How it Works
NETGEAR
Loading...
FVS338
Application Note
5 pgs82.7 Kb0
Application Note
3 pgs58.87 Kb0
Data Sheet
2 pgs390.84 Kb0
Installation Manual
2 pgs129.63 Kb0
Network Setup Manual
8 pgs426.99 Kb0
Reference Guide
218 pgs4.64 Mb0
REFERENCE MANUAL
230 pgs6.1 Mb0
Reference Manual
200 pgs3.4 Mb0
Reference Manual
10 pgs132.7 Kb0
User Manual
178 pgs5.24 Mb0
User Manual
198 pgs6.95 Mb0
User Manual
2 pgs315.89 Kb0
User Manual
174 pgs6.99 Mb0
Table of contents
Loading...

NETGEAR FVS338 User Manual

Download

FVS338 ProSafe VPN Firewall 50 Reference Manual

NETGEAR, Inc.
4500 Great America Parkway Santa Clara, CA 95054 USA
January 2007 202-10046-04 v1.0
© 2006 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR, the NETGEAR logo and ProSafe are trademarks and/or registered trademarks of Netgear, Inc. Microsoft, Windows, and Wi ndow s NT are registered trademar ks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try to correct the interference by one or more of the following measures:
Reorient or relocate the receiving antenna.
Increase the separation between the equipment and receiver.
Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
Consult the dealer or an experienced radio/TV technician for help.
EU Regulatory Compliance Statement
ProSafe VPN Firewall 50 is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1.
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß das ProSafe VPN Firewall 50 gemäß der im BMPT-AmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe VPN Firewall 50 has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however , be subject to certain restricti ons. Please refer to the notes in the operating instructions.
ii
v1.0, January 2007
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference. Read instructions for correct handling.
Additional Copyrights
AES Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted
subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. The copyright holder's name must not be used to endorse or promote any products derived from this software without his specific prior written permission.
This software is provided 'as is' with no express or implied warranties of correctness or fitness for purpose.
v1.0, January 2007
iii
Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions * are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the following acknowledgment: “This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or promote products derived from this software without prior written permission. For written permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This product includes software written by Tim Hudson (tjh@cryptsoft.com).
iv
v1.0, January 2007
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of this software or the suitability of this software for any particular purpose. It is provided "as is" without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or software.
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University. The name of the University may not be used to endor s e or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th,
2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the authors be held liable for any damages arising from the use of this software. Permission is granted to anyone to use this software for any purpose, including commercial applications, and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote the original software. If you use this software in a product, an acknowledgment in the product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu The data format used by the zlib library is described by RFCs (Request for Comments) 1950
to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt and rfc1952.txt (gzip format)
(zlib format), rfc1951.txt (deflate format)
v1.0, January 2007
v
Product and Publication Details
Model Number: FVS338 Publication Date: January 2007 Product Family: VPN firewall Product Name: ProSafe VPN Firewall 50 Home or Business Product: Business Language: English Publication Part Number: 202-10046-04 Publication Version Number 1.0
vi
v1.0, January 2007

Contents

About This Manual
Conventions, Formats and Scope ...................................................................................xiii
How to Use This Manual ..................................................................................................xiv
How to Print this Manual ..................................................................................................xiv
Revision History ..................... ... .......................................... .......................................... ...xv
Chapter 1 Introduction
Key Features ..................................................................................................................1-1
Full Routing on Both the Broadband and Serial WAN Ports ....................................1-2
A Powerful, True Firewall with Content Filtering ......................................................1-2
Security ....................................................................................................................1-2
Autosensing Ethernet Connections with Auto Uplink ...............................................1-3
Extensive Protocol Support ......................................................................................1-3
Easy Installation and Management ..........................................................................1-4
Maintenance and Support .................. .... ... ... ... .......................................... ... .... ... ... ..1-4
Package Contents ..........................................................................................................1-4
Router Hardware Components ................................. ...................................................... 1-5
Router Front Panel ...................................................................................................1-5
Router Rear Panel ...................................................................................................1-6
Rack Mounting Hardware .........................................................................................1-7
Factory Default Login .....................................................................................................1-7
Chapter 2 Connecting the FVS338 to the Internet
Connecting the VPN Firewall to Your Network ................ ... ... .... ... ... ... .... ... ... ... ... .... ... ... ..2-1
Logging in to the VPN Firewall ................................................................................2-1
Configuring your Internet Connection ......................................................................2-2
Setting the Router’s MAC Address (Advanced Options) ....................................... ..2-7
Manually Configuring Your Internet Connection ..... .......................... ........................2-9
v1.0, January 2007
vii
Programming the Traffic Meter (if Desired) ............................................................2-12
Configuring the WAN Mode ..........................................................................................2-15
Configuring Dynamic DNS (If Needed) .........................................................................2-16
Chapter 3 LAN Configuration
Configuring Your LAN (Local Area Network) ..................................................................3-1
Using the VPN Firewall as a DHCP Server ...................................... ... ... ... ... .... ... ... ..3-1
Configuring Multi-Home LAN IPs .............................................................................3-4
Managing Groups and Hosts .................................... .......................................... .... ... ... ..3-5
Creating the Network Database ...... ... .... ... ... .......................................... ... ... .... ... ... ..3-5
Setting Up Address Reservation ..................... ......................................................... 3-8
Configuring Static Routes ...............................................................................................3-8
Static Route Example ...............................................................................................3-9
RIP Configuration ...................................................................................................3-10
Chapter 4 Firewall Protection and Content Filtering
About Firewall Security ...................................................................................................4-1
Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-1
Services-Based Rules ........................................ .... ... ... ... .........................................4-2
Outbound Rules (Service Blocking) ...................................................................4-2
Inbound Rules (Port Forwarding) ......................................................................4-4
Order of Precedence for Firewall Rules ...................................................................4-6
Setting LAN WAN Rules ........................ ... .... ... ... ... ... .... ... ... ... .........................................4-7
LAN WAN Outbound Services Rules .......................................................................4-8
LAN WAN Inbound Services Rules ..........................................................................4-9
Attack Checks .................................... ....................................... ... .... ... ... ... ... .... ......4-10
Inbound Rules Examples .......................................................................................4-12
Hosting A Local Public Web Server .................................................................4-12
Allowing Videoconference from Restricted Addresses ....................................4-13
Setting Up One-to-One NAT Mapping ................................................... .... ... ...4-13
Specifying an Exposed Host ........ .... ... ... ..........................................................4-15
Outbound Rules Example – Blocking Instant Messenger ......................................4-16
Adding Customized Services ........................................................................................4-17
Specifying Quality of Service (QoS) Priorities .................... ... .... ... ... ... .... ... ... ... ... .... ... ...4-19
Setting a Schedule to Block or Allow Traffic .......................... .... ... ... ... ..........................4-20
viii
v1.0, January 2007
Setting Block Sites (Content Filtering) ................ .................................................... ......4-21
Enabling Source MAC Filtering ....................................................................................4-23
Setting Up Port Triggering .. ... ... ... .... ... ... ... ....................................................................4-24
E-Mail Notifications of Event Logs and Alerts ......................................... ......................4-27
Administrator Information .............................................................................................4-31
Chapter 5 Virtual Private Networking
Dual WAN Port Systems .................................................................................................5-1
Setting up a VPN Connection using the VPN Wizard .....................................................5-2
Creating a VPN Tunnel to a Gateway ......................................................................5-2
Creating a VPN Tunnel Connection to a VPN Client ...... .... ... ... ... .... ........................5-3
IKE Policies ........................................................ ... ....................................... ... ... .... ... .....5-4
IKE Policy Operation ............. .... ... ... .......................................... ... .... ... ... ... ... .... ... ... ..5-4
IKE Policy Table ........................ ... ... ... .... .......................................... ........................5-5
VPN Policies .......................... ... ... .... ... ... ... .... ...................................... .... ... ... ... ... .... ... .....5-5
VPN Policy Operation ........... .... ... ... .......................................... ... .... ... ... ... ... .... ... ... ..5-6
VPN Policy Table ................... .... ... ... ... .... .......................................... ........................5-6
VPN Tunnel Connection Status ................................................................................5-7
Creating a VPN Gateway Connection: Between FVS338 and FVX538 .........................5-8
Configuring the FVS338 ...........................................................................................5-8
Configuring the FVX538 .........................................................................................5-11
Testing the Connection ...........................................................................................5-12
Creating a VPN Client Connection: VPN Client to FVS338 ....................... ... ... ... .... ... ...5-12
Configuring the FVS338 .........................................................................................5-13
Configuring the VPN Client .......................................... ... .... ... ... ... .... ... ... ................5-14
Testing the Connection ...........................................................................................5-19
Extended Authentication (XAUTH) Configuration ............................ ................... ..........5-20
Configuring XAUTH for VPN Clients ......................................................................5-21
User Database Configuration .... ... ... ... .... .......................................... ... ... ... .............5-22
RADIUS Client Configuration .................................................................................5-23
Manually Assigning IP Addresses to Remote Users (ModeConfig) .............................5-25
ModeConfig Operation ...........................................................................................5-26
Setting Up ModeConfig ................... ... .... ... ... ..........................................................5-26
Configuring the ProSafe VPN Client for ModeConfig .......................................... ...5-30
Certificates ................................... ................. ................ ................ ................ ................5-33
v1.0, January 2007
ix
Trusted Certificates (CA Certificates) .....................................................................5-33
Self Certificates ......................................................................................................5-34
Managing your Certificate Revocation List (CRL) .. ... ... ..........................................5-37
Chapter 6 Router and Network Management
Performance Management .................................................... .... ... ... ... .... ... ... ..................6-1
VPN Firewall Features That Reduce Traffic .............................................................6-1
Service Blocking ................................................. .......................................... ..... 6-2
Block Sites .........................................................................................................6-3
Source MAC Filtering ........................................................................................6-4
VPN Firewall Features That Increase Traffic ...........................................................6-4
Port Forwarding ........................................................ .... ... ... ... .... ... ... ... ...............6-4
Port Triggering ....................... ... ... .... ... ...............................................................6-6
VPN Tunnels ................................................ .......................................... ............6-6
Using QoS to Shift the Traffic Mix ............................................................................6-7
Tools for Traffic Management .......... ... .......................................... ............................6-7
Administration ..................................... ............................................. ...............................6-7
Changing Passwords and Settings ..........................................................................6-7
Enabling Remote Management Access ...................................................................6-9
Using a SNMP Manager ........................................................................................6-11
Settings Backup and Firmware Upgrade ...............................................................6-12
Backup and Restore Settings ..........................................................................6-13
Router Upgrade ...............................................................................................6-14
Setting the Time Zone ........ ... .... ... ... .......................................... ... .... ... ...................6-15
Monitoring the Router ............................................................ .... ... ... ... .... ... ... ... ... ..........6-16
Enabling the Traffic Meter ......................................................................................6-16
Setting Login Failures and Attacks Notification ................................ ...................... 6-18
Monitoring Attached Devices ....... ... ....... ................................................................6-20
Viewing Port Triggering Status ...............................................................................6-21
Viewing Router Configuration and System Status .................................................6-22
Monitoring WAN Ports Status .......................... ... .... ... ... ... .......................................6-23
Monitoring VPN Tunnel Connection Status ............................................................6-24
VPN Logs ........... ... ... .... ... ... ... ....................................... ... .... ... ... ... .... ... ...................6-25
DHCP Log ..............................................................................................................6-25
Performing Diagnostics ...... ... .... ... ... ... .... ................................................................6-26
x
v1.0, January 2007
Chapter 7 Troubleshooting
Basic Functions ..............................................................................................................7-1
Power LED Not On ...................................................................................................7-1
LEDs Never Turn Off ................................................................................................7-2
LAN or Internet Port LEDs Not On ......... ... ... ... ... .... ... ... .......................................... ..7-2
Troubleshooting the Web Configuration Interface ..........................................................7-2
Troubleshooting the ISP Connection ..............................................................................7-4
Troubleshooting a TCP/IP Network Using a Ping Utility .................................................7-5
Testing the LAN Path to Your Firewall ......................................................................7-5
Testing the Path from Your PC to a Remote Device ................................................7-6
Restoring the Default Configuration and Password ............... .........................................7-7
Problems with Date and Time .........................................................................................7-7
Appendix A Default Settings and Technical Specifications
Appendix B Related Documents
Index
v1.0, January 2007
xi
xii
v1.0, January 2007

About This Manual

The NETGEAR® Pr oSafe™ VPN Fir ewall 50 FVS338 Reference Manual describes how to install, configure and troubleshoot the ProSafe VPN Firewall 50. The information in this manual is intended for readers with intermediate computer and Internet skills.

Conventions, Formats and Scope

The conventions, formats, and scope of this manual are described in the following paragraphs.
Typographical Conventions. This manual uses the following typographical conventions:
Italics Emphasis, books, CDs, file and server names, extensions
Bold User input, IP addresses, GUI screen text
Fixed Command prompt, CLI text, code
italics URL links
Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the
equipment.
v1.0, January 2007
xiii
FVS338 ProSafe VPN Firewall 50 Reference Manual
Danger: This is a safety warning. Failure to take heed of this notice may result in
personal injury or death.
Scope. This manual is written for the VPN firewall according to these specifications:
Product Version ProSafe VPN Firewall 50 Manual Publication Date January 2007
For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, “Related Documents”.
Note: Updates to this product are available on the NETGEAR, Inc. website at
http://kbserver.netgear.com/products/FVS338.asp.

How to Use This Manual

The HTML version of this manual includes the following:
Buttons, and , for browsing forwards or backwards through the manual one page at a time
A button that displays the table of contents and an button. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual.
A button to access the full NETGEAR, Inc. online knowledge base for the product model.
Links to PDF versions of the full manual and individual chapters.

How to Print this Manual

To print this manual you can choose one of the following options, according to your needs.
Printing a Page from HTML. Each page in the HTML version of the manual is dedicated to a major topic. Select File > Print from the browser menu to print the page contents.
xiv
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at
http://www.adobe.com.
Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page.
Click the PDF of This Chapter link at the top left of any page in the chapter you want to print. The PDF version of the chapter you were viewing opens in a browser window.
Click the print icon in the upper left of your browser window.
Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link
at the top left of any page.
Click the Complete PDF Manual link at the top left of any page in the manual. The PDF version of the complete manual opens in a browser window.
Click the print icon in the upper left of your browser window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.

Revision History

Part Number
202-10046-02 1.0 Product update: New firmware and new user Interface 202-10046-03 1.0 Remove Tr end Micro
Version Number
Description
v1.0, January 2007
xv
FVS338 ProSafe VPN Firewall 50 Reference Manual
xvi
v1.0, January 2007
Chapter 1
Introduction
The ProSafe VPN Firewall 50 with 8 port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.
The FVS338 is a complete security solution that protects your network from attacks and intrusions. For example, the FVX538 provides support for Stateful Packet Inspection, Denial of Service (DoS) attack protection and multi-NAT support.The VPN firewall supports multiple Web content filtering options, plus browsing activity reporting and instant alerts—both, via e-mail. Network administrators can establish restricted access policies based on time-of-day, Website addresses and address keywords, and share high-speed cable/DSL Internet access for a local network.
The FVS338 is a plug-and-play device that can be installed and configured within minutes.

Key Features

The VPN firewall provides the following features:
One 10/100 Mbps port for an Ethernet connection to a broadband W AN device, such as a cable modem or DSL modem, and one serial port for a dial-up modem connection to the Internet through the public switched telephone network (PSTN).
Dual WAN ports (one broadband and one serial) provide for increased system reliability.
Support for up to 50 VPN tunnels.
Easy, web-based setup for installation and management.
URL keyword Content Filtering and Site Blocking Security.
Quality of Service (QoS) support for traffic prioritization.
Built in 8-port 10/100 Mbps switch.
Extensive Protocol Support.
Login capability.
SNMP for manageability.
Front panel LEDs for easy monitoring of status and activity.
Flash memory for firmware upgrade.
Introduction 1-1
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Full Routing on Both the Broadband and Serial WAN Ports

You can install, configure, and operate the FVS338 to take full advantage of a variety of routing options on both the serial and broadband WAN ports, including:
Internet access via either the serial or broadband port.
Auto rollover connectivity (fail-over) through an analog modem connected to the serial port If the broadband Internet connection fails, after waiting for an pre-specified amount of time the FVS338 can automatically establish a backup dial-up Internet connection via the serial port on the firewall.

A Powerful, True Firewall with Content Filtering

Unlike simple Internet sharing NAT routers, the FVS338 is a true firewall, using stateful packet inspection to defend against hacker attacks. Its firewall features include:
DoS protection. Automatically detects and thwarts DoS attacks such as Ping of Death, SYN Flood, LAND Attack, and IP Spoofing.
Blocks unwanted traffic from the Internet to your LAN.
Blocks access from your LAN to Internet locations or services that you specify as off-limits.
Logs security incidents. The FVS338 will log security events such as blocked incoming traffic, port scans, attacks, and administrator logins. Y ou can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
With its URL keyword filtering feature, the FVS338 prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.

Security

The VPN firewall is equipped with several features designed to maintain security, as described in this section.
PCs Hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the PCs on the LAN.
1-2 Introduction
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Port Forwarding with NAT. Although NAT prevents Internet locations from directly accessing the PCs on the LAN, the firewall allows you to direct incoming traffic to specific PCs based on the service port number of the incoming request. You can specify forwarding of single ports or ranges of ports.
Exposed Host (Software DMZ). Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network.

Autosensing Ethernet Connections with Auto Uplink

With its internal 8-port 10/100 switch, the FVS338 can connect to either a 10 Mbps standard Ethernet network or a 100 Mbps Fast Ethernet network. Both the LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation.
The firewall incorporates Auto Uplink whether the Ethernet cable plugged into the port should have a ‘normal’ connection such as to a PC or an ‘uplink’ connection such as to a switch or hub. That port will then configure itself to the correct configuration. This feature also eliminates the need to worry about crossover cables, as Auto Uplink will accommodate either type of cable to make the right connection.
TM
technology. Each Ethernet port will automatically sense

Extensive Protocol Support

The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol
IP Address Sharing by NAT. The VPN firewall allows several networked PCs to share an Internet account using only a single IP address, which may be statically or dynamically assigned by your Internet service provider (ISP). This technique, known as NAT, allows the use of an inexpensive single-user ISP account.
Automatic Configuration of Attached PCs by DHCP. The VPN firewall dynamically assigns network configuration information, including IP, gateway, and domain name server (DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of PCs on your local network.
DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by simulating a dial-up connection. This feature eliminates the need to run a login program such as EnterNet or WinPOET on your PC.
Introduction 1-3
(RIP).
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Easy Installation and Management

You can install, configure, and operate the ProSafe VPN Firewall 50 within minutes after connecting it to the network. The following features simplify installation and management tasks:
Browser-based management. Browser-based configuration allows you to easily configure your firewall from almost any type of personal computer, such as Windows, Macintosh, or Linux. A user-friendly Setup Wizard is provided and online help documentation is built into the browser-based Web Management Interface.
Smart Wizard. The VPN firewall automatically senses the type of Internet connection, asking you only for the information required for your type of ISP account.
VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager. The SNMP system configuration lets you change the system variables for MIB2.
Diagnostic functions. The firewall incorporates built-in diagnostic functions such as Ping, Trace Route, DNS lookup, and remote reboot.
Remote management. The firewall allows you to securely login to the Web Management Interface from a remote location on the Internet. For additional security, you can limit remote management access to a specified remote IP address or range of addresses, and you can choose a nonstandard port number.
Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity.

Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the VPN firewall:
Flash memory for firmware upgrade
Free technical support seven days a week, twenty-four hours a day

Package Contents

The product package should contain the following items:
1-4 Introduction
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
ProSafe VPN Firewall 50.
•AC power adapter.
Category 5 Ethernet cable.
Resource CD, including: – Application Notes and other helpful information. – ProSafe VPN Client Software – one user license.
Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair.

Router Hardware Components

Following is a description of the front and rear panels of the FVS338, including instructions for installing the FVS338 using the rack mounting hardware.

Router Front Panel

The ProSafe VPN Firewall 50 front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
Local LEDs
Figure 1-1
Power
LED
Test LED
Modem
LED
Internet
LEDs
The table below describes each item on the front panel and its operation.
Introduction 1-5
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Table 1-1. Object Descriptions
Object Activity Description
Power LED On (Green)
Off
Test LED On (Amber)
Blinking (Amber) Off
MDM LED On (Green)
Blinking (Green) Off
Internet LEDs
Link/Act LED
On (Green) Blinking (Green) Off
100 LED
On (Green) Off
Local LEDs Link/Act LED
On (Green) Blinking (Green) Off
100 LED
On (Green) Off
Power is supplied to the router. Power is not supplied to the router.
Test mode: The system is initializing or the initialization has failed. Writing to Flash memory (during upgrading or resetting to defaults). The system has booted successfully.
The serial port has successfully connected to an ISP and received an IP Address. Server data is being transmitted or received by the serial port. The serial port has no link.
The WAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the WAN port. The WAN port has no link.
The WAN port is operating at 100 Mbps. The WAN port is operating at 10 Mbps.
The LAN port has detected a link with a connected Ethernet device. Data is being transmitted or received by the LAN port. The LAN port has no link.
The LAN port is operating at 100 Mbps. The LAN port is operating at 10 Mbps.

Router Rear Panel

The rear panel of the ProSafe VPN Firewall 50 (Figure 1-2) contains the On/Off switch and AC power connection.
LOCAL
5
FACTORY
DEFAULTS
678MODEM
Figure 1-2
Viewed from left to right, the rear panel contains the following elements:
1-6 Introduction
v1.0, January 2007
INTERNET
1234
12VDC 1.2A
FVS338 ProSafe VPN Firewall 50 Reference Manual
Modem port – serves as the WAN2 Internet port through the public switched telephone network (PSTN).
Factory Defaults reset button.
Local ports – 8-port RJ-45 10/100 Mbps Fast Ethernet Switch, N-way automatic speed negotiation, auto MDI/MDIX.
Internet port – serves as the WAN1 Internet port. One RJ-45 WAN port, N-way automatic speed negotiation, Auto MDI/MDIX.
•On/Off switch
DC power in (12 VDC, 1.2A)

Rack Mounting Hardware

The FVS338 can be mounted either on a desktop (using included rubber feet) or in a 19-inch rack (using the included rack mounting hardware illustrated in Figure 1-3).
Figure 1-3

Factory Default Login

Check the label on the bottom of the FVS338’s enclosure if you forget the following factory default information:
IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN
•User name: admin
Password: password
Introduction 1-7
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
LAN IP Address User Name Password
Figure 1-4
To log in to the FVS338 once it is connected:
1. Open a Web b r owser.
2. Enter http://192.168.1.1 as the URL.
Figure 1-5
3. Once the login screen displays (Figure 1-5), enter the following:
admin for User Name
password for Password
1-8 Introduction
v1.0, January 2007
Chapter 2
Connecting the FVS338 to the Internet
This section provides instructions for connecting the VPN firewall. Setting up VPN tunnels are covered in Chapter 5, “Virtual Private Networking”:
1. Connect the firewall physically to your network. Connect the cables, turn on your router and wait for the T est LED to go out. Make sure your Ethernet and LAN LEDs are lit. (See the FVS338 ProSafe VPN Firewall 50 Installation Guide on your Resource CD.)
2. Log in to the firewall. After logging in, you are ready to set up and configure your firewall. You can also change your password and enable remote management at this time.
3. Configure the Internet connections to your ISPs. During this phase, you will connect to your ISPs. You can also program the WAN traffic meters at this time if desired.
4. Configure the WAN mode. Select either Primary Broadband with Dialup as backup or
Use only single WAN port—and select the WAN port from the pull-down menu—either Broadband or Dial-up.
5. Configure dynamic DNS on the WAN ports (if needed). Configure your fully qualified domain names during this phase (if required).
6. Configure the WAN options (if needed). Optionally, you can enable each WAN port to respond to a ping. You can also change the factory default MTU size, port speed, and uplink bandwidth. However, these are advanced features and changing them is not usually required.

Connecting the VPN Firewall to Your Network

To physically connect your VPN firewall, refer to the IFVS338 ProSafe VPN Fir ewall 50 Installation Guide (a copy is also available on your Resource CD).

Logging in to the VPN Firewall

Note: To connect to the firewall, your computer needs to be configured to obtain an IP
address automatically via DHCP.
v1.0, January 2007
2-1
FVS338 ProSafe VPN Firewall 50 Reference Manual
To log in to the VPN firewall:
1. Open a Internet Explorer, Netscape® Navigator, or Firefox browser. In the browser window, enter http://192.168.1.1 in the address field. The FVS338 login screen will display.
Figure 2-1
2. Enter admin for the User Name and password for the Password, both in lower case letters.The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.
3. Click Login. The Broadband ISP Settings screen will display.
Note: You might want to enable remote management at this time so that you can log
in remotely in the future to manage the firewall. See “Enabling Remote
Management Access” on page 6-9 for more information. Remote management
enable is cleared with a factory default reset. If you enable remote management, you are strongly advised to change your password (see
“Changing Passwords and Settings” on page 6-7).

Configuring your Internet Connection

You can configure both Broadband ISP Settings and Dialup ISP Settings.from the WAN Settings menu.
To configure your Broadband ISP Settings:
1. Select Network Configuration from the main menu and WAN Settings from the submenu. The Broadband ISP Settings screen will display.
2-2 Connecting the FVS338 to the Internet
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 2-2
2. Click Auto Detect at the bottom of the screen to automatically detect the type of Internet connection provided by your ISP. Auto Detect will probe for different connection methods and suggest one that your ISP will most likely support.
When Auto Detect successfully detects an active Internet service, it reports which connection type it discovered. The options are described in the following table.
Table 2-1. Internet connection methods
Connection Method Data Required
PPPoE Login (Username, Password). PPTP Login (Username, Password), Local IP, and PPTP Server IP. BigPond Cable Login Username, Password), Account Name, and Server IP.
Connecting the FVS338 to the Internet 2-3
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Table 2-1. Internet connection methods
Connection Method Data Required
DHCP (Dynamic IP) No data is required. Fixed IP IP address and related data supplied by your ISP.
3. Click Connection Status at the top right of the screen to verify your Broadband connection status. Click Connect if connection not already present.
Figure 2-3
If Auto Detect does not find a connection, you will be prompted to check the physical connection between your firewall and the cable or DSL line or to check your Router’s MAC address (see “Setting the Router’s MAC Address (Advanced Options)” on page 2-7).
4. Set up the traffic meter for ISP1 if desired. See “Programming the Traffic Meter (if Desired)”
on page 2-12.
Note: At this point in the configuration process, you are now connected to the Internet
through the broadband Ethernet WAN. Optionally, you can continue with the configuration of the dialup ISP serial WAN interface.
The Dialup Settings screen will assist you in setting up the router to access the Internet connection using a dialup modem. Since the Dialup ISP Settings must be configured manually, you will need all of your ISP settings information before you begin.
To configure the Dialup ISP serial WAN port:
2-4 Connecting the FVS338 to the Internet
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
1. Select Network Configuration from the main menu, WAN Settings from the submenu and click the Dialup ISP Settings tab to display the Dialup settings screen.
Figure 2-4
2. Enter the following Dialup Account settings: a. Account/User name: Enter the account name or the user name provided by your ISP. This
name will be used to log in to the ISP server.
b. Password: The account password for the dialup ISP c. Telephone: The telephone number or access number to dial for connectivity. Type in the
number using the format described in your modem's user manual.
d. Alternative Telephone: An alternative number which will be dialed if the first is not
available (optional).
Connecting the FVS338 to the Internet 2-5
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
3. Specify the method to use for your Dial-up Connection Status. The VPN firewall can automatically dial to the ISP when a connection is needed or can be configured to wait for manual intervention.:
a. Check the Connect automatically disconnect after idle for ___ min. radios box for the
modem to connect automatically . Specify t he idle minute amount. The router will connect whenever an outbound connection request is made from a computer on the LAN. The connection will be terminated if there is no data transfer during the specified time interval.
b. Check the Connect and disconnect manually radio box to disable auto dialing and allo w
manual control over connecting via dial-up. To connect manually, click the DIAL-Up
Status link at the top and then click Connect or Disconnect.
4. Internet (IP Address). DialUp ISPs usually assign the IP address automatically when
connecting. a. The default setting of Get Dynamically from ISP will configure the router to accept the
ISP assigned IP address.
b. If your ISP has assigned a static IP address, select the Use Static IP Address radio box
and enter the IP address in the IP Address field.
5. Check the Get Automatically From ISP radio box to use ISP assigned DNS server addresses (default). To use different DNS addresses, check the Use These DNS Servers radio box and type in the DNS server IP addresses in the Primary DNS Server and Secondary DNS Server (optional) fields.
6. Click Apply to save your settings or Cancel to revert to the previous settings.
7. Enter any modem specific parameters to tune the router for different modems: c. Serial Line Speed: Select the baud rate with which the serial port of the router and the
modem connect. Available speeds range from 4.8Kbps to 460.8Kbps.
d. Modem Type: If your modem type is listed in the pull-down menu, select it. For most
56Kbps modems, the U.S. Robotics 56K FAX EXT PnP selection should work. If this does not work, select User Defined Modem and type in the Initial String for your modem. The Initial string is usually defined in the modem’s user manual.
e. Dial-up Type: Check the Tone radio box if your phone line supports touch tone dialing;
select Pulse for pulse mode dialing. Select Other – use Dial String to configure additional options such as Auto-Answer, etc. (consult your modem manual for dial strings).
2-6 Connecting the FVS338 to the Internet
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Set up the traffic meter for the Dialup ISP if desired (see “Programming the Traffic Meter (if
Desired)” on page 2-12).
Note: The response time of your serial port Internet connection will be slower
than a broadband Internet connection.
Tip: If you experience connectivity problems with the Dialup ISP, try a different
baud rate setting and ensure that the modem parameters you selected match the modem connected to the FVS338.

Setting the Router’s MAC Address (Advanced Options)

Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer's MAC (Media Access Control) address. The default is set to Use Default Address. If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you must enter that address.
To change the router’s default MAC Address:
1. Select Network Configuration from the main menu, Broadband ISP Settings from the submenu and click the Advanced link. Check the radio box for either:
a. Use This computer’s MAC address, if this is the address your ISP expects, or b. Use this MAC Address and enter the MAC address that your ISP expects.
The format for the MAC address is XX:XX:XX:XX:XX:XX where X is a number from 0 to 9 (inclusive) or an alphabetical letter between A and F (inclusive).
2. Click Apply to save your settings or Cancel to revert to the previous settings
You may also change the default MTU Size and Port Speed for the Broadband link on this screen, based on the following criteria:
MTU Size. The standard MTU (Maximum Transmit Unit) value for Ethernet networks is either 1500 Bytes or 1492 Bytes for PPPoE connections. Some ISPs may ask you to reduce the MTU, but this is rarely required, and should not be done unless required by your ISP.
Port Speed. In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port speed.
Connecting the FVS338 to the Internet 2-7
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
This could occur on some older broadband modems. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100BaseT; otherwise, select 10BaseT. Use the half-duplex settings if full-duplex modes do not work.
Figure 2-5
You can also change the standard MTU (Maximum Transmit Unit) value for dialup modems from the Dialup ISP Settings screen. THe standard value is 576 bytes, but some ISPs may require that you reduce the MTU. However, this is rarely required, and should not be done unless specifically required by the ISP,
To change the MTU va lue for your dialup modem:
1. Select Network Configuration from the main menu, WAN Settings from the submenu and the Dialup ISP Settings tab. Click the Advanced link on the Dialup ISP Settings screen.
2. Select the Custom radio box and enter the MTU value, in bytes.
3. Click Apply to save your settings.
2-8 Connecting the FVS338 to the Internet
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
.
Figure 2-6

Manually Configuring Your Internet Connection

If you know your Broadband ISP connection type, you can bypass the Auto Detect feature and connect your router manually . Ensure that yo u have all of the relevant connection information such as IP Addresses, account information, type of ISP connection, etc., before you begin. Unless your ISP automatically assigns your configuration automatically via DHCP, you will need the configuration parameters from your ISP
Connecting the FVS338 to the Internet 2-9
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 2-7
To manually configure your WAN1 ISP settings:
1. Does your Internet connection require a login? If you need to enter login information every time you connect to the Internet through your ISP, select Yes. Otherwise, select No.
2. What type of IPS connection do you use? If your connection is PPPoE, PPTP or BigPond Cable, then you must login. Check the Yes radio box. The text box fields that require data entry will be highlighted, based on the connection that you selected. If your ISP has not assigned any login information, then choose the No radio box and skip this section. For example:
Austria (PPTP): If your ISP is Austria Telecom or any other ISP that uses PP TP for l ogin,
select this. Then, fill in the following highlighted fields: – Account Name (also known as Host Name or System Name): Enter the valid account
name for the PP TP connection (usually your email “ID” assigned by your ISP). Some ISPs require entering your full email address here.
2-10 Connecting the FVS338 to the Internet
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Domain Name: Your domain name or workgroup name assigned by your ISP, or your
ISPs domain name. You may leave this field blank.
Idle Timeout: Check the Keep Connected radio box to keep the connection always
on. To logout after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting in the timeout field. This is useful if your ISP charges you based on the amount of time you have logged in.
My IP Address: IP address assigned by the ISP to make the connection with the ISP
server.
Server IP Address: IP address of the PPTP server.
Other (PPPoE): If you have installed login software such as WinPoET or Enternet, then
your connection type is PPPoE. Select this connection and configure the following fields: – Account Name: Valid account name for the PPPoE connection – Domain Name: Name of your ISPs domain or your domain name if your ISP has
assigned one. You may leave this field blank.
Idle Timeout: Select Keep Connected, to keep the connection always on. To logout
after the connection is idle for a period of time, select Idle Time and enter the number of minutes to wait before disconnecting, in the timeout field.
BigPond Cable: If your ISP is Telstra BigPond Cable, select this option and fill in the
Login Server and Idle Timeout fields. The Login Server is the IP address of the local BigPond Login Server in your area. You can find login server information at http://www.netgear.com.sg/support/bigpond.asp
3. If your ISP has assigned a fixed (static or permanent) IP address, select the Use Static IP Address radio box and fill in the following fields:
a. IP Address: Static IP address assigned to you. This will identify the router to your ISP. b. Subnet Mask: This is usually provided by the ISP or your network administrator. c. Gateway IP Address: IP address of the ISP’s gateway. This is usually provided by the ISP
or your network administrator.
If your ISP has not assigned a Static IP address, select the Get dynamically from ISP radio box. The ISP will automatically assign an IP address to the router using DHCP network protocol.
Connecting the FVS338 to the Internet 2-11
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
4. If your ISP has not assigned any Domain Name Servers (DNS) addresses, select the Get dynamically from ISP radio box. If your ISP has assigned DNS addresses, select the Use these DNS Servers radio box. Ensure that you fill in valid DNS server IP addresses in the
fields. Incorrect DNS entries may cause connectivity issues.
Note: Domain name servers (DNS) convert Internet names such as www .google.com,
www.netgear.com, etc. to Internet addresses called IP addresses. Incorrect settings here will result in connectivity problems.
5. Click Apply to save the settings or click Cancel to revert to the previous settings.
6. Click Test to try and connect to the NETGEAR Web site. If you connect successfully and your
settings work, then you may click Logout or go on and configure additional settings. You can also click on the Broadband Status link or the Current IP Address link to check on
connection status and current IP address.

Programming the Traffic Meter (if Desired)

The traffic meter is useful when an ISP charges by traffic volume ov er a given period of time or if you want to look at traffic types over a period of time.
To enable the traffic meter:
1. From the primary menu, select Monitoring, and then select T raffic Meter from the secondary menu. The Broadband Traffic Meter screen will display. Fill out the information described in Table 2-2.
2. Click Apply to apply the settings or click Cancel to return to the previous settings.
3. Select the Dialup Traffic Meter tab and repea t st eps 1 through 3 to set the Traffic Meter the
the Dialup port (if required).
2-12 Connecting the FVS338 to the Internet
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 2-8
Connecting the FVS338 to the Internet 2-13
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Table 2-2. Traffic Meter Settings
Parameter Description
Enable Traffic Meter Check this if you wish to record the volume of Internet traffic passing through the
Router's Broadband or Dialup port. Broadband or Dialup can be selected by clicking the appropriate tap; the entire configuration is specific to each interface.
• No Limit - If this is selected specified restriction will not be applied when traffic limit is reached.
• Download only - If this is selected the specified restriction will be applied to the incoming traffic only
• Both Directions - If this is selected the specified restriction will be applied to both incoming and outgoing traffic only
Enable Monthly Limit Use this if your ISP charges for additional tra ffic. If enabled , enter the monthly
volume limit and select the desired behavior when the limit is reached. Note: Both incoming and outgoing traffic are included in the limit.
Increase this month's limit
This month's limit This displays the limit for the current month. Restart traffic
counter Restart Counter at a
Specific Time
Send E-mail Report before restarting counter
When limit is reached
Internet Traffic Statistics
Traffic by Protocol Click this link if you want to know more details of the Internet Traffic. The volume of
Use this to temporarily increase the Traffic Limit if you have reached the monthly limit, but need to continue accessing the Internet. Check the checkbox and enter the desired increase. (The checkbox will automatically be cleared when saved so the increase is only applied once.)
This determines when the traffic counter restarts. Choose the desired time and day of the month.
Check this radio button to restart the Traffic Counter at a specific time and day of the month. Fill in the time fields and select AM or PM and the day of the month from the pull-down menus.
If checked, an E-mail report will be sent immediately before restarting the counter. You must configure the E-mail screen in order for this function to work (see “E-Mail
Notifications of Event Logs and Alerts” on page 4-27).
Select the desired option:
• Block all traffic – all access to and from the Internet will be blocked.
• Block all traffic except E-mail – Only E-mail traffic will be allowed. All other traffic will be blocked.
• If using this option, you may also select the Send E-mail alert option. You must configure the E-mail screen in order for this function to work.
This displays statistics on Internet Traffic via the WAN port. If you have not enabled the Traffic Meter, these statistics are not available.
traffic for each protocol will be displayed in a sub-window.Traffic counters are updated in MBytes scale, counter starts only when traffic passed is at least 1MB.
2-14 Connecting the FVS338 to the Internet
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Configuring the WAN Mode

The WAN Mode screen allows you to configure how your router uses your external Internet connections; for example, your WAN port or dialup modem connections.
NAT. NAT is the technology which allows all PCs on your LAN to share a single Internet IP
address. Viewed from the Internet, the WAN port on the VPN firewall is configured with a single IP address—the “public” address. PCs on your LAN can use any “private” IP address range, and these IP addresses are not visible from the Internet.
The Router uses NAT to select the correct PC (on your LAN) to receive any incoming data
and hides internal IP addresses from computers on the Internet. – If you only have a single Internet IP address, you MUST use NAT. NAT is the default setting. Select NAT if your ISP has assigned only one IP address to you.
The computers that connect through the router must then be assigned IP addresses from a private subnet (for example: 192.168.1.0).
Classical Routing. In this mode, the Router performs Routing, but without NAT. To gain
Internet access, each PC on your LAN must have a valid Internet IP address. If your ISP has allocated many IP addresses to you, and you have assigned one of these
addresses to each PC, you can choose Classical Routing. Or, you can use Classical Routing for routing private IP addresses within a campus environment. Otherwise, selecting this method will not allow Internet access through this Router.
Note: The router will delete all inbound firewall rules when switching between NAT
and Classical Routing.
To configure the WAN Mode:
1. Select Network Configuration from the main menu and WAN Mode from the submenu. The WAN Mode screen will display.
2. Check either the NAT or Classical Routing radio box. NAT is the default.
3. Select the Port Mode. The Port Mode settings allow you to configure your router to use only
one WAN port or to select the Dialup port as a backup.
If you are connected to only one ISP, then check the Use only single WAN port and select
the WAN port that is connected to your ISP from the pull down menu.
Connecting the FVS338 to the Internet 2-15
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
If you have both ISP links connected for Internet connectivity, check the Primary
Broadband with Dialup as backup for auto-rollover.
4. The WAN Failure Detection Method must be configured to notify the router of a link failure if
you are using Dialup as a backup to engage auto-rollover. The router checks the connection of the primary link at regular intervals to detect its status. Check the radio box of one the following methods to detect link failure:
Select DNS lookup using configured DNS Servers to detect failure of the Broadband
link, using the DNS servers configured in the Broadband ISP Settings screen.
Select DNS lookup using this DNS Server and enter the IP address of the DNS server to
specify a DNS server for detecting WAN failure
Select Ping to this IP address and enter an IP address to detect WAN failure by pinging to
an IP address. Ensure that this destination host is reliable.
If a failure is detected on the primary broadband connection, the secondary dialup connec tion connects to the Internet. When the primary connection is detected as back online, the secondary dialup connection disconnects.
5. Enter a Test Period, in seconds, to tell the router how often it should run the configured detection method. The default is 30 seconds.
6. Enter the number of router failures that should occur before the router rolls-over to the Dialup port. The default is 4.
7. Enter Apply to save your settings or Cancel to revert to the previous settings.

Configuring Dynamic DNS (If Needed)

Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the
dynamic DNS service will not be available since private addresses cannot be routed on the Internet.
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must setup an account with a DDNS provider such as DynDNS.org, TZO.com or Iego.net.
Once you have registered your domain name to their IP address, all FQDN traffic will be directed to your frequently-changing IP address. (For rollover mode, you will need a fully qualified domain name to implement features such as exposed hosts and virtual private networks regardless of whether you have a fixed or dynamic IP address.)
2-16 Connecting the FVS338 to the Internet
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
This router firmware includes software that notifies dynamic DNS servers of changes in the WAN IP address, so that the services running on this network can be accessed by others on the Internet. After you have configured your account information in the firewall, whenever your ISP-assigned IP address changes, your firewall will automatically contact your dynamic DNS service provider, log in to your account, and register your new IP address.
To configure a Dynamic DNS address:
1. Select Network Configuration from the main menu and Dynamic DNS from the submenu. The Dynamic DNS Configuration screen displays. The WAN Mode section displays the currently configured WAN Mode: Single Port or Auto-Rollover.
Figure 2-9
If you have configured Single Port, choose a DNS service provider , then fill out the DDNS section for that port. If you have enabled Auto-Rollover, choose a service provider and complete both sections. (Only those options that match the configured WAN Mode will be accessible.)
Connecting the FVS338 to the Internet 2-17
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
2. Check the Dynamic DNS Service radio box you want to enable. The fields corresponding to the selection you have selected will be highlighted. Each DNS service provider requires its own parameters.
3. Access the Web site of one of the DDNS servic e providers and set up an account. A link to each DDNS provider is opposite the DNS Configuration screen name.
4. After setting up your account, return to the Dynamic DNS Configuration screen and fill in the required fields for the DDNS service you selected:
a. In the Host and Domain Name field, enter the entire FQDN name that your dynamic DNS
service provider gave you (for example: <yourname>.dyndns.org).
b. Enter the User Name, User email Address, or Account Name requested by the DDNS
Service to identify you when logging into your DDNS account.
c. Enter the Password, or User Key, for your DDNS account. d. If your dynamic DNS provider allows the use of wild cards in resolving your URL, you
may check the Use wildcards radio box to activate this feature. For example, the wildcard feature will cause *.yourhost.dyndns.org to be aliased
to the same IP address as yourhost.dyndns.org
5. Click Apply to save your configuration or click Cancel your settings and revert to the previous settings.
2-18 Connecting the FVS338 to the Internet
v1.0, January 2007
Chapter 3
LAN Configuration
This chapter describes how to configure LAN Setup, LAN Groups and Routing (Static IP) features of your ProSafe VPN Firewall 50. These features can be found under the Network Configuration menu of the router interface.

Configuring Your LAN (Local Area Network)

By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server, allowing it to assign IP, DNS server, WINS Server, and default gateway addresses to all computers connected to the firewall LAN. The assigned default gateway address is the LAN address of the firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.

Using the VPN Firewall as a DHCP Server

For most applications, the default DHCP and TCP/IP settings of the firewall are satisfactory. See the link to “Preparing a Computer for Network Access:” in Appendix B for an explanation of DHCP and information about how to assign IP addresses for your network.
The firewall will deliver the following parameters to any LAN device that requests DHCP:
An IP Address from the range you have defined
Subnet Mask
Gateway IP Address (the firewall’s LAN IP address)
Primary DNS Server (the firewall’s LAN IP address)
WINS Server (if you entered a WINS server address in the DHCP Setup menu)
Lease Time (date obtained and duration of lease).
The LAN Setup screen allows you to configure the LAN on your router. The default values are suitable for most users and situations.
LAN Configuration 3-1
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
To modify your LAN setup:
1. Select Network Configuration from the main menu and LAN Setup from the submenu. The LAN Setup screen will display.
Figure 3-1
2. Enter the IP Address of your router (factory default: 192.168.1.1). (Always make sure that the LAN Port IP address and DMZ port IP address are in different subnets.)
3. Enter the IP Subnet Mask. The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router).
4. Check the Enable DHCP Server radio button. By default, the router will function as a DHCP (Dynamic Host Configuration Protocol) server, providing TCP/IP configuration for all computers connected to the router's LAN. If another device on your network will be the DHCP server, or if you will manually configure all devices, check the Disable DHCP Server radio button. Enable DHCP Server is the default. If Enabled is selected, enter the following parameters:
a. Enter the Domain Name of the router (this is optional).
3-2 LAN Configuration
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
b. Enter the Starting IP Address. This address specifies the first of the contiguous addresses
in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between this address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
c. Enter the Ending IP Address. This address specifies the last of the contiguous addresses
in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP address between the Starting IP address and this IP address. The IP address 192.168.1.100 is the default ending address.
Note: The Starting and Ending DHCP addresses should be in the same “network”
as the LAN TCP/IP address of the router (the IP Address in LAN TCP/IP
Setup section).
d. Enter a WINS Server IP address. This box can specify the Windows NetBios Server IP if
one is present in your network. This field is optional.
e. Enter a Lease Time. This specifies the duration for which IP addresses will be leased to
clients.
f. Check the Enable DNS Proxy radio box. This is optional—the default is enabled. If
enabled, the VPN firewall will provide a LAN IP Address for DNS address name resolution.
Note: If you change the LAN IP address of the firewall while connected through the
browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.1, you must enter http://10.0.0.1 in your browser to connect to the web management interface.
5. Click Apply to save your settings.
6. Click Reset to discard any changes and revert to the previous configuration.
Note: Once you have completed the LAN IP setup, all outbound traffic is allowed
and all inbound traffic is discarded. To change these traffic rules, refer to
Chapter 4, “Firewall Protection and Content Filtering.”
LAN Configuration 3-3
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Configuring Multi-Home LAN IPs

If you have computers that are using different IP address ranges in the LAN (for example,
172.16.2.0 or 10.0.0.0), then you can add “aliases” to the LAN port which give computers on those
networks access to the Internet. This allows the firewall to act as a gateway to additional logical subnets on your LAN.
To add a secondary LAN IP address:
1. Select Network Configuration from the main menu and LAN Setup from the secondary menu. Click the Multi Home LAN IPs Setup link (see Figure 3-2 on page 3-4) The Secondary LAN IP Setup screen will display.
2. Enter the Secondary IP address and Subnet Mask and click Add. The Secondary IP address will be added to the Available Secondary LAN IPs table.
Note: Additional IP addresses cannot be configured in the DHCP server. The hosts on
the secondary subnets must be manually configured with IP addresses, gateway IP and DNS server IP addresses.
Figure 3-2
Tip: The Secondary LAN IP address will be assigned to the LAN interface of the
router and can be used as a gateway by the secondary subnet.
3-4 LAN Configuration
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Managing Groups and Hosts

The Known PCs and Devices table on the Groups and Hosts screen contains a list of all known PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this router. Collectively, these entries make up the Network Database. The Network Database is created in two ways:
Using the DHCP Server. The router’s DHCP server will accept and respond to DHCP client requests from PCs and other network devices. Every computer that is responded to will be added to the Network Database in the Known PCs and Devices table.
Scanning the Network. The router will scan the local network periodically, using standard methods such as ARP and NetBIOS, to detect active computers or devices which are not DHCP clients. For computers that do not support the NetBIOS protocol, the name will be displayed in the known PCs and Devices table as “Unknown”.

Creating the Network Database

The Network Database offers a number of advantages:
Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just select the desired PC or device.
No need to reserve an IP address for a PC in the DHCP Server. All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you.
No need to use a Fixed IP on PCs. Because the address allocated by the DHCP Server will never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP address.
MAC-level Control over PCs. The Network Database uses the MAC address to identify each PC or device. So changing a PC's IP address does not affect any restrictions on that PC.
Group and Individual Control over PCs – You can assign PCs to Groups and apply restrictions to each Group using the Firewall
Rules screen (see “Services-Based Rules” on page 4-2).
You can also select the Groups to be covered by the Block Sites feature (see “Setting
Block Sites (Content Filtering)” on page 4-21).
If necessary, you can also cre ate Firewall Rules to apply to a single PC (see “Enabling
Source MAC Filtering” on page 4-23). Because the MAC address is used to identify each
PC, users cannot avoid these restrictions by changing their IP address.
LAN Configuration 3-5
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
A computer is identified by its MAC address—not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC.
This Known PCs and Devices table lists entries in the Network Database. For each computer or device, the following fields are displayed:
Name: The name of the PC or device. For computers that do not support the NetBIOS protocol, this will be listed as “Unknown” (you can edit the entry manually to add a meaningful name). If the computer was assigned an IP address by the DHCP server, then the Name will be appended by an asterisk.
IP Address: The current IP address of the computer. For DHCP clients of the router, this IP address will not change. If a computer is assigned a static IP addresses, you will need to update this entry manually if the IP address on the computer has been changed.
MAC Address: The MAC address of the PC’s network interface.
Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to Group 1, unless a different group is selected from the Group pull-down menu .
Action: Allows modification of the selected entry by clicking Edit.
To add computers to the network database manually:
1. Select Network Configuration from the main menu and LAN Groups from the submenu. The Groups and Hosts screen will display.
2. In the Add Known PCs and Devices table, enter the name of the PC or device.
3. Enter the IP Address T ype. Select Reserved (DHCP Client) to direct the router to reserve the
IP address for allocation by the DHCP server. Select Fixed (Set on PC) if the IP address is statically assigned on the computer.
Note: When specifying a Reserved IP address, make sure that you select an IP
address outside of the DHCP Server pool of addresses.
4. Enter the IP Address that this computer or device is assigned. If the IP Address Type is Reserved (DHCP Client), the router will reserve the IP address for the associated MAC address.
5. Enter the MAC Address of the computer. The MAC address should be in the form: xx:xx:xx:xx:xx:xx (for example: 00:80:48:2a:8b:c0)
6. From the Group pull-down menu, select the group to which the computer will be assigned.
7. Click Add to add the new entry to the network database in the Known PCs and Devices table.
3-6 LAN Configuration
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
To edit an entry in the Known PCs and Devices table:
1. Click Edit adjacent to the entry you want to modify. The Edit Known PCs and Devices
screen will display. Make your modifications to the entry.
2. Click Apply to save your settings. The changes will appear the Known PCs and Devices table.
To edit a Group Name in the Network Database:
1. On the Groups and Hosts screen, click the Edit Group Names link.
2. Check the radio button by the group name you want to modify an d type in a suitable name.
3. Click Apply to save the settings.
Figure 3-3
LAN Configuration 3-7
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Setting Up Address Reservation

When you specify a reserved IP address for a device on the LAN (based on the MAC address of the device), that computer or device will always receive the same IP address each time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP settings. The Reserved IP address that you select must be outside of the DHCP Server pool.
To reserve an IP addre ss, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see “Creating the Network Database” on page 3-5).
Note: The reserved address will not be assigned until the next time the PC contacts the
firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.

Configuring Static Routes

Static Routes provide additional routing information to your firewall. Under normal circumstances, the firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes. You must configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on your network.
To add or edit a Static Route:
1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display.
2. Click Add. The Add Static Route screen will display.
3. Enter a name for the static route in the Route Name field (for identification purpose only).
4. Determine whether the route is
Active or Inactive. A route can be added to the table and made inactive, if not needed.
This allows routes to be used as needed without deleting the entry and re-adding it. An inactive route is not broadcast if RIP is enabled. Select the Active radio box to make this route effective.
Private: Determine whether the route can be shared with other routers when RIP is
enabled. If Yes, then the route will not be shared in a RIP broadcast or multicast. Check the Private radio box if you want to limit access to the LAN only. The static route will not be advertised in RIP.
3-8 LAN Configuration
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
5. Type the Destination IP Address or network of the route’s final destination.
6. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter
255.255.255.255.
Figure 3-4
7. From the Interface pull-down menu, selection the physical network interface (Broadband, Dialup, or LAN) through which this route is accessible.
8. Enter the Gateway IP Address (which must be a firewall on the same LAN segment as the firewall) of the gateway through which the destination host or network can be reached.
9. Enter the Metric value that determines the priority of the route. If multiple routes to the same destination exist, the route with the lowest metric is chosen. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
10. Click Apply to save the static route to the Static Routes table.

Static Route Example

For example, a static route is needed if:
Your primary Internet access is throug h a cable modem to an ISP.
LAN Configuration 3-9
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
You have an ISDN firewall on your home network for connecting to the company where you are employed. This firewall’s address on your LAN is 192.168.1.100.
Your company’s network is 134.177.0.0.
When you first configured your firewall, two implicit static routes were created. A default route was created with your ISP as the gateway, and a second static route was created to your local network for all 192.168.1.x addresses. With this configuration, if you attempt to access a device on the 134.177.0.0 network, your firewall will forward your request to the ISP. The ISP forwards your request to the company where you are employed, and the request will likely be denied by the company’s firewall.
In this case you must define a static route, telling your firewall that 134.177.0.0 should be accessed through the ISDN firewall at 192.168.1.100.
In this example:
The Destination IP Address and IP Subnet Mask fields specify that this static route applies to all 134.177.x.x addresses.
The Gateway IP Address fields specifies that all traffic for these addresses should be forwarded to the ISDN firewall at 192.168.1.100.
A Metric value of 1 will work since the ISDN firewall is on the LAN.
Private is selected only as a precautionary security measure in case RIP is activated.

RIP Configuration

RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) and is commonly used in internal networks. It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default.
3-10 LAN Configuration
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 3-5
To enable RIP:
1. Select Network Configuration from the main menu and Routing from the submenu. The Routing screen will display.
2. Click the RIP Configuration link. The RIP Configuration screen will display.
3. From the RIP Direction pull-down menu, select the direction for the router to send and
receive RIP packets:
Both – the router broadcasts its routing table and also processes RIP information received
from other routers.
Out Only – the router broadcasts its routing table periodically but does not accept RIP
information from other routers.
In Only – the router accepts RIP information from other routers, but does not broadcast its
routing table.
LAN Configuration 3-11
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
None – the router neither broadcasts its route table nor does it accept any RIP packets
from other routers. This effectively disables RIP.
4. Select the RIP Version from the pull-down menu:
RIP-1 – classful routing and does not include subnet information. This is the most
commonly supported version.
RIP-2 – supports subnet information. Both RIP-2B and RIP-2M send the routing data in
RIP-2 format:
RIP-2B – uses subnet broadcasting.
RIP-2M – uses multicasting (see Note below).
5. RIP authentication is disabled by default. To enable authentication for RIP-2B or RIP-2M, a. Check the Yes radio button. b. Input MD5 keys and effective and end dates for the First Key Parameters and Second
Key Parameters for MD5 based authentication between routers.
6. Click Apply to save your settings.
Note: Multicasting can reduce the load on non-router machines because they do
not listen to the RIP multicast address and will not receive the RIP packets. However, if one router uses multicasting, then all routers on your network must use multicasting. For RIP-2B and RIP-2M you can select the type of authentication as NONE or MD5. If you select MD5 then you need to enter additional parameters.
3-12 LAN Configuration
v1.0, January 2007
Chapter 4
Firewall Protection and Content Filtering
The ProSafe VPN Firewall 50 provides you with Web content filtering options such as Block Sites and Keyword Blocking. Parents and network administrators can establish restricted access policies based on time-of-day, Web addresses and Web address keywords. You can also block Internet access by applications and services, such as chat or games. It also provides various firewall activity reports and instant alerts via e-mail.

About Firewall Security

A firewall is a special category of router that protects one network (the “trusted” network, such as your LAN) from another (the untrusted network, such as the Internet), while allowing communication between the two.
A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.

Using Rules to Block or Allow Specific Kinds of Traffic

Firewall rules are used to block or allow specific traffic passing through from one side to the other. You can configure up to 600 rules on the FVS338. Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVS338 are:
Inbound: Block all access from outside except responses to requests from the LAN side.
Firewall Protection and Content Filtering 4-1
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Outbound: Allow all access from the LAN side to the outside.

Services-Based Rules

The rules to block traffic are based on the traffic’s category of service.
Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless the traffic is in response to a request from the LAN side. The firewall can be configured to allow this otherwise blocked traffic.
Outbound Rules (service blocking). Outbound traffic is normally allowed unless the firewall is configured to disallow it.
Customized Services. Additional services can be added to the list of services in the factory default list. These added services can then have rules defined for them to either allow or block that traffic.
Quality of Service (QoS). Each service at its own native priority that impacts its quality of performance and tolerance for jitter or delays. You can change this QoS priority if desired to change the traffic mix through the system.
Outbound Rules (Service Blocking)
The FVS338 allows you to block the use of certain Internet services by PCs on your network. This is called service blocking or port filtering.
Note: See “Enabling Source MAC Filtering” on page 4-23 for yet another way to block
outbound traffic from selected PCs that would otherwise be allowed by the firewall.
4-2 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Table 4-1. Outbound Rules Fields
Item Description
Services Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-17).
Action Select the desired action for outgoing connections covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block Note: Any outbound traffic which is not blocked by rules you create will be allowed by the Default rule. ALLOW rules are only useful if the traffic is already covered by a BLOCK rule. That is, you wish to allow a subset of traffic that is currently blocked by another rule.
Select Schedule Select the desired time schedule (i.e., Schedule1, Schedule2, or Schedule3) that will
be used by this rule.
• This drop down menu gets activated only when “BL OCK by schedu le, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
• Use schedule page to configure the time schedules (see “Setting a Schedule to
Block or Allow Traffic” on page 4-20).
LAN users These settings determine which computers on your network are affected by this rule.
Select the desired options:
• Any – All PCs and devices on your LAN.
• Single address - Enter the required address and the rule will be applied to that particular PC.
• Address range – If this option is selected, you must enter the start and finish fields.
• Groups – Select the Group you wish this rule to apply to. You can use the Network Database screen to assign PCs to Groups. See “Managing Groups and Hosts” on
page 3-5.
WAN Users These settings determine which Internet locations are covered by the rule, based on
their IP address. Select the desired option:
• Any – All Internet IP address are covered by this rule.
• Single address – Enter the required address in the start fields.
• Address range – If this option is selected, you must enter the start and finish fields.
Firewall Protection and Content Filtering 4-3
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Table 4-1. Outbound Rules Fields (continued)
Item Description
QoS Priority This setting determines the priority of a service, which in turn, determines the quality
of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e, leaves it as None), then the native priority of the service will be applied to the policy. 6 is the highest priority. See “Specifying Quality of
Service (QoS) Priorities” on page 4-19.
Log This determines whether packets covered by this rule are logged. Select the desired
action:
• Always – always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
• Never – never log traffic considered by this rule, whether it matches or not.
Inbound Rules (Port Forwarding)
Because the FVS338 uses Network Address Translation (NAT), your network presents only one IP address to the Internet and outside users cannot directly address any of your local computers. However, by defining an inbound rule you can make a local server (for example, a Web server or game server) visible and available to the Internet. The rule tells the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This is al so known as port forwarding.
Whether or not DHCP is enabled and how the PCs will access the server’s LAN address impact the Inbound Rules. For example:
If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP
address may change periodically as the DHCP lease expires. Consider using Dyamic DNS (under Network Configuration) so that external users can always find your network (see
“Configuring Dynamic DNS (If Needed)” on page 2-16.
If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, use the Reserved IP address feature in the LAN Groups menu (under Network Configuration) to keep the PC’s IP address constant (see “Setting Up Address
Reservation” on page 3-8).
Local PCs must access the local server using the local LAN address of the PC. Attempts by local PCs to access the server using the external WAN IP address will fail.
Note: See “Setting Up Port Triggering” on page 4-24 for yet another way to allow
certain types of inbound traffic that would otherwise be blocked by the firewall.
4-4 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Table 4-2. Inbound Rules Fields
Item Description
Services Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the Services menu (see “Adding Customized Services” on page 4-17).
Action Select the desired action for packets covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block Note: Any inbound traffic which is not allowed by rules you create will be blocked by the Default rule.
Select Schedule Select the desired time schedule (i.e., Schedule1, Schedule2, or Schedule3) that will
be used by this rule.
• This drop down menu gets activated only when “BL OCK by schedu le, otherwise Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
• Use schedule page to configure the time schedules.
LAN Server This LAN address determines which computer on your network is hosting this service
rule. (You can also translate this address to a port number.).
Translate to Port Number
WAN Users These settings determine which Internet locations are covered by the rule, based on
WAN Destination IP Address
QoS Priority This setting determines the priority of a service, which in turn, determines the quality
Log This determines whether packets covered by this rule are logged. Select the desired
Check the “Translate to Port Number” and enter a port number if you want to assign the LAN Server to a specific port.
their IP address. Select the desired option:
• Any – All Internet IP address are covered by this rule.
• Single address – Enter the required address in the start fields.
• Address range – If this option is selected, you must enter the start and finish fields.
These settings determine the destination IP address applicable to incoming traffic. This is the public IP address that will map to the internal server; it can either be the address of the WAN1 or WAN2 ports or another public IP address
of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.e, leaves it as None), then the native priority of the service will be applied to the policy. See “Specifying Quality of Service (QoS)
Priorities” on page 4-19.
action:
• Always – always log traffic considered by this rule, whether it matches or not. This is useful when debugging your rules.
• Never – never log traffic considered by this rule, whether it matches or not.
.
Firewall Protection and Content Filtering 4-5
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP.
Remember that allowing inbound services opens holes in your VPN firewall. Only enable those ports that are necessary for your network. It is also advisable to turn on the server application security and invoke the user password or privilege levels, if provided.

Order of Precedence for Firewall Rules

As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 4-1
Figure 4-1
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom. In some cases, the order of precedence of two or more rules may be important in determining the disposition of a packet. For example, you should place the most strict rules at the top (those with the most specific services or addresses). The Up and Down buttons allow you to relocate a defined rule to a new position in the table.
4-6 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Setting LAN WAN Rules

The Default Outbound Policy is to allow all traffic from and to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from either going out from the LAN to the Internet (Outbound) or coming in from the Internet to the LAN (Inbound). The default policy can be changed to block all outbound traffic and enable only specific services to pass through the router.
To change the Default Outbound Policy:
1. Select Security from the main menu and Firewall Ru les from the submenu. The LAN WAN Rules screen will display.
2. Change the Default Outbound Policy by selecting Block Always from the drop-down menu and click Apply.
Figure 4-2
To make changes to an existing outbound or inbound service rule:
1. In the Action column adjacent to the rule click:
Edit – to make any changes to the rule definition of an existing rule. The Outbound
Service screen will display containing the data for the selected rule (see Figure 4-3 on
page 4-9).
Up – to move the rule up one position in the table rank.
Firewall Protection and Content Filtering 4-7
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Down – to move the rule down one position in the table rank.
2. Check the radio box adjacent to the rule and click:
Click Disable to disable the rule. The “!” Status icon will change from green to grey,
indicating that the rule is disabled. (By default, when a rule is added to the table it is automatically enabled.)
Click Delete to delete the rule.
3. Click Select All to select all rules. A check will appear in the radio box for each rule.

LAN WAN Outbound Services Rules

You may define additional rules that will specify exceptions to the default rules. By adding custom rules, you can block or allow access based on the service or application, source or destinat ion IP addresses, and time of day.
You can also tailor these rules to your specific needs (see “Administrator Information” on page 4-
31).
Note: This feature is for Advanced Administrators only! Incorrect configuration will
cause serious problems.
To create a new outbound service rule:
1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service screen will display.
2. Complete the Outbound Service screen, and save the data (see Table 4-1 on page 4-3).
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Outbound Services table.
4-8 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
.
Figure 4-3

LAN WAN Inbound Services Rules

This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. WAN Users: Whether all WAN addresses or specific IP addresses are included in the rule.
To create a new inbound service rule:
1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen will display.
2. Complete the Add WAN LAN Inbound Services screen (see Table 4-2 on page 4-5).
3. Click Reset to cancel your settings and return to the previous settings.
4. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed on the Inbound Services table.
5. Click Apply to save your settings. The new rule will be added to the Inboun d Services table.
Firewall Protection and Content Filtering 4-9
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 4-4

Attack Checks

This screen allows you to specify whether or not the router should be protected against common attacks in the LAN and WAN networks. The various types of attack checks are listed on the
Attack Checks screen and defined below:
WAN Security Checks
Respond To Ping On Internet Ports. When enabled, the router will respond to a “Ping”
from the Internet. This can be used as a diagnostic tool and shouldn’t be used unless you have a specific diagnostic reason to do so.
Enable Stealth Mode . If enabled, the router will not respond to port scans from the WAN,
thus making it less susceptible to discovery and attacks.
Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker
sends a succession of SYN requests to a target system. When the system responds, the attacker doesn’t complete the connections, thus leaving the connection half-open and flooding the server with SYN messages. No legitimate connections can then be made.
When enabled, the router will drop all invalid TCP packets and will be protected from a SYN flood attack.
4-10 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
LAN Security Checks. A UDP flood is a form of denial of service attack that can be initiated when one machine sends a large number of UDP packets to random ports on a remote host. As a result, the distant host will (1) check for the application listening at that port, (2) verify that no application is listening at that port, and then (3) reply with an ICMP Destination Unreachable packet.
When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach him, thus making the attacker’s network location anonymous.
If enabled, the router will not accept more than 20 simultaneous, active UDP connections from a single computer on the LAN.
VPN Pass through. When the router is in NAT mode, all packets going to the Remote VPN Gateway are first filtered through NAT and then encrypted per the VPN policy.
For example, if a VPN Client or Gateway on the LAN side of this router wants to connect to another VPN endpoint on the WAN (placing this router between two VPN end points), encrypted packets will be sent to this router. Since this router filters the encrypted packets through NAT, the packets will become invalid unless VPN Pass through is enabled.
When enabled, the VPN tunnel will pass the VPN traffic without any filtering. Tunnels can be –IPSec –PPTP –L2TP
To select the appropriate chec kbox for your requirement:
1. Select Security from the main menu, Firewall Rules from the submenu and then the Attack Checks tab. The Attack Checks screen will display.
2. Check the radio boxes of the Attack Checks you wish to initiate.
3. Click Apply to save your settings
Firewall Protection and Content Filtering 4-11
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
.
Figure 4-5

Inbound Rules Examples

Hosting A Local Public Web Server
If you host a public W eb ser ver on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day. This rule is shown in Figure 4-6:
Figure 4-6
4-12 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown to the right, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
Figure 4-7
Setting Up One-to-One NAT Mapping
In this example, we will configure multi-NAT to support multiple public IP addresses on one W AN interface. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a Web server on the LAN.
Tip: If your ISP allows you to have more than one public IP address for your use, you
can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses will be used as the primary IP address of the router. This address will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.
To configure the FVS338 for additional IP addresses:
1. Select Security from the main menu and Firewall Ru les from the submenu.
2. Click Add under the Inbound Services table. The Add LAN WAN Inbound Service screen
will display.
Firewall Protection and Content Filtering 4-13
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
3. From the service pull-down menu, select the HTTP service for a Web server.
4. From the Action pull-down menu, select Allow Always.
5. In the Send to LAN Server field, enter the local IP address of your Web server PC.
6. From the Public Destination IP Address pull down menu, choose Other Public IP Address.
7. Enter one of your public Internet addresses that will be used by clients on the Internet to reach
your Web server.
8. Click Apply. The rule will display in the Inbound Services table shown in Figure 4-9.
Figure 4-8
Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 4-9). This rule is different from a normal inbound port forwarding rule in that the Des tination box contains an IP Address other than your normal WAN IP Address.
4-14 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
.
Figure 4-9
To test the connection from a PC on the Internet, type http://<IP_address>, where <IP_address> is the public IP address you have mapped to your Web server. You should see the home page of your Web server.
Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.
To expose one of the PCs on your LAN as this host:
1. Create an inbound rule that allows all protocols.
2. Place the rule below all other inbound rules.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed
host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
Firewall Protection and Content Filtering 4-15
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
1. Select All protocols and ALLOW Always (or Al low by Schedule)
2. Place rule below all other inbound rules
Figure 4-10
Outbound Rules Example – Blocking Instant Messenger
Outbound rules let you prevent users from using applications such as AOL Instant Messenger, Real Audio or other non-essential sites.
If you want to block AOL Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period.
4-16 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
.
Figure 4-11

Adding Customized Services

Services are functions performed by server computers at the request of client computers. You can configure up to 125 custom services.
For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number. This number appears as the destination port number in the transmitted IP packets. For example, a packet that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC1700, “Assigned Internet Protocol Numbers.” Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Although the FVS338 already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules. The Services menu shows a list of services that you have defined, as shown in Figure 4-12.
To define a new service, first you must determine which port number or range of numbers is used by the application. This information can usually be determined by contacting the publisher of the application or from user groups of newsgroups. When you have the port number information, you can enter it on the Services screen.
Firewall Protection and Content Filtering 4-17
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 4-12
To add a service:
1. Select Security from the main menu and Services from the submenu. The Services screen will display.
2. In the Add Custom Service table, enter a descriptive name for the service (this is for your convenience).
3. Select the Layer 3 Protocol that the service uses as its transport protocol. It can be TCP, UDP or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses. If the service uses only one port, then the Start Port and the Finish Port will be the same.
5. Enter the last port of the range that the service uses. If the service only uses a single port number, enter the same number in both fields.
6. Click Add. The new custom service will be added to the Custom Services Table.
4-18 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
To edit the parameters of a service:
1. In the Custom Services T able, click the Edit icon adjacent to the service you want to edit. The Edit Service screen will display.
2. Modify the parameters you wish to change.
3. Click Reset to cancel the changes and restore the previous settings.
4. Click Apply to confirm your changes. The modified service will display in the Custom
Services Table.

Specifying Quality of Service (QoS) Priorities

The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. The user can change this priority:
•On the Services screen in the Customer Services Table for customized services (see
Figure 4-12).
•On the LAN WAN Outbound Services screen (see Figure 4-11).
The QoS priority definition for a service determines the queue that is used for the traffic passing through the VPN firewall. A priority is assigned to IP packets using this service. Priorities are defined by the “Type of Service (ToS) in the Internet Protocol Suite” standards, RFC 1349. A ToS priority for traffic passing through the VPN firewall is one of the following:
Normal-Service: No special priority given to the traffic. The IP packets for services with this priority are marked with a ToS value of 0.
Minimize-Cost: Used when data has to be transferred over a link that has a lower “cost”. The IP packets for services with this priority are marked with a ToS value of 1.
Maximize-Reliability: Used when data needs to travel to the destination over a reliable link and with little or no retransmission. The IP packets for services with this priority are marked with a ToS value of 2.
Maximize-Throughput: Used when the volume of data transferred during an interval is important even if the latency over the link is high. The IP packets for services with this priority are marked with a ToS value of 4.
Minimize-Delay: Used when the time required (latency) for the packet to reach the destination must be low. The IP packets for services with this priority are marked with a ToS value of 8.
Firewall Protection and Content Filtering 4-19
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Setting a Schedule to Block or Allow Traffic

If you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules—Schedule 1, Schedule 2 or Schedule 3.
To invoke rules and block keywords or Internet domains bas ed on a schedule:
1. Select Security from the main menu and Schedule from the sub-menu. The Schedule 1 screen will display.
2. Check the radio button for All Days or Specific Days. If you chose Specific Days, check the radio button for each day you want the schedule to be in effect.
3. Check the radio button to schedule the time of day: All Day, or Specific Times. If you chose Specific Times, enter the Start Time and End Time fields (Hour , Minute, AM/PM), which will limit access during certain times for the selected days.
4. Click Reset to cancel your settings and revert to the previous settings.
5. Click Apply to save your settings to Schedule 1.
Repeat these 5 steps to set to a schedule for Schedule 2 and Schedule 3.
Figure 4-13
4-20 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Setting Block Sites (Content Filtering)

If you want restrict internal LAN users from access to certain sites on the Internet, you can use the VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
Several types of blocking are available:
Web Components blocking. You can block the following Web component types: Proxy , Java, ActiveX, and Cookies. Even sites on the Trusted Domains list will be subject to Web Components blocking when the blocking of a particular Web component is enabled.
Keyword (and domain name) blocking. You can specify up to 32 words that, should they appear in the W eb site name (URL) or in a newsgroup n ame, will cause that site or newsgroup to be blocked by the VPN firewall.
You can apply the keywords to one or more groups. Requests from the PCs in the groups for which keyword blocking has been enabled will be blocked. Blocking does not occur for the PCs that are in the groups for which keyword blocking has not been enabled.
You can bypass Keyword bloc king for trusted domains by adding the exact matching domain to the list of Trusted Domains. Access to the domains or keywords on this list by PCs, even those in the groups for which keyword blocking has been enabled, will still be allowed without any blocking.
Keyword Blocking application examples:
If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked, as is the newsgroup alt.pictures.XXX.
If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or .gov) can be viewed.
If you wish to block all Internet browsing access, enter the keyword “.”.
To enable Content Filtering:
1. Select Security from the main menu and Block Sites from the sub-menu. The Block Sites screen will display.
2. Check the Yes radio button to enable Content Filtering.
3. Check the radio boxes of any Web Components you wish to block.
4. Check the radio buttons of the groups to which you wish to apply Keyword Blocking. Click Enable to activate Keyword blocking (or disable to deactivate Keyword Blocking).
Firewall Protection and Content Filtering 4-21
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
5. Build your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After each entry , click Add. The Keyword or Domain name will be added to the Blocked Keywords table. (You can also edit an entry by clicking Edit in the Action column adjacent to the entry.)
6. Build a list of Trusted Domains in the Trusted Domains fields. After each entry, click Add. The Trusted Domain will appear in the Trusted Domains table. (You can also edit any entry by clicking Edit in the Action column adjacent to the entry.)
7. Click Reset to cancel your changes and revert to the previous settings.
8. Click Apply to save your settings.
Figure 4-14
4-22 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Enabling Source MAC Filtering

Source MAC Filter allows you to filter out traffic coming from certain known machines or devices.
By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed by default.
When enabled, traffic will be dropped coming from any computers or devices whose MAC addresses are listed in Available MAC Addresses to be Blocked table.
Figure 4-15
Note: For additional ways of restricting outbound traffic, see “LAN WAN Outbound
Services Rules” on page 4-8.
To enable MAC filtering and add MAC addresses to be blocked:
1. Select Security from the main menu and Sour ce MAC Filter from the sub-menu. The Source MAC Filter screen will display.
2. Check the Yes radio box in the MAC Filtering Enable section.
Firewall Protection and Content Filtering 4-23
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
3. Build your list of Source MAC Addresses to be block by entering the first MAC address in the MAC Address field in the form xx:xx:xx:xx:xx:xx where x is a numeric (0 to 9) or an
alphabet between and a and f (inclusive), for example: 00:e0:4c:69:0a:
4. Click Add. The Mac Address will be added to the Available MAC Addresses to be Blocked table. (You can edit the MAC address by clicking Edit in the Action column adjacent to the MAC Address.)
5. Click Reset to cancel a MAC address entry before adding it to the table.
6. When you have completed adding MAC addresses, click Apply to save your settings

Setting Up Port Triggering

Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires that you know the port numbers used by the Application.
Once configured, Port Triggering operates as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. The VPN firewall records this connection, opens the an INCOMING port or ports associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PCs request and responds using the different port numbers that you have now opened.
4. The VPN firewall matches the response to the previous request, and forwards the response to the PC.
Without Port Triggering, this response would be treated as a new connection request rather than a response. As such, it would be handled in accordance with the Port Forwarding rules:
Only one PC can use a Port Triggering application at any time.
After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router canno t be sure when the application has terminated.
Note: For additional ways of allowing inbound traffic, see “LAN WAN Inbound
Services Rules” on page 4-9.
4-24 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
To add a Port triggering rule:
1. Select Security from the main menu and Port Triggering from the submenu. The Port Triggering screen will display.
1. Enter a user-defined name for this rule in the Name field.
2. From the Enable pull-down menu, indicate if the rule is enabled or disabled.
Figure 4-16
3. From the Protocol pull-down menu, select either TCP or UDP protocol.
4. In the Outgoing (Trigger) Port Range fields; a. Enter the Start Port range (1 - 65534).
Firewall Protection and Content Filtering 4-25
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
b. Enter the End Port range (1 - 65534).
5. In the Incoming (Response) Port Range fields: a. Enter the Start Port range (1 - 65534). b. Enter the End Port range (1 - 65534).
6. Click Add. The Port Triggering Rule will be added to the Port Triggering Rules table.
To edit or modify a rule:
1. Click Edit in the Action column opposite the rule you wish to edit. The Edit Port Triggering Rule screen will display.
2. Modify any of the fields for this rule.
3. Click Reset to cancel any changes and return to the previous settings.
4. Click Apply to save your modifications. Your changes will appear in the Port Tr iggering Rules table.
To check the status of the Port Triggering rules, click the Status link on the Port Triggering screen..
Figure 4-17
4-26 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

E-Mail Notifications of Event Logs and Alerts

The Firewall Logs can be configured to log and then e-mail denial of access, general attack information, and other information to a specified email address. For example, your VPN firewall will log security-related events such as: accepted and dropped packets on different segments of your LAN; denied incoming and outgoing service requests; hacker probes and Login attempts; and other general information based on the settings you input on the Firewall Logs & E-mail screen. In addition, if you have set up Content Filtering on the Block Sites screen (see
“Setting Block Sites (Content Filtering)” on page 4-21), a log will be generated when someone on
your network tries to access a blocked site. You must have e-mail notification enabled to receive the logs in an e-mail message. If you don't
have e-mail notification enabled, you can view the logs on the Logs screen (see Figure 4-18 on
page 4-28). Selecting all events will increase the size of the log, so it is good practice to select only
those events which are required.
Firewall Protection and Content Filtering 4-27
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
:
Figure 4-18
To set up Firewall Logs and E-mail alerts:
1. Select Monitoring from the main menu an d then Fir ewall Logs & E-mail from the submenu. The Firewall Logs & E-mail screen will display.
2. Enter the name of the log in the Log Identifier field. Log Identifier is a mandatory field used to identify the log messages. The ID appended to log messages.
3. Enter a Schedule for sending the logs. From the Unit pull-down menu, select: Never, Hourly, Daily, or Weekly. Then fill in the Day and Time fields that correspond to your selection.
4-28 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
4. In the Security Logs section, check the network segments radio box for which you would like logs to be sent (for example, LAN to WAN under Dropped Packets).
5. In the System Logs section, check the radio box for the type of system events to be logged.
6. Check the Yes radio box to enable E-mail Logs. Then enter: a. E-mail Server address – Enter the outgoing E-mail SMTP mail server address of your
ISP (for example, 172.16.1.10). If you leave this box blank, no logs will be sent to you.
b. Return E-mail Address – Enter the e-mail address of the user. c. Send To E-mail Address – Enter the e-mail address where the logs and alerts should be
sent. You must use the full e-mail address (for example, ChrisXY@myISP . com).
7. The No Authentication radio box is checked by default. If your SMTP server authenticates users, uncheck the radio box by selecting the authentication type—either Login Plain or CRAM-MD5—based on your SMTP server requirements. Then enter the user name and password to be used for authentication.
8. If you want to respond to IDENT protocol, check the Respond to Identd fr om SMTP Server radio box. The Ident Protocol is an Internet protocol that helps identify the user of a particular TCP connection (a common daemon program for providing the ident service is identd).
9. You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Click the Yes radio box to enable SysLogs and send messages to the syslog server, then:
a. Enter your Syslog Server IP address b. Select the appropriate syslog facility from the SysLog Facility pull-down menu. he
SysLog Facility levels of severity are described in Table 4-3 below.
10. Click Reset to cancel your changes and return to the previous settings.
11. Click Apply to save your settings.
.
Table 4-3. SysLog Facility Message Levels
Numerical Code Severity
0 Emergency: System is unusable 1 Alert: Action must be taken immediately 2 Critical: Critical conditions 3 Error: Error conditions 4 Warning: Warning conditions
Firewall Protection and Content Filtering 4-29
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Table 4-3. SysLog Facility Message Levels (continued)
Numerical Code Severity
5 Notice: Normal but significant conditions 6 Informational: Informational messages 7 Debug: Debug level messages
To view the Firewall logs:
1. Click on the View Log icon opposite the Firewall Logs & E-mail tab. The Logs screen will display.
2. If the E-mail Logs options as been enabled, you can send a copy of the log by clicking send log.
3. Click refresh log to retrieve the latest update; and click clear log to delete all entries.
Log entries are described in Table 4-4.
Figure 4-19
4-30 Firewall Protection and Content Filtering
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Table 4-4. Log Entry Descriptions
Field Description
Date and Time The date and time the log entry was recorded. Description or Action The type of event and what action was taken if any. Source IP The IP address of the initiating device for this log entry. Source port and
interface Destination The name or IP address of the destination device or Web site. Destination port and
interface
The service port number of the initiating device, and whether it originated from the LAN, WAN or DMZ.
The service port number of the destination device, and whether it’s on the LAN, WAN or DMZ.

Administrator Information

Consider the following operational items:
1. As an option, you can enable remote management if you have to manage distant sites from a central location (see “Enabling Remote Management Access” on page 6-9).
2. Although setting firewall rules (see “Using Rules to Block or Allow Specific Kinds of Traf fic”
on page 4-1) is the basic way of managing the traffic through your system, you can further
refine your control with the following features of the VPN firewall: – Groups and hosts (see “Managing Groups and Hosts” on page 3-5) – Services (see “Services-Based Rules” on page 4-2) Schedules (see “Setting a Schedule to Block or Allow Traffic” on page 4-20) Block sites (see “Setting Block Sites (Content Filtering)” on page 4-21) – Source MAC filtering (see “Enabling Source MAC Filtering” on page 4-23) – Port triggering (see “Setting Up Port Triggering” on page 4-24)
Firewall Protection and Content Filtering 4-31
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
4-32 Firewall Protection and Content Filtering
v1.0, January 2007
Chapter 5
Virtual Private Networking
This chapter describes how to use the Virtual Private Networking (VPN) features of the VPN firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic
parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.

Dual WAN Port Systems

The dual WAN ports in the VPN firewall can be configured for rollover mode for increased system reliability by specifying the Broadband connection with the Dialup connection as backup. This WAN mode choice then impacts how the VPN features must be configured.
Table 5-1. IP Addressing Requirements for VPN in Dual WAN Port Systems
Configuration and WAN IP address Rollover Mode
VPN Road Warrior (client-to-gateway)
VPN Gateway-to-Gateway Fixed FQDN required Allowed (FQDN optional)
VPN Telecommuter (client-to-gateway through a NAT router)
a. All tunnels must be re-established after a rollover using the new WAN IP address.
Fixed FQDN required Allowed (FQDN optional) Dynamic FQDN required FQDN required
Dynamic FQDN required FQDN required Fixed FQDN required Allowed (FQDN optional) Dynamic FQDN required FQDN required
a
Dedicated Mode
The use of fully qualified domain names is mandatory when the WAN ports are in rollover mode (“Configuring the WAN Mode” on page 2-15); also required for the VPN tunnels to fail over. When using rollover mode, you must configure a Dynamic DNS service (see “Configuring
Dynamic DNS (If Needed)” on page 2-16 to select and configure the Dynamic DNS service).
Virtual Private Networking 5-1
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Setting up a VPN Connection using the VPN Wizard

Setting up a VPN tunnel connection requires that all settings and parameters on both sides of the VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard can assist in guiding you through the setup procedure by asking you a series of questions that will determine the IPSec keys and VPN policies it sets up. It also will set the parameters for the network connection: Security Association, traffic selectors, authentication algorithm, and encryption. The parameters used by the VPN wizard are based on the VPNC recommendations.

Creating a VPN Tunnel to a Gateway

You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. You can also set up multiple remote VPN Client policies through the VPN Wizard. A remote client policy can support up to 25 clients.
To create a VPN tunnel gateway policy using the VPN Wizard:
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
2. Select Gateway as your VPN tunnel connection. The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client/PC to establish a secure connection to this device.
3. Select a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the VPN settings.
4. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN Gateway , or the remote VPN Client. This key length should be minimum 8 characters and should not exceed 49 characters. This method does not require using a CA (Certificate Authority).
5. Enter the Remote WAN IP Address or Internet Name of the gateway you want to connect to.
Both the remote WAN address and the your local WAN address are required. When choosing these addresses, follow the guidelines in Table 5-1 above.
The remote WAN IP address of the Gateway must be a public address or the Internet name of the Gateway. The Internet name is the Fully Qualified Domain Name (FQDN) as setup in a Dynamic DNS service. Both local and remote ends should be defined as either IP addresses or Internet Names (FQDN). A combination of IP address and Internet Name is not permissible.
6. Enter your Local WAN IP Address or Internet Name.
5-2 Virtual Private Networking
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
The Local WAN IP address is the address used in the IKE negotiation phase. Automatically, the WAN IP address assigned by your ISP may display. You can modify the address to use your FQDN; required if the WAN Mode you selected is auto-rollover.
7. Enter the Remote LAN IP Address and Subnet Mask of the remote gateway. The information entered here must match the Local LAN IP and Subnet Mask of the remote
gateway; otherwise the secure tunnel will fail to connect.The IP address range used on the remote LAN must be different from the IP address range used on the local LAN.
8. Click Apply to save your settings. the VPN Policies table will display showing your VPN policy. You can click the IKE Policies tab to view the corresponding IKE Policy.

Creating a VPN Tunnel Connection to a VPN Client

You can set up multiple Gateway VPN tunnel policies through the VPN Wizard. Multiple remote VPN Client policies can also be set up through the VPN Wizard by changing the default End Point Information settings. A remote client policy can support up to 25 clients. The remote clients must configure the “Local Identity” field in their policy as “PolicyName<X>.fvs_remote.com”, where X stands for a number from 1 to 25.
As an example, if the client-type policy on the router is configured with “home” as the policy name, and if two users are required to connect using this policy, then the “Local Identity” in their policy should be configured as “home1.fvs_remote.com” and “home2.fvs_remote.com”, respectively.
To create a VPN Client Policy using the VPN Wizard:
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
2. Select VPN Client as your VPN tunnel connection. The wizard needs to know if you are planning to connect to a remote Gateway or setting up the connection for a remote client/PC to establish a secure connection to this device.
3. Select a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN Endpoint. It is used to help you manage the VPN settings.
4. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN Gateway , or the remote VPN Client. This key length should be minimum 8 characters and should not exceed 49 characters. This method does not require using a CA (Certificate Authority).
5. The Remote Identifier Information and the Local Identifier Information will display with the default IKE Client Policy values: fvs_remote.com for the remote end point and fvs_local.com for the local end point.
Virtual Private Networking 5-3
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
6. Click Apply. The VPN Client screen will display showing that the VPN Client has been enabled. Click the IKE Policies tab to view the corresponding IKE Client Policy.

IKE Policies

The IKE (Internet Key Exchange) protocol performs negotiations between the two VPN Gateways, and provides automatic management of the Keys used in IPSec. It is important to remember that:
“Auto” generated VPN policies must use the IKE negotiation protocol.
“Manual” generated VPN policies cannot use the IKE negotiation protocol.

IKE Policy Operation

IKE Policies are activated when:
1. The VPN Policy Selector determines that some traffic matches an existing VPN Policy. If the VPN policy is of type “Auto”, then the Auto Policy Parameters defined in the VPN Policy are accessed which specify which IKE Policy to use.
2. If the VPN Policy is a “Manual” policy, then the Manual Policy Parameters defined in the VPN Policy are accessed and the first matching IKE Policy is used to start negotiations with the remote VPN Gateway.
If negotiations fail, the next matching IKE Policy is used.
If none of the matching IKE Policies are acceptable to the remote VPN Gateway, then a
VPN tunnel cannot be established.
3. An IKE session is established, using the SA (Security Association) parameters specified in a matching IKE Policy:
Keys and other parameters are exchanged.
An IPsec SA (Security Association) is established, using the parameters in the VPN
Policy.
The VPN tunnel is then available for data transfer.
5-4 Virtual Private Networking
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

IKE Policy Table

When you use the VPN Wizard to set up a VPN tunnel, an IKE Policy is established and populated in the Policy Table and is given the same name as the new VPN connection name. You can also edit exiting policies or add new IKE policies directly on the Policy Table Screen. Each policy contains the following data:
Name. Uniquely identifies each IKE policy. The name is chos en by you and used for the purpose of managing your policies; it is not supplied to the remote VPN Server . If the Policy is a Client Policy, it will be prepended by an “*”.
Mode. Two modes are available: either “Main” or “Aggressive”. – Main Mode is slower but more secure. – Aggressive mode is faster but less secure. (If specifying either a FQDN or a User FQDN
name as the Local ID/Remote ID, aggressive mode is automatically selected.)
Local ID. The IKE/ISAKMP identify of this device. (The remote VPN must have this value as their “Remote ID”.)
Remote ID. The IKE/ISAKMP identify of the remote VPN Gateway. (The remote VPN must have this value as their “Local ID”.)
Encr. Encryption Algorithm used for the IKE SA. The default setting using the VPN W izard is 3DES. (This setting must match the Remote VPN.)
Auth. Authentication Algorithm used for the IKE SA. The default setting using the VPN Wizard is SHA1. (This setting must match the Remote VPN.)
DH.
Diffie-Hellman Group. The Diffie-Hellman algorithm is used when ex changing keys . The DH Group sets the number of bits. The VPN Wizard default setting is Group 2. (This setting must match the Remote VPN.)
To gain a more complete understanding of the encryption, authentication and DH algorithm technologies, see Appendix B, “Related Documents”.

VPN Policies

You can create two types of VPN Policies. When using the VPN Wizard to create a VPN policy, only the Auto method is available.
Virtual Private Networking 5-5
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Manual. All settings (including the keys) for the VPN tunnel are manually input at each end (both VPN endpoints). No third party server or organization is involved.
Auto. Some parameters for the VPN tunnel are generated automatically by using the IKE (Internet Key Exchange) protocol to perform negotiations between the two VPN endpoints (the Local ID Endpoint and the Remote ID Endpoint).
In addition, a CA (Certificate Authority) can also be used to perform authentication (see
“Certificates” on page 5-33). To use a CA, each VPN Gateway must have a Certificate from the
CA. For each Certificate, there is both a “Public Key” and a “Private Key”. The “Public Key” is freely distributed, and is used to encrypt data. The receiver then uses their “Private Key” to decrypt the data (without the Private Key, decryption is impossible). CAs can be beneficial since using them reduces the amount of data entry required on each VPN Endpoint.

VPN Policy Operation

The VPN Policies screen allows you to add additional policies—either Auto or Manual—and to manage the VPN policies already created. You can edit policies, enable or disable them, or delete them entirely. The rules for VPN policy use conform to:
1. Traffic covered by a policy will automatically be sent via a VPN tunnel.
2. The VPN tunnel is created according to the parameters in the SA (Security Association).
3. The remote VPN Endpoint must have a matching SA, or it will refuse the connection.

VPN Policy Table

When you use the VPN Wizard to set up a VPN tunnel, both a VPN Policy and an IKE Policy is established and populated in both T ables on the VPN Policie s screen. The name you selected as the VPN Tunnel connection name during W izard setup identifies both the VPN Policy and IKE Policy . You can also edit exiting policies, add new VPN policies directly or change the policy hierarchy to the Policy Table. The Policy Table contains the following fields:
! (Status). Indicates whether the policy is enabled (green circle) or disabled (grey circle). To Enable or Disable a Policy, check the radio box adjacent to the circle and click Enable or Disable, as required.
Name. Each policy is given a unique name (the Connection Name when using the VPN Wizard). Client Policies are annotated by an “*”.
Type. The Type is “Auto” or “Manual” as described previously (Auto is used during VPN Wizard configuration).
5-6 Virtual Private Networking
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Local. IP address (either a single address, range of address or subnet address) on your local LAN. Traffic must be from (or to) these addresses to be covered by this policy. (Subnet address is the default IP address when using the VPN Wizard).
Remote. IP address or address range of the remote network. Traffic must be to (or from) these addresses to be covered by this policy. (The VPN Wizard default requires the remote LAN IP address and subnet mask for a gateway policy).
AH. Authentication Header. This specifies the authentication protocol for the VPN header (VPN Wizard default is disabled).
ESP. Encapsulating Security Payload. This specifies the encryption protocol used for the VPN data (VPN Wizard default is enabled).

VPN Tunnel Connection Status

Recent VPN tunnel activity is shown on the IPSec Connection S t atus screen (accessed by selecting VPN from the main menu and Connection Status from the submenu).You can set a Poll Interval (in seconds) to check the connection status of all active IKE Policies to obtain the latest VPN tunnel activity . The Active IPSec (SA)s table also lists current data for each active IPSec SA (Security Association):
Policy Name. The name of the VPN policy associated with this SA.
Endpoint. The IP address on the remote VPN Endpoint.
Tx (KBytes). The amount of data transmitted over this SA.
Tx (Packets). The number of packets transmitted over this SA.
State. The current state of the SA. Phase 1 is “Authentication phase” and Phase 2 is “Key Exchange phase”.
Action. Allows you to terminate or build the SA (connection), if required.
Virtual Private Networking 5-7
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual

Creating a VPN Gateway Connection: Between FVS338 and FVX538

This section describes how to configure a VPN connection between a NETGEAR FVS338 VPN Firewall and a NETGEAR FVX538 VPN Firewall.
Using each firewall's VPN Wizard, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses. Either firewall can initiate the connection.
This procedure was developed and tested using:
Netgear FVS338 VPN Firewall – WAN IP address: 10.1.32.41 – LAN IP address subnet:192.168.1.1/255.255 .25 5.0
Netgear FVX538 VPN Firewall – WAN1 IP address: 10.1.0.118 – LAN IP address subnet: 192.168.2.1/255.255.255 . 0

Configuring the FVS338

To configure the FVS338 using the VPN Wizard:
1. Select VPN from the main menu and VPN Wizard from the submenu. The VPN Wizard screen will display.
2. Check the Gateway radio box to establish a gateway-to-gateway VPN tunnel.
3. Give the new connection a name such as to_fvx.
4. Enter a value for the pre-shared key.
5. Enter the WAN IP address or Internet name of the remote WAN and the WAN IP Address or
Internet name of the local WAN. The address type must match.
6. Enter the remote LAN IP address and subnet mask.
7. Click Apply to create the IKE and VPN policies.
5-8 Virtual Private Networking
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 5-1
The IKE Policies screen will display showing the new “to_fvx” policy.
Figure 5-2
You can view the IKE parameters by clicking Edit in the Action column adjacent to the “to­fvs” policy. It should not be necessary to make any changes.
Virtual Private Networking 5-9
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 5-3
Click the IKE Policies tab to view the corresponding IKE Policy. The IKE Policies screen will display.
Figure 5-4
You can view the VPN parameters by clicking Edit in the Actions column adjacent to “to_fvx”. It should not be necessary to make any changes
5-10 Virtual Private Networking
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Figure 5-5

Configuring the FVX538

To configure the FVX538 using the VPN Wizard:
1. Select VPN from the main menu. The Policies screen will display. Click the VPN Wizard link. The VPN Wizard screen will display.
2. Check the Gateway radio box to establish a remote VPN gateway.
3. Give the new connection a name such as to_fvs.
4. Enter a value for the pre-shared key.
5. Enter the WAN IP address or Internet name of the remote WAN.
Virtual Private Networking 5-11
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
6. Enter the remote LAN IP address and subnet mask.
7. Click Apply to create the “to_fvs” IKE and VPN policies.
Figure 5-6

Testing the Connection

1. From a PC on either firewall’s LAN, try to ping a PC on the other firewall’s LAN. Establishing the VPN connection may take several seconds.
2. For additional status and troubleshooting information, view the VPN log and status menu in the FVX538 or FVS338.

Creating a VPN Client Connection: VPN Client to FVS338

This section describes how to configure a VPN connection between a Windows PC (the client) installed with the NETGEAR ProSafe VPN Client and the VPN firewall.
5-12 Virtual Private Networking
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
Using the FVS338 VPN Wizard, we will create a single set of policies (IKE and VPN) that will allow up to 50 remote PCs to connect from locations in which their IP addresses are unknown in advance. The PCs may be directly connected to the Internet or may be behind NAT routers. If more PCs are to be connected, an additional policy or policies must be created.
Each PC will use the NETGEAR VPN Client. Since the PC’s IP address is assumed to be unknown, the PC must always be the Initiator of the connection.
This procedure was developed and tested using:
NETGEAR ProSafe VPN Firewall 50 FVS338
NETGEAR ProSafe VPN Client
NAT router: NETGEAR FR114P

Configuring the FVS338

To configure the FVS338 using the VPN Wizard:
1. Select VPN from the main menu. The Policies screen will display. Click the VPN Wizard link. The VPN Wizard screen will display.
2. Check the VPN Client radio box to establish a remote VPN client.
3. Give the new connection a name such as home.
4. Enter a value for the pre-shared key.
5. Click Apply. The VPN Policies screen will display showing a VPN Client policy named home. Select the VPN Policies tab to display the corresponding “home” VPN Policy.
Note: When XAuthentication (XAUTH) is enabled, incoming VPN connections are
authenticated against the FVS338 Network Database first, then, if configured, a RADIUS server is checked.
Virtual Private Networking 5-13
v1.0, January 2007
FVS338 ProSafe VPN Firewall 50 Reference Manual
fvs_remote.com fvs_local.com
Figure 5-7

Configuring the VPN Client

On a remote PC that has a NETGEAR ProSafe VPN Client installed, configure the client using the FVS338 VPN Client default parameters (displayed in both the IKE Policy table and the VPN Policy table of the FVS338 under the name “home”):
Local FQDN (the router): fvs_local.com
Remote FQDN (the client): fvs_remote.com
Encryption Algorithm: 3DES
Authentication Algorithm: SHA-1
Pre-shared key: 12345678 (defined by user)
Diffie-Hellman (DH) Group: Group 2 (1024 bit)
SA Life Time: unspecified
Remote LAN IP subnet: 192.168.1.0/255.255.255.0
5-14 Virtual Private Networking
v1.0, January 2007
Loading...
Buy Points How it Works FAQ Contact Us Questions and Suggestions Privacy Policy Cookie Policy Terms of Use