IPSec IKE policy.
  vpn ipsec ikepolicy delete <ike policy name>: Delete an IPSec policy.
  vpn ipsec mode_config configure <record name>: Configure a new or existing Mode Config record.
  vpn ipsec mode_config delete <record name>: Delete a Mode Config record.
  vpn ipsec radius configure: Configure the RADIUS servers.
  vpn ipsec vpnpolicy configure <vpn policy name>: Configure a new or existing auto IPSec VPN policy or manual IPSec VPN policy.
  vpn ipsec vpnpolicy connect <vpn policy name>: Establish a VPN connection.
  vpn ipsec vpnpolicy delete <vpn policy name>: Delete an IPSec VPN policy.
  vpn ipsec vpnpolicy disable <vpn policy name>: Disable an IPSec VPN policy.
  vpn ipsec vpnpolicy drop <vpn policy name>: Terminate an IPSec VPN connection.
  vpn ipsec vpnpolicy enable <vpn policy name>: Enable an IPSec VPN policy.
  vpn ipsec wizard configure <Gateway | VPN_Client>: Configure the IPSec VPN wizard for a gateway-to-gateway or gateway-to-VPN client connection.
l2tp
  vpn l2tp server configure: Configure the L2TP server.
pptp
  vpn pptp server configure: Configure the PPTP server.
sslvpn
  vpn sslvpn client ipv4: Configure the SSL client IPv4 address range.
  vpn sslvpn client ipv6: Configure the SSL client IPv6 address range.
  vpn sslvpn policy add: Configure a new SSL VPN policy.
  vpn sslvpn policy delete <row id>: Delete an SSL VPN policy.
  vpn sslvpn policy edit <row id>: Configure an existing SSL VPN policy.
  vpn sslvpn portal_layouts add: Configure a new SSL VPN portal layout.
  vpn sslvpn portal_layouts delete <row id>: Delete an SSL VPN portal layout.
  vpn sslvpn portal_layouts edit <row id>: Configure an existing SSL VPN portal layout.
  vpn sslvpn portal_layouts set_default <row id>: Configure the default SSL VPN portal layout.
  vpn sslvpn portforwarding appconfig add: Configure a new SSL port forwarding application.
  vpn sslvpn portforwarding appconfig delete <row id>: Delete an SSL VPN port forwarding application.
  vpn sslvpn portforwarding hostconfig add: Configure a new host name for an SSL port forwarding application.
  vpn sslvpn portforwarding hostconfig delete <row id>: Delete a host name for an SSL port forwarding application.
  vpn sslvpn resource add: Add a new SSL VPN resource.
  vpn sslvpn resource configure add <resource name>: Configure an SSL VPN resource object.
  vpn sslvpn resource configure delete <row id>: Delete an SSL VPN resource object.
  vpn sslvpn resource delete <row id>: Delete an SSL VPN resource.
  vpn sslvpn route add: Add an SSL VPN client route.
  vpn sslvpn route delete <row id>: Delete an SSL VPN client route.
  vpn sslvpn users domains add: Configure a new authentication domain.
  vpn sslvpn users domains delete <row id>: Delete an authentication domain.
  vpn sslvpn users domains disable_Local_Authentication {Y | N}: Enable or disable local authentication for users.
  vpn sslvpn users domains edit <row id>: Configure an existing authentication domain.
  vpn sslvpn users groups add: Configure a new authentication group.
  vpn sslvpn users groups delete <row id>: Delete an authentication group.
  vpn sslvpn users groups edit <row id>: Configure an existing authentication group.
  vpn sslvpn users users add: Add a new user account.
  vpn sslvpn users users browser_policies <row id>: Configure the client browsers from which a user is either allowed or denied access.
  vpn sslvpn users users delete <row id>: Delete a user account.
  vpn sslvpn users users edit <row id>: Configure an existing user account.
  vpn sslvpn users users ip_policies configure <row id>: Configure source IP addresses from which a user is either allowed or denied access.
  vpn sslvpn users users ip_policies delete <row id>: Delete a source IP address for a user.
  vpn sslvpn users users login_policies <row id>: Configure the login policy for a user.
  vpn sslvpn wizard configure: Configure the SSL VPN wizard for an SSL portal.
3. Net Mode Configuration Commands
This chapter explains the configuration commands, keywords, and associated parameters in the net mode. The chapter includes the following sections:
General WAN Commands
IPv4 WAN Commands
IPv6 WAN Commands
IPv6 Tunnel Commands
Dynamic DNS Command
IPv4 LAN Commands
IPv6 LAN Commands
IPv4 DMZ Setup Command
IPv6 DMZ Setup Commands
WAN QoS Commands
IPv4 Routing Commands
IPv6 Routing Commands
IMPORTANT:
After you issue a command that includes the word configure, add, or edit, you must save (or cancel) your changes. For more information, see Configuration Commands: Save Commands on page 13.

General WAN Commands

This section describes the following commands:
net wan port_setup ipv4 configure <wan interface>
net wan port_setup ipv6 configure <wan interface>
net wan port_setup ipv4 configure <wan interface>
This command configures the advanced WAN settings for an IPv4 WAN interface, that is, the MTU, port speed, MAC address, failure detection method, and upload and download settings of the VPN firewall. After you issue the net wan port_setup ipv4 configure command to specify one of the two WAN interfaces (that is, WAN1 or WAN2), you enter the net-config [port_setup_ipv4] mode and then you can configure the advanced settings for the specified interface in the order that you prefer.
Step 1
Format: net wan port_setup ipv4 configure <wan interface>
Mode: net

Step 2
Format:
  def_mtu {Default | Custom {mtu_size <number>}}
  port_speed {Auto_Sense | 10_BaseT_Half_Duplex | 10_BaseT_Full_Duplex | 100_BaseT_Half_Duplex | 100_BaseT_Full_Duplex | 1000_BaseT_Full_Duplex}
  mac_type {Use-Default-Mac | Use-This-Computers-Mac | Use-This-Mac {mac_address <mac address>}}
  failover_method type {None | WAN-DNS {failover_method retry_interval <seconds>} {failover_method retry_attempts <number>} | CUSTOM-DNS {failover_method dns_ipaddress_wan <ipaddress>} {failover_method retry_interval <seconds>} {failover_method retry_attempts <number>} | Ping {failover_method ping_ipaddress_wan <ipaddress>} {failover_method retry_interval <seconds>} {failover_method retry_attempts <number>}}
  upload_download wan_conn_type {DSL | ADSL | T1 | T3 | Other}
  upload_download upload_speed_type {56-Kbps | 128-Kbps | 256-Kbps | 384-Kbps | 512-Kbps | 768-Kbps | 1500-Kbps | 1544-Kbps | 10-Mbps | 44.736-Mbps | 100-Mbps | 1-Gbps | Custom {upload_download upload_speed <speed>}}
  upload_download download_speed_type {56-Kbps | 128-Kbps | 256-Kbps | 384-Kbps | 512-Kbps | 768-Kbps | 1500-Kbps | 1544-Kbps | 10-Mbps | 44.736-Mbps | 100-Mbps | 1-Gbps | Custom {upload_download download_speed <speed>}}
Mode: net-config [port_setup_ipv4]
Keyword, which might consist of two separate words (Associated Keyword to Select or Parameter to Type): Description

MTU
  def_mtu (Default or Custom): Specifies whether the default MTU or a custom MTU is used. If you select Custom, you must issue the mtu_size keyword and specify the size of the MTU.
  mtu_size (number): The size of the default MTU in bytes for the WAN port:
    If you configured IPv4 mode, type a number between 68 and 1500 bytes.
    If you configured IPv4/IPv6 mode, type a number between 1280 and 1500 bytes.

Port speed
  port_speed (Auto_Sense, 10_BaseT_Half_Duplex, 10_BaseT_Full_Duplex, 100_BaseT_Half_Duplex, 100_BaseT_Full_Duplex, or 1000_BaseT_Full_Duplex): Specifies the port speed and duplex mode of the WAN port. The keywords are self-explanatory.

MAC address
  mac_type (Use-Default-Mac, Use-This-Computers-Mac, or Use-This-Mac): Specifies the source for the MAC address. The default setting is Use-Default-Mac. If your ISP requires MAC authentication and another MAC address was previously registered with your ISP, select either Use-This-Computers-Mac or Use-This-Mac. If you select the latter keyword, you must issue the mac_address keyword and specify the MAC address that is expected by your ISP.
  mac_address (mac address): The MAC address that the ISP requires for MAC authentication when the mac_type keyword is set to Use-This-Mac.

Failure detection method
  failover_method type (None, WAN-DNS, CUSTOM-DNS, or Ping): Specifies the type of failover method for IPv4 connections. You can specify only one type of method:
    None. No failover method is configured.
    WAN-DNS. DNS queries are sent to the DNS server that you configure through the net wan wan ipv4 configure <wan interface> command.
    CUSTOM-DNS. DNS queries are sent to the DNS server that you must specify with the failover_method dns_ipaddress_wan keyword.
    Ping. Pings are sent to a server with a public IP address that you must specify with the failover_method ping_ipaddress_wan keyword.
    For all three failover methods, you also must issue the failover_method retry_interval keyword to specify an interval and the failover_method retry_attempts keyword to specify the number of attempts.
  failover_method retry_interval (seconds): The retry interval in seconds, from 5 to 999 seconds. The DNS query or ping is sent periodically after every test period.
  failover_method retry_attempts (number): The number of failover attempts, from 2 to 999. The primary WAN interface is considered down after the specified number of queries fails to elicit a reply. The backup interface is brought up after this situation has occurred.
  failover_method dns_ipaddress_wan (ipaddress): The address of the DNS server to which the DNS queries are sent if the failover method is set to CUSTOM-DNS.
  failover_method ping_ipaddress_wan (ipaddress): The ping address to which the pings are sent if the failover method is set to Ping.

Upload and download settings
  upload_download wan_conn_type (DSL, ADSL, T1, T3, or Other): Specifies the type of WAN connection that the VPN firewall uses to connect to the Internet.
  upload_download upload_speed_type (56-Kbps, 128-Kbps, 256-Kbps, 384-Kbps, 512-Kbps, 768-Kbps, 1500-Kbps, 1544-Kbps, 10-Mbps, 44.736-Mbps, 100-Mbps, 1-Gbps, or Custom): Specifies the maximum upload speed that is provided by your ISP. If you select Custom, you must specify the speed in Kbps with the upload_download upload_speed keyword.
  upload_download upload_speed (speed): The upload speed in Kbps if the type of WAN connection is Custom.
  upload_download download_speed_type (56-Kbps, 128-Kbps, 256-Kbps, 384-Kbps, 512-Kbps, 768-Kbps, 1500-Kbps, 1544-Kbps, 10-Mbps, 44.736-Mbps, 100-Mbps, 1-Gbps, or Custom): Specifies the maximum download speed that is provided by your ISP. If you select Custom, you must specify the speed in Kbps with the upload_download download_speed keyword.
  upload_download download_speed (speed): The download speed in Kbps if the type of WAN connection is Custom.

Command example:
FVS336Gv2> net wan port_setup ipv4 configure WAN1
net-config[port_setup_ipv4]> def_mtu Custom
net-config[port_setup_ipv4]> mtu_size 1498
net-config[port_setup_ipv4]> port_speed 1000_BaseT_Full_Duplex
net-config[port_setup_ipv4]> mac_type Use-This-Computers-Mac
net-config[port_setup_ipv4]> failover_method type Ping
net-config[port_setup_ipv4]> failover_method ping_ipaddress_wan 10.147.38.217
net-config[port_setup_ipv4]> failover_method retry_interval 30
net-config[port_setup_ipv4]> failover_method retry_attempts 4
net-config[port_setup_ipv4]> upload_download wan_conn_type DSL
net-config[port_setup_ipv4]> upload_download upload_speed_type 1-Gbps
net-config[port_setup_ipv4]> upload_download download_speed_type 1-Gbps
net-config[port_setup_ipv4]> save
Related show command: show net wan port_setup ipv4 <wan interface>
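The ranges and keyword dependencies in the keyword table above can be checked mechanically before a change is saved. The following Python code is an added example, not NETGEAR code: it parses a net-config [port_setup_ipv4] session and reports values that break the documented rules. The function names, the ip_mode argument, and the detection-time estimate (retry interval multiplied by retry attempts) are assumptions of this example.

```python
import ipaddress
import re

# Limits and dependencies copied from the keyword table above.
MTU_RANGE = {"ipv4": (68, 1500), "ipv4/ipv6": (1280, 1500)}
RANGES = {"failover_method retry_interval": (5, 999),   # seconds
          "failover_method retry_attempts": (2, 999)}
TARGET_KEYWORD = {"CUSTOM-DNS": "failover_method dns_ipaddress_wan",
                  "Ping": "failover_method ping_ipaddress_wan"}
FAILOVER_TYPES = {"None", "WAN-DNS"} | set(TARGET_KEYWORD)
PROMPT = re.compile(r"^\S+>\s*")

# Command example from this section of the manual.
MANUAL_EXAMPLE = """\
FVS336Gv2> net wan port_setup ipv4 configure WAN1
net-config[port_setup_ipv4]> def_mtu Custom
net-config[port_setup_ipv4]> mtu_size 1498
net-config[port_setup_ipv4]> port_speed 1000_BaseT_Full_Duplex
net-config[port_setup_ipv4]> mac_type Use-This-Computers-Mac
net-config[port_setup_ipv4]> failover_method type Ping
net-config[port_setup_ipv4]> failover_method ping_ipaddress_wan 10.147.38.217
net-config[port_setup_ipv4]> failover_method retry_interval 30
net-config[port_setup_ipv4]> failover_method retry_attempts 4
net-config[port_setup_ipv4]> upload_download wan_conn_type DSL
net-config[port_setup_ipv4]> upload_download upload_speed_type 1-Gbps
net-config[port_setup_ipv4]> upload_download download_speed_type 1-Gbps
net-config[port_setup_ipv4]> save
"""

# Constructed session with deliberate mistakes (not from the manual).
CONSTRUCTED_BAD = """\
net-config[port_setup_ipv4]> def_mtu Custom
net-config[port_setup_ipv4]> mtu_size 1200
net-config[port_setup_ipv4]> failover_method type CUSTOM-DNS
net-config[port_setup_ipv4]> failover_method retry_interval 3
"""

def parse_session(text):
    """Return {keyword: value} for the lines typed in net-config mode."""
    settings = {}
    for raw in text.strip().splitlines():
        line = PROMPT.sub("", raw.strip())
        if not line or line == "save" or line.startswith("net wan"):
            continue
        words = line.split()
        n = 2 if words[0] in ("failover_method", "upload_download") else 1
        settings[" ".join(words[:n])] = " ".join(words[n:])
    return settings

def _in_range(value, bounds):
    return value.isdigit() and bounds[0] <= int(value) <= bounds[1]

def check(settings, ip_mode="ipv4"):
    """Return a list of findings; an empty list means no rule was broken."""
    findings = []
    if settings.get("def_mtu") == "Custom":
        lo, hi = MTU_RANGE[ip_mode]
        mtu = settings.get("mtu_size")
        if mtu is None:
            findings.append("def_mtu Custom requires mtu_size")
        elif not _in_range(mtu, (lo, hi)):
            findings.append(f"mtu_size {mtu} outside {lo}-{hi} for {ip_mode} mode")
    if settings.get("mac_type") == "Use-This-Mac" and "mac_address" not in settings:
        findings.append("mac_type Use-This-Mac requires mac_address")
    ftype = settings.get("failover_method type", "None")
    if ftype not in FAILOVER_TYPES:
        findings.append(f"unknown failover_method type {ftype}")
    elif ftype != "None":
        for key, bounds in RANGES.items():
            value = settings.get(key)
            if value is None:
                findings.append(f"{ftype} requires {key}")
            elif not _in_range(value, bounds):
                findings.append(f"{key} {value} outside {bounds[0]}-{bounds[1]}")
        target_key = TARGET_KEYWORD.get(ftype)
        target = settings.get(target_key)
        if target_key and target is None:
            findings.append(f"{ftype} requires {target_key}")
        elif target_key:
            try:
                addr = ipaddress.IPv4Address(target)
                # The table asks for a ping server with a public IP address.
                if ftype == "Ping" and not addr.is_global:
                    findings.append(f"{target_key} {target} is not a public address")
            except ValueError:
                findings.append(f"{target_key} {target} is not an IPv4 address")
    for way in ("upload", "download"):
        if (settings.get(f"upload_download {way}_speed_type") == "Custom"
                and f"upload_download {way}_speed" not in settings):
            findings.append(f"{way}_speed_type Custom requires upload_download {way}_speed")
    return findings

def detection_seconds(settings):
    """Assumed estimate: one probe per retry interval, every attempt fails."""
    try:
        interval, attempts = (int(settings[key]) for key in RANGES)
        return interval * attempts
    except (KeyError, ValueError):
        return None
```

Run against the manual's own command example, check() reports the ping target 10.147.38.217, which is a private address, because the keyword table calls for a server with a public IP address.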
net wan port_setup ipv6 configure <wan interface>
This command configures the advanced WAN settings for an IPv6 WAN interface, that is, the failure detection ping settings. After you issue the net wan port_setup ipv6 configure command to specify one of the two WAN interfaces (that is, WAN1 or WAN2), you enter the net-config [port_setup_ipv6] mode and then you can configure the failure detection ping settings.
Step 1
Format: net wan port_setup ipv6 configure <wan interface>
Mode: net

Step 2
Format: {ping_ipaddress_wan <ipv6-address>} {retry_interval <seconds>} {retry_attempts <number>}
Mode: net-config [port_setup_ipv6]

Keyword (Associated Keyword to Select or Parameter to Type): Description
  ping_ipaddress_wan (ipv6-address): The IPv6 ping address to which the pings are sent.
  retry_interval (seconds): The retry interval in seconds, from 5 to 999 seconds. The ping is sent periodically after every test period.
  retry_attempts (number): The number of failover attempts, from 2 to 999. The primary WAN interface is considered down after the specified number of queries fails to elicit a reply. The backup interface is brought up after this situation occurs.

Command example:
FVS336Gv2> net wan port_setup ipv6 configure WAN1
net-config[port_setup_ipv6]> ping_ipaddress_wan fec1::1
net-config[port_setup_ipv6]> retry_interval 30
net-config[port_setup_ipv6]> retry_attempts 4
net-config[port_setup_ipv6]> save
Related show command: show net wan port_setup ipv6 <wan interface>

IPv4 WAN Commands

This section describes the following commands:
net wan_settings wanmode configure
net wan wan ipv4 configure <wan interface>
net wan wan ipv4 secondary_address add <wan interface>
net wan wan ipv4 secondary_address delete <row id>
net wan_settings load_balancing configure
net protocol_binding add
net protocol_binding edit <row id>
net protocol_binding delete
net protocol_binding disable
net protocol_binding enable
net wan_settings wanmode configure
This command configures the mode of IPv4 routing between the WAN interface and LAN interfaces. After you issue the net wan_settings wanmode configure command, you enter the net-config [routing-mode] mode and then you can configure NAT or classical routing.
WARNING:
Changing the mode of IPv4 routing causes all LAN–WAN and DMZ–WAN inbound firewall settings to revert to default settings.
Step 1
Format: net wan_settings wanmode configure
Mode: net

Step 2
Format: type {NAT | Classical_Routing}
Mode: net-config [routing-mode]

Keyword (Associated Keyword to Select): Description
  type (NAT or Classical_Routing): Specifies the IPv4 routing mode.

Command example:
FVS336Gv2> net wan_settings wanmode configure
net-config[routing-mode]> type NAT
net-config[routing-mode]> save
Related show command: show net wan_settings wanmode
net wan wan ipv4 configure <wan interface>
This command configures the IPv4 settings for a WAN interface. After you issue the net wan wan ipv4 configure command to specify one of the two WAN interfaces (that is, WAN1 or WAN2), you enter the net-config [wan-ipv4] mode. First, specify the ISP connection type (you can select only a single type). Then, for the selected ISP connection type, configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. If you select a static ISP connection type, no further configuration is required.
Step 1 Format: net wan wan ipv4 configure <wan interface>
Mode: net
Step 2 Format:
isp_connection_type {static | dhcp | pppoe | pptp} Yes
isp_login_required {Y | N}
static ip_address <ipaddress>
static subnet_mask <subnet mask>
static gateway_address <ipaddress>
static primary_dns <ipaddress>
static secondary_dns <ipaddress>
dhcpc account_name <account name>
dhcpc domain_name <domain name>
dhcpc client_identifier {Y | N}
dhcpc vendor_identifier {Y | N}
dhcpc get_dns_from_isp {Y | N {dhcpc primary_dns <ipaddress>} [dhcpc secondary_dns <ipaddress>]}
pppoe username <user name>
pppoe password <password>
pppoe AccountName <account name>
pppoe DomainName <domain name>
pppoe connectivity_type {keepalive | idletimeout {pppoe idletime <minutes>}}
pppoe get_ip_dynamically {Y | N {pppoe static_ip <ipaddress>} {pppoe subnet_mask <subnet mask>}}
pppoe get_dns_from_isp {Y | N {pppoe primary_dns <ipaddress>} [pppoe secondary_dns <ipaddress>]}
pptp username <user name>
pptp password <password>
pptp AccountName <account name>
pptp DomainName <domain name>
pptp connectivity_type {keepalive | idletimeout {pptp idle_time <seconds>}}
pptp my_address <ipaddress>
pptp server_address <ipaddress>
pptp get_ip_dynamically {Y | N {pptp static_ip <ipaddress>} {pptp subnet_mask <subnet mask>}}
pptp get_dns_from_isp {Y | N {pptp primary_dns <ipaddress>} [pptp secondary_dns <ipaddress>]}
connection_reset {N | Y {reset_hour <hour>} {reset_min <minutes>} {delay_in_reset <seconds>}}
Mode: net-config [wan-ipv4]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
isp_connection_type | static, dhcp, pppoe, or pptp; Yes | Specifies the type of ISP connection. You can specify only one type of connection, and you must confirm your selection by typing Yes (that is, Yes, and not just Y): static. Configure the keywords and parameters that are shown in the Static section of this table. dhcp. Configure the keywords and parameters that are shown in the DHCPC section of this table. pppoe. Configure the keywords and parameters that are shown in the PPPoE section of this table. pptp. Configure the keywords and parameters that are shown in the PPTP section of this table.
isp_login_required | Y or N | If the type of ISP connection is PPPoE or PPTP, enforces the ISP login requirement or allows ISP access without login.
Static
static ip_address | ipaddress | The static IP address.
static subnet_mask | subnet mask | The subnet mask that is associated with the static IP address.
static gateway_address | ipaddress | The IP address of the ISP gateway.
static primary_dns | ipaddress | The IP address of the primary DNS server.
static secondary_dns | ipaddress | The IP address of the optional secondary DNS server.
DHCPC
dhcpc account_name | account name | The ISP account name (alphanumeric string).
dhcpc domain_name | domain name | The ISP domain name (alphanumeric string).
dhcpc client_identifier | Y or N | Enables or disables the DHCP client-identifier option. If enabled, the DHCP client-identifier is sent to the ISP server. By default, the option is not sent.
dhcpc vendor_identifier | Y or N | Enables or disables the DHCP vendor-class-identifier option. If enabled, the DHCP vendor-class-identifier is sent to the ISP server. By default, the option is not sent.
dhcpc get_dns_from_isp | Y or N | Specifies whether or not the IP address of the DNS server is dynamically received from the ISP. If you select N, you must issue the dhcpc primary_dns keyword and enter the IP address of the primary DNS server. For a secondary DNS server, issue the dhcpc secondary_dns keyword, and enter the IP address.
dhcpc primary_dns | ipaddress | The IP address of the primary DNS server if your IP address is not dynamically received from the ISP.
dhcpc secondary_dns | ipaddress | The IP address of the optional secondary DNS server if your IP address is not dynamically received from the ISP.
PPPoE
pppoe username | user name | The user name (alphanumeric string) to log in to the PPPoE service, if required.
pppoe password | password | The password (alphanumeric string) to log in to the PPPoE service, if required.
pppoe AccountName | account name | The PPPoE account name (alphanumeric string).
pppoe DomainName | domain name | The PPPoE domain name (alphanumeric string).
pppoe connectivity_type | keepalive or idletimeout | Specifies the type of PPPoE connection. If you select idletimeout, you must issue the idle_time keyword and enter the idle time-out in minutes.
pppoe idle_time | minutes | The idle time-out period in minutes, from 5 to 999 minutes.
pppoe get_ip_dynamically | Y or N | Specifies whether or not the IP address is dynamically received from the ISP. If you select N, you must issue the pppoe static_ip keyword and enter the static IP address, and issue the pppoe subnet_mask keyword and enter the subnet mask.
pppoe static_ip | ipaddress | The static IP address if your IP address is not dynamically received from the ISP.
pppoe subnet_mask | subnet mask | The subnet mask if your IP address is not dynamically received from the ISP.
pppoe get_dns_from_isp | Y or N | Specifies whether or not the IP address of the DNS server is dynamically received from the ISP. If you select N, you must issue the pppoe primary_dns keyword and enter the IP address of the primary DNS server. For a secondary DNS server, issue the pppoe secondary_dns keyword, and enter the IP address.
pppoe primary_dns | ipaddress | The IP address of the primary DNS server if your IP address is not dynamically received from the ISP.
pppoe secondary_dns | ipaddress | The IP address of the optional secondary DNS server if your IP address is not dynamically received from the ISP.
PPTP
pptp username | user name | The user name (alphanumeric string) to log in to the PPTP service, if required.
pptp password | password | The password (alphanumeric string) to log in to the PPTP service, if required.
pptp AccountName | account name | The PPPoE account name (alphanumeric string).
pptp DomainName | domain name | The PPPoE domain name (alphanumeric string).
pptp connectivity_type | keepalive or idletimeout | Specifies the type of PPTP connection. If you select idletimeout, you must issue the pptp idle_time keyword and enter the idle time-out period.
pptp idle_time | minutes | The idle time-out period in minutes (5 to 999), if the PPTP connection is configured for idle time-out.
pptp my_address | ipaddress | The IP address that was assigned by the ISP to make a connection with the ISP’s PPTP server.
pptp server_address | ipaddress | The IP address of the PPTP server.
pptp get_ip_dynamically | Y or N | Specifies whether or not the IP address is dynamically received from the ISP. If you select N, you must issue the pptp static_ip keyword and enter the static IP address, and issue the pptp subnet_mask keyword and enter the subnet mask.
pptp static_ip | ipaddress | The static IP address if your IP address is not dynamically received from the ISP.
pptp subnet_mask | subnet mask | The subnet mask if your IP address is not dynamically received from the ISP.
pptp get_dns_from_isp | Y or N | Specifies whether or not the IP address of the DNS server is dynamically received from the ISP. If you select N, you must issue the pptp primary_dns keyword and enter the IP address of the primary DNS server. For a secondary DNS server, issue the pptp secondary_dns keyword, and enter the IP address.
pptp primary_dns | ipaddress | The IP address of the primary DNS server if your IP address is not dynamically received from the ISP.
pptp secondary_dns | ipaddress | The IP address of the optional secondary DNS server if your IP address is not dynamically received from the ISP.
Connection Reset
connection_reset | Y or N | Specifies whether or not the connection is automatically reset. If it is reset, you must issue the reset_hour and reset_min keywords and enter the hour and minutes after which the connection is reset. You also must issue the delay_in_reset keyword and enter the number of seconds of delay.
reset_hour | hour | The hour at which the connection is reset.
reset_min | minutes | The minutes at which the connection is reset.
delay_in_reset | seconds | After the connection resets, the number of seconds of delay before a connection attempt is made.
Command example:
FVS336Gv2> net wan wan ipv4 configure WAN2
net-config[wan-ipv4]> isp_connection_type dhcp
net-config[wan-ipv4]> dhcpc client_identifier Y
net-config[wan-ipv4]> dhcpc get_dns_from_isp N
net-config[wan-ipv4]> dhcpc primary_dns 10.124.56.118
net-config[wan-ipv4]> dhcpc secondary_dns 10.124.56.132
net-config[wan-ipv4]> save
Related show commands: show net wan wan ipv4 setup <wan interface> and show net wan wan ipv4 status <wan interface>
net wan wan ipv4 secondary_address add <wan interface>
This command configures a secondary IPv4 WAN address. After you issue the net wan wan ipv4 secondary_address add command to specify one of the two WAN interfaces (that is, WAN1 or WAN2), you enter the net-config [wan-secondary-address] mode and then you can configure the secondary WAN address and subnet mask in the order that you prefer.
Step 1 Format: net wan wan ipv4 secondary_address add {WAN1 | WAN2}
Mode: net
Step 2 Format:
ip_address <ipaddress>
subnet_mask <subnet mask>
Mode: net-config [wan-secondary-address]
Keyword | Associated Parameter to Type | Description
ip_address | ipaddress | The secondary IPv4 address for the selected WAN interface.
subnet_mask | subnet mask | The subnet mask for the secondary IP address.
Command example:
FVS336Gv2> net wan wan ipv4 secondary_address add WAN2
net-config[wan-secondary-address]> ip_address 10.168.50.1
net-config[wan-secondary-address]> subnet_mask 255.255.255.0
net-config[wan-secondary-address]> save
Related show command: show net wan wan ipv4 secondary_addresses <wan interface>
net wan wan ipv4 secondary_address delete <row id>
This command deletes a secondary IPv4 WAN address by deleting its row ID.
Format: net wan wan ipv4 secondary_address delete <row id>
Mode: net
Related show command: show net wan wan ipv4 secondary_addresses <wan interface>
net wan_settings load_balancing configure
This command configures the load balancing settings for two WAN interfaces that are configured for IPv4. After you issue the net wan_settings load_balancing configure command, you enter the net-config [load-balancing] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. However, note that the setting of the wan_mode_type keyword determines which other keywords and parameters you can apply.
Note: You can configure the load balancing settings only if the net ipv6 ipmode configure command is set to IPv4_Only.
Step 1 Format: net wan_settings load_balancing configure
Mode: net
Step 2 Format:
wan_mode_type {Primary-WAN {primary_wan_interface {WAN1 | WAN2}} {auto_rollover {N | Y {secondary_wan_interface {WAN1 | WAN2}}}} | Load-Balancing {loadbal_algo {Round-Robin | Weighted-LB}}}
Mode: net-config [load-balancing]
Keyword | Associated Keyword to Select or Parameter to Type | Description
Common settings
wan_mode_type | Primary-WAN or Load-Balancing | Specifies the load balancing settings: Primary-WAN. One WAN interface is made the primary interface. The other three interfaces are disabled. As an option, another WAN interface can be made the rollover link. The remaining two interfaces are disabled. Configure the keywords and parameters that are shown in the Primary WAN mode and auto-rollover mode settings section of this table. Load-Balancing. The VPN firewall distributes the outbound traffic equally among the WAN interfaces that are functional. Configure the keywords and parameters that are shown in the Load balancing settings section of this table, that is, issue the loadbal_algo keyword and specify the load balancing method.
Primary WAN mode and auto-rollover mode settings
primary_wan_interface | WAN1 or WAN2 | Specifies the interface that functions as the primary WAN interface.
auto_rollover | Y or N | Enables or disables auto-rollover mode. Issue the secondary_wan_interface keyword to specify the secondary WAN interface.
secondary_wan_interface | WAN1 or WAN2 | The interface that functions as the secondary WAN interface if auto-rollover mode is enabled.
Load balancing settings
loadbal_algo | Round-Robin or Weighted-LB | Specifies the load balancing method: Round-robin. With round-robin load balancing, new traffic connections are sent over a WAN link in a serial method irrespective of bandwidth or link speed. This load-balancing method ensures that a single WAN interface does not carry a disproportionate distribution of sessions. Weighted LB. With weighted load balancing, balance weights are calculated based on WAN link speed and available WAN bandwidth. This is the most efficient load-balancing algorithm.
Command example:
FVS336Gv2> net wan_settings load_balancing configure WAN1
net-config[load-balancing]> wan_mode_type Primary-WAN
net-config[load-balancing]> primary_wan_interface WAN1
net-config[load-balancing]> auto_rollover Y
net-config[load-balancing]> secondary_wan_interface WAN2
net-config[load-balancing]> save
Related show command: show net wan port_setup ipv4 <wan interface>
net protocol_binding add
This command configures a new protocol binding, that is, it binds a service to a WAN interface. After you issue the net protocol_binding add command, you enter the net-config [protocol-binding] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net protocol_binding add
Mode: net
Step 2 Format:
service_name {default_services <default service name> | custom_services <custom service name>}
local_gateway {WAN1 | WAN2}
source_network_type {address_wise {ANY | SINGLE_ADDRESS {source_network_start_ip <ipaddress>} | ADDRESS_RANGE {source_network_start_ip <ipaddress>} {source_network_end_ip <ipaddress>}} | group_wise <group name>}
destination_network_type {address_wise {ANY | SINGLE_ADDRESS {destination_network_start_ip <ipaddress>} | ADDRESS_RANGE {destination_network_start_ip <ipaddress>} {destination_network_end_ip <ipaddress>}} | group_wise <group name>}
Mode: net-config [protocol-binding]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP | Specifies the default service and protocol to which the protocol binding applies.
service_name custom_services | custom service name | The custom service that you configure with the security services add command and to which the protocol binding applies.
local_gateway | WAN1 or WAN2 | Specifies the interface to which the service is bound.
source_network_type address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of LAN source address. The address_wise and group_wise keywords are mutually exclusive.
source_network_start_ip | ipaddress | The following two options are available: The IP address if the source_network_type address_wise keywords are set to SINGLE_ADDRESS. The start IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
source_network_end_ip | ipaddress | The end IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
source_network_type group_wise | group name | The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specify with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you specify with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
destination_network_type address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of WAN destination address. The address_wise and group_wise keywords are mutually exclusive.
destination_network_start_ip | ipaddress | The following two options are available: The IP address if the source_network_type address_wise keywords are set to SINGLE_ADDRESS. The start IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
destination_network_end_ip | ipaddress | The end IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
destination_network_type group_wise | group name | The name of the WAN IP group. The WAN IP group name is a name that you specify with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
Command example:
FVS336Gv2> net protocol_binding add
net-config[protocol-binding]> service_name default_services FTP
net-config[protocol-binding]> local_gateway WAN1
net-config[protocol-binding]> source_network_type address_wise ANY
net-config[protocol-binding]> destination_network_type address_wise SINGLE_ADDRESS
net-config[protocol-binding]> destination_network_start_ip 10.122.178.214
net-config[protocol-binding]> save
Related show command: show net protocol_binding setup
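The keyword dependencies described for net protocol_binding add can be checked before a session is pasted into the CLI. The following Python script is an added example, not NETGEAR code: the function names and the second sample session are constructed for illustration, and the check that a range start does not exceed its end is an added sanity check that the manual does not state.

```python
import ipaddress
import re

# Prompts as they appear in the manual's command examples.
PROMPT = re.compile(r"^\s*(?:FVS336Gv2>|net-config\[[^\]]+\]>)\s*")
ADDRESS_KINDS = ("ANY", "SINGLE_ADDRESS", "ADDRESS_RANGE")

# Session taken from the manual's command example.
MANUAL_EXAMPLE = """\
FVS336Gv2> net protocol_binding add
net-config[protocol-binding]> service_name default_services FTP
net-config[protocol-binding]> local_gateway WAN1
net-config[protocol-binding]> source_network_type address_wise ANY
net-config[protocol-binding]> destination_network_type address_wise SINGLE_ADDRESS
net-config[protocol-binding]> destination_network_start_ip 10.122.178.214
net-config[protocol-binding]> save
"""

# Constructed session with three mistakes: an unknown gateway, a reversed
# source range, and a SINGLE_ADDRESS destination without its address.
CONSTRUCTED_BAD = """\
FVS336Gv2> net protocol_binding add
net-config[protocol-binding]> service_name default_services HTTPS
net-config[protocol-binding]> local_gateway WAN3
net-config[protocol-binding]> source_network_type address_wise ADDRESS_RANGE
net-config[protocol-binding]> source_network_start_ip 192.168.1.200
net-config[protocol-binding]> source_network_end_ip 192.168.1.20
net-config[protocol-binding]> destination_network_type address_wise SINGLE_ADDRESS
net-config[protocol-binding]> save
"""


def parse_session(text):
    """Return {keyword: [arguments]} from a pasted protocol-binding session."""
    settings = {}
    for line in text.splitlines():
        words = PROMPT.sub("", line).split()
        if not words or words[0] in ("net", "save"):
            continue  # blank line, the mode-entry command, or save
        settings[words[0]] = words[1:]
    return settings


def _check_side(settings, side, problems):
    """Apply the table's rules to the source_* or destination_* keywords."""
    args = settings.get(f"{side}_network_type")
    start = settings.get(f"{side}_network_start_ip")
    end = settings.get(f"{side}_network_end_ip")
    if not args:
        problems.append(f"{side}_network_type is missing")
        return
    if args[0] == "group_wise":
        if len(args) != 2:
            problems.append(f"{side}: group_wise needs exactly one group name")
        if start or end:
            problems.append(f"{side}: group_wise excludes the address keywords")
        return
    if args[0] != "address_wise" or len(args) != 2 or args[1] not in ADDRESS_KINDS:
        problems.append(f"{side}_network_type has an unknown value: {' '.join(args)}")
        return
    kind = args[1]
    wanted = {"start_ip": kind != "ANY", "end_ip": kind == "ADDRESS_RANGE"}
    for name, value in (("start_ip", start), ("end_ip", end)):
        if wanted[name] and not value:
            problems.append(f"{side}: {kind} requires {side}_network_{name}")
        elif value and not wanted[name]:
            problems.append(f"{side}: {side}_network_{name} is not used with {kind}")
    try:
        lo = ipaddress.IPv4Address(start[0]) if start else None
        hi = ipaddress.IPv4Address(end[0]) if end else None
    except ipaddress.AddressValueError as exc:
        problems.append(f"{side}: bad IPv4 address ({exc})")
        return
    # Added sanity check (not stated in the manual): start must not exceed end.
    if kind == "ADDRESS_RANGE" and lo and hi and lo > hi:
        problems.append(f"{side}: range start {lo} is above range end {hi}")


def lint_binding(text):
    """Return a list of problems; an empty list means the session is consistent."""
    settings = parse_session(text)
    problems = []
    service = settings.get("service_name", [])
    if len(service) != 2 or service[0] not in ("default_services", "custom_services"):
        problems.append("service_name needs default_services or custom_services plus a name")
    if settings.get("local_gateway") not in (["WAN1"], ["WAN2"]):
        problems.append("local_gateway must be WAN1 or WAN2")
    for side in ("source", "destination"):
        _check_side(settings, side, problems)
    return problems


if __name__ == "__main__":
    for label, session in (("manual", MANUAL_EXAMPLE), ("constructed", CONSTRUCTED_BAD)):
        print(label, lint_binding(session) or "ok")
```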
net protocol_binding edit <row id>
This command configures an existing protocol binding, that is, it binds a service to a WAN interface. After you issue the net protocol_binding edit command to specify the row to be edited, you enter the net-config [protocol-binding] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net protocol_binding edit <row id>
Mode: net
Step 2 Format:
service_name {default_services <default service name> | custom_services <custom service name>}
local_gateway {WAN1 | WAN2}
source_network_type {address_wise {ANY | SINGLE_ADDRESS {source_network_start_ip <ipaddress>} | ADDRESS_RANGE {source_network_start_ip <ipaddress>} {source_network_end_ip <ipaddress>}} | group_wise <group name>}
destination_network_type {address_wise {ANY | SINGLE_ADDRESS {destination_network_start_ip <ipaddress>} | ADDRESS_RANGE {destination_network_start_ip <ipaddress>} {destination_network_end_ip <ipaddress>}} | group_wise <group name>}
Mode: net-config [protocol-binding]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
service_name default_services | ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP | Specifies the default service and protocol to which the protocol binding applies.
service_name custom_services | custom service name | The custom service that you configure with the security services add command and to which the protocol binding applies.
local_gateway | WAN1 or WAN2 | Specifies the interface to which the service is bound.
source_network_type address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of LAN source address. The address_wise and group_wise keywords are mutually exclusive.
source_network_start_ip | ipaddress | The following two options are available: The IP address if the source_network_type address_wise keywords are set to SINGLE_ADDRESS. The start IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
source_network_end_ip | ipaddress | The end IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
source_network_type group_wise | group name | The name of the LAN group or LAN IP group. The LAN group name is either a default name (Group1, Group2, Group3, and so on) or a custom name that you specify with the net lan lan_groups edit <row id> <new group name> command. The LAN IP group name is a name that you specify with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
destination_network_type address_wise | ANY, SINGLE_ADDRESS, or ADDRESS_RANGE | Specifies the type of WAN destination address. The address_wise and group_wise keywords are mutually exclusive.
destination_network_start_ip | ipaddress | The following two options are available: The IP address if the source_network_type address_wise keywords are set to SINGLE_ADDRESS. The start IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
destination_network_end_ip | ipaddress | The end IP address if the source_network_type address_wise keywords are set to ADDRESS_RANGE.
destination_network_type group_wise | group name | The name of the WAN IP group. The WAN IP group name is a name that you specify with the security services ip_group add command. The address_wise and group_wise keywords are mutually exclusive.
Related show command: show net protocol_binding setup
net protocol_binding delete
This command deletes a protocol binding by deleting its row ID.
Format: net protocol_binding delete <row id>
Mode: net
Related show command: show net protocol_binding setup
net protocol_binding disable
This command disables a protocol binding by specifying its row ID.
Format: net protocol_binding disable <row id>
Mode: security
Related show command: show net protocol_binding setup
net protocol_binding enable
This command enables a protocol binding by specifying its row ID.
Format: net protocol_binding enable <row id>
Mode: security
Related show command: show net protocol_binding setup

IPv6 WAN Commands

This section describes the following commands:
net ipv6 ipmode configure
net wan wan ipv6 configure <wan interface>
net siit configure
net ipv6 ipmode configure
This command configures the IPv6 mode. After you issue the net ipv6 ipmode configure command, you enter the net-config [mode] mode and then you can configure the IP mode. You can select support for IPv4 only or for both IPv4 and IPv6.
WARNING:
Changing the IP mode causes the VPN firewall to reboot.
Step 1 Format: net ipv6 ipmode configure
Mode: net
Step 2 Format: ip_type {IPv4_Only | IPv4/IPv6}
Mode: net-config [mode]
Keyword | Associated Keyword to Select | Description
ip_type | IPv4_Only or IPv4/IPv6 | Specifies the IPv6 routing mode.
Command example:
FVS336Gv2> net ipv6 ipmode configure
net-config[mode]> ip_type IPv4/IPv6
net-config[mode]> save
Related show command: show net ipv6 ipmode setup
net wan wan ipv6 configure <wan interface>
This command configures the IPv6 settings for a WAN interface. After you issue the net wan wan ipv6 configure command to specify one of the two WAN interfaces (that is, WAN1 or WAN2), you enter the net-config [wan-ipv6] mode. First, specify the ISP connection type (you can select only a single type). Then, for the selected ISP connection type, configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net wan wan ipv6 configure <wan interface>
Mode: net
Step 2 Format:
isp type {STATIC | DHCPC | PPPoE}
static ip_address <ipv6-address>
static prefix <prefix-length>
static gateway_address <ipv6-address>
static primary_dns <ipv6-address>
static secondary_dns <ipv6-address>
dhcpc stateless_mode_enable {StatelessAddrAutoConfig [prefix_delegation_enable {Y | N}] | StatefulAddrAutoConfig}
pppoe user_name <user name>
pppoe password <password>
pppoe dhcpv6_option {Disable-DHCPv6 {pppoe primary_dns <ipv6-address>} {pppoe secondary_dns <ipv6-address>} | DHCPv6-StatelessMode | DHCPv6-StatefulMode | DHCPv6-Prefix-Delegation}
Mode: net-config [wan-ipv6]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
isp type | STATIC, DHCPC, or PPPoE | Specifies the type of ISP connection: STATIC. Configure the keywords and parameters that are shown in the Static section of this table. DHCPC. Configure the keywords and parameters that are shown in the DHCPC section of this table. PPPoE. Configure the keywords and parameters that are shown in the PPPoE section of this table.
Static
static ip_address | ipv6-address | The IPv6 address of the WAN interface.
static prefix | prefix-length | The prefix length (integer) for the static address.
static gateway_address | ipv6-address | The IPv6 address of the gateway.
static primary_dns | ipv6-address | The IPv6 address of the primary DNS server.
static secondary_dns | ipv6-address | The IPv6 address of the secondary DNS server.
DHCPC
dhcpc stateless_mode_enable | StatelessAddrAutoConfig or StatefulAddrAutoConfig | Specifies the type of DHCPv6 mode (stateless or stateful). If you set the dhcpc stateless_mode_enable keywords to StatelessAddrAutoConfig, you have the option to set the dhcpc prefix_delegation_enable keywords and associated parameter.
prefix_delegation_enable | Y or N | Enables or disables prefix delegation if the dhcpc stateless_mode_enable keywords are set to StatelessAddrAutoConfig. Prefix delegation allows the ISP’s stateful DHCPv6 server to assign a prefix.
PPPoE
pppoe user_name | user name | The PPPoE user name that is provided by the ISP.
pppoe password | password | The PPPoE password that is provided by the ISP.
pppoe dhcpv6_option | Disable-DHCPv6, DHCPv6-StatelessMode, DHCPv6-StatefulMode, or DHCPv6-Prefix-Delegation | Specifies the DHCPv6 server options for the PPPoE configuration: Disable-DHCPv6. DHCPv6 is disabled. You must issue the pppoe primary_dns and pppoe secondary_dns keywords and specify DNS servers to receive an IP address from the ISP. DHCPv6-StatelessMode. The VPN firewall generates its own IP address by using a combination of locally available information and router advertisements, but receives DNS server information from the ISP’s DHCPv6 server. Router advertisements include a prefix that identifies the subnet that is associated with the WAN port. The IP address is formed by combining this prefix and the MAC address of the WAN port. The IP address is a dynamic address. DHCPv6-StatefulMode. The VPN firewall obtains an interface address, configuration information such as DNS server information, and other parameters from the ISP’s DHCPv6 server. The IP address is a dynamic address. DHCPv6-Prefix-Delegation. The VPN firewall obtains a prefix from the ISP’s DHCPv6 server through prefix delegation. The VPN firewall’s own stateless DHCPv6 server can assign this prefix to its IPv6 LAN clients.
pppoe primary_dns | ipv6-address | The IPv6 address of the primary DNS server if the DHCPv6 server option is Disable-DHCPv6.
pppoe secondary_dns | ipv6-address | The IPv6 address of the secondary DNS server if the DHCPv6 server option is Disable-DHCPv6.
Command example:
FVS336Gv2> net wan wan ipv6 configure WAN2
net-config[wan-ipv6]> isp type DHCPC
net-config[wan-ipv6]> dhcpc stateless_mode_enable StatelessAddrAutoConfig
net-config[wan-ipv6]> prefix_delegation_enable Y
net-config[wan-ipv6]> save
Related show commands: show net wan wan ipv6 setup <wan interface> and show net wan wan ipv6 status <wan interface>
net siit configure
This command enables and configures Stateless IP/ICMP Translation (SIIT). After you issue the net siit configure command, you enter the net-config [siit] mode and then you can enable SIIT and configure the IPv4 address.
Step 1 Format: net siit configure
Mode: net
Step 2 Format:
enable {Y | N}
ipv4_address <ipaddress>
Mode: net-config [siit]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable | Y or N | Enables or disables SIIT.
ipv4_address | subnet mask | The IPv4 address for the SIIT configuration.
Command example:
FVS336Gv2> net siit configure
net-config[siit]> enable Y
net-config[siit]> ipv4_address 192.168.5.117
net-config[siit]> save
Related show command: show net siit setup

IPv6 Tunnel Commands

This section describes the following commands:
net ipv6_tunnel isatap add
net ipv6_tunnel isatap edit <row id>
net ipv6_tunnel isatap delete <row id>
net ipv6_tunnel six_to_four configure
net ipv6_tunnel isatap add
This command configures a new ISATAP tunnel. After you issue the net ipv6_tunnel isatap add command, you enter the net-config [isatap-tunnel] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Note: To be able to configure an ISATAP tunnel, you first must set the IP mode to IPv4/IPv6 (see the net ipv6 ipmode configure command).
Step 1 Format: net ipv6_tunnel isatap add
Mode: net
Step 2 Format:
subnet_prefix <subnet prefix>
end_point_type {LAN | Other_IP {ipv4_address <address>}}
Mode: net-config [isatap-tunnel]
Keyword | Associated Keyword to Select or Parameter to Type | Description
subnet_prefix | subnet prefix | The IPv6 64-bit subnet prefix (string) that is assigned to the logical ISATAP subnet for this intranet.
end_point_type | LAN or Other_IP | Specifies the local endpoint IP address for the tunnel that is initiated on the VPN firewall. The endpoint can be the LAN interface or a specific LAN IPv4 address. If you select Other_IP, you also must issue the ipv4_address keyword to specify an IPv4 address.
ipv4_address | ipaddress | The IPv4 address of a local endpoint that is not a LAN IPv4 address.
Command example:
FVS336Gv2> net ipv6_tunnel isatap add
net-config[isatap-tunnel]> subnet_prefix 2004::
net-config[isatap-tunnel]> end_point_type Other_IP
net-config[isatap-tunnel]> ipv4_address 10.29.33.4
net-config[isatap-tunnel]> save
Related show commands: show net ipv6_tunnel setup and show net ipv6_tunnel status
net ipv6_tunnel isatap edit <row id>
This command configures an existing ISATAP tunnel. After you issue the net ipv6_tunnel isatap edit command to specify the row to be edited, you enter the net-config [isatap-tunnel] mode and then you can change one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net ipv6_tunnel isatap edit <row id>
Mode: net
Step 2 Format:
subnet_prefix <subnet prefix>
end_point_type {LAN | Other_IP {ipv4_address <address>}}
Mode: net-config [isatap-tunnel]
Keyword | Associated Keyword to Select or Parameter to Type | Description
subnet_prefix | subnet prefix | The IPv6 64-bit subnet prefix (string) that is assigned to the logical ISATAP subnet for this intranet.
end_point_type | LAN or Other_IP | Specifies the local endpoint IP address for the tunnel that is initiated on the VPN firewall. The endpoint can be the LAN interface or a specific LAN IPv4 address. If you select Other_IP, you also must issue the ipv4_address keyword to specify an IPv4 address.
ipv4_address | ipaddress | The IPv4 address of a local endpoint that is not a LAN IPv4 address.
Related show commands: show net ipv6_tunnel setup and show net ipv6_tunnel status

net ipv6_tunnel isatap delete <row id>
This command deletes an ISATAP tunnel by deleting its row ID.
Note: Before you can delete an ISATAP tunnel, you first must set the IP mode to IPv4/IPv6 (see the net ipv6 ipmode configure command).
Format: net ipv6_tunnel isatap delete <row id>
Mode: net
Related show commands: show net ipv6_tunnel setup and show net ipv6_tunnel status

net ipv6_tunnel six_to_four configure
This command enables or disables automatic tunneling, which allows traffic from an IPv6 LAN to be tunneled through an IPv4 WAN to reach an IPv6 network. After you issue the net ipv6_tunnel six_to_four configure command, you enter the net-config [six-to-four-tunnel] mode and then you can configure automatic tunneling.
Step 1 Format: net ipv6_tunnel six_to_four configure
Mode: net
Step 2 Format: automatic_tunneling_enable {Y | N}
Mode: net-config [six-to-four-tunnel]
Keyword | Associated Keyword to Select | Description
automatic_tunneling_enable | Y or N | Enables or disables automatic tunneling.
Command example:
FVS336Gv2> net ipv6_tunnel six_to_four configure
net-config[six-to-four-tunnel]> automatic_tunneling_enable Y
net-config[six-to-four-tunnel]> save
Related show commands: show net ipv6_tunnel setup and show net ipv6_tunnel status

Dynamic DNS Command

This section describes the net ddns configure command.
net ddns configure
This command enables, configures, or disables Dynamic DNS (DDNS) service. After you issue the net ddns configure command, you enter the net-config [ddns] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer. Before you specify a keyword, you must specify the WAN interface to which the configuration applies.
Step 1 Format: net ddns configure
Mode: net
Step 2 Format:
{wan1 | wan2} enable {Disable | DynDNS | TZO | DNS_Oray | 3322_DDNS}
{wan1 | wan2} hostname <host name>
{wan1 | wan2} username <user name>
{wan1 | wan2} password <password>
{wan1 | wan2} wild_flag_enable {Y | N}
{wan1 | wan2} time_update_enable {Y | N}
Mode: net-config [ddns]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
{wan1 | wan2} enable | Disable, DynDNS, TZO, DNS_Oray, or 3322_DDNS | Specifies whether DDNS is disabled or enabled with a particular service. Use the Disable keyword to disable DDNS after you have first enabled the service. The other keywords represent DDNS service providers and are self-explanatory.
{wan1 | wan2} hostname | host name | Configures a host name (string) for a DDNS server.
{wan1 | wan2} username | user name | Configures a user name (string) for a DDNS server.
{wan1 | wan2} password | password | Configures a password (string) for a DDNS server.
{wan1 | wan2} wild_flag_enable | Y or N | Enables or disables the use of wildcards for DDNS.
{wan1 | wan2} time_update_enable | Y or N | Enables or disables the automatic update of the DDNS service after 30 days.
Command example:
FVS336Gv2> net ddns configure
net-config[ddns]> wan2 enable DynDNS
net-config[ddns]> wan2 hostname adminnetgear.dyndns.org
net-config[ddns]> wan2 username jaybrown
net-config[ddns]> wan2 password 4hg!RA278s
net-config[ddns]> wan2 wild_flag_enable N
net-config[ddns]> wan2 time_update_enable Y
net-config[ddns]> save
Related show command: show net ddns setup

IPv4 LAN Commands

This section describes the following commands:
net lan ipv4 configure <vlan id>
net lan ipv4 delete <vlan id>
net lan ipv4 disable <vlan id>
net lan ipv4 enable <vlan id>
net ethernet configure <interface name or number>
net lan ipv4 default_vlan
net lan ipv4 advanced configure
net lan dhcp reserved_ip configure <mac address>
net lan dhcp reserved_ip delete <mac address>
net lan lan_groups edit <row id> <new group name>
net lan ipv4 multi_homing add
net lan ipv4 multi_homing edit <row id>
net lan ipv4 multi_homing delete <row id>
net lan ipv4 traffic_meter configure <ip address>
net lan ipv4 traffic_meter delete <row id>
net lan ipv4 configure <vlan id>
This command configures a new or existing VLAN, that is, a VLAN ID and a VLAN profile. After you issue the net lan ipv4 configure command to specify a new or existing VLAN ID, you enter the net-config [lan-ipv4] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net lan ipv4 configure <vlan id>
Mode: net
Step 2 Format:
profile_name <name>
port_membership {[port 1 {Y | N}] | [port 2 {Y | N}] | [port 3 {Y | N}] | [port 4 {Y | N}]}
static address <ipaddress>
static subnet_mask <subnet mask>
dhcp dhcp_mode {None | DHCP-Server | DHCP-Relay}
proxy dns_enable {Y | N}
inter_vlan_routing {Y | N}
dhcp domain_name <domain name>
dhcp start_address <ipaddress>
dhcp end_address <ipaddress>
dhcp primary_dns <ipaddress>
dhcp secondary_dns <ipaddress>
dhcp wins_server <ipaddress>
dhcp lease_time <hours>
enable_ldap {Y | N}
ldap_serverip <ipaddress>
ldap_search_base <search base>
ldap_port <number>
dhcp relay_gateway <ipaddress>
Mode: net-config [lan-ipv4]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
profile_name | name | The name of the VLAN profile.
port_membership port1, port_membership port2, port_membership port3, port_membership port4 | Y or N | Specifies whether or not the port is a member of the VLAN. You must specify each port individually.
static address | ipaddress | The static IPv4 address for the VLAN.
static subnet_mask | subnet mask | The IPv4 subnet mask for the VLAN profile.
dhcp dhcp_mode | None, DHCP-Server, or DHCP-Relay | Specifies the DHCP mode for the devices that are connected to the VLAN: None. The DHCP server is disabled. No further DHCP configuration is required. DHCP-Server. Configure the keywords and parameters that are shown in the DHCP server section of this table. DHCP-Relay. Configure the keywords and parameters that are shown in the DHCP relay section of this table.
proxy dns_enable | Y or N | Enables or disables the LAN DNS proxy.
inter_vlan_routing | Y or N | Enables or disables inter-VLAN routing.
DHCP server
dhcp domain_name | domain name | The FQDN or domain name of the DHCP server.
dhcp start_address | ipaddress | The start IP address for the DHCP address range.
dhcp end_address | ipaddress | The end IP address for the DHCP address range.
dhcp primary_dns | ipaddress | The IP address of the primary DNS server for the DHCP server.
dhcp secondary_dns | ipaddress | The IP address of the secondary DNS server for the DHCP server.
dhcp wins_server | ipaddress | The IP address of the WINS server for the DHCP server.
dhcp lease_time | hours | The DHCP lease time in hours.
enable_ldap | Y or N | Enables or disables LDAP.
ldap_serverip | ipaddress | The IP address of the LDAP server.
ldap_search_base | search base | The search base (string) for LDAP.
ldap_port | number | The port number for the LDAP server.
DHCP relay
dhcp relay_gateway | ipaddress | The IP address of the DHCP relay gateway.
Command example:
FVS336Gv2> net lan ipv4 configure 4
net-config[lan-ipv4]> profile_name Marketing
net-config[lan-ipv4]> port_membership port 1 Y
net-config[lan-ipv4]> port_membership port 3 Y
net-config[lan-ipv4]> port_membership port 4 Y
net-config[lan-ipv4]> static address 192.168.1.1
net-config[lan-ipv4]> static subnet_mask 255.255.255.0
net-config[lan-ipv4]> dhcp dhcp_mode DHCP-Relay
net-config[lan-ipv4]> dhcp relay_gateway 10.172.214.198
net-config[lan-ipv4]> proxy dns_enable N
net-config[lan-ipv4]> inter_vlan_routing Y
net-config[lan-ipv4]> save
Related show command: show net lan ipv4 setup

net lan ipv4 delete <vlan id>
This command deletes a VLAN by deleting its ID. You cannot delete VLAN 1, the default VLAN.
Format: net lan ipv4 delete <vlan id>
Mode: net
Related show command: show net lan ipv4 setup

net lan ipv4 disable <vlan id>
This command disables a VLAN by specifying its ID. You cannot disable VLAN 1, the default VLAN.
Format: net lan ipv4 disable <vlan id>
Mode: net
Related show command: show net lan ipv4 setup

net lan ipv4 enable <vlan id>
This command enables a VLAN by specifying its ID. VLAN 1, the default VLAN, is always enabled.
Format: net lan ipv4 enable <vlan id>
Mode: net
Related show command: show net lan ipv4 setup

net ethernet configure <interface name or number>
This command configures a VLAN for a LAN interface. After you issue the net ethernet configure command to specify a LAN interface, you enter net-config [ethernet] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net ethernet configure <interface name or number>
Mode: net
Step 2 Format:
vlanid <number>
vlan-enable {Y | N}
native-vlan {Y | N}
Mode: net-config [ethernet]
Keyword | Associated Keyword to Select or Parameter to Type | Description
vlanid | number | The VLAN ID.
vlan-enable | Y or N | Enables or disables the VLAN for this interface.
native-vlan | Y or N | Enables or disables the default (native) VLAN for this interface.
Command example:
FVS336Gv2> net ethernet configure eth0
net-config[ethernet]> vlanid 12
net-config[ethernet]> vlan-enable Y
net-config[ethernet]> native-vlan N
net-config[ethernet]> save
Note: To enter the net-config [ethernet] mode, you can issue the net ethernet configure command with either an interface name such as eth0 or an interface number such as 0.
Related show command: show net ethernet

net lan ipv4 default_vlan
This command configures the default VLAN for each port. After you issue the net lan ipv4 default_vlan command, you enter the net-config [lan-ipv4-defvlan] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net lan ipv4 default_vlan
Mode: net
Step 2 Format:
port1 <vlan name>
port2 <vlan name>
port3 <vlan name>
port4 <vlan name>
Mode: net-config [lan-ipv4-defvlan]
Keyword | Associated Parameter to Type | Description
port1, port2, port3, port4 | vlan name | Specifies the default VLAN name. You must specify the name for each port individually.
Command example:
FVS336Gv2> net lan ipv4 default_vlan
net-config[lan-ipv4-defvlan]> port1 Default
net-config[lan-ipv4-defvlan]> port2 Default
net-config[lan-ipv4-defvlan]> port3 Management
net-config[lan-ipv4-defvlan]> port4 Sales
net-config[lan-ipv4-defvlan]> save
Related show command: show net lan ipv4 setup

net lan ipv4 advanced configure
This command configures advanced LAN settings such as the MAC address for VLANs and ARP broadcast. After you issue the net lan ipv4 advanced configure command, you enter the net-config [lan-ipv4-adv] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net lan ipv4 advanced configure
Mode: net
Step 2 Format:
vlan_mac_offset_type {Same | Unique}
enable_arp_broadcast {Y | N}
Mode: net-config [lan-ipv4-adv]
Keyword | Associated Keyword to Select | Description
vlan_mac_offset_type | Same or Unique | Specifies the MAC address for VLANs: Same. All VLAN profiles use the same MAC address as the LAN ports. (All LAN ports share the same MAC address.) Unique. Each VLAN (up to 16 VLANs) is assigned a unique MAC address.
enable_arp_broadcast | Y or N | Enables or disables the broadcast of ARP packets.
Command example:
FVS336Gv2> net lan ipv4 advanced configure
net-config[lan-ipv4-adv]> vlan_mac_offset_type Same
net-config[lan-ipv4-adv]> enable_arp_broadcast Y
net-config[lan-ipv4-adv]> save
Related show command: show net lan ipv4 advanced setup

net lan dhcp reserved_ip configure <mac address>
This command binds a MAC address to an IP address for DHCP reservation or lets you edit an existing binding. The command also assigns the device or computer to which the MAC address belongs to one of eight LAN groups. After you issue the net lan dhcp reserved_ip configure command to configure the MAC address, you enter the net-config [dhcp-reserved-ip] mode and then you can configure the IP address for the binding configuration.
Step 1 Format: net lan dhcp reserved_ip configure <mac address>
Mode: net
Step 2 Format:
ip_mac_name <device name>
ip_addr_type {Fixed_set_on_PC | Dhcp_Reserved_IP}
ip_address <ipaddress>
group_name {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 | Group7 | Group8 | <custom group name>}
vlan_profile <vlan name>
Mode: net-config [dhcp-reserved-ip]
Keyword | Associated Keyword to Select or Parameter to Type | Description
ip_mac_name | device name | The name of the computer or device.
ip_addr_type | Fixed_set_on_PC or Dhcp_Reserved_IP | Specifies the IP address type: Fixed_set_on_PC. The IP address is statically assigned on the computer or device. Dhcp_Reserved_IP. The DHCP server of the wireless VPN firewall always assigns the specified IP address to this client during the DHCP negotiation.
ip_address | ipaddress | The IP address to be bound to the specified MAC address. The IP address must be in the IP subnet of the VLAN to which the computer or device is assigned.
group_name | Group1, Group2, Group3, Group4, Group5, Group6, Group7, or Group8, or custom group name | Specifies the group to which the computer or device must be assigned. You can also enter a custom group name that you specify with the net lan lan_groups edit <row id> <new group name> command.
vlan_profile | vlan name | The name of the VLAN to which the computer or device must be assigned.
Command example:
FVS336Gv2> net lan dhcp reserved_ip configure AA:BB:CC:1A:2B:3C
net-config[dhcp-reserved-ip]> ip_addr_type Dhcp_Reserved_IP
net-config[dhcp-reserved-ip]> ip_address 192.168.27.219
net-config[dhcp-reserved-ip]> group_name Group3
net-config[dhcp-reserved-ip]> vlan_profile Default
net-config[dhcp-reserved-ip]> save
Related show commands: show net lan dhcp reserved_ip setup and show net lan dhcp leased_clients list

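The ip_address rule for net lan dhcp reserved_ip configure (the address must be in the IP subnet of the assigned VLAN) can be checked before the commands are typed. The following Python script is an added example, not NETGEAR code: the VLAN table, the inventory and all function names are constructed for illustration, and it assumes the colon-separated MAC form shown in the manual's command example.

```python
import ipaddress
import re

# MAC form taken from the manual's command example (AA:BB:CC:1A:2B:3C).
# Assumption: other notations are rejected here instead of being sent to the CLI.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")
ADDR_TYPES = ("Fixed_set_on_PC", "Dhcp_Reserved_IP")

# Constructed sample data: VLAN profile name -> (static address, static subnet_mask),
# the two values set with "net lan ipv4 configure <vlan id>".
VLANS = {
    "Default": ("192.168.27.1", "255.255.255.0"),
    "Marketing": ("192.168.1.1", "255.255.255.0"),
}

# Constructed inventory. Entry 0 mirrors the manual's command example.
RESERVATIONS = [
    {"mac": "AA:BB:CC:1A:2B:3C", "ip_addr_type": "Dhcp_Reserved_IP",
     "ip_address": "192.168.27.219", "group_name": "Group3", "vlan_profile": "Default"},
    # Address from the Default subnet, but the device is placed in Marketing.
    {"mac": "AA:BB:CC:1A:2B:3D", "ip_addr_type": "Dhcp_Reserved_IP",
     "ip_address": "192.168.27.220", "group_name": "Group3", "vlan_profile": "Marketing"},
    # Same MAC (different case) and same IP as entry 0.
    {"mac": "aa:bb:cc:1a:2b:3c", "ip_addr_type": "Fixed_set_on_PC",
     "ip_address": "192.168.27.219", "group_name": "Group1", "vlan_profile": "Default"},
    # Hyphenated MAC and the broadcast address of the Marketing subnet.
    {"mac": "AA-BB-CC-00-00-01", "ip_addr_type": "Dhcp_Reserved_IP",
     "ip_address": "192.168.1.255", "group_name": "Group2", "vlan_profile": "Marketing"},
]


def vlan_network(vlans, name):
    """IPv4 network of a VLAN profile, derived from its static address and mask."""
    address, mask = vlans[name]
    return ipaddress.ip_network(f"{address}/{mask}", strict=False)


def check_reservation(entry, vlans):
    """Return the problems found in one reservation (empty list means it passes)."""
    problems = []
    if not MAC_RE.match(entry["mac"]):
        problems.append("mac: expected six colon-separated hex octets")
    if entry["ip_addr_type"] not in ADDR_TYPES:
        problems.append("ip_addr_type: must be Fixed_set_on_PC or Dhcp_Reserved_IP")
    if entry["vlan_profile"] not in vlans:
        return problems + ["vlan_profile: unknown VLAN profile"]
    try:
        ip = ipaddress.IPv4Address(entry["ip_address"])
    except ValueError:
        return problems + ["ip_address: not an IPv4 address"]
    net = vlan_network(vlans, entry["vlan_profile"])
    if ip not in net:
        # The rule stated in the ip_address description of the manual.
        problems.append(
            f"ip_address: {ip} is outside {net}, the subnet of VLAN {entry['vlan_profile']}")
    elif ip in (net.network_address, net.broadcast_address):
        # Added sanity check, not stated in the manual.
        problems.append(f"ip_address: {ip} is the network or broadcast address of {net}")
    return problems


def check_inventory(entries, vlans):
    """Check every entry and flag MAC or IP values that appear more than once."""
    report, seen_mac, seen_ip = {}, {}, {}
    for index, entry in enumerate(entries):
        problems = check_reservation(entry, vlans)
        mac_key = entry["mac"].upper()  # assumption: MACs compare case-insensitively
        if mac_key in seen_mac:
            # "configure" on a known MAC edits the existing binding.
            problems.append(f"mac: already used by entry {seen_mac[mac_key]}")
        else:
            seen_mac[mac_key] = index
        if entry["ip_address"] in seen_ip:
            problems.append(f"ip_address: already bound by entry {seen_ip[entry['ip_address']]}")
        else:
            seen_ip[entry["ip_address"]] = index
        report[index] = problems
    return report


def render_commands(entry):
    """Command lines for one reservation, in the order of the manual's example."""
    lines = [f"net lan dhcp reserved_ip configure {entry['mac']}"]
    if entry.get("ip_mac_name"):
        lines.append(f"ip_mac_name {entry['ip_mac_name']}")
    for key in ("ip_addr_type", "ip_address", "group_name", "vlan_profile"):
        lines.append(f"{key} {entry[key]}")
    lines.append("save")
    return lines


if __name__ == "__main__":
    for index, problems in check_inventory(RESERVATIONS, VLANS).items():
        if problems:
            print(f"entry {index}: REJECTED")
            for problem in problems:
                print(f"  - {problem}")
        else:
            print(f"entry {index}: ok")
            print("\n".join("  " + line for line in render_commands(RESERVATIONS[index])))
```

Only entries with an empty problem list are rendered, so a rejected reservation never reaches the net-config [dhcp-reserved-ip] prompt.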
net lan dhcp reserved_ip delete <mac address>
This command deletes the binding of a MAC address to an IP address.
Format: net lan dhcp reserved_ip delete <mac address>
Mode: net
Related show commands: show net lan dhcp reserved_ip setup and show net lan dhcp leased_clients list

net lan lan_groups edit <row id> <new group name>
This command specifies an IPv4 LAN group name, that is, it changes a default group name such as Group1, Group2, or Group3. You must specify both the row id that represents the group (for example, 2 for Group2, or 5 for Group5) and the new name for the group.
Format: net lan lan_group edit <row id> <new group name>
Mode: net
Related show command: show net lan lan_groups

net lan ipv4 multi_homing add
This command configures a new IPv4 alias, that is, a secondary IPv4 address. After you issue the net lan ipv4 multi_homing add command, you enter the net-config [lan-ipv4-multihoming] mode and then you can configure the secondary address and subnet mask in the order that you prefer.
Step 1 Format: net lan ipv4 multi_homing add
Mode: net
Step 2 Format:
ip_address <ipaddress>
subnet_mask <subnet mask>
Mode: net-config [lan-ipv4-multihoming]
Keyword | Associated Parameter to Type | Description
ip_address | ipaddress | The secondary IPv4 address for the LAN.
subnet_mask | subnet mask | The subnet mask for the secondary IPv4 address.
Command example:
FVS336Gv2> net lan ipv4 multi_homing add
net-config[lan-ipv4-multihoming]> ip_address 192.168.16.110
net-config[lan-ipv4-multihoming]> subnet_mask 255.255.255.248
net-config[lan-ipv4-multihoming]> save
Related show command: show net lan ipv4 multiHoming

net lan ipv4 multi_homing edit <row id>
This command configures an existing IPv4 alias, that is, a secondary IPv4 address. After you issue the net lan ipv4 multi_homing edit command to specify the row to be edited, you enter the net-config [lan-ipv4-multihoming] mode and then you can configure the secondary address and subnet mask in the order that you prefer.
Step 1 Format: net lan ipv4 multi_homing edit
Mode: net
Step 2 Format:
ip_address <ipaddress>
subnet_mask <subnet mask>
Mode: net-config [lan-ipv4-multihoming]
Keyword | Associated Parameter to Type | Description
ip_address | ipaddress | The secondary IPv4 address for the LAN.
subnet_mask | subnet mask | The subnet mask for the secondary IPv4 address.
Related show command: show net lan ipv4 multiHoming

net lan ipv4 multi_homing delete <row id>
This command deletes a secondary IPv4 address by specifying its row ID.
Format: net lan ipv4 multi_homing delete <row id>
Mode: net
Related show command: show net lan ipv4 multiHoming

net lan ipv4 traffic_meter configure <ip address>
This command configures a LAN traffic meter profile for an IP address. When the traffic limit is reached, further traffic for that IP address is blocked. After you issue the net lan ipv4 traffic_meter configure command to specify the IP address, you enter the net-config [lan-ipv4-traffic-meter] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net lan ipv4 traffic_meter configure <ip address>
Mode: net
Step 2 Format:
direction {Downloadonly | BothDirections}
limit <number>
counter {RestartCounter | SpecificTime {day_of_month <day>} {time_hour <hour>} {time_meridiem {AM | PM}} {time_minute <minute>}}
send_email_report {Y | N}
send_email_alert {Y | N}
Mode: net-config [lan-ipv4-traffic-meter]
Keyword | Associated Keyword to Select or Parameter to Type | Description
Traffic meter configuration
direction | Downloadonly or BothDirections | Specifies the type of traffic limit: Downloadonly. The traffic limit applies to downloaded traffic only. BothDirections. The traffic limit applies to both downloaded and uploaded traffic.
limit | number | The limit for the traffic meter in MB. The maximum limit that you can enter is 256,000 MB (about 250 GB).
Traffic counter configuration
counter | SpecificTime or RestartCounter | Specifies how the traffic counter is restarted: SpecificTime. Restarts the traffic counter on a specific day and time. You must set the day_of_month, time_hour, time_meridiem, and time_minute keywords and associated parameters. RestartCounter. Restarts the traffic counter after you save the command.
day_of_month | day | The day in the format DD (01 to 31) that the traffic counter restarts. This keyword applies only if you set the counter keyword to SpecificTime.
time_hour | hour | The hour in the format HH (00 to 12) that the traffic counter restarts. This keyword applies only if you set the counter keyword to SpecificTime.
time_meridiem | AM or PM | Specifies the meridiem for the hour that the traffic counter restarts. This keyword applies only if you set the counter keyword to SpecificTime.
time_minute | minutes | The minutes in the format MM (00 to 59) that the traffic counter restarts. This keyword applies only if you set the counter keyword to SpecificTime.
send_email_report | Y or N | Specifies whether or not an email report is sent when the traffic counter restarts.
Action when limit is reached
send_email_alert | Y or N | Specifies whether or not an email alert is sent when the traffic limit is reached and further traffic is blocked.
Command example:
FVS336Gv2> net lan ipv4 traffic_meter configure 192.168.11.204
net-config[lan-ipv4-traffic-meter]> direction BothDirections
net-config[lan-ipv4-traffic-meter]> limit 45000
net-config[lan-ipv4-traffic-meter]> counter RestartCounter
net-config[lan-ipv4-traffic-meter]> send_email_report N
net-config[lan-ipv4-traffic-meter]> send_email_alert N
net-config[lan-ipv4-traffic-meter]> save
Related show commands: show net lan ipv4 traffic_meter setup and show net lan ipv4 traffic_meter detailed_setup <row id>

net lan ipv4 traffic_meter delete <row id>
This command deletes a LAN traffic meter profile by specifying its row ID.
Format: net lan ipv4 traffic_meter delete <row id>
Mode: net
Related show command: show net lan ipv4 traffic_meter setup

IPv6 LAN Commands

This section describes the following commands:
net lan ipv6 configure
net lan ipv6 pool add
net lan ipv6 pool edit <row id>
net lan ipv6 pool delete <row id>
net lan ipv6 multi_homing add
net lan ipv6 multi_homing edit <row id>
net lan ipv6 multi_homing delete <row id>
net radvd configure lan
net radvd pool lan add
net radvd pool lan edit <row id>
net radvd pool lan delete <row id>
net lan ipv6 prefix_delegation add
net lan ipv6 prefix_delegation edit <row id>
net lan ipv6 prefix_delegation delete <row id>
net lan ipv6 configure
This command configures the IPv6 LAN address settings and DHCPv6. After you issue the net lan ipv6 configure command, you enter the net-config [lan-ipv6] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net lan ipv6 configure
Mode: net
Step 2 Format:
static address <ipv6-address>
static prefix_length <prefix length>
dhcp server_enable {N | Y {dhcp mode {Stateless | Stateful}}}
dhcp prefix_delegation_enable {Y | N}
dhcp domain name <domain name>
dhcp server_preference <number>
dhcp dns_type {useDnsProxy | useDnsFromISP | useEnteredDns {dhcp primary_dns <ipv6-address>} [dhcp secondary_dns <ipv6-address>]}
dhcp rebind_time <seconds>
Mode: net-config [lan-ipv6]
Keyword (consists of two separate words) | Associated Keyword to Select or Parameter to Type | Description
static address | ipv6-address | The link-local IPv6 address.
static prefix_length | prefix length | The IPv6 prefix length (integer) of the link-local IPv6 address.
dhcp server_enable | Y or N | Enables or disables DHCPv6. If you enable DHCPv6, you also must issue the dhcp mode keywords to specify a stateless or stateful DHCPv6 server and configure the server.
dhcp mode | Stateless or Stateful | Specifies the DHCPv6 mode (stateless or stateful).
dhcp prefix_delegation_enable | Y or N | Enables or disables prefix delegation. This option is available only if the dhcp mode keywords are set to Stateless. For information about how to configure prefixes, see the net lan ipv6 prefix_delegation add command.
dhcp domain_name | domain name | The server domain name (string) or FQDN for the DHCP server.
dhcp server_preference | number | The preference number (integer) of the DHCP server.
dhcp dns_type | useDnsProxy, useDnsFromISP, or useEnteredDns | Specifies the DNS server type. If you select useEnteredDns, you also must issue the dhcp primary_dns keyword and associated parameter. The dhcp secondary_dns keyword and associated parameter are optional.
dhcp primary_dns | ipv6-address | The IPv6 address for the primary DNS server in the DHCP configuration if the dhcp dns_type keywords are set to useEnteredDns.
dhcp secondary_dns | ipv6-address | The IPv6 address for the secondary DNS server in the DHCP configuration if the dhcp dns_type keywords are set to useEnteredDns.
dhcp rebind_time | seconds | The lease time in seconds (integer), from 0 to 604800 seconds.
Command example:
FVS336Gv2> net lan ipv6 configure
net-config[lan-ipv6]> static address fec0::3
net-config[lan-ipv6]> static prefix_length 64
net-config[lan-ipv6]> dhcp server_enable Y
net-config[lan-ipv6]> dhcp mode Stateless
net-config[lan-ipv6]> dhcp prefix_delegation_enable Y
net-config[lan-ipv6]> dhcp domain name netgear.com
net-config[lan-ipv6]> dhcp server_preference 236
net-config[lan-ipv6]> dhcp dns_type useDnsProxy
net-config[lan-ipv6]> dhcp rebind_time 43200
net-config[lan-ipv6]> save
Related show command: show net lan ipv6 setup

net lan ipv6 pool add
This command configures a new IPv6 DHCP address pool for the LAN. After you issue the net lan ipv6 pool add command, you enter the net-config [lan-ipv6-pool] mode and then you can configure the IPv6 start and end addresses and the IPv6 prefix length for the IPv6 pool in the order that you prefer.
Step 1 Format: net lan ipv6 pool add
Mode: net
Step 2 Format:
start_address <ipv6-address>
end_address <ipv6-address>
prefix_length <prefix length>
Mode: net-config [lan-ipv6-pool]
Keyword | Associated Parameter to Type | Description
start_address | ipv6-address | The start address of the IPv6 address pool.
end_address | ipv6-address | The end address of the IPv6 address pool.
prefix_length | prefix length | The prefix length for the IPv6 address pool.
Command example:
FVS336Gv2> net lan ipv6 pool add
net-config[lan-ipv6-pool]> start_address 2001::1025
net-config[lan-ipv6-pool]> end_address 2001::1030
net-config[lan-ipv6-pool]> prefix_length 56
net-config[lan-ipv6-pool]> save
Related show command: show net lan ipv6 setup

net lan ipv6 pool edit <row id>
This command configures an existing IPv6 DHCP address pool for the LAN. After you issue the net lan ipv6 pool edit command to specify the row to be edited, you enter the net-config [lan-ipv6-pool] mode and then you can configure the IPv6 start and end addresses and the IPv6 prefix length for the IPv6 pool in the order that you prefer.
Step 1 Format: net lan ipv6 pool edit <row id>
Mode: net
Step 2 Format:
start_address <ipv6-address>
end_address <ipv6-address>
prefix_length <prefix length>
Mode: net-config [lan-ipv6-pool]
Keyword | Associated Parameter to Type | Description
start_address | ipv6-address | The start address of the IPv6 address pool.
end_address | ipv6-address | The end address of the IPv6 address pool.
prefix_length | prefix length | The prefix length for the IPv6 address pool.
Related show command: show net lan ipv6 setup

net lan ipv6 pool delete <row id>
This command deletes an IPv6 DHCP address pool by specifying its row ID.
Format: net lan ipv6 pool delete <row id>
Mode: net
Related show command: show net lan ipv6 setup

net lan ipv6 multi_homing add
This command configures a new IPv6 alias, that is, a secondary IPv6 address. After you issue the net lan ipv6 multi_homing add command, you enter the net-config [lan-ipv6-multihoming] mode and then you can configure the secondary address and IPv6 prefix length in the order that you prefer.
Step 1 Format: net lan ipv6 multi_homing add
Mode: net
Step 2 Format:
ip_address <ipv6-address>
prefix_length <prefix length>
Mode: net-config [lan-ipv6-multihoming]
Keyword | Associated Parameter to Type | Description
ip_address | ipv6-address | The secondary IPv6 address for the LAN.
prefix_length | prefix length | The prefix length for the secondary IPv6 address.
Command example:
FVS336Gv2> net lan ipv6 multi_homing add
net-config[lan-ipv6-multihoming]> ip_address 2002::1006
net-config[lan-ipv6-multihoming]> prefix_length 10
net-config[lan-ipv6-multihoming]> save
Related show command: show net lan ipv6 multiHoming

net lan ipv6 multi_homing edit <row id>
This command configures an existing IPv6 alias, that is, a secondary IPv6 address. After you issue the net lan ipv6 multi_homing edit command to specify the row to be edited, you enter the net-config [lan-ipv6-multihoming] mode and then you can configure the secondary address and IPv6 prefix length in the order that you prefer.
Step 1 Format: net lan ipv6 multi_homing edit <row id>
Mode: net
Step 2 Format:
ip_address <ipv6-address>
prefix_length <prefix length>
Mode: net-config [lan-ipv6-multihoming]
Keyword | Associated Parameter to Type | Description
ip_address | ipv6-address | The secondary IPv6 address for the LAN.
prefix_length | prefix length | The prefix length for the secondary IPv6 address.
Related show command: show net lan ipv6 multiHoming

net lan ipv6 multi_homing delete <row id>
This command deletes a secondary IPv6 address by specifying its row ID.
Format: net lan ipv6 multi_homing delete <row id>
Mode: net
Related show command: show net lan ipv6 multiHoming

net radvd configure lan
This command configures the Router Advertisement Daemon (RADVD) for the link-local advertisements of IPv6 router addresses and prefixes in the LAN. After you issue the net radvd configure lan command, you enter the net-config [radvd-lan] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format: net radvd configure lan
Mode: net
Step 2 Format:
enable {Y | N}
mode {Unsolicited-Multicast | Unicast-Only}
interval <seconds>
flags {Managed | Other}
preference {Low | Medium | High}
mtu <number>
life_time <seconds>
Mode: net-config [radvd-lan]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable | Y or N | Enables the RADVD process to allow stateless autoconfiguration of the IPv6 LAN or disables the RADVD process.
mode | Unsolicited-Multicast or Unicast-Only | Specifies the advertisement mode: Unsolicited-Multicast. Allows unsolicited multicast and unicast communication with the hosts. Router advertisements (RAs) are sent to all interfaces at the rate that is defined by the interval keyword and parameter. Unicast-Only. Responds to unicast packet requests only. No unsolicited packets are advertised.
interval | seconds | The interval in seconds (integer) between unsolicited multicast RAs. Enter a period from 10 to 1800 seconds. The default is 30 seconds.
flags | Managed or Other | Specifies the flag: Managed. The DHCPv6 stateful protocol is used for autoconfiguration of the address. Other. The DHCPv6 stateful protocol is used for autoconfiguration of other (that is, nonaddress) information.
preference | Low, Medium, or High | Specifies the VPN firewall’s preference in relation to other hosts and routers in the LAN.
mtu | number | The MTU size (integer) that is used in the RAs to ensure that all nodes in the network use the same MTU size. The default is 1500 seconds.
life_time | seconds | The advertisement lifetime in seconds (integer) of the route. The default is 3600 seconds.
Command example:
FVS336Gv2> net radvd configure lan
net-config[radvd-lan]> enable Y
net-config[radvd-lan]> mode Unsolicited-Multicast
net-config[radvd-lan]> interval 60
net-config[radvd-lan]> flags Managed
net-config[radvd-lan]> preference Medium
net-config[radvd-lan]> mtu 1496
net-config[radvd-lan]> life_time 7200
net-config[radvd-lan]> save
Related show command: show net radvd lan setup

net radvd pool lan add
This command configures the IPv6 RADVD pool of advertisement prefixes for the LAN. After you issue the net radvd pool lan add command, you enter the net-config [radvd-pool-lan] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format net radvd pool lan add
Mode net
Step 2 Format
prefix_type {6To4 {6to4_interface {WAN1 | WAN2} {sla_id <ID number>} | Global-Local-ISATAP {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Mode net-config [radvd-pool-lan]
Keyword | Associated Keyword to Select or Parameter to Type | Description
prefix_type | 6To4 or Global-Local-ISATAP | Specifies the prefix type for communication between the interfaces: 6To4. The prefix is for a 6to4 address. You must issue the 6to4_interface keyword and specify the WAN interface and the sla_id keyword and specify the interface ID. Global-Local-ISATAP. The prefix is for a global, local, or ISATAP address. This must be a global prefix, not the site-local or link-local prefix. You must issue the prefix_address and prefix_length keywords and associated parameters.
6to4_interface | WAN1 or WAN2 | Specifies the WAN interface on which the 6to4 prefix is added.
sla_id | ID number | The site-level aggregation identifier (SLA ID) (integer) in the 6to4 address prefix is the ID of the interface from which the advertisements are sent.
prefix_address | ipv6-address | The IPv6 address for a global, local, or ISATAP prefix.
prefix_length | prefix length | The IPv6 prefix length (integer) for a global, local, or ISATAP prefix. This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
prefix_life_time | seconds | The period in seconds (integer) during which the requesting router is allowed to use the prefix.
Command example:
FVS336Gv2> net radvd pool lan add
net-config[radvd-pool-lan]> prefix_type 6To4
net-config[radvd-pool-lan]> 6to4_interface WAN1
net-config[radvd-pool-lan]> sla_id 67
net-config[radvd-pool-lan]> prefix_life_time 3600
net-config[radvd-pool-lan]> save
Related show command: show net radvd lan setup
net radvd pool lan edit <row id>
This command configures an existing IPv6 RADVD address pool for the LAN. After you issue the net radvd pool lan edit command to specify the row to be edited, you enter the net-config [radvd-pool-lan] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format net radvd pool lan edit <row id>
Mode net
Step 2 Format
prefix_type {6To4 {6to4_interface {WAN1 | WAN2} {sla_id <ID number>} | Global-Local-ISATAP {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Mode net-config [radvd-pool-lan]
Keyword | Associated Keyword to Select or Parameter to Type | Description
prefix_type | 6To4 or Global-Local-ISATAP | Specifies the prefix type for communication between the interfaces: 6To4. The prefix is for a 6to4 address. You must issue the 6to4_interface keyword and specify the WAN interface and the sla_id keyword and specify the interface ID. Global-Local-ISATAP. The prefix is for a global, local, or ISATAP address. This must be a global prefix, not the site-local or link-local prefix. You must issue the prefix_address and prefix_length keywords and associated parameters.
6to4_interface | WAN1 or WAN2 | Specifies the WAN interface on which the 6to4 prefix is added.
sla_id | ID number | The site-level aggregation identifier (SLA ID) (integer) in the 6to4 address prefix is the ID of the interface from which the advertisements are sent.
prefix_address | ipv6-address | The IPv6 address for a global, local, or ISATAP prefix.
prefix_length | prefix length | The IPv6 prefix length (integer) for a global, local, or ISATAP prefix. This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
prefix_life_time | seconds | The period in seconds (integer) during which the requesting router is allowed to use the prefix.
Related show command: show net radvd lan setup
net radvd pool lan delete <row id>
This command deletes an RADVD address pool for the LAN by deleting its row ID.
Format
net radvd pool lan delete <row id>
Mode net
Related show command: show net radvd lan setup
net lan ipv6 prefix_delegation add
This command configures a new IPv6 prefix for LAN prefix delegation. For information about how to enable prefix delegation for the IPv6 LAN, see the net lan ipv6 configure command. After you issue the net lan ipv6 prefix_delegation add command, you enter the net-config [lan-prefix-delegation] mode and then you can configure the IPv6 prefix and IPv6 prefix length in the order that you prefer.
Step 1 Format net lan ipv6 prefix_delegation add
Mode net
Step 2 Format
prefix <prefix>
prefix_length <prefix length>
Mode net-config [lan-prefix-delegation]
Keyword | Associated Parameter to Type | Description
prefix | prefix | The IPv6 prefix.
prefix_length | prefix length | The prefix length for the IPv6 prefix.
Command example:
FVS336Gv2> net lan ipv6 prefix_delegation add
net-config[lan-prefix-delegation]> prefix 2001:db8::
net-config[lan-prefix-delegation]> prefix_length 64
net-config[lan-prefix-delegation]> save
Related show command: show net lan ipv6 setup
net lan ipv6 prefix_delegation edit <row id>
This command configures an existing IPv6 prefix for LAN prefix delegation. After you issue the net lan ipv6 prefix_delegation edit command to specify the row to be edited, you enter the net-config [lan-prefix-delegation] mode and then you can configure the IPv6 prefix and IPv6 prefix length in the order that you prefer.
Step 1 Format net lan ipv6 prefix_delegation edit <row id>
Mode net
Step 2 Format
prefix <prefix>
prefix_length <prefix length>
Mode net-config [lan-prefix-delegation]
Keyword | Associated Parameter to Type | Description
prefix | prefix | The IPv6 prefix.
prefix_length | prefix length | The prefix length for the IPv6 prefix.
Related show command: show net lan ipv6 setup
net lan ipv6 prefix_delegation delete <row id>
This command deletes an IPv6 prefix for LAN prefix delegation by deleting its row ID.
Format
net lan ipv6 prefix_delegation delete <row id>
Mode net
Related show command: show net lan ipv6 setup

IPv4 DMZ Setup Command

This section describes the net dmz ipv4 configure command.
net dmz ipv4 configure
This command enables, configures, or disables the IPv4 DMZ. After you issue the net dmz ipv4 configure command, you enter the net-config [dmz-ipv4] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format net dmz ipv4 configure
Mode net
Step 2 Format
enable_dmz {Y | N}
ip_address <ipaddress>
subnet_mask <subnet mask>
dhcp_mode {None | DHCP-Server | DHCP-Relay}
dns_proxy_enable {Y | N}
domain_name <domain name>
starting_ip_address <ipaddress>
ending_ip_address <ipaddress>
primary_dns_server <ipaddress>
secondary_dns_server <ipaddress>
wins_server <ipaddress>
lease_time <hours>
enable_ldap {Y | N}
ldap_serverip <ipaddress>
ldap_search_base <search base>
ldap_port <number>
relay_gateway <ipaddress>
Mode net-config [dmz-ipv4]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable_dmz | Y or N | Enables or disables the DMZ.
ip_address | ipaddress | The IP address of the DMZ port.
subnet_mask | subnet mask | The subnet mask of the DMZ port.
dhcp_mode | None, DHCP-Server, or DHCP-Relay | Specifies the DHCP mode: None. DHCP is disabled for the DMZ. DHCP-Server. DHCP is enabled for the DMZ. You can configure all keywords and parameters except the relay_gateway keyword and associated parameter. DHCP-Relay. Addresses are assigned in the DMZ by a DHCP relay. Configure the relay_gateway keyword and associated parameter.
dns_proxy_enable | Y or N | Enables or disables the DNS proxy.
DHCP server
domain_name | domain name | The server domain name (string) or FQDN for the DHCP server.
starting_ip_address | ipaddress | The start IP address for the DHCP address pool.
ending_ip_address | ipaddress | The end IP address for the DHCP address pool.
primary_dns_server | ipaddress | The IP address of the primary DNS server in the DMZ DHCP configuration.
secondary_dns_server | ipaddress | The IP address of the secondary DNS server in the DMZ DHCP configuration.
wins_server | ipaddress | The IP address of the WINS server in the DMZ DHCP configuration.
lease_time | hours | The duration in hours for which an IP address is leased.
enable_ldap | Y or N | Enables or disables LDAP.
ldap_serverip | ipaddress | The IP address of the LDAP server.
ldap_search_base | search base | The search base (string) for LDAP.
ldap_port | number | The port number for the LDAP server.
DHCP relay
relay_gateway | ipaddress | Set the DHCP relay gateway server.
Command example:
FVS336Gv2> net dmz ipv4 configure
net-config[dmz-ipv4]> enable_dmz Y
net-config[dmz-ipv4]> ip_address 10.126.32.59
net-config[dmz-ipv4]> subnet_mask 255.255.255.0
net-config[dmz-ipv4]> dhcp_mode None
net-config[dmz-ipv4]> dns_proxy_enable Y
net-config[dmz-ipv4]> save
Related show command: show net dmz ipv4 setup

IPv6 DMZ Setup Commands

This section describes the following commands:
net dmz ipv6 configure
net dmz ipv6 pool configure <ipv6 address>
net dmz ipv6 pool delete <ipv6 address>
net radvd configure dmz
net radvd pool dmz add
net radvd pool dmz edit <row id>
net radvd pool dmz delete <row id>
net dmz ipv6 configure
This command enables, configures, or disables the IPv6 DMZ. After you issue the net dmz ipv6 configure command, you enter the net-config [dmz-ipv6] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format net dmz ipv6 configure
Mode net
Step 2 Format
enable_dmz {Y | N}
static ip_address <ipv6-address>
static prefix_length <prefix length>
dhcp server_enable {N | Y {dhcp dhcp_mode {Stateless | Stateful}}}
dhcp domain_name <domain-name>
dhcp server_preference <number>
dhcp dns_type {useDnsProxy | useDnsFromISP | useEnteredDns {dhcp primary_dns <ipv6-address>} [dhcp secondary_dns <ipv6-address>]}
dhcp lease_time <seconds>
Mode net-config [dmz-ipv6]
Keyword (might consist of two separate words) | Associated Keyword to Select or Parameter to Type | Description
enable_dmz | Y or N | Enables or disables the DMZ.
static ip_address | ipv6-address | The IPv6 address of the DMZ port.
static prefix_length | prefix length | The prefix length (integer) for the DMZ port.
DHCPv6 server
dhcp server_enable | Y or N | Enables or disables the DHCP server for the DMZ.
dhcp dhcp_mode | Stateless or Stateful | Specifies the DHCPv6 mode.
dhcp domain_name | domain name | The server domain name (string) for the DHCP server.
dhcp server_preference | number | The preference number (integer) of the DHCP server.
dhcp dns_type | useDnsProxy, useDnsFromISP, or useEnteredDns | Specifies the DNS server type. If you select useEnteredDns, you also must issue the dhcp primary_dns keywords and associated parameter. The dhcp secondary_dns keywords and associated parameter are optional.
dhcp primary_dns | ipv6-address | The IPv6 address for the primary DNS server in the DMZ configuration.
dhcp secondary_dns | ipv6-address | The IPv6 address of the secondary DNS server in the DMZ configuration.
dhcp lease_time | seconds | The duration in seconds for which an IP address is leased.
Command example:
FVS336Gv2> net dmz ipv6 configure
net-config[dmz-ipv6]> enable_dmz Y
net-config[dmz-ipv6]> static ip_address 2001:176::1
net-config[dmz-ipv6]> static prefix_length 64
net-config[dmz-ipv6]> dhcp server_enable Y
net-config[dmz-ipv6]> dhcp dhcp_mode Stateful
net-config[dmz-ipv6]> dhcp domain_name netgear.com
net-config[dmz-ipv6]> dhcp server_preference 210
net-config[dmz-ipv6]> dhcp dns_type useDnsProxy
net-config[dmz-ipv6]> dhcp lease_time 43200
net-config[dmz-ipv6]> save
Related show command: show net dmz ipv6 setup
net dmz ipv6 pool configure <ipv6 address>
This command configures a new or existing IPv6 DHCP address pool for the DMZ. After you issue the net dmz ipv6 pool configure command to specify the IPv6 start address of the IPv6 pool, you enter the net-config [dmz-ipv6-pool] mode and then you can configure the IPv6 end address and the IPv6 prefix length for the IPv6 pool in the order that you prefer.
Step 1 Format net dmz ipv6 pool configure <ipv6-address>
Mode net
Step 2 Format
ending_ip_address <ipv6-address>
prefix_length <prefix length>
Mode net-config [dmz-ipv6-pool]
Keyword | Associated Parameter to Type | Description
ending_ip_address | ipv6-address | The end address of the IPv6 address pool.
prefix_length | prefix length | The prefix length for the IPv6 address pool.
Command example:
FVS336Gv2> net dmz ipv6 pool configure 2001::1100
net-config[dmz-ipv6-pool]> ending_ip_address 2001::1120
net-config[dmz-ipv6-pool]> prefix_length 56
net-config[dmz-ipv6-pool]> save
Related show command: show net dmz ipv6 setup
net dmz ipv6 pool delete <ipv6 address>
This command deletes an IPv6 DHCP address pool for the DMZ by deleting the start address of the pool.
Format
net dmz ipv6 pool delete <ipv6-address>
Mode net
Related show command: show net dmz ipv6 setup
net radvd configure dmz
This command configures the router advertisement daemon (RADVD) process for the link-local advertisements of IPv6 router addresses and prefixes in the DMZ. After you issue the net radvd configure dmz command, you enter the net-config [radvd-dmz] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format net radvd configure dmz
Mode net
Step 2 Format
enable {Y | N}
mode {Unsolicited-Multicast | Unicast-Only}
interval <seconds>
flags {Managed | Other}
preference {Low | Medium | High}
mtu <number>
life_time <seconds>
Mode net-config [radvd-dmz]
Keyword | Associated Keyword to Select or Parameter to Type | Description
enable | Y or N | Enables the RADVD process to allow stateless autoconfiguration of the IPv6 DMZ or disables the RADVD process.
mode | Unsolicited-Multicast or Unicast-Only | Specifies the advertisement mode: Unsolicited-Multicast. Allows unsolicited multicast and unicast communication with the hosts. Router advertisements (RAs) are sent to all interfaces at the rate that is defined by the interval keyword and associated parameter. Unicast-Only. Responds to unicast packet requests only. No unsolicited packets are advertised.
interval | seconds | The interval in seconds (integer) between unsolicited multicast RAs. Enter a period from 10 to 1800 seconds. The default is 30 seconds.
flags | Managed or Other | Specifies the flag: Managed. Specifies that the DHCPv6 stateful protocol is used for autoconfiguration of the address. Other. Specifies that the DHCPv6 stateful protocol is used for autoconfiguration of other (that is, nonaddress) information.
preference | Low, Medium, or High | Specifies the VPN firewall’s preference in relation to other hosts and routers in the DMZ.
mtu | number | The MTU size (integer) that is used in the RAs to ensure that all nodes in the network use the same MTU size. The default is 1500 seconds.
life_time | seconds | The advertisement lifetime in seconds (integer) of the route. The default is 3600 seconds.
Command example:
FVS336Gv2> net radvd configure dmz
net-config[radvd-dmz]> enable Y
net-config[radvd-dmz]> mode Unicast-Only
net-config[radvd-dmz]> flags Managed
net-config[radvd-dmz]> preference High
net-config[radvd-dmz]> mtu 1500
net-config[radvd-dmz]> life_time 7200
net-config[radvd-dmz]> save
Related show command: show net radvd dmz setup
net radvd pool dmz add
This command configures the IPv6 RADVD pool of advertisement prefixes for the DMZ. After you issue the net radvd pool dmz add command, you enter the net-config [radvd-pool-dmz] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format net radvd pool dmz add
Mode net
Step 2 Format
prefix_type {6To4 {6to4_interface {WAN1 | WAN2} {sla_id <ID number>} | Global-Local-ISATAP {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Mode net-config [radvd-pool-dmz]
Keyword | Associated Keyword to Select or Parameter to Type | Description
prefix_type | 6To4 or Global-Local-ISATAP | Specifies the prefix type for communication between the interfaces: 6To4. The prefix is for a 6to4 address. You must issue the 6to4_interface keyword and specify the WAN interface and the sla_id keyword and specify the interface ID. Global-Local-ISATAP. The prefix is for a global, local, or ISATAP address. This must be a global prefix, not the site-local or link-local prefix. You must issue the prefix_address and prefix_length keywords and associated parameters.
6to4_interface | WAN1 or WAN2 | Specifies the WAN interface on which the 6to4 prefix is added.
sla_id | ID number | The site-level aggregation identifier (SLA ID) (integer) in the 6to4 address prefix is the ID of the interface from which the advertisements are sent.
prefix_address | ipv6-address | The IPv6 address for a global, local, or ISATAP prefix.
prefix_length | prefix length | The IPv6 prefix length (integer) for a global, local, or ISATAP prefix. This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
prefix_life_time | seconds | The period in seconds (integer) during which the requesting router is allowed to use the prefix.
Command example:
FVS336Gv2> net radvd pool dmz add
net-config[radvd-pool-dmz]> prefix_type Global-Local-ISATAP
net-config[radvd-pool-dmz]> prefix_address 2002:3a2b
net-config[radvd-pool-dmz]> prefix_length 64
net-config[radvd-pool-dmz]> prefix_life_time 3600
net-config[radvd-pool-dmz]> save
Related show command: show net radvd dmz setup
net radvd pool dmz edit <row id>
This command configures an existing IPv6 RADVD address pool for the DMZ. After you issue the net radvd pool dmz edit command to specify the row to be edited, you enter the net-config [radvd-pool-dmz] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format net radvd pool dmz edit <row id>
Mode net
Step 2 Format
prefix_type {6To4 {6to4_interface {WAN1 | WAN2} {sla_id <ID number>} | Global-Local-ISATAP {prefix_address <ipv6-address>} {prefix_length <prefix length>}}
prefix_life_time <seconds>
Mode net-config [radvd-pool-dmz]
Keyword | Associated Keyword to Select or Parameter to Type | Description
prefix_type | 6To4 or Global-Local-ISATAP | Specifies the prefix type for communication between the interfaces: 6To4. The prefix is for a 6to4 address. You must issue the 6to4_interface keyword and specify the WAN interface and the sla_id keyword and specify the interface ID. Global-Local-ISATAP. The prefix is for a global, local, or ISATAP address. This must be a global prefix, not the site-local or link-local prefix. You must issue the prefix_address and prefix_length keywords and associated parameters.
6to4_interface | WAN1 or WAN2 | Specifies the WAN interface on which the 6to4 prefix is added.
sla_id | ID number | The site-level aggregation identifier (SLA ID) (integer) in the 6to4 address prefix is the ID of the interface from which the advertisements are sent.
prefix_address | ipv6-address | The IPv6 address for a global, local, or ISATAP prefix.
prefix_length | prefix length | The IPv6 prefix length (integer) for a global, local, or ISATAP prefix. This is a decimal value that indicates the number of contiguous, higher-order bits of the address that make up the network portion of the address.
prefix_life_time | seconds | The period in seconds (integer) during which the requesting router is allowed to use the prefix.
Related show command: show net radvd dmz setup
net radvd pool dmz delete <row id>
This command deletes an RADVD address pool for the DMZ by deleting its row ID.
Format
net radvd pool dmz delete <row id>
Mode net
Related show command: show net radvd dmz setup

WAN QoS Commands

This section describes the following commands:
net qos configure
net qos profile add
net qos profile edit <row id>
net qos profile delete <row id>
net qos profile disable <row id>
net qos profile enable <row id>
net qos configure
This command configures the QoS mode for the WAN interfaces. After you issue the net qos configure command, you enter the net-config [network-qos] mode and then you can enable QoS and set the QoS mode to rate control or priority. The configured QoS mode determines which WAN QoS profiles can be active, that is, you can add both rate control and priority WAN QoS profiles (see the net qos profile add command), but only the profiles for the configured QoS mode can be active. For example, if you set the QoS mode to priority, only the profiles with a priority configuration can be active.
Step 1 Format net qos configure
Mode net
Step 2 Format
enable {Y | N}
qos_type {Rate-Control | Priority}
Mode net-config [network-qos]
Keyword | Associated Keyword to Select | Description
enable | Y or N | Enables or disables QoS for all WAN interfaces.
qos_type | Rate-Control or Priority | Specifies whether QoS uses rate control or priority profiles.
Related show command: show net qos setup
net qos profile add
This command configures a new WAN QoS profile. After you issue the net qos profile add command, you enter the net-config [network-qos-profile] mode and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1 Format net qos profile add
Mode net
Step 2 Format
The following settings apply to both rate control profiles and priority profiles:
qos_type {Rate-Control | Priority}
interface {WAN1 | WAN2}
service_name {default_services <default service name> | {custom_services <custom service name>}
diffserv_qos_match <number>
diffserv_qos_remark <number>
The following settings apply only to rate control profiles:
direction_for_rate_control {Inbound | Outbound | Both}
congestion_priority {Default | High | Medium-high | Medium | Low}
hosts {Single-IP-Address {hosts_start_ip <ipaddress>} | IP-Address-Range {hosts_start_ip <ipaddress>} {hosts_end_ip <ipaddress>} | Group {hosts_group {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 | Group7 | Group8}}}
bandwidth_allocation {Shared | Individual}
outbound_min_bandwidth <bandwidth>
outbound_max_bandwidth <bandwidth>
inbound_min_bandwidth <bandwidth>
inbound_max_bandwidth <bandwidth>
The following settings apply only to priority profiles:
direction_for_priority {Inbound-Traffic | Outbound-Traffic}
priority {Low | High}
Mode net-config [network-qos-profile]
Keyword (might consist of two separate words)
Common settings
qos_type Rate-Control or
interface WAN1 or WAN2 Specifies the interface to which the profile
Associated Keyword to Select or Parameter to Type
Priority
Description
Specifies the type of profile:
Rate-Control. Configure the
keywords and parameters that are shown in the Common settings section and Rate control profile settings section of this table.
Priority. Configure the keywords
and parameters that are shown in the Common settings section and Priority profile settings section of this table.
applies.
Net Mode Configuration Commands
91
ProSAFE Dual WAN Gigabit Firewall with SSL & IPsec VPN
Keyword (might consist of two separate words)
service_name default_services
Associated Keyword to Select or Parameter to Type
ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
,
Description
Specifies the default service and protocol to which the profile applies.
service_name custom_services
diffserv_qos_match number (Optional) The DSCP value, from 0
diffserv_qos_remark number
custom service name The custom service that you configure
with the security services add command and to which the profile applies.
through 63. Packets are classified against this value.
(Optional) The DSCP value, from 0 through 63. Packets are marked with this value.
Net Mode Configuration Commands
92
ProSAFE Dual WAN Gigabit Firewall with SSL & IPsec VPN
Keyword (might consist of two separate words)
Rate control profile settings
direction_for_rate_control Inbound, Outbound, or
Associated Keyword to Select or Parameter to Type
Both
Description
Specifies the direction to which rate control applies:
Inbound. Rate control applies to
inbound packets only the inbound_min_bandwidth and inbound_max_bandwidth keywords and specify the bandwidth that is allocated.
Outbound. Rate control applies to
outbound packets only issue the
outbound_min_bandwidth and outbound_max_bandwidth
keywords and specify the bandwidth that is allocated.
Both. Rate control applies to both
inbound and outbound packets. must issue the
inbound_min_bandwidth, inbound_max_bandwidth, outbound_min_bandwidth, and outbound_max_bandwidth
keywords and specify the bandwidth that is allocated.
You must issue
.
You must
.
Y
ou
congestion_priority Default, High,
Medium-high, Medium, or Low
Specifies the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall:
Default.
the ToS field in the packet’s IP header.
High. This
following DSCP values: AF41, AF42,
AF43, AF44, and CS4.
Medium-high. This
the following DSCP values: AF31,
AF32, AF33, AF34, and CS3.
Medium. This
following DSCP values: AF21, AF22,
AF23, AF24, and CS2.
Low. This queue includes the following
DSCP values: AF11, AF12, AF13,
AF14, CS1, 0, and all other values.
T
raffic is mapped based on
includes the
queue
includes
queue
includes the
queue
Net Mode Configuration Commands
93
ProSAFE Dual WAN Gigabit Firewall with SSL & IPsec VPN
Keyword (might consist of two separate words)
hosts Single-IP-Address,
Associated Keyword to Select or Parameter to Type
IP-Address-Range, or Group
Description
Specifies the IP address, range of IP addresses, or group to which the profile applies:
Single-IP-Address. The
applies to a single IP address. Issue the hosts_start_ip specify the IP address.
IP-Address-Range. The profile
applies to an IP address range. Issue the hosts_start_ip hosts_end_ip keywords to specify the start and end IP addresses of the range. In addition, issue the bandwidth_allocation keyword to specify if bandwidth is shared between all IP addresses in the range or is allocated to each IP address in the range.
Group. The
Issue the hosts_group keyword to specify the group. In addition, issue the bandwidth_allocation keyword to specify if bandwidth is shared between all members of the group or is allocated to each member in the group.
applies to a group.
profile
profile
keyword to
and
hosts_start_ip ipaddress The following two options are available:
The IP address if the hosts keyword
is set to Single-IP-Address.
The start IP address if the hosts
keyword is set to
IP-Address-Range.
hosts_end_ip ipaddress The end IP address if the hosts keyword
is set to IP-Address-Range.
hosts_group Group1, Group2, Group3,
Group4, Group5, Group6, Group7, or Group8
Specifies the group if the hosts keyword is set to Group.
Note: You cannot enter group names that
you specify with the net lan lan_groups edit
<row id> <new group name> command.
Net Mode Configuration Commands
94
ProSAFE Dual WAN Gigabit Firewall with SSL & IPsec VPN
bandwidth_allocation  Shared or Individual
  Specifies how bandwidth is allocated. These options apply when the hosts keyword is set to IP-Address-Range or to Group.
  Shared. The bandwidth is shared among all IP addresses in a range or all members of a group.
  Individual. The bandwidth is allocated to each IP address in the range or each member of a group.
outbound_min_bandwidth  bandwidth
  The outbound minimum bandwidth in Kbps, from 0 to 100,000. This option applies if the direction_for_rate_control keyword is set to outbound or both.
outbound_max_bandwidth  bandwidth
  The outbound maximum bandwidth in Kbps, from 100 to 100,000. This option applies if the direction_for_rate_control keyword is set to outbound or both.
inbound_min_bandwidth  bandwidth
  The inbound minimum bandwidth in Kbps, from 0 to 100,000. This option applies if the direction_for_rate_control keyword is set to inbound or both.
inbound_max_bandwidth  bandwidth
  The inbound maximum bandwidth in Kbps, from 100 to 100,000. This option applies if the direction_for_rate_control keyword is set to inbound or both.
Priority profile settings
direction_for_priority  Inbound-Traffic or Outbound-Traffic
  Specifies the direction to which the priority queue applies:
  Inbound-Traffic. The priority queue applies to inbound traffic only.
  Outbound-Traffic. The priority queue applies to outbound traffic only.
priority  Low or High
  Specifies the priority queue that determines the allocation of bandwidth:
  Low. All services that are assigned a low-priority queue share 10 percent of interface bandwidth.
  High. All services that are assigned a high-priority queue share 60 percent of interface bandwidth.
  Note: By default, all services are assigned the medium-priority queue in which they share 30 percent of the interface bandwidth.
Command example:
FVS336Gv2> net qos profile add
net-config[network-qos-profile]> qos_type Rate-Control
net-config[network-qos-profile]> interface WAN2
net-config[network-qos-profile]> service_name default_services http
net-config[network-qos-profile]> direction_for_rate_control Inbound
net-config[network-qos-profile]> congestion_priority High
net-config[network-qos-profile]> hosts IP-Address-Range
net-config[network-qos-profile]> hosts_start_ip 192.168.110.2
net-config[network-qos-profile]> hosts_end_ip 192.168.110.199
net-config[network-qos-profile]> bandwidth_allocation Shared
net-config[network-qos-profile]> inbound_min_bandwidth 7500
net-config[network-qos-profile]> inbound_max_bandwidth 15000
net-config[network-qos-profile]> diffserv_qos_match 5
net-config[network-qos-profile]> diffserv_qos_remark 12
net-config[network-qos-profile]> save
Related show command: show net qos setup
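The keyword rules in the tables for net qos profile add and net qos profile edit (bandwidth ranges per direction, DSCP values from 0 through 63, and the keywords that each hosts selection needs) can be checked before a session is typed at the net-config[network-qos-profile] prompt. The following Python checker is an added example, not part of the NETGEAR manual or the firewall software; the function name lint_qos_profile, the IPv4-only address check, the start-before-end check, and the FAULTY input are assumptions made for illustration.

```python
import ipaddress

# Limits transcribed from the keyword table: (min Kbps, max Kbps, directions that use it).
BW = {"outbound_min_bandwidth": (0, 100000, {"outbound", "both"}),
      "outbound_max_bandwidth": (100, 100000, {"outbound", "both"}),
      "inbound_min_bandwidth": (0, 100000, {"inbound", "both"}),
      "inbound_max_bandwidth": (100, 100000, {"inbound", "both"})}
# Keywords the table tells you to issue for each hosts selection.
HOSTS = {"single-ip-address": ["hosts_start_ip"],
         "ip-address-range": ["hosts_start_ip", "hosts_end_ip", "bandwidth_allocation"],
         "group": ["hosts_group", "bandwidth_allocation"]}

def lint_qos_profile(lines):
    """Hypothetical helper: list the problems in a net-config[network-qos-profile] session."""
    cfg = dict(l.split(None, 1) for l in map(str.strip, lines) if len(l.split()) > 1)
    errs = []
    for key in ("diffserv_qos_match", "diffserv_qos_remark"):  # optional, 0 through 63
        if key in cfg and not (cfg[key].isdecimal() and int(cfg[key]) <= 63):
            errs.append(f"{key}: DSCP value must be 0-63")
    if cfg.get("qos_type", "").lower() != "rate-control":
        return errs  # the checks below cover rate control profiles only
    direction = cfg.get("direction_for_rate_control", "").lower()
    if direction not in ("inbound", "outbound", "both"):
        errs.append("direction_for_rate_control: missing or invalid")
    for key, (lo, hi, dirs) in BW.items():
        if direction in dirs:
            if not (cfg.get(key, "").isdecimal() and lo <= int(cfg[key]) <= hi):
                errs.append(f"{key}: required, {lo}-{hi} Kbps")
        elif key in cfg:
            errs.append(f"{key}: does not apply to direction {direction or 'unset'}")
    hosts = cfg.get("hosts", "").lower()
    errs += ([f"{k}: required for hosts {hosts}" for k in HOSTS[hosts] if k not in cfg]
             if hosts in HOSTS else ["hosts: missing or invalid"])
    try:  # IPv4 only (an assumption); start <= end is a sanity check, not from the manual
        ips = [ipaddress.IPv4Address(cfg[k]) for k in ("hosts_start_ip", "hosts_end_ip") if k in cfg]
        if len(ips) == 2 and ips[0] > ips[1]:
            errs.append("hosts_start_ip is above hosts_end_ip")
    except ValueError:
        errs.append("hosts_start_ip/hosts_end_ip: not an IPv4 address")
    return errs

# MANUAL is the session from the manual's command example; FAULTY is a constructed variant.
MANUAL = ["qos_type Rate-Control", "interface WAN2", "service_name default_services http",
          "direction_for_rate_control Inbound", "congestion_priority High", "hosts IP-Address-Range",
          "hosts_start_ip 192.168.110.2", "hosts_end_ip 192.168.110.199", "bandwidth_allocation Shared",
          "inbound_min_bandwidth 7500", "inbound_max_bandwidth 15000", "diffserv_qos_match 5",
          "diffserv_qos_remark 12", "save"]
FAULTY = [l for l in MANUAL if not l.startswith(("hosts_end_ip", "inbound_max"))] + [
    "outbound_min_bandwidth 500", "diffserv_qos_remark 64"]
```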
net qos profile edit <row id>
This command configures an existing WAN QoS profile. After you issue the net qos profile edit command to specify the row to be edited, you enter the net-config [network-qos-profile] mode, and then you can configure one keyword and associated parameter or associated keyword at a time in the order that you prefer.
Step 1
Format  net qos profile edit <row id>
Mode  net
Step 2
Format
The following settings apply to both rate control profiles and priority profiles:
qos_type {Rate-Control | Priority}
interface {WAN1 | WAN2}
service_name {default_services <default service name> | {custom_services <custom service name>}}
diffserv_qos_match <number>
diffserv_qos_remark <number>
The following settings apply only to rate control profiles:
direction_for_rate_control {Inbound | Outbound | Both}
congestion_priority {Default | High | Medium-high | Medium | Low}
hosts {Single-IP-Address {hosts_start_ip <ipaddress>} | IP-Address-Range {hosts_start_ip <ipaddress>} {hosts_end_ip <ipaddress>} | Group {hosts_group {Group1 | Group2 | Group3 | Group4 | Group5 | Group6 | Group7 | Group8}}}
bandwidth_allocation {Shared | Individual}
outbound_min_bandwidth <bandwidth>
outbound_max_bandwidth <bandwidth>
inbound_min_bandwidth <bandwidth>
inbound_max_bandwidth <bandwidth>
The following settings apply only to priority profiles:
direction_for_priority {Inbound-Traffic | Outbound-Traffic}
priority {Low | High}
Mode  net-config [network-qos-profile]
Keyword (might consist of two separate words)  Associated Keyword to Select or Parameter to Type
  Description
Common settings
qos_type  Rate-Control or Priority
  Specifies the type of profile:
  Rate-Control. Configure the keywords and parameters that are shown in the Common settings section and Rate control profile settings section of this table.
  Priority. Configure the keywords and parameters that are shown in the Common settings section and Priority profile settings section of this table.
interface  WAN1 or WAN2
  Specifies the interface to which the profile applies.
service_name default_services  ANY, AIM, BGP, BOOTP_CLIENT, BOOTP_SERVER, CU-SEEME:UDP, CU-SEEME:TCP, DNS:UDP, DNS:TCP, FINGER, FTP, HTTP, HTTPS, ICMP-TYPE-3, ICMP-TYPE-4, ICMP-TYPE-5, ICMP-TYPE-6, ICMP-TYPE-7, ICMP-TYPE-8, ICMP-TYPE-9, ICMP-TYPE-10, ICMP-TYPE-11, ICMP-TYPE-13, ICQ, IMAP2, IMAP3, IRC, NEWS, NFS, NNTP, PING, POP3, PPTP, RCMD, REAL-AUDIO, REXEC, RLOGIN, RTELNET, RTSP:TCP, RTSP:UDP, SFTP, SMTP, SNMP:TCP, SNMP:UDP, SNMP-TRAPS:TCP, SNMP-TRAPS:UDP, SQL-NET, SSH:TCP, SSH:UDP, STRMWORKS, TACACS, TELNET, TFTP, RIP, IKE, SHTTPD, IPSEC-UDP-ENCAP, IDENT, VDOLIVE, SSH, SIP-TCP, SIP-UDP, NFS-TCP, or RPC-TCP
  Specifies the default service and protocol to which the profile applies.
service_name custom_services  custom service name
  The custom service that you configure with the security services add command and to which the profile applies.
diffserv_qos_match  number
  (Optional) The DSCP value, from 0 through 63. Packets are classified against this value.
diffserv_qos_remark  number
  (Optional) The DSCP value, from 0 through 63. Packets are marked with this value.
Rate control profile settings
direction_for_rate_control  Inbound, Outbound, or Both
  Specifies the direction to which rate control applies:
  Inbound. Rate control applies to inbound packets only. You must issue the inbound_min_bandwidth and inbound_max_bandwidth keywords and specify the bandwidth that is allocated.
  Outbound. Rate control applies to outbound packets only. You must issue the outbound_min_bandwidth and outbound_max_bandwidth keywords and specify the bandwidth that is allocated.
  Both. Rate control applies to both inbound and outbound packets. You must issue the inbound_min_bandwidth, inbound_max_bandwidth, outbound_min_bandwidth, and outbound_max_bandwidth keywords and specify the bandwidth that is allocated.
congestion_priority  Default, High, Medium-high, Medium, or Low
  Specifies the priority queue that determines the allocation of excess bandwidth and the classification level of the packets among other priority queues on the VPN firewall:
  Default. Traffic is mapped based on the ToS field in the packet’s IP header.
  High. This queue includes the following DSCP values: AF41, AF42, AF43, AF44, and CS4.
  Medium-high. This queue includes the following DSCP values: AF31, AF32, AF33, AF34, and CS3.
  Medium. This queue includes the following DSCP values: AF21, AF22, AF23, AF24, and CS2.
  Low. This queue includes the following DSCP values: AF11, AF12, AF13, AF14, CS1, 0, and all other values.
hosts  Single-IP-Address, IP-Address-Range, or Group
  Specifies the IP address, range of IP addresses, or group to which the profile applies:
  Single-IP-Address. The profile applies to a single IP address. Issue the hosts_start_ip keyword to specify the IP address.
  IP-Address-Range. The profile applies to an IP address range. Issue the hosts_start_ip and hosts_end_ip keywords to specify the start and end IP addresses of the range. In addition, issue the bandwidth_allocation keyword to specify if bandwidth is shared between all IP addresses in the range or is allocated to each IP address in the range.
  Group. The profile applies to a group. Issue the hosts_group keyword to specify the group. In addition, issue the bandwidth_allocation keyword to specify if bandwidth is shared between all members of the group or is allocated to each member in the group.
hosts_start_ip  ipaddress
  The following two options are available:
  The IP address if the hosts keyword is set to Single-IP-Address.
  The start IP address if the hosts keyword is set to IP-Address-Range.
hosts_end_ip  ipaddress
  The end IP address if the hosts keyword is set to IP-Address-Range.
hosts_group  Group1, Group2, Group3, Group4, Group5, Group6, Group7, or Group8
  Specifies the group if the hosts keyword is set to Group.
  Note: You cannot enter group names that you specify with the net lan lan_groups edit <row id> <new group name> command.