How it Works
Netgear
Loading...
FVS336Gv2
User Manual
203 pgs9.97 Mb0
Table of contents
Loading...

Netgear FVS336Gv2 User Manual

ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2

Reference Manual
350 East Plumeria Drive San Jose, CA 95134 USA
April 2010 202-10619-01 v1.0
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
© 2010 NETGEAR, Inc.© 2010 by NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of NETGEAR, Inc. P/N: Part Number TBD v1.0
Technical Support
When you register your product at http://www.netgear.com/register, we can provide you with faster expert technical support and timely notices of product and software upgrades.
NETGEAR, Inc.
350 East Plumeria Drive San Jose, CA 95134 USA
E-mail: support@netgear.com Website: http://www.netgear.com Phone: 1-888-NETGEAR, for US & Canada only. For other countries, see your Support information card.
Trademarks
NETGEAR, the NETGEAR logo, ProSafe, Smart Wizard, and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, Windows NT, and Vista are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Additional Copyrights
AES
Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the
following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The copyright holder’s name must not be used to endorse or promote any products derived from this software without his specific prior written permission.
This software is provided “as is” with no express or implied warranties of correctness or fitness for purpose.
Open SSL
Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the
following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions, and the following disclaimer in the documentation and/or other materials provided with the distribution.
2 |
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).”
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or promote products derived from this software without prior written permission. For written permission, contact openssl-core@openssl.org.
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL” appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS,” AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
/).”
MD5
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc.
MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided “as is” without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or software.
PPP
Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and
this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th, 2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
| 3
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution. Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alumni.caltech.edu The data format used by the zlib library is described by RFCs (Request for Comments) 1950 to 1952 in the files
ftp://ds.internic.net/rfc/rfc1950.txt (zlib format), rfc1951.txt (deflate format) and rfc1952.txt (gzip format).
Revision History
Publication Part Number Version Publish Date
202-10619-01 v1.0 April 2010
4 |

Table of Contents

Chapter 1 Introduction
Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Front Panel Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Rear Panel Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Default IP Address, Login Name, and Password Location . . . . . . . . . . . . 12
Qualified Web Browsers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Chapter 2 Connecting the VPN Firewall to the Internet
Understanding the Connection Steps . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Logging into the VPN Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Navigating the Menus . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Configuring the Internet Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Automatically Detecting and Connecting. . . . . . . . . . . . . . . . . . . . . . . . 17
Manually Configuring the Internet Connection. . . . . . . . . . . . . . . . . . . . 19
Configuring the WAN Mode (Required for Dual WAN) . . . . . . . . . . . . . . . 22
Network Address Translation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 22
Classical Routing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configuring Auto-Rollover Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configuring Load Balancing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configuring Dynamic DNS (Optional) . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Configuring the Advanced WAN Options (Optional) . . . . . . . . . . . . . . . . . 28
Additional WAN Related Configuration . . . . . . . . . . . . . . . . . . . . . . . . . 29
Chapter 3 LAN Configuration
Choosing the VPN Firewall DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . 30
Configuring the LAN Setup Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Managing Groups and Hosts (LAN Groups) . . . . . . . . . . . . . . . . . . . . . . . 34
Viewing the LAN Groups Database. . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Adding Devices to the LAN Groups Database. . . . . . . . . . . . . . . . . . . . 36
Changing Group Names in the LAN Groups Database. . . . . . . . . . . . . 37
Configuring DHCP Address Reservation. . . . . . . . . . . . . . . . . . . . . . . . 37
Configuring Multi Home LAN IP Addresses. . . . . . . . . . . . . . . . . . . . . . . . 38
Configuring Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Configuring Routing Information Protocol (RIP) . . . . . . . . . . . . . . . . . . . . 40
Chapter 4 Firewall Protection and Content Filtering
About Firewall Protection and Content Filtering . . . . . . . . . . . . . . . . . . . . 42
Table of Contents | 5
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Using Rules to Block or Allow Specific Kinds of Traffic . . . . . . . . . . . . . . .43
About Services-Based Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .43
Viewing the Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Setting the Default Outbound Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . .48
Creating a LAN WAN Outbound Services Rule . . . . . . . . . . . . . . . . . . .49
Creating a LAN WAN Inbound Services Rule. . . . . . . . . . . . . . . . . . . . .49
Modifying Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .50
Inbound Rules Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .51
Outbound Rules Example. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .53
Configuring Other Firewall Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Attack Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .54
Configuring Session Limits. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .55
Managing the Application Level Gateway for SIP Sessions. . . . . . . . . .56
Creating Services, QoS Profiles, and Bandwidth Profiles . . . . . . . . . . . . .57
Adding Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .57
Setting Quality of Service (QoS) Priorities . . . . . . . . . . . . . . . . . . . . . . .58
Creating Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .59
Setting a Schedule to Block or Allow Specific Traffic . . . . . . . . . . . . . . . . .61
Blocking Internet Sites (Content Filtering) . . . . . . . . . . . . . . . . . . . . . . . . .62
Configuring Source MAC Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .64
Configuring IP/MAC Address Binding. . . . . . . . . . . . . . . . . . . . . . . . . . . . .65
Configuring Port Triggering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .66
E-Mail Notifications of Event Logs and Alerts. . . . . . . . . . . . . . . . . . . . . . .68
Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .69
Chapter 5 Virtual Private Networking Using IPsec
Considerations for Dual WAN Port Systems . . . . . . . . . . . . . . . . . . . . . . .70
Using the VPN Wizard for Client and Gateway Configurations . . . . . . . . .72
Creating Gateway to Gateway VPN Tunnels with the Wizard . . . . . . . .72
Creating a Client to Gateway VPN Tunnel . . . . . . . . . . . . . . . . . . . . . . .75
Testing the Connections and Viewing Status Information . . . . . . . . . . . . .80
NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . . .80
VPN Firewall VPN Connection Status and Logs . . . . . . . . . . . . . . . . . .82
Managing VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Configuring IKE Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .83
Configuring VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .85
Configuring Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . .86
Configuring XAUTH for VPN Clients. . . . . . . . . . . . . . . . . . . . . . . . . . . .86
User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
RADIUS Client Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .88
Assigning IP Addresses to Remote Users (ModeConfig). . . . . . . . . . . . . .90
Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .90
Configuring Mode Config Operation on the VPN Firewall . . . . . . . . . . .91
Configuring the ProSafe VPN Client for ModeConfig. . . . . . . . . . . . . . .94
Configuring Keepalives and Dead Peer Detection . . . . . . . . . . . . . . . . . . .95
6 | Table of Contents
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Configuring Keepalives. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .95
Configuring Dead Peer Detection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .96
Configuring NetBIOS Bridging with VPN . . . . . . . . . . . . . . . . . . . . . . . . . .97
Chapter 6 Virtual Private Networking Using SSL
Understanding the Portal Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .99
Planning for SSL VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .100
Creating the Portal Layout . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .101
Configuring Domains, Groups, and Users . . . . . . . . . . . . . . . . . . . . . . . .104
Configuring Applications for Port Forwarding. . . . . . . . . . . . . . . . . . . . . .104
Adding Servers. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .105
Adding A New Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Configuring the SSL VPN Client. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .106
Configuring the Client IP Address Range. . . . . . . . . . . . . . . . . . . . . . .107
Adding Routes for VPN Tunnel Clients . . . . . . . . . . . . . . . . . . . . . . . .108
Replacing and Deleting Client Routes . . . . . . . . . . . . . . . . . . . . . . . . .109
Using Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . .109
Adding New Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . .109
Configuring User, Group, and Global Policies . . . . . . . . . . . . . . . . . . . . .110
Viewing SSL VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .112
Adding an SSL VPN Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .113
Chapter 7 Managing Users, Authentication, and Certificates
Adding Authentication Domains, Groups, and Users. . . . . . . . . . . . . . . .116
Creating a Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .117
Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .119
Creating a New User Account . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .120
Setting User Login Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .121
Changing Passwords and Other User Settings . . . . . . . . . . . . . . . . . .123
Managing Certificates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .124
Viewing and Loading CA Certificates. . . . . . . . . . . . . . . . . . . . . . . . . .126
Viewing Active Self Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .126
Obtaining a Self Certificate from a Certificate Authority. . . . . . . . . . . .127
Managing your Certificate Revocation List (CRL) . . . . . . . . . . . . . . . .129
Chapter 8 VPN Firewall and Network Management
Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .131
Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .132
Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .134
Using QoS to Shift the Traffic Mix . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .137
Changing Passwords and Administrator Settings . . . . . . . . . . . . . . . . . .137
Enabling Remote Management Access . . . . . . . . . . . . . . . . . . . . . . . . . .139
Using the Command Line Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Table of Contents | 7
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Using an SNMP Manager. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .141
Managing the Configuration File. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .143
Reverting to Factory Default Settings. . . . . . . . . . . . . . . . . . . . . . . . . .145
Configuring Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . .146
Chapter 9 Monitoring System Performance
Enabling the Traffic Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .149
Activating Notification of Events and Alerts . . . . . . . . . . . . . . . . . . . . . . .150
Viewing the Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .153
Viewing VPN Firewall Configuration and System Status . . . . . . . . . . . . .154
Monitoring VPN Firewall Statistics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .155
Monitoring the Status of WAN Ports. . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Monitoring Attached Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .156
Viewing the DHCP Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .157
Monitoring Active Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .158
Viewing Port Triggering Status. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .159
Monitoring VPN Tunnel Connection Status . . . . . . . . . . . . . . . . . . . . . . .160
Viewing the VPN Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .161
Chapter 10 Troubleshooting
Basic Functions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .162
Power LED Not On. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
LEDs Never Turn Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .163
Troubleshooting the Web Configuration Interface . . . . . . . . . . . . . . . . . .164
Troubleshooting the ISP Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . .165
Troubleshooting a TCP/IP Network Using a Ping Utility. . . . . . . . . . . . . .166
Testing the LAN Path to Your VPN Firewall. . . . . . . . . . . . . . . . . . . . .166
Testing the Path from Your PC to a Remote Device . . . . . . . . . . . . . .167
Restoring the Default Configuration and Password . . . . . . . . . . . . . . . . .167
Problems with Date and Time. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Using the Diagnostics Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .168
Appendix A Default Settings and Technical Specifications Appendix B Network Planning for Dual WAN Ports
What You Need to Do Before You Begin . . . . . . . . . . . . . . . . . . . . . . . . .173
Cabling and Computer Hardware Requirements . . . . . . . . . . . . . . . . .174
Computer Network Configuration Requirements . . . . . . . . . . . . . . . . .175
Internet Configuration Requirements . . . . . . . . . . . . . . . . . . . . . . . . . .175
Where Do I Get the Internet Configuration Parameters? . . . . . . . . . . .175
Internet Connection Information Form . . . . . . . . . . . . . . . . . . . . . . . . .176
Overview of the Planning Process . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
Virtual Private Networks (VPNs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . .177
8 | Table of Contents
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
The Roll-over Case for Firewalls With Dual WAN Ports. . . . . . . . . . . .177
The Load Balancing Case for Firewalls with Dual WAN Ports . . . . . . .178
Inbound Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .178
Inbound Traffic to Single WAN Port (Reference Case) . . . . . . . . . . . .179
Inbound Traffic to Dual WAN Port Systems . . . . . . . . . . . . . . . . . . . . .179
Virtual Private Networks (VPNs). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .181
VPN Road Warrior (Client-to-Gateway) . . . . . . . . . . . . . . . . . . . . . . . .182
VPN Gateway-to-Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .185
VPN Telecommuter (Client-to-Gateway Through a NAT Router). . . . .187
Appendix C Two Factor Authentication
Why do I need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . . .190
What are the benefits of Two-Factor Authentication? . . . . . . . . . . . . .190
What is Two-Factor Authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . .191
NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . .191
Appendix D Related Documents Appendix E Notification of Compliance Index
Table of Contents | 9

Introduction

1
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 connects your LAN to the Internet through one or two external broadband modems. Dual WAN ports allow you to increase throughput to the Internet by using both ports together, or to maintain a backup connection in case your primary Internet connection fails. The FVS336Gv2 incorporates a powerful and flexible firewall to safeguard your network, while providing advanced IPsec and SSL VPN technologies for secure, simple remote connections. The network storage is a plug-and-play device that can be installed and configured within minutes.
This chapter contains the following sections:
Package Contents on this page.
“Front Panel Features” on page 11.
“Rear Panel Features” on page 12.
“Default IP Address, Login Name, and Password Location” on page 12.
“Qualified Web Browsers” on page 13.

Package Contents

The product package should contain the following items:
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 appliance.
One AC power cable.
Rubber feet.
One Category 5 (Cat5) Ethernet cable.
Installation Guide, FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
Resource CD, including:
Application Notes and other helpful information.
ProSafe VPN Client Software—one user license.
Warranty and Support Information Card.
Chapter 1: Introduction | 10
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
If any parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the FVS336Gv2 for repair.

Front Panel Features

The front panel includes LAN Ethernet ports, WAN Ethernet ports, and four groups of status indicator LEDs, including Power and Test, LAN, WAN1, and WAN2:
Figure 1-1 Front Panel
LAN Ethernet ports: Four switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
WAN Ethernet ports: Two independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors.
The function of each LED is described in the following table:
Table 1-1. LED Descriptions
Object Activity Description
Power
Test
On (Green) Power is supplied to the FVS336Gv2. Off Power is not supplied to the FVS336Gv2. On (Amber) Test mode: The system is initializing or the initialization has failed. Blinking
(Amber) Off The system has booted successfully.
Writing to Flash memory (during upgrading or resetting to defaults).
WAN Ports
ACTIVE
SPEED
On (Green) On (Amber)
Off On (Green) On (Amber) Off
The WAN port has a valid Internet connection. The Internet connection is down or not being used because the WAN
port is in standby for failover. The WAN port is either not enabled or has no link. The WAN port is operating at 1,000 Mbps. The WAN port is operating at 100 Mbps. The WAN port is operating at 10 Mbps.
Chapter 1: Introduction | 11
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Table 1-1. LED Descriptions (Continued)
Object Activity Description LINK/ACT
(Link and Activity)
On (Green) Blinking (Green) Off
The WAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the WAN port. The WAN port has no link.
LAN Ports
SPEED
LINK/ACT (Link and Activity)
On (Green) On (Amber) Off On (Green) Blinking (Green) Off
The LAN port is operating at 1,000 Mbps. The LAN port is operating at 100 Mbps. The LAN port is operating at 10 Mbps. The LAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the LAN port. The LAN port has no link.

Rear Panel Features

The rear panel of the FVS336Gv2 includes Gigabit Ethernet LAN and WAN connections, a cable lock receptacle, power and reset switches, and an AC power connection.
Figure 1-2 Rear Panel
Viewed from left to right, the rear panel contains the following elements:
Cable security lock receptacle.
Factory Defaults button: Using a sharp object, press and hold this button for about ten
seconds until the front panel TEST light flashes to reset the FVS336Gv2 to factory default settings. All configuration settings will be lost and the default password will be restored.
AC power receptacle: Universal AC input (100-240 VAC, 50-60 Hz).

Default IP Address, Login Name, and Password Location

Check the label on the bottom of the network storage’s enclosure if you need a reminder of
12 | Chapter 1: Introduction
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
the following factory default information:
IP address
User name
Password
Figure 1-3 Product Lable

Qualified Web Browsers

To configure the network storage, you must use a Web browser such as Microsoft Internet Explorer 6 or higher, Mozilla Firefox 3 or higher, or Apple Safari 3 or higher with JavaScript, cookies, and you must have SSL enabled.
Although these Web browsers are qualified for use with the network storage’s Web Management Interface for configuring the network storage, SSL VPN users should choose a browser that supports JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that Java is only required for the SSL VPN portal, not the Web Management Interface.
Chapter 1: Introduction | 13

Connecting the VPN Firewall to the Internet

The initial Internet configuration of the VPN firewall, is described in this chapter. This chapter contains the following sections:
Understanding the Connection Steps” on this page.
“Logging into the VPN Firewall” on page 15.
“Navigating the Menus” on page 16.
“Configuring the Internet Connections” on page 17.
“Configuring the WAN Mode (Required for Dual WAN)” on page 22.
“Configuring Dynamic DNS (Optional)” on page 26.
“Configuring the Advanced WAN Options (Optional)” on page 28.
2

Understanding the Connection Steps

Typically, six steps are required to complete the basic Internet connection of your VPN firewall.
1. Connect the network storage physically to your network. Connect the cables and
restart your network according to the instructions in the installation guide. See the Installation Guide, FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN for complete steps. A PDF of the Installation Guide is on the NETGEAR website at:
http://kbserver.netgear.com.
2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your
VPN firewall. You can also change your password and enable remote management at this time. See “Logging into the VPN Firewall” on page 15.
3. Configure the Internet connections to your ISP(s). During this phase, you will
connect to your ISPs. See “Configuring the Internet Connections” on page 17.
4. Configure the WAN mode (required for dual WAN operation). Select either dedicated
(single WAN) mode, auto-rollover mode, or load balancing mode. For load balancing, you can also select any necessary protocol bindings. See “Configuring the WAN Mode
(Required for Dual WAN)” on page 22.
Chapter 2: Connecting the VPN Firewall to the Internet | 14
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified
domain names during this phase (if required). See “Configuring Dynamic DNS
(Optional)” on page 26.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to
respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features and changing them is not usually required. See
“Configuring the Advanced WAN Options (Optional)” on page 28.
Each of these tasks is detailed separately in this chapter. The configuration of firewall and VPN features is described in later chapters.

Logging into the VPN Firewall

To connect to the VPN firewall, your computer needs to be configured to obtain an IP address automatically from the VPN firewall by DHCP. For instructions on how to configure your computer for DHCP, refer to the link to the online document Preparing Your Network in Appendix D.
To connect and log in to the VPN firewall:
1. Start any of the qualified browsers, as detailed in “Qualified Web Browsers” on page 13.
2. Enter https://192.168.1.1 in the address field. The Manager login features appear in the
browser.
3. In the User Name field, type admin
4. In the Password field, type password
Note that both entries are in lower case letters.
Chapter 2: Connecting the VPN Firewall to the Internet | 15
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
5. Click Login. The Web Configuration Manager screen appears, displaying Router Status:

Navigating the Menus

The Web Configuration Manager menus are organized in a layered structure of main categories and submenus:
Main menu. The horizontal orange bar near the top of the page is the main menu,
containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar.
Submenu. The horizontal grey bar immediately below the main menu is the submenu,
containing subcategories of the currently selected primary category.
Tab. Immediately below the submenu bar, at the top of the menu active window, are one
or more tabs, further subdividing the currently selected subcategory if necessary.
Option arrow. To the right of the tabs on some menus are one or more blue dots with an
arrow in the center. Clicking an option arrow brings up either a popup window or an advanced option menu.
You can now proceed to the first configuration task, configuring the VPN firewall’s Internet connections.
16 | Chapter 2: Connecting the VPN Firewall to the Internet
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual

Configuring the Internet Connections

To set up your VPN firewall for secure Internet connections, you configure WAN port 1 and WAN port 2. The Web Configuration Manager offers two connection configuration options:
Automatic detection and configuration of the network connection.
Manual configuration of the network connection.
Each option is detailed in the sections following.

Automatically Detecting and Connecting

To automatically configure the WAN ports for connection to the Internet:
1. Select Network Configuration > WAN Settings from the menu. The WAN Settings tabs
appear, with the WAN1 ISP Settings screen in view.
2. Click Auto Detect at the bottom of the page. Auto Detect will probe the WAN port for a
range of connection methods and suggest one that your ISP appears to support.
Chapter 2: Connecting the VPN Firewall to the Internet | 17
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Note: If you click Auto Detect while the WAN port already has a
connection, you might lose the connection because the VPN firewall will enter its detection mode.
a. If Auto Detect is successful, a status bar at the top of the screen will display the
results.
b. If Auto Detect senses a connection method that requires input from you, it will
prompt you for the information. All methods with their required settings are detailed in the following table.
Table 2-2.
Connection Method Data Required
DHCP (Dynamic IP) No data is required. PPPoE Login (Username, Password);
Account Name, Domain Name (sometimes required).
PPTP Login (Username, Password),
Local IP address, and PPTP Server IP address; Account Name (sometimes required).
Fixed (Static) IP Static IP address, Subnet, and Gateway IP; DNS Server IP addresses.
c. If Auto Detect does not find a connection, you will be prompted to (1) check the
physical connection between your VPN firewall and the cable or DSL line, or to (2) check your VPN firewall’s MAC address (For more information, see “Configuring the
WAN Mode (Required for Dual WAN)” on page 22 and “Troubleshooting the ISP
Connection” on page 165.
3. To verify the connection, click the WAN
Status option arrow at the top right of the
screen. A popup window appears, displaying the connection status of WAN port 1.
18 | Chapter 2: Connecting the VPN Firewall to the Internet
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, go to “Manually Configuring the Internet Connection” on page 19 following this section, or see “Troubleshooting the ISP Connection” on page 165.
Note: If the configuration process was successful, you are connected to
the Internet through WAN port 1. If you intend to use the dual WAN capabilities of the VPN firewall, continue with the configuration process for WAN port 2.
4. Click the WAN2 ISP Settings tab.
5. Repeat the previous steps to automatically detect and configure the WAN2 Internet
connection.
6. Open the WAN Status window and verify a successful connection
If your WAN ISP configuration was successful, you can go to “Configuring the WAN Mode
(Required for Dual WAN)” on page 22.
If one or both automatic WAN ISP configurations failed, you can attempt a manual configuration as described in the following section, or see “Troubleshooting the ISP Connection” on page 165.

Manually Configuring the Internet Connection

Unless your ISP automatically assigns your configuration automatically via DHCP, you will need to obtain configuration parameters from your ISP in order to manually establish an Internet connection. The necessary parameters for various connection types are listed in
Table 2-2 on page 18
To manually configure the WAN1 ISP settings:
1. Select Network Configuration > WAN Settings from the menu. The WAN Settings
tabs appear, with the WAN1 ISP Settings screen in view.
2. In the ISP Login options, choose one of these options:
If your ISP requires an initial login to establish an Internet connection, click Yes (this
is the default).
If a login is not required, click No and ignore the Login and Password fields.
3. If you clicked Yes, enter the ISP-provided Login and Password information.
Chapter 2: Connecting the VPN Firewall to the Internet | 19
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
4. In the ISP Type options, select the type of ISP connection you use from the three listed
options. By default, “Other (PPPoE)” is selected, as shown below.
(If your connection is PPPoE or PPTP, your ISP will require an initial login.)
5. If you have installed login software such as WinPoET or Ethernet, then your connection
type is PPPoE. If your ISP uses PPPoE as a login protocol:
a. Select Other (PPPoE). b. Configure the following fields:
Account Name. Valid account name for the PPPoE connection.
Domain Name. Name of your ISP’s domain or your domain name if your ISP has
assigned one. In most cases, you may leave this field blank.
Idle Timeout. Select Keep Connected, to keep the connection always on. To
logout after the connection is idle for a period of time, click Idle Time and in the timeout field enter the number of minutes to wait before disconnecting.
Connection Reset. Select this checkbox to to specify a time when the PPPoE
WAN connection is reset, that is, the connection is disconnected momentarily and then re-established. Enter the hour and minutes in the Disconnect Time fields to specify when the connection should be disconnected. Enter the seconds in the Delay field to specify the period after which the connection should be re-established.
6. If your ISP is Austria Telecom or any other ISP that uses PPTP as a login protocol:
a. Select PPTP. b. Configure the following fields:
Account Name (also known as Host Name or System Name). Enter the valid
account name for the PPTP connection (usually your e-mail name as assigned by your ISP). Some ISPs require entering your full e-mail address here.
Domain Name. Your domain name or workgroup name assigned by your ISP, or
your ISPs domain name. You may leave this field blank.
Idle Timeout. Check the Keep Connected radio button to keep the connection
always on. To logout after the connection is idle for a period of time, click Idle Time and enter the number of minutes to wait before disconnecting in the timeout field. This is useful if your ISP charges you based on the amount of time you have logged in.
20 | Chapter 2: Connecting the VPN Firewall to the Internet
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
My IP Address. IP address assigned by the ISP to make the connection with the
ISP server.
Server IP Address. IP address of the PPTP server.
7. Review the Internet (IP) Address options.
8. If your ISP has not assigned a static IP address, click Get dynamically from ISP. The
ISP will automatically assign an IP address to the network storage using DHCP network protocol. The IP address and subnet mask fields will be inactivated. As an option, you can select the following checkboxes:
Client Identifier. Select this checkbox if your ISP requires the Client Identifier
information to assign an IP address using DHCP.
Vendor Class Identifier. Select this checkbox if your ISP requires the Vendor Class
Identifier information to assign an IP address using DHCP.
The ISP will automatically assign an IP address to the VPN firewall using DHCP network protocol.
9. If your ISP has assigned a fixed (static) IP address, select Use Static IP Address, and
configure the following fields:
IP Address. Enter the Static IP address assigned to you, that identifies the VPN
firewall to your ISP.
Subnet Mask. Enter the mask provided by the ISP or your network administrator.
Gateway IP Address. Enter the IP address of the ISP’s gateway, provided by the ISP
or your network administrator.
10. Review the Domain Name Server (DNS)
server options.
If your ISP has not assigned any DNS
addresses, click Get dynamically from ISP.
If your ISP (or your IT department) has
assigned DNS addresses, click Use these DNS Servers and enter the DNS
server IP addresses provided to you in the fields.
11. Click Apply to save any changes to the WAN1 ISP Settings. (Or click Reset to discard
any changes and revert to the previous settings.)
12. Click Test to evaluate your entries.
Chapter 2: Connecting the VPN Firewall to the Internet | 21
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
The VPN firewall will attempt to connect to the NETGEAR website. If a successful connection is made, NETGEAR’s website appears.
13. If you intend to use a dual WAN mode, click the WAN2 ISP Settings tab and configure
the WAN2 ISP settings using the same steps as WAN1.

Configuring the WAN Mode (Required for Dual WAN)

The dual WAN ports of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN can be configured on a mutually exclusive basis for either auto-rollover (for increased system reliability) or load balancing (for maximum bandwidth efficiency), or one port can be disabled.
Auto-Rollover Mode. The selected WAN interface is made primary and the other is the
rollover link. As long as the primary link is up, all traffic is sent over the primary link. Once the primary WAN interface goes down, the rollover link is brought up to send the traffic. Traffic will automatically roll back to the original primary link once the original primary link is back up and running again. If you want to use a redundant ISP link for backup purposes, select the WAN port that will act as the primary link for this mode. Ensure that the backup WAN port has also been configured and that you configure in the WAN Failure Detection Method section of the WAN Mode screen to support Auto-Rollover.
Load Balancing Mode. The VPN firewall distributes the outbound traffic equally among
the WAN interfaces that are functional.
Note: Scenarios could arise when load balancing needs to be bypassed
for certain traffic or applications. If certain traffic needs to travel on a specific WAN interface, configure protocol binding rules for that WAN interface. The rule should match the desired traffic.
Single WAN Port Mode. The selected WAN interface is made primary and the other is
disabled.
Whichever WAN mode you choose, you must also choose either NAT or classical routing, as explained in the following sections.

Network Address Translation

Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the VPN firewall) and a single IP address. PCs on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.
The VPN firewall uses NAT to select the correct PC (on your LAN) to receive any
incoming data.
22 | Chapter 2: Connecting the VPN Firewall to the Internet
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
If you only have a single public Internet IP address, you MUST use NAT. (the default
setting).
If your ISP has provided you with multiple public IP addresses, you can use one address
as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.

Classical Routing

In classical routing mode, the VPN firewall performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to each PC, you can choose classical routing. Or, you can use classical routing for routing private IP addresses within a campus environment. To learn the status of the WAN ports, you can view the Router Status screen (see <pdf>“Viewing VPN Firewall Configuration and System Status” on page 9-154) or look at the LEDs on the front panel (see “Rear Panel Features” on page 12).

Configuring Auto-Rollover Mode

To use a redundant ISP link for backup purposes, ensure that the backup WAN port has already been configured. Then select the WAN port that will act as the primary link for this mode and configure the WAN Failure Detection Method to support Auto-Rollover.
When the VPN firewall is configured in Auto-Rollover mode, it uses the selected WAN Failure Detection Method to check the connection of the primary link at regular intervals to detect its routing status. Link failure is detected in one of the following ways:
By sending DNS queries to a DNS server, or
By sending a Ping request to an IP address, or
None (no failure detection is performed).
From each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If replies are not received, after a specified number of retries, the corresponding WAN interface is considered down.
Chapter 2: Connecting the VPN Firewall to the Internet | 23
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
To configure the dual WAN ports for Auto-Rollover:
1. Select Network Configuration > WAN Settings from the menu, and click the WAN Mode
tab. The WAN Mode screen is displayed
2. In the Port Mode section, select Auto-Rollover Using WAN port.
3. From the drop-down list, choose which WAN port will act as the primary link for this
mode.
4. In the WAN Failure Detection Method section, select one of the following detection
failure methods:
DNS lookup using ISP DNS Servers. DNS queries are sent to the DNS server
configured on the WAN ISP screens (see <pdf>“Configuring the Internet Connections” on page 2-17).
DNS lookup using this DNS Server. Enter a public DNS server. DNS queries are
sent to this server through the WAN interface being monitored.
Ping to this IP addresses. Enter a public IP address that will not reject the Ping
request and will not consider Ping traffic to be abusive. Queries are sent to this server through the WAN interface being monitored.
5. Enter a Retry Interval in seconds. The DNS query or Ping is sent periodically after
every test period. The default test period is 30 seconds.
6. Enter the Failover after count. The WAN interface is considered down after the
configured number of queries have failed to elicit a reply. The rollover link is brought up after this. The Failover default is 4 failures.
The default time to roll over after the primary WAN interface fails is 2 minutes (a 30-second minimum test period for a minimum of 4 tests).
7. Click Apply to save your settings.
24 | Chapter 2: Connecting the VPN Firewall to the Internet
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Once a rollover occurs, an alert will be generated (see <pdf>“E-Mail Notifications of Event Logs and Alerts” on page 4-68). When the VPN firewall detects that the failed primary WAN interface has been restored, it will automatically rollover again to the primary WAN interface. Alternatively, you can manually force traffic back on the original primary WAN interface by reapplying the Auto-Rollover settings on the WAN Mode screen.

Configuring Load Balancing

To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, either WAN port will carry any outbound protocol unless protocol binding is configured. When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol will be directed to the bound WAN port. For example, if the HTTPS protocol is bound to WAN1 and the FTP protocol is bound to WAN2, then the VPN firewall will automatically route all outbound HTTPS traffic from the computers on the LAN through the WAN1 port. All outbound FTP traffic will be routed through the WAN2 port.
Protocol binding
Protocol binding addresses two issues:
Segregation of traffic between links that are not of the same speed.
High volume traffic can be routed through the WAN port connected to a high speed link and low volume traffic can be routed through the WAN port connected to the low speed link.
Continuity of source IP address for secure connections.
Some services, particularly HTTPS, will cease responding when a client’s source IP address changes shortly after a session has been established.
To configure the dual WAN ports for load balancing with protocol binding:
1. Select Network >WAN Settings from the menu, and click the WAN Mode tab.
2. In the Port Mode section, select Load Balancing.
3. Click view protocol bindings (if required). The WAN1 Protocol Bindings screen is
displayed.
Chapter 2: Connecting the VPN Firewall to the Internet | 25
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Enter the following data in the Add Protocol Binding section on screen: a. Service. From the drop-down list, choose the desired service or application to be
covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services screen (see “Adding Customized Services” on page 57).
b. Source Network. These settings determine which computers on your network are
affected by this rule. Select the desired options:
Any. All PCs and devices on your LAN.
Single address. Enter the required address and the rule will be applied to that
particular PC.
Address range. If this option is selected, you must enter the start and finish fields.
Group 1-Group 8. If this option is selected, the devices assigned to this group will
be affected. (You may also assign a customized name to the group. See Edit Group Names on the Groups and Hosts screen in the LAN Groups submenu.)
c. Destination Network. These settings determine which Internet locations are
covered by the rule, based on their IP address. Select the desired option:
Any. All Internet IP address are covered by this rule.
Single address. Enter the required address in the start field.
Address range. If this option is selected, you must enter the start and finish fields.
4. Click Add to save this rule.
The new Protocol Binding Rule will be enabled and added to the Protocol Binding Table for the WAN1 port.
5. Open the WAN2 Protocol Bindings tab and repeat the previous steps to set protocol
bindings for the WAN2 port.

Configuring Dynamic DNS (Optional)

Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must setup an account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org. (Links to DynDNS, TZO, Oray, and 3322 are provided for your convenience on the Dynamic DNS Configuration screen.) The VPN firewall firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet.
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently—hence, the need for a commercial DDNS service, which allows you to register an extension to its domain, and restores DNS requests for the resulting FQDN to your frequently-changing IP address.
26 | Chapter 2: Connecting the VPN Firewall to the Internet
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
After you have configured your account information in the network storage, whenever your ISP-assigned IP address changes, your network storage will automatically contact your DDNS service provider, log in to your account, and register your new IP address.
You may need to use a fully qualified domain name (FQDN):
For auto-rollover mode, you will need a FQDN to implement features such as exposed
hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address.
For load balancing mode, you may still need a FQDN either for convenience or if you
have a dynamic IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x
or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.
To configure dynamic DNS:
1. Select Network Configuration > Dynamic DNS from the menu and click the Dynamic
DNS Configuration tab. The Dynamic DNS Configuration screen is displayed.
The Current WAN Mode section reports the currently configured WAN mode. (For example, Single Port WAN1, Load Balancing or Auto Rollover.) Only those options that match the configured WAN Mode will be accessible.
2. Select the tab for the DDNS service provider you will use.
Chapter 2: Connecting the VPN Firewall to the Internet | 27
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
3. Click the information or registration link in the upper right corner for registration
information.
4. Access the website of the DDNS service provider and register for an account (for
example, for dyndns.org, go to http://www.dyndns.org).
5. For each WAN port, click the Yes radio button for Change DNS to <your desired DDNS
service> and configure the active fields:
a. Enter the account information for the service you have chosen (for example, user
name, password, key, or domain).
b. If your DDNS provider allows the use of wild cards in resolving your URL, you may
select the Use wildcards checkbox to activate this feature. For example, the wildcard feature will cause address as
c. If your WAN IP address does not change often, you may need to force a periodic
update to the DDNS service to prevent your account from expiring. If it appears, you can select the Update every 30 days checkbox to enable a periodic update.
yourhost.dyndns.org
*.yourhost.dyndns.org to be aliased to the same IP
6. Click Apply to save your configuration.

Configuring the Advanced WAN Options (Optional)

To configure the Advanced WAN options:
1. Select Network Configuration > WAN Settings from the menu. The WAN1 ISP Settings
screen is displayed.
2. Click the Advanced link to the right of the tabs.
The WAN1 Advanced Options screen is displayed:
3. Edit the default
information you want to change.
28 | Chapter 2: Connecting the VPN Firewall to the Internet
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
a. MTU Size. The normal MTU (Maximum Transmit Unit) value for most Ethernet
networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs, you may need to reduce the MTU. This is rarely required, and should not be done unless you are sure it is necessary for your ISP connection.
b. Port Speed. In most cases, your VPN firewall can automatically determine the
connection speed of the WAN port. If you cannot establish an Internet connection and the WAN Link or Speed LED blinks continuously, you may need to manually select the port speed. AutoSense is the default.
If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100BaseT Half_Duplex; otherwise, select 10BaseT Half_Duplex. Use the half-duplex settings unless you are sure you need full duplex.
c. Router's MAC Address. Each computer or router on your network has a unique
32-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. The default is Use default address. However, if your ISP requires MAC authentication, then select either of these options:
Use this Computer's MAC address to have the VPN firewall use the MAC address
of the computer you are now using, or
Use This MAC Address to manually type in the MAC address that your ISP
expects.
The format for the MAC address is 01:23:45:67:89:AB (numbers 0-9 and either uppercase or lowercase letters A-F). If you select Use This MAC Address and then type in a MAC address, your entry will be overwritten.
4. Click Apply to save your changes.

Additional WAN Related Configuration

If you want the ability to manage the network storage remotely, enable remote
management at this time (see “Enabling Remote Management Access” on page 139). If you enable remote management, we strongly recommend that you change your password (see “Changing Passwords and Administrator Settings” on page 137).
At this point, you can set up the traffic meter for each WAN. See “Enabling the Traffic
Meter” on page 149.
Chapter 2: Connecting the VPN Firewall to the Internet | 29

LAN Configuration

3
This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2.
This chapter contains the following sections
Choosing the VPN Firewall DHCP Options” on this page.
“Configuring the LAN Setup Options” on page 31.
“Managing Groups and Hosts (LAN Groups)” on page 34.
“Configuring Multi Home LAN IP Addresses” on page 38.
“Configuring Static Routes” on page 39.
“Configuring Routing Information Protocol (RIP)” on page 40.

Choosing the VPN Firewall DHCP Options

By default, the network storage will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, WINS Server, and default gateway addresses to all computers connected to the network storage’s LAN. The assigned default gateway address is the LAN address of the network storage. IP addresses will be assigned to the attached PCs from a pool of addresses that you must specify. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.
For most applications, the default DHCP and TCP/IP settings of the VPN firewall are satisfactory. See the link to the online document TCP/IP Networking Basics in Appendix D for information about how to assign IP addresses for your network.
If another device on your network will be the DHCP server, or if you will manually configure the network settings of all of your computers, clear the Enable DHCP server radio box by selecting the Disable DHCP Server radio box. Otherwise, leave it checked.
Specify the pool of IP addresses to be assigned by setting the starting IP address and ending IP address. These addresses should be part of the same IP address subnet as the network storage’s LAN IP address. Using the default addressing scheme, you should define a range
Chapter 3: LAN Configuration | 30
Loading...
+ 173 hidden pages
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use