Appendix C – Firmware Upgrade Practices and Precautions...................306
Appendix D – Recovering From a Failed Upgrade.....................................308
Appendix E – System Clock.........................................................................312
Appendix F – Null Modem Administration..................................................313
Appendix G – Command Line Interface (CLI) .............................................315
Page 6
Document Conventions
This document uses different fonts and typefaces to show specific actions.
Warning/Note
Text like this highlights important issues.
Bold text in procedures indicates text that you type, or the name of a screen object (e.g.
a menu or button).
1. Introduction
This manual describes the features and capabilities of your SnapGear unit, and provides
you with instructions on how to best take advantage of them.
This includes setting up network connections (in the chapter entitled Network Connections), tailoring the firewall to your network (Firewall), and establishing a virtual
private network (Virtual Private Networking). It also guides you through setting up the
SnapGear unit on your existing or new network using the web management console
(Getting Started).
This chapter provides a high level overview to familiarize you with your SnapGear unit’s
features and capabilities.
SG Gateway Appliances (SG3xx, SG5xx Series)
Note
The SG gateway appliance range includes models SG300, SG530, SG550, SG560,
SG565, SG570, SG575 and SG580.
The SG gateway appliance range provides Internet security and
privacy of communications for small and medium enterprises, and
branch offices. It simply and securely connects your office to the
Internet, and with its robust stateful firewall, shields your computers
from external threats.
With the SnapGear unit’s masquerading firewall, hosts on your LAN (local area network)
can see and access resources on the Internet, but all outsiders see is the SnapGear
unit’s external address.
You may tailor your SnapGear unit to disallow access from your LAN to specific Internet
sites or categories of content, give priority to specific types of network traffic, and allow
controlled access to your LAN from the outside world. You may also choose to enable
intrusion detection and prevention services on your SnapGear unit, to further bolster the
security of your local network.
Introduction
1
The SG565, SG560, SG570, SG575 and SG580 may also connect to a DMZ
(demilitarized zone) network. A DMZ is a separate local network typically used to host
servers accessible to the outside world. It is separated both physically and by the
firewall, in order to shield your LAN from external traffic.
The SnapGear unit allows you to establish a virtual private network (VPN). A VPN
enables remote workers or branch offices to connect securely to your LAN over the public
Internet. The SnapGear unit can also connect to external VPNs as a client. The SG550,
SG560, SG565, SG570, SG575 and SG580 use onboard cryptographic acceleration to
ensure excellent VPN throughput.
The SnapGear unit may be configured with multiple Internet connections. These auxiliary
connections may be kept on stand-by should the primary connection become
unavailable, or maintained concurrently with the primary connection for spreading
network load.
The SG565, SG570, SG575 and SG580 incorporate a powerful web proxy cache to
improve web page response time and reduce link loads. It is designed to integrate
seamlessly with upstream proxy caches provided by ISPs.
Front panel LEDs
The front and rear panels contain LEDs indicating status. An example of the front panel
LEDs is illustrated in the following figure and detailed in the following table.
Note
Not all the LEDs described below are present on all SnapGear unit models. Labels vary
from model to model.
Label             Activity   Description
Power             On         Power is supplied to the SnapGear unit.
Heart Beat        Flashing   The SnapGear unit is operating correctly.
                  On         If this LED is on and not flashing, an operating error has occurred.
LAN Activity      Flashing   Network traffic on the LAN network interface.
WAN Activity      Flashing   Network traffic on the Internet network interface.
WLAN Activity     Flashing   Network traffic on the wireless network interface.
DMZ Activity      Flashing   Network traffic on the DMZ network interface.
Serial Activity   Flashing   For either of the SnapGear unit's COM ports, these LEDs indicate receive and transmit data.
HA                On         The SnapGear unit has switched to a backup device.
Online            On         An Internet connection has been established.
VPN               On         Virtual private networking is enabled.
Note
If Heart Beat does not begin flashing shortly after power is supplied, refer to Appendix D,
Recovering From a Failed Upgrade.
Rear panel
The rear panel contains Ethernet and serial ports, the Reset/Erase button, and power
inlet. If network status LEDs are present, the lower or left LED indicates the link
condition, where a cable is connected correctly to another device. The upper or right LED
indicates network activity.
Specifications
Internet link
10/100baseT Ethernet
Serial (for dial-up/ISDN)
Front panel serial status LEDs (for TX/RX)
Online status LEDs (for Internet/VPN)
Rear panel Ethernet link and activity status LEDs
Local network link
10/100BaseT LAN port (SG530, SG550)
10/100BaseT 4 port LAN switch (SG300)
10/100BaseT DMZ port (SG570, SG575)
10/100BaseT 4 port VLAN-capable switch (SG560, SG565, SG580)
Rear panel Ethernet link and activity status LEDs
Environmental
External power adaptor (voltage/current depends on individual model)
Front panel operating status LEDs: Power, Heart Beat
Operating temperature between 0° C and 40° C
Storage temperature between -20° C and 70° C
Humidity between 0 to 95% (non-condensing)
SG Rack Mount Appliances (SG7xx Series)
Note
The SG rack mount appliance range includes models SG710 and SG710+.
The SG7xx series is the flagship of Secure Computing’s SG
family. It features multi-megabit throughput, rack-optimized
form factor, two fast Ethernet ports, and two 4-port fast
Ethernet switches as standard, and the option for two additional
gigabit ports (SG710+).
In addition to providing all of the features described in SG Gateway Appliances earlier in
this chapter, it equips central sites to securely connect hundreds of mobile employees
and branch offices.
Front panel LEDs
The front panel contains LEDs indicating status. An example of the front panel LEDs is
illustrated in the following figure and detailed in the following table.
Label              Activity   Description
Power              On         Power is supplied to the SnapGear unit.
H/B (Heart Beat)   Flashing   The SnapGear unit is operating correctly.
                   On         If this LED is on and not flashing, an operating error has occurred.
Failover           On         The SnapGear unit has switched to the backup Internet connection.
High Avail         On         The SnapGear unit has switched to a backup device.
Online             On         An Internet connection has been established.
Note
If H/B does not begin flashing 20 – 30 seconds after power is supplied, refer to Appendix
D, Recovering From a Failed Upgrade.
Front panel
The front panel contains two 10/100 Ethernet four port switches (A and B), two 10/100
Ethernet ports (C and D), and analog/ISDN modem (Serial), as well as operating status
LEDs and the configuration reset button (Erase).
On the front panel Ethernet ports, the right hand LED indicates the link condition, where a
cable is connected correctly to another device. The left hand LED indicates network
activity.
Rear panel
The rear panel contains a power switch and a power inlet for an IEC power cable.
Additionally, the SG710+ has two gigabit Ethernet ports (E and F).
Specifications
Internet link
Two 10/100baseT Ethernet ports (C, D)
Two GbE ports (E, F – SG710+ only)
Serial port
Online status LEDs (Online, Failover)
Ethernet link and activity status LEDs
LAN/DMZ link
Two 10/100BaseT 4 port LAN switches
Ethernet link and activity status LEDs
Environmental
Front panel operating status LEDs: Power, H/B
Operating temperature between 0° C and 40° C
Storage temperature between -20° C and 70° C
Humidity between 0 to 95% (non-condensing)
SG PCI Appliances (SG6xx Series)
Note
The SG PCI appliance range includes models SG630 and SG635.
The SG PCI appliance is a hardware-based firewall and VPN
server embedded in a 10/100 Ethernet PCI network interface
card (NIC). It is installed into the host PC like a regular NIC,
providing a transparent firewall to shield the host PC from
malicious Internet traffic, and VPN services to allow secure
remote access to the host PC.
Unlike other SG gateway and rack mount appliances, a single SG PCI appliance is not
intended as a means for your entire office LAN to be connected to, and shielded from, the
Internet. Installing a SG PCI appliance in each network connected PC gives it its own
independently manageable, enterprise-grade VPN server and firewall, running in isolation
from the host operating system.
This approach offers an increased measure of protection against internal threats as well
as conventional Internet security concerns. You can update, configure and monitor the
firewall and VPN connectivity of a workstation or server from any web browser. In the
event of a breach, you have complete control over access to the host PC independent of
its operating system, even if the host PC has been subverted and is denying normal
administrator access.
All network filtering and CPU-intensive cryptographic processing is handled entirely by
the SnapGear unit. This has the advantage over the traditional approach of using a
host-based personal software firewall and VPN service of not taxing the host PC's resources.
Bridged mode
By default, the SG PCI appliance operates in bridged mode. This is distinctly different
from the masquerading behavior of SG gateway and rack mount appliances.
In bridged mode, the SG PCI appliance uses two IP addresses. Note that these
addresses are both in the same subnet as the LAN, as no masquerading is being
performed (refer to the Masquerading section of the chapter entitled Firewall for further
details).
One IP address is used to manage the SnapGear unit via the web management console.
The other is the host PC's IP address, which is configurable through the host operating
system, identically to a regular NIC. This is the IP address that other PCs on the LAN
see. It should be dynamically (DHCP) or statically configured to use the same gateway,
DNS, etc. settings as a regular PC on the LAN.
Note
It is possible to configure the SG PCI appliance to run in masquerading mode. This is
discussed in the chapter entitled Firewall.
Secure by default
By default, all SnapGear units run a fully secured stateful firewall. This means that, from
the PC it is plugged into, most network resources are freely accessible: connections the
PC opens are tracked and their replies are let back in. However, any services that the
PC provides, such as file shares or web services (e.g. IIS), are not accessible by other
hosts on your LAN until you add packet filter rules on the SnapGear unit that expose
them. For details refer to the Packet Filtering section of the chapter entitled Firewall.
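The following is an added example, not code from the SnapGear firmware or this manual. It models the secure-by-default behaviour described above as a minimal stateful packet filter: flows the protected PC opens are tracked so their replies are accepted, unsolicited inbound connections are dropped, and an explicit rule (standing in for a packet filter rule on the unit) is what opens a service such as a file share. The host addresses, ports and traffic are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed packet: just the fields a connection-tracking filter keys on."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class StatefulFilter:
    """Tracks flows initiated by (or explicitly permitted to) the protected host."""

    def __init__(self, protected_host):
        self.host = protected_host
        self.flows = set()          # 5-tuples of flows whose replies are allowed
        self.inbound_rules = set()  # (proto, port) pairs opened by explicit rules

    def allow_inbound(self, proto, port):
        """Equivalent of adding a packet filter rule that exposes a host service."""
        self.inbound_rules.add((proto, port))

    def handle(self, pkt):
        """Return 'ACCEPT' or 'DROP' for one packet crossing the filter."""
        if pkt.src == self.host:
            # Outbound: the host may reach anything; remember the flow so replies get back.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ACCEPT"
        if pkt.dst == self.host:
            reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if reverse in self.flows:
                return "ACCEPT"  # reply to a connection the host initiated
            if (pkt.proto, pkt.dport) in self.inbound_rules:
                # Explicitly exposed service: accept and track the new flow.
                self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
                return "ACCEPT"
            return "DROP"  # unsolicited inbound, e.g. a LAN host probing a file share
        return "DROP"  # not addressed to or from the protected host


def run_scenario():
    """Constructed traffic: the protected PC browses a LAN web server, then another
    LAN host tries the PC's SMB share before and after a rule exposes it."""
    pc, web, peer = "192.168.0.50", "192.168.0.10", "192.168.0.20"
    fw = StatefulFilter(pc)
    decisions = {}
    decisions["pc->web"] = fw.handle(Packet(pc, 40001, web, 80))
    decisions["web->pc reply"] = fw.handle(Packet(web, 80, pc, 40001))
    decisions["web->pc unsolicited"] = fw.handle(Packet(web, 80, pc, 40002))
    decisions["peer->pc smb"] = fw.handle(Packet(peer, 50123, pc, 445))
    fw.allow_inbound("tcp", 445)  # the 'further configuration' the manual refers to
    decisions["peer->pc smb after rule"] = fw.handle(Packet(peer, 50124, pc, 445))
    return decisions


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:26s} {verdict}")
```

The point to take from the scenario is the last two lines: the same SMB connection is dropped until a rule for TCP port 445 exists, and the rule opens only that port, not the host. Exposing a service on the unit should be just as deliberate.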
LEDs
The rear panel contains LEDs indicating status. The two LEDs closest to the network
port are network activity (upper) and network link (lower). The two other LEDs are power
(upper) and heart beat (lower).
Location                      Activity   Description
Top right (Power)             On         Power is supplied to the SnapGear unit.
Bottom right (Heart beat)     Flashing   The SnapGear unit is operating correctly.
Top left (Network activity)   Flashing   Data is being transmitted or received.
Bottom left (Network link)    On         The SnapGear unit is attached to the network.
Note
If Heart beat does not begin flashing shortly after power is supplied, refer to Appendix D,
Recovering From a Failed Upgrade.
Specifications
Network link
10/100baseT Ethernet port
Ethernet LEDs (link, activity)
Environmental
Status LEDs: Power, Heart Beat
Operating temperature between 0° C and 40° C
Storage temperature between -20° C and 70° C
Humidity between 0 to 95% (non-condensing)
2. Getting Started
This chapter provides step-by-step instructions for installing your SnapGear unit. These
instructions are identical to those in the printed Quick Install Guide that shipped with your
SnapGear unit.
Upon completing the steps in this chapter, your SG gateway or rack mount appliance is
installed in a network configuration similar to that depicted in the figure to the right. If
you are setting up a SG PCI appliance, upon completing the steps in this chapter, your
host PC is connected securely to your existing LAN.
These instructions assume you have a PC
running Microsoft Windows (95/98/Me/2000/XP
for SG gateway and rack mount appliances,
2000/XP only for SG PCI appliances). If you are
installing an SG gateway or rack mount appliance, you must have an Ethernet network
interface card (NIC) installed. You may need to be logged in with administrator
privileges.
Instructions are not given for other operating systems; refer to your operating system
documentation on how to configure your PCs’ network settings using the examples given
for Windows PCs as a guide.
Note
Installing your SnapGear unit into a well-planned network is easy. However, network
planning is outside the scope of this manual. Please take the time to plan your network
before installing your SnapGear unit.
If you are setting up a SG gateway appliance (SG3xx, SG5xx series) proceed to SG
Gateway Appliance Quick Setup Guide.
If you are setting up a SG rack mount appliance (SG7xx series) proceed to SG Rack
Mount Appliance Quick Setup Guide.
If you are setting up a SG PCI appliance (SG6xx series), proceed to SG PCI
Appliance Quick Setup Guide.
SG Gateway Appliance Quick Setup
Unpack the SnapGear unit
Check that the following items are included with your SnapGear unit:
Power adapter
SG CD
Network cable
On the rear panel of the SnapGear unit you will see network, serial and possibly USB
ports, a Reset/Erase button, and a power inlet.
The front panel of the SnapGear unit contains activity LEDs (lights) that vary slightly
between models. These provide information on the operating status of the SnapGear
unit.
Note
Power is ON when power is applied (use only the power adapter packaged with the unit).
System/Heart Beat/TST flashes when the SnapGear unit is running.
Initially, all appliance models except for the SG300 also have all other front panel LEDs
flashing.
If these LEDs do not behave in this manner before your SnapGear unit is attached to the
network, perform a factory reset. Press the black Reset/Erase button on rear panel
twice within two seconds to restore factory default settings. If the LEDs are still not
flashing after 30 seconds, you may need to contact customer support.
Set up a single PC to connect to the SnapGear unit
The SnapGear unit ships with initial network settings of:
LAN IP address: 192.168.0.1
LAN subnet mask: 255.255.255.0
The SnapGear unit needs an IP address suitable for your LAN before it is connected.
You may choose to use the SnapGear unit’s initial network settings above as a basis for
your LAN settings.
Connect the supplied power adapter to the SnapGear unit:
If you are setting up the SG300, attach your PC’s network interface card directly to
any network port on its LAN switch using the supplied network cable.
If you are setting up the SG560, SG565 or SG580, attach your PC's network interface
card directly to any network port on switch A (A1 – A4) using the supplied network
cable.
Otherwise, connect the SnapGear unit’s LAN network port directly to your PC’s
network interface card using the supplied network cable.
Note
At this point, if you attach the SnapGear unit directly to a LAN with an existing DHCP
server, or a PC running a DHCP service, it will automatically obtain an additional
address. The SnapGear unit will still be reachable at 192.168.0.1.
However, we strongly recommend that you do not connect the SnapGear unit to your
LAN until instructed to do so by this guide.
All other network ports are by default inactive, i.e. they are not running any network
services such as DHCP, and they are not configured with an IP address.
Next, modify your PC’s network settings to enable it to communicate with the SnapGear
unit.
Click Start > (Settings >) Control Panel and double-click Network Connections (or in
95/98/Me, double-click Network).
Right-click Local Area Connection then select Properties.
Note
If there is more than one existing network connection, select the one corresponding to the
network interface card to which the SnapGear unit is attached.
Select Internet Protocol (TCP/IP) (or in 95/98/Me, TCP/IP > your network card name if
there are multiple entries) and click Properties.
Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Select Use the following DNS server addresses and enter:
Preferred DNS server: 192.168.0.1
Note
If you wish to retain your existing IP settings for this network connection, click Advanced
and Add the secondary IP address of 192.168.0.100, subnet mask 255.255.255.0.
Set up the SnapGear unit’s password and LAN connection settings
Launch your web browser and navigate to 192.168.0.1.
Select Quick Setup Wizard from the center of the page.
A login prompt is displayed. Enter the initial user name and password for the SnapGear
unit:
User name: root
Password: default
Note
If you are unable to browse to the SnapGear unit at 192.168.0.1, or the initial user name
and password are not accepted, press the black Reset/Erase button on the SnapGear
unit’s rear panel twice, wait 20 – 30 seconds, then try again.
Pressing Reset/Erase twice within 2 seconds resets the SnapGear unit to its factory
default settings, including the root password, which reverts to default. Anyone with
physical access to the rear panel can do this, so keep the unit somewhere physically
secure, and repeat the setup steps below after any reset.
Enter and confirm a password for your SnapGear unit. This is the password for the user
root, the main administrative user account on the SnapGear unit. It is therefore
important that you choose a password that is hard to guess, and keep it safe.
Note
The new password takes effect immediately. You are prompted to enter it when
completing the next step.
The quick setup wizard is displayed.
Changing the Hostname is not typically necessary.
Select how you would like to set up your LAN connection, then click Next.
Note
You must select Manual configuration in order to enable the SnapGear unit’s built-in
DHCP server. The SnapGear unit’s DHCP server automatically configures the network
settings of PCs and other hosts on your LAN.
Changes to the SnapGear unit’s LAN configuration do not take effect until the quick setup
wizard has completed.
1. Select how you will configure your LAN:
(recommended) Select Manual configuration to manually specify the SnapGear
unit's LAN connection settings.
If you wish to use the SnapGear unit's initial network settings (IP address 192.168.0.1
and subnet mask 255.255.255.0) as a basis for your LAN settings, and you do not
wish to use the SnapGear unit's built-in DHCP server, select Skip: LAN already
configured. Skip to step 3.
If you have an existing DHCP server, and wish to rely on it to automatically configure
the SnapGear unit's LAN connection settings (not recommended), choose Obtain LAN
IP address from a DHCP server on LAN. Skip to step 3.
2. If you selected Manual configuration, some additional information is required.
Otherwise, skip to the next step.
3. Enter an IP address and Subnet Mask for the SnapGear unit’s LAN connection.
Note
Take note of this IP address and subnet mask, as you will need them later on.
4. To enable the SnapGear unit’s built-in DHCP server, enter a range of addresses to
hand out in DHCP Server Address Range. PCs and other hosts on your LAN that
are set to automatically obtain network settings are assigned an address from this
range, and instructed to use the SnapGear unit as their gateway to the Internet and
as their DNS server for Internet domain name resolution.
5. Click Next.
Set up the SnapGear unit’s Internet connection settings
Attach the SnapGear unit to your modem device or Internet connection medium. If
necessary, give the modem device some time to power up.
Select your Internet connection type and click Next. The options displayed differ
depending on the connection type selected.
If you are connecting using a Cable Modem, select your ISP, or Generic Cable
Modem Provider if yours does not appear.
If you are connecting using an analog (dialup) Modem, enter the details provided by
your ISP.
If you are connecting using an ADSL modem, select Auto detect ADSL connection
type, click Next, then enter the details provided by your ISP. If auto detection fails,
you must manually select your ADSL connection type – if you are unsure of this,
contact your ISP.
If you have a Direct Connection to the Internet (e.g. a leased line), enter the IP
settings provided by your ISP.
Note
For detailed help for each of these options, please refer to the user manual on the SG CD
(\doc\UserManual.pdf).
After entering the appropriate details, click Next.
Set up the SnapGear unit’s switch
Note
This page will only display if you are setting up the SG560, SG565 or SG580. Otherwise
skip to the next step.
By default, the SnapGear unit’s switch A behaves as a conventional switching hub.
However, it may be configured so that each port behaves as if it were physically separate
from the others.
Select a configuration for the SnapGear unit’s switch, then click Next.
1 LAN Port, 3 Isolated Ports, select this if you require multiple network segments,
such as a DMZ, guest network or second LAN, or if you want to use multiple
broadband Internet connections for Internet load balancing or Internet failover. Port
A1 is used as the primary LAN connection.
Note
For instructions on setting up multiple network segments and Internet connections,
please refer to the next chapter of this manual.
4 LAN Ports, select if you don’t want multiple network segments.
Connect the SnapGear unit to your LAN
Review your configuration changes. Once you are satisfied, click Finish to activate the
new configuration.
Note
If you have changed the SnapGear unit’s LAN connection settings, it may become
uncontactable at this point. This step describes how to set up the PCs on your network
to access the SnapGear unit and the Internet.
If you haven’t already done so, connect the SnapGear unit to your LAN.
Model/Configuration                            Instructions
SG300                                          Connect PCs and/or your LAN hub directly to its LAN switch.
SG560, SG565 or SG580 with its switch          Connect PCs and/or your LAN hub directly to switch A.
configured as 4 LAN Ports
SG560, SG565 or SG580 with its switch          Connect port A1 directly to your LAN hub.
configured as 1 LAN Port, 3 Isolated Ports
Otherwise                                      Connect the LAN port directly to your LAN hub.
Set up your LAN to access the Internet
To access the Internet, each PC on your LAN must be assigned an appropriate IP
address, and have the SnapGear unit's LAN IP address designated as its gateway and
as its DNS server.
A DHCP server allows PCs to automatically obtain these network settings when they start
up. If your network does not have a DHCP server, you may either manually set up each
PC on your network, or set up the SnapGear unit's DHCP server.
(recommended) To use the SnapGear unit's built-in DHCP server, proceed to
Automatic configuration of your LAN.
If your LAN already has a DHCP server that you will use instead of the SnapGear
unit's built-in DHCP server, proceed to Automatic configuration of your LAN using an
existing DHCP server.
If you do not want to use a DHCP server, proceed to Manual configuration of your
LAN.
Automatic configuration of your LAN
If you selected Manual configuration for the SnapGear unit's LAN connection and
supplied a DHCP Server Address Range, then the SnapGear unit's DHCP server is
already set up and running.
Each PC on your LAN must now be set up to automatically obtain network settings.
Click Start > (Settings >) Control Panel and double-click Network Connections (or in
95/98/Me, double-click Network).
If presented with multiple connections, right-click on Local Area Connection (or
appropriate network connection) and select Properties.
Select Internet Protocol (TCP/IP) (or in 95/98/Me, TCP/IP > [your network card name] if
there are multiple entries) and click Properties (in 95/98/Me, you may also have to click
the IP Address tab).
Check Obtain an IP address automatically, check Obtain DNS server address
automatically and click OK (in 95/98/Me, reboot the PC if prompted to do so).
Quick setup is now complete.
Automatic configuration of your LAN using an existing DHCP server
If you chose to have the SnapGear unit Obtain LAN IP address from a DHCP
server on LAN, it is strongly recommended that you add a reservation (a fixed lease)
to your existing DHCP server so that the SnapGear unit's LAN connection always
receives the IP address you chose for it.
If you chose to set the SnapGear unit’s LAN connection settings using Manual
configuration, you may simply remove this address from the pool of available
addresses.
Enter this same IP address as the gateway IP address to be handed out by the existing
DHCP server.
Enter this same IP address as the DNS server IP address to be handed out by the DHCP
server.
Ensure all PCs on the network are set up to automatically obtain network configuration as
per Automatic configuration of your LAN, then restart them.
Note
The purpose of restarting the computers is to force them to update their automatically
configured network settings. Alternatively, you can use a utility such as ipconfig to
release then renew the DHCP lease, or disable and re-enable the network connection.
Quick setup is now complete.
Manual configuration of your LAN
Click Start > (Settings >) Control Panel and double-click Network Connections (or in
95/98/Me, double-click Network).
If presented with multiple connections, right-click on Local Area Connection (or
appropriate network connection) and select Properties.
Select Internet Protocol (TCP/IP) (or in 95/98/Me, TCP/IP > [your network card name] if
there are multiple entries) and click Properties.
Enter the following details:
IP address is an IP address that is part of the same subnet range as the SnapGear
unit’s LAN connection (if using the default settings, 192.168.0.2 – 192.168.0.254).
Subnet mask is the subnet mask of the SnapGear unit’s LAN connection (if using the
default settings, 255.255.255.0).
Default gateway is the IP address of the SnapGear unit’s LAN connection (if using
the default settings, 192.168.0.1).
Preferred DNS server is the IP address of the SnapGear unit’s LAN connection (if
using the default settings, 192.168.0.1).
Click OK (or in 95/98/Me, Add then OK, and reboot the PC if prompted to do so).
Perform these steps for each PC on your network.
Quick setup is now complete.
SG Rack Mount Appliance Quick Setup
Unpack the SnapGear unit
Check that the following items are included with your SnapGear unit:
Power cable
SG CD
Network cable
The front panel of the SnapGear unit has two 4-port network switches (A and B), two
network ports (C and D), a serial port, status LEDs, and Erase button.
The rear panel of the SnapGear unit has a power inlet and power switch.
Note
The SG710+ has two gigabit network ports on the rear panel (E and F).
The status LEDs on the front panel provide information on the operating status of the
SnapGear unit.
The Power LED is ON when power is applied. H/B (heart beat) flashes when the SnapGear
unit is running. Each of the network ports has two LEDs indicating link, activity, and
speed. In its factory-default state, the four status LEDs next to Power flash.
If these LEDs do not behave in this manner before your SnapGear unit is attached to the
network, perform a factory reset. Press the black Erase button on front panel twice
within two seconds to restore factory default settings. If the LEDs are still not flashing
after 30 seconds, you may need to contact customer support.
Set up a single PC to connect to the SnapGear unit
The SnapGear unit ships with initial network settings of:
LAN IP address: 192.168.0.1
LAN subnet mask: 255.255.255.0
The SnapGear unit needs an IP address suitable for your LAN before it is connected.
You may choose to use the SnapGear unit’s initial network settings above as a basis for
your LAN settings.
Initial configuration is performed through a port on network switch A (A1 – A4). If you
attach A1 – A4 directly to a LAN with an existing DHCP server, or a PC running a DHCP
service, it will automatically obtain an additional address. The SnapGear unit will still be
reachable at 192.168.0.1.
Note
We strongly recommend that you do not connect the SnapGear unit to your LAN until
instructed to do so by this guide.
All other network ports are by default inactive, i.e. they are not running any network
services such as DHCP, and they are not configured with an IP address.
Connect the supplied power cable to the power inlet on the rear panel of the SnapGear
unit and turn on the rear panel power switch.
Connect one of the ports of network switch A (A1 – A4) directly to your PC’s network
interface card using the supplied network cable.
Next, modify your PC’s network settings to enable it to communicate with the SnapGear
unit.
Click Start > (Settings >) Control Panel and double-click Network Connections (or in
95/98/Me, double-click Network).
Right-click Local Area Connection then select Properties.
Note
If there is more than one existing network connection, select the one corresponding to the
network interface card to which the SnapGear unit is attached.
Select Internet Protocol (TCP/IP) (or in 95/98/Me, TCP/IP > your network card name if
there are multiple entries) and click Properties.
Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
Default gateway: 192.168.0.1
Select Use the following DNS server addresses and enter:
Preferred DNS server: 192.168.0.1
Note
If you wish to retain your existing IP settings for this network connection, click Advanced
and Add the secondary IP address of 192.168.0.100, subnet mask 255.255.255.0.
Set up the SnapGear unit’s password and LAN connection settings
Launch your web browser and navigate to 192.168.0.1.
Select Quick Setup Wizard from the center of the page.
A login prompt is displayed. Enter the initial user name and password for the SnapGear
unit:
User name: root
Password: default
Note
If you are unable to browse to the SnapGear unit at 192.168.0.1, or the initial user name
and password are not accepted, press the black Erase button on the SnapGear unit’s
front panel twice, wait 20 – 30 seconds, then try again.
Pressing Erase twice within 2 seconds resets the SnapGear unit to its factory-default
settings. Erase will delete all current configuration settings, passwords and certificates,
so the root password reverts to default. However, any saved configurations (.sgu files)
are NOT deleted. Since anyone with physical access to the front panel can trigger this,
house the unit in a physically secure location.
Enter and confirm a password for your SnapGear unit. This is the password for the user
root, the main administrative user account on the SnapGear unit. It is therefore
important that you choose a password that is hard to guess, and keep it safe.
Note
The new password takes effect immediately. You are prompted to enter it when
completing the next step.
The Quick Setup wizard is displayed.
Changing the Hostname is not typically necessary.
Select how you would like to set up your LAN connection then click Next.
Note
You must select Manual configuration in order to enable the SnapGear unit’s built-in
DHCP server. The SnapGear unit’s DHCP server automatically configures the network
settings of PCs and other hosts on your LAN.
Changes to the SnapGear unit’s LAN configuration do not take effect until the quick setup
wizard has completed.
(recommended) Select Manual configuration to manually specify the SnapGear
unit’s LAN connection settings.
Select Skip: LAN already configured if you wish to use the SnapGear unit’s initial
network settings (IP address 192.168.0.1 and subnet mask 255.255.255.0) as a basis
for your LAN settings, and you do not wish to use the SnapGear unit’s built-in DHCP
server. Skip to the next step.
You may choose to Obtain LAN IP address from a DHCP server on LAN if you
have an existing DHCP server, and wish to rely on it to automatically configure the
SnapGear unit’s LAN connection settings (not recommended). Skip to the next step.
If you selected Manual configuration, some additional information is required.
Otherwise, skip to the next step.
Enter an IP address and Subnet Mask for the SnapGear unit’s LAN connection.
Note
Take note of this IP address and subnet mask, as you will need them later on.
To enable the SnapGear unit’s built-in DHCP server, enter a range of addresses to hand
out in DHCP Server Address Range. PCs and other hosts on your LAN that are set to
automatically obtain network settings are assigned an address from this range, and
instructed to use the SnapGear unit as their gateway to the Internet and as their DNS
server for Internet domain name resolution.
Click Next.
Connect the SnapGear unit to your LAN
Review your configuration changes. Once you are satisfied, click Finish to activate the
new configuration.
Note
If you have changed the SnapGear unit’s LAN connection settings, it may become
uncontactable at this point. This step describes how to set up the PCs on your network
to access the SnapGear unit and the Internet.
Connect PCs and/or your LAN hub to switch A on the SnapGear unit.
Set up the PCs on your LAN
Each PC on your LAN must now be assigned an appropriate IP address, and have the
SnapGear unit’s LAN IP address designated as its gateway and as its DNS server.
A DHCP server allows PCs to automatically obtain these network settings when they start
up. If your network does not have a DHCP server, you may either manually set up each
PC on your network, or set up the SnapGear unit’s DHCP server.
(recommended) To use the SnapGear unit’s built-in DHCP server, proceed to
Automatic configuration of your LAN.
If your LAN already has a DHCP server that you will use instead of the SnapGear
unit’s built-in DHCP server, proceed to Automatic configuration of your LAN using an
existing DHCP server.
If you do not want to use a DHCP server, proceed to Manual configuration of your
LAN.
Automatic configuration of your LAN
By selecting Manual Configuration for the SnapGear unit’s LAN connection, and
supplying DHCP Server Address Range, the SnapGear unit’s DHCP server is already
set up and running.
Each PC on your LAN must now be set up to automatically obtain network settings.
Click Start > (Settings >) Control Panel and double-click Network Connections (or in
95/98/Me, double-click Network).
If presented with multiple connections, right-click on Local Area Connection (or
appropriate network connection) and select Properties.
Select Internet Protocol (TCP/IP) (or in 95/98/Me, TCP/IP > [your network card name] if
there are multiple entries) and click Properties (in 95/98/Me, you may also have to click
the IP Address tab).
Check Obtain an IP address automatically, check Obtain DNS server address
automatically and click OK (in 95/98/Me, reboot the PC if prompted to do so).
Automatic configuration of your LAN using an existing DHCP server
If you chose to have the SnapGear unit Obtain LAN IP address from a DHCP
server on LAN, it is strongly recommended that you add a reservation to your existing
DHCP server for the IP address you chose for the SnapGear unit’s LAN connection, so
that it cannot be handed out to another host.
If you chose to set the SnapGear unit’s LAN connection settings using Manual
configuration, you may simply remove this address from the pool of available
addresses.
Enter this same IP address as the gateway IP address to be handed out by the existing
DHCP server.
Enter this same IP address as the DNS server IP address to be handed out by the DHCP
server.
Ensure all PCs on the network are set up to automatically obtain network configuration as
per Automatic configuration of your LAN, then restart them.
Note
The purpose of restarting the computers is to force them to update their automatically
configured network settings. Alternatively you can use a utility such as ipconfig to
release then renew the DHCP lease (ipconfig /release followed by ipconfig /renew), or
disable and re-enable the network connection.
Manual configuration of your LAN
Click Start > (Settings >) Control Panel and double-click Network Connections (or in
95/98/Me, double-click Network).
If presented with multiple connections, right-click Local Area Connection (or appropriate
network connection) and select Properties.
Select Internet Protocol (TCP/IP) and click Properties (or in 95/98/Me, TCP/IP > [your network card name] if there are multiple entries).
Enter the following details:
IP address is an IP address that is part of the same subnet range as the SnapGear
unit’s LAN connection (e.g. if using the default settings, 192.168.0.2 –
192.168.0.254).
Subnet mask is the subnet mask of the SnapGear unit’s LAN connection (if using the
default settings, 255.255.255.0).
Default gateway is the IP address of the SnapGear unit’s LAN connection (if using
the default settings, 192.168.0.1).
Preferred DNS server is the IP address of the SnapGear unit’s LAN connection (if
using the default settings, 192.168.0.1).
Click OK (or in 95/98/Me, Add then OK, reboot the PC if prompted to do so).
Perform these steps for each PC on your network.
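The rules above (an address in the SnapGear unit’s LAN subnet, not the unit’s own address, and, as noted under Automatic configuration of your LAN using an existing DHCP server, not an address a DHCP server may also hand out) are easy to get wrong on a LAN with many statically configured PCs. The following planning helper is an added example and is not part of the manual or the SnapGear firmware. It assumes the default LAN settings of 192.168.0.1 / 255.255.255.0 and a constructed DHCP Server Address Range of 192.168.0.100 to 192.168.0.199; substitute the values you noted during the Quick Setup wizard.

```python
import ipaddress


def static_host_problems(lan_ip, lan_mask, dhcp_range, candidate):
    """Return a list of reasons why `candidate` must NOT be assigned statically
    to a PC behind a SnapGear unit whose LAN address is lan_ip/lan_mask and
    whose DHCP server hands out dhcp_range = (first, last), or None if the
    built-in DHCP server is not used. An empty list means the address is safe."""
    gateway = ipaddress.IPv4Address(lan_ip)
    lan = ipaddress.IPv4Network(f"{lan_ip}/{lan_mask}", strict=False)
    host = ipaddress.IPv4Address(candidate)
    problems = []
    if host not in lan:
        problems.append(f"{host} is not in the LAN subnet {lan}")
        return problems  # the remaining checks only make sense inside the subnet
    if host in (lan.network_address, lan.broadcast_address):
        problems.append(f"{host} is the network or broadcast address of {lan}")
    if host == gateway:
        problems.append(f"{host} is the SnapGear unit's own LAN address")
    if dhcp_range is not None:
        first, last = (ipaddress.IPv4Address(a) for a in dhcp_range)
        if first <= host <= last:
            problems.append(f"{host} lies inside the DHCP range {first}-{last}")
    return problems


def free_static_addresses(lan_ip, lan_mask, dhcp_range):
    """Every address in the LAN that a PC may safely be given statically."""
    lan = ipaddress.IPv4Network(f"{lan_ip}/{lan_mask}", strict=False)
    return [str(h) for h in lan.hosts()
            if not static_host_problems(lan_ip, lan_mask, dhcp_range, str(h))]


def pc_settings(lan_ip, lan_mask, candidate):
    """The four values typed into the PC's TCP/IP properties: the SnapGear
    unit's LAN address serves as both default gateway and DNS server."""
    lan = ipaddress.IPv4Network(f"{lan_ip}/{lan_mask}", strict=False)
    return {
        "ip_address": candidate,
        "subnet_mask": str(lan.netmask),
        "default_gateway": lan_ip,
        "preferred_dns": lan_ip,
    }


if __name__ == "__main__":
    # Constructed sample: default LAN settings plus a DHCP range of .100-.199
    LAN_IP, LAN_MASK = "192.168.0.1", "255.255.255.0"
    DHCP_RANGE = ("192.168.0.100", "192.168.0.199")
    for pc in ("192.168.0.2", "192.168.0.150", "192.168.0.1", "10.0.0.5"):
        problems = static_host_problems(LAN_IP, LAN_MASK, DHCP_RANGE, pc)
        print(pc, "OK" if not problems else "; ".join(problems))
    print(len(free_static_addresses(LAN_IP, LAN_MASK, DHCP_RANGE)),
          "addresses remain for static assignment")
    print(pc_settings(LAN_IP, LAN_MASK, "192.168.0.2"))
```

With no DHCP range the helper returns exactly the 192.168.0.2 to 192.168.0.254 span quoted above; with the sample range it leaves 153 addresses, which is the number of PCs you can configure by hand before the two pools collide.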
Set up the SnapGear unit’s Internet connection settings
Choose a port on the SnapGear unit for your primary Internet connection. Port C is used
in this guide. Attach Port C to your modem device or Internet connection medium. If
necessary, give the modem device some time to power up.
Note
If you have changed the SnapGear unit’s LAN connection settings, browse to the new
LAN IP address.
Select Network Setup from the Network Setup menu.
In the row labeled Port C, select your Internet connection type from the Change Type
drop down list.
If you are connecting using a Cable Modem, select your ISP, or Generic Cable
Modem Provider if yours does not appear.
If you are connecting using an ADSL modem, select Auto detect ADSL connection
type, click Next, then enter the details provided by your ISP. If auto detection fails,
you must manually select your ADSL connection type – if you are unsure of this,
contact your ISP.
If you have a Direct Connection to the Internet (e.g. a leased line), enter the IP
settings provided by your ISP.
Note
For detailed help for each of the options, please refer to the next chapter.
After entering the appropriate details, click Finish.
Quick setup is now complete.
SG PCI Appliance Quick Setup
Unpack the SnapGear unit
Check that the SG CD is included with your appliance.
On the SnapGear unit is a single 10/100 network port, a Reset button, and four LEDs
(lights). The LEDs provide information on the operating status of your SnapGear unit.
The two LEDs closest to the network port indicate network link and network activity.
The two LEDs furthest from the network port indicate Power and Heart Beat. The Heart
Beat LED blinks when the SnapGear unit is running. The Power LED is ON when power
is applied.
Install the SnapGear unit in an unused PCI slot
Power off your PC and remove its cover.
Select an unused PCI slot and insert the SnapGear unit.
Power on your PC.
Install the network driver on your PC
The SnapGear unit is automatically detected and the appropriate driver is installed when
Windows starts up. It is detected as a Realtek RTL8139-series Fast Ethernet Adapter.
Note
You can check that a new network adapter has been installed by clicking Start >
(Settings >) Network and Dialup Connections > Local Area Connection (possibly
followed by a number) > Properties and ensure the adapter is listed in the Connect using field.
Set up your PC to connect to the web management console
Note
The following steps assume you want to set up your SnapGear unit in bridged mode, so
that it sits between your PC and the LAN, transparently filtering network traffic.
If you want to set up your SnapGear unit for NAT mode or to connect directly to your ISP,
refer to Network Address Translation (NAT) on page 148.
The SnapGear unit ships with initial network settings of:
IP address: 192.168.0.1
Subnet mask: 255.255.255.0
Next, modify your PC’s network settings to enable it to communicate with the SnapGear
unit.
Click Start > (Settings >) Control Panel and double-click Network Connections.
Right-click on Local Area Connection (or appropriate network connection for the newly
installed PCI appliance) and select Properties.
Select Internet Protocol (TCP/IP) and click Properties.
Select Use the following IP address and enter the following details:
IP address: 192.168.0.100
Subnet mask: 255.255.255.0
Leave the Default gateway and DNS server addresses blank.
Set up the SnapGear unit’s password and network connection settings
Launch your web browser and navigate to 192.168.0.1.
Select Network Setup from the Networking menu.
A login prompt is displayed. Enter the initial user name and password for the SnapGear
unit:
User name: root
Password: default
Note
If you are unable to connect to the management console at 192.168.0.1, or the initial user
name and password are not accepted, press the Reset button on the SnapGear unit’s
rear panel twice, wait 20 – 30 seconds, and try again.
Pressing Reset twice within 2 seconds resets the SnapGear unit to its factory default
settings, including the initial user name and password.
Enter and confirm a password for your SnapGear unit. This is the password for the user
root, the main administrative user account on the SnapGear unit. It is therefore
important that you choose a password that is hard to guess, and keep it safe.
Note
The new password takes effect immediately. You are prompted to enter it when
completing the next step.
In the row labeled Bridge, click the Modify icon.
Note
The purpose of this step is to configure the IP address for the web management console.
For convenience, this is generally a free IP address on your LAN.
If your LAN has a DHCP server running, you may set up the SnapGear unit and your
PC to obtain their network settings automatically. Proceed to Automatic configuration.
Otherwise, you must manually specify network settings for both the SnapGear unit
and your PC. Proceed to Manual configuration.
Automatic configuration
Before continuing, ensure your DHCP server has two free leases. One is used for the
web management console, the other for your PC.
Note
It is strongly recommended that you reserve the IP address to be used by the web
management console using the SnapGear unit’s MAC address. In bridged mode, this is
the top MAC address of the three displayed on the SnapGear unit itself.
Check DHCP assigned. Anything in the IP Address and Subnet Mask fields is ignored.
Click Update.
Click Start > (Settings >) Control Panel and double-click Network Connections.
Right-click Local Area Connection (or appropriate network connection for the newly
installed PCI appliance) and select Properties.
Select Internet Protocol (TCP/IP) and click Properties.
Check Obtain an IP address automatically, check Obtain DNS server address
automatically and click OK.
Attach your SnapGear unit’s Ethernet port to your LAN’s hub or switch.
Quick setup is now complete.
Manual configuration
Ensure you have two free IP addresses that are part of the subnet range of your LAN,
and ensure you know your LAN’s subnet mask, and the DNS server address and
gateway address used by PCs on your LAN.
Note
Contact your network administrator if you are unsure of any of these settings.
The first IP address is used by the web management console.
Enter this address as the IP Address, and the subnet mask for your LAN as the Subnet
mask.
Ensure DHCP assigned is unchecked.
You may also enter one or more DNS Server(s) and a Gateway address to be used by
the SnapGear unit, not your PC, for access to the Internet. Typically this is not
necessary, as only your PC needs to access the Internet.
Click Update.
Next, configure your PC with the second IP address in the same manner you would as if
it were connected to the LAN with a regular network interface card.
Click Start > (Settings >) Control Panel and double-click Network Connections.
Right-click Local Area Connection (or appropriate network connection for the newly
installed PCI appliance) and select Properties.
Select Internet Protocol (TCP/IP) and click Properties.
Enter the following details:
IP address is the second free IP address that is part of your LAN’s subnet range.
Subnet mask is your LAN’s subnet mask.
Default gateway is your LAN’s default gateway IP address.
Preferred DNS server is the IP address of the DNS server used by PCs on your
LAN.
Click OK.
Attach your SnapGear unit’s Ethernet port to your LAN’s hub.
Quick setup is now complete.
Disabling the reset button on your SnapGear PCI appliance
For convenience, the SnapGear unit ships with the rear panel Reset button enabled.
This allows the SnapGear unit’s configuration to be reset to factory defaults.
From a network security standpoint, it may be desirable to disable the Reset switch after
initial setup has been performed, since anyone with physical access to the host PC could
otherwise use it to restore the factory default configuration, including the initial user name
and password. This is accomplished by removing the jumper linking CON2 on the
SnapGear unit. This jumper is labeled Remove Link to Disable Erase.
The SnapGear Management Console
The various features of your SnapGear unit are configured and monitored using the
management console. Follow the steps from the beginning of this chapter to set up your
PC to access the management console.
The main menu is displayed on the left hand side. Navigate your way around and get a
feel for the SnapGear unit’s features by clicking the corresponding link in the main menu.
The remainder of this user manual is roughly divided into chapters based on the main
menu section heading, e.g. Network Setup, Firewall, etc. Chapter sections roughly
correspond to the menu items under each heading, e.g. DHCP Server, Web Cache.
Help
To access help for the current page, click the blue help icon on the top right hand side of
the screen.
Help describes each field, along with acceptable input values where appropriate. To
search the entire contents of the help system, enter search Keywords and click Search.
Backup/restore configuration
Hover your mouse over the black backup/restore icon on the top right-hand side of the
screen to display the date on which configuration changes were last backed up. Click
the icon to back up the current configuration or restore a backed up configuration; see
the Backup/Restore section of the chapter entitled System for details.
3. Network Setup
This chapter describes the Network Setup sections of the web management console.
Here you can configure each of your SnapGear unit’s Ethernet, wireless and serial ports.
To access Network Setup, click Network Setup under the Network Setup section of
the main web management console menu.
The QoS Traffic Shaping and IPv6 sections are also described towards the end of this
chapter.
An Ethernet network interface may be configured to connect to your LAN, DMZ, an
untrusted LAN, or the Internet as a primary, back-up or load-balancing connection. A
serial port may be configured to provide remote dial-in access, or connect to the Internet
as a primary or back-up connection. A wireless interface may be configured to connect
to your LAN, DMZ, or an untrusted LAN.
If you are using a SnapGear gateway or rack mount appliance, the section Set up the PCs on your LAN to access the Internet in the chapter entitled Getting Started describes
how to configure the PCs on your LAN to share the connection once your Internet
connection has been established.
Configuring Connections
Under the Connections tab, each of your SnapGear unit’s network interfaces display
alongside its physical Port name and the Current Details of its configuration.
Initially, all network interfaces are unconfigured, aside from a single LAN connection on
the initial setup port (switch A on SnapGear rack mount appliances, SG560, SG565 and
SG580, the LAN port on other models).
A network interface is configured by selecting a connection type from the Change Type
pull-down menu. The current configuration can be viewed or modified by clicking the
Edit icon. Clicking the Delete icon unconfigures a network interface; you are prompted
to confirm this action.
Multifunction vs. Fixed-function Ports
Some SnapGear units have network ports with labels corresponding to the port’s
function, i.e. LAN, DMZ and Internet/WAN. These are said to be fixed-function ports.
Alternatively, some SnapGear units have network ports that are generically labeled, e.g.
port A, port B, port C. These are said to be multifunction ports. This reflects the ability of
these ports to perform many different functions, e.g. port B is not limited to connecting to
the Internet only, it may be configured as a LAN connection.
Note
Before beginning configuration of multifunction ports, you should determine which
function you are assigning to each of the ports.
Proceed to the section pertaining to your SnapGear unit for information on its network
ports and possible configurations.
SG710, SG710+: Multifunction Switches and Ports
SnapGear rack mount appliances have a fixed-function LAN switch (switch A), and a
multifunction switch (switch B) and two or four multifunction Ethernet ports (C, D, E and
F).
Note
The switches’ ports can not be configured individually; a switch is configured with a single
function only (e.g., LAN switch, DMZ switch).
SG560, SG565 and SG580: Multifunction Ports
The SG560, SG565 and SG580 have generically named Ethernet ports (ports A1, A2, A3, A4 and B). By default, switch A functions as a regular LAN switch, with network
traffic passing freely between its ports. Typically, port B is used as your primary Internet
connection.
However, switch A’s ports can be configured individually to perform separate functions,
e.g. port A2 can be configured to connect to a second LAN, port A3 can be configured
as a DMZ port, and port A4 can be configured as a secondary Internet connection.
These per-port configuration scenarios are accomplished using VLANs (virtual local area
networks). For documentation concerning the advanced use of the VLAN capability of
your SnapGear unit, refer to the sections entitled VLANs and Port based VLANs towards
the end of this chapter.
All Other SG Models: Fixed-function Ports
All other SnapGear units have specifically labeled ports for specific functions.
The port labeled LAN may only perform the functions described in the section entitled
LAN Connection, the port labeled Internet or WAN may only perform the functions
described in the section entitled Internet Connection.
Note
On SG570 and SG575 models, the DMZ port is special in that it may be configured with
any kind of connection, i.e. LAN, DMZ, Guest or Internet. These connection types are
discussed during the course of this chapter.
Direct Connection
A direct connection is a direct IP connection to a network, i.e. a connection that does not
require a modem to be established. This is typically a LAN, DMZ or Guest connection,
but may also be an Internet connection. Network settings may be assigned statically, or
dynamically by a DHCP server.
Note
Direct connections may be added to a network bridge. For more information see
Bridging on page 91.
Network settings
Click the Edit icon of the interface you wish to modify.
To assign network settings statically, enter an IP Address and Subnet Mask. If you are
using the SnapGear unit in its default, network address translation mode, (see Network address translation in the Advanced section of this chapter), this is typically part of a
private IP range, such as 192.168.0.1 / 255.255.255.0. Ensure DHCP assigned is
unchecked.
If required, enter a default Gateway out which to send outgoing traffic on this connection.
For LAN connections, a default gateway is not generally necessary.
To have your SnapGear unit obtain its LAN network settings from an active DHCP server
on your local network, check DHCP assigned. Note that anything in the IP Address,
Subnet Mask and Gateway fields is then ignored.
You may also enter one or more DNS servers. To enter multiple servers, enter each IP
address separated by commas.
Firewall class
The Firewall class setting controls the basic allow/deny policy for this interface. Allowed
network traffic is accepted, denied network traffic is dropped. Dropped means network
traffic is denied silently, no response such as “connection refused” is sent back to the
originator of the traffic.
The following table details the policy associated with each firewall class. Note that VPN
and Dial-In connections are assigned a firewall class of LAN by default.
Incoming Interface    Outgoing Interface      Action
LAN                   Any                     Accept
VPN                   Any                     Accept
Dial-in               Any                     Accept
DMZ                   Internet                Accept
DMZ                   Any except Internet     Drop
Internet              Any                     Drop
Guest                 Any                     Drop
For further discussion of DMZ and Guest networks, see the sections DMZ Network and
Guest Network further on in this chapter.
Click Update to apply the new settings.
Ethernet configuration
Click the Ethernet configuration tab to modify the low-level Ethernet configuration
settings of an Ethernet network port.
If an Ethernet port is experiencing difficulties auto-negotiating with another device,
Ethernet Speed and duplex may be set manually.
On rare occasions, it may be necessary to change the Ethernet hardware or MAC Address of your SnapGear unit. The MAC address is a globally unique address and is
specific to a single SnapGear unit. It is set by the manufacturer and should not normally
be changed. However, you may need to change it if your ISP has configured your ADSL
or cable modem to only communicate with a device with a known MAC address.
Interface aliases
Interface aliases allow the SnapGear unit to respond to multiple IP addresses on a
single network interface. This is useful for when your ISP has assigned you a range of IP
addresses to use with your Internet connection, or when you have more than one subnet
connected to a single network interface.
For aliases on interfaces that have the DMZ or Internet firewall class, you must also
set up appropriate Packet Filtering and/or Port forwarding rules to allow traffic to these
addresses to be passed on to the local network. See the chapter entitled Firewall for
details.
IPv6
You must enable IPv6 under the Network Settings Connection tab for each connection
that supports IPv6. In particular, enable IPv6 for the LAN connections on which you wish
to advertise routes and on the Internet connections on which you wish to create 6to4
tunnels.
When IPv6 is enabled, the following actions are performed
o Site-local addresses are assigned to LAN connections
o The site-local DNS server address (fec0:0:0:ffff::1/64) is assigned to LAN
connections if the DNS proxy is enabled.
o Router advertisements are sent on LAN connections.
You may enter a site level aggregation value for this connection in Site Level Aggregation. It is used in the creation of a site local address and for routing IPv6 traffic
on this connection. This setting is only available for LAN connections, and should be
unique.
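The addresses named above can be worked out by hand before IPv6 is enabled, which makes it easier to check that each LAN’s Site Level Aggregation value really is unique and to know which 6to4 prefix an Internet connection will obtain. The following derivation is an added example, not code from the manual or the SnapGear firmware. It assumes the site-local prefix is fec0::/10 with the Site Level Aggregation value placed in the 16-bit subnet field (the manual does not state the exact layout), a modified EUI-64 interface identifier as defined in RFC 4291, and the standard 6to4 mapping of RFC 3056 (2002:WWXX:YYZZ::/48 from the IPv4 address WW.XX.YY.ZZ). The MAC and IPv4 addresses used are constructed samples.

```python
import ipaddress

# The site-local DNS server address the unit assigns when the DNS proxy is enabled.
SITE_LOCAL_DNS = ipaddress.IPv6Address("fec0:0:0:ffff::1")

# 6to4 needs a globally routable IPv4 address; behind NAT or on these ranges it
# cannot work (assumed check, RFC 1918 plus loopback and link-local).
_NOT_ROUTABLE = [ipaddress.IPv4Network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]


def eui64_interface_id(mac):
    """Modified EUI-64 interface identifier from a 48-bit MAC (RFC 4291):
    flip the universal/local bit of the first octet and insert ff:fe."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC address: {mac}")
    eui = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:6]
    return int.from_bytes(eui, "big")


def site_local_prefix(sla):
    """Site-local /64 for a LAN connection with Site Level Aggregation value
    `sla` (assumed layout: fec0::/10 with sla as the 16-bit subnet field)."""
    if not 0 <= sla <= 0xFFFF:
        raise ValueError("Site Level Aggregation value must fit in 16 bits")
    return ipaddress.IPv6Network(((0xFEC0 << 112) | (sla << 64), 64))


def site_local_address(sla, mac):
    """Address a host with `mac` would autoconfigure on that LAN from the
    router advertisement."""
    prefix = site_local_prefix(sla)
    return ipaddress.IPv6Address(int(prefix.network_address) | eui64_interface_id(mac))


def sla_conflicts(lan_connections):
    """lan_connections maps connection name -> SLA. Returns the (name, name)
    pairs that share an SLA; each LAN's SLA must be unique."""
    by_sla, conflicts = {}, []
    for name, sla in lan_connections.items():
        if sla in by_sla:
            conflicts.append((by_sla[sla], name))
        else:
            by_sla[sla] = name
    return conflicts


def sla_overlaps_dns(sla):
    """True if the LAN's /64 would contain the site-local DNS address, i.e.
    the SLA 0xffff is best left unused for a LAN under the assumed layout."""
    return SITE_LOCAL_DNS in site_local_prefix(sla)


def is_6to4_capable(ipv4):
    v4 = ipaddress.IPv4Address(ipv4)
    return not any(v4 in net for net in _NOT_ROUTABLE)


def sixto4_prefix(ipv4):
    """6to4 /48 the Internet connection obtains from its public IPv4 address."""
    if not is_6to4_capable(ipv4):
        raise ValueError(f"{ipv4} is not a public address; 6to4 needs one")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((0x2002 << 112) | (v4 << 80), 48))


if __name__ == "__main__":
    lans = {"LAN": 1, "LAN2": 2}                    # constructed SLA values
    print("SLA conflicts:", sla_conflicts(lans))
    for name, sla in lans.items():
        print(name, site_local_prefix(sla), site_local_address(sla, "00:11:22:33:44:55"))
    print("6to4 prefix:", sixto4_prefix("192.0.2.1"))  # constructed public address
```

6to4 has since been deprecated (RFC 7526) and relies on public relays, so treat the derived 2002::/48 prefix as a way to confirm what the unit will announce rather than as a production IPv6 design; the stateless IPv6 packet filter rules the unit enables by default also deserve review once the prefix is known.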
When IPv6 is enabled, the following actions are also performed:
o 6to4 tunnels are created on Internet connections.
o A default set of IPv6 packet filter rules is enabled. These rules are stateless (as
opposed to the IPv4 packet filter rules which are stateful). The default rules only
support a single LAN connection and a single WAN connection. You can
customize these rules on the Custom IPv6 Firewall Rules page.
ADSL
To connect to the Internet using DSL, select ADSL from the Change Type pull-down
menu for the interface that connects to your DSL modem. ADSL connections have the
interface firewall class of Internet.
If you have not already done so, connect the appropriate network port of your SnapGear
unit to your DSL modem. Power on the DSL modem and give it some time to initialize. If
fitted, ensure the Ethernet link LEDs are illuminated on both the SnapGear unit and DSL
modem.
Do not continue until it has reached the line sync state and is ready to connect.
Note
For PPPoE/PPPoA connections, ensure your DSL modem is set to operate in bridged
mode. Typically, for PPPoE connections, your DSL modem must be set to use LLC
multiplexing/encapsulation. For PPPoA connections, your DSL modem must be set to
use VC-based multiplexing/encapsulation.
Select the connection method to use in establishing a connection to your ISP as follows:
PPPoE - If your ISP uses user name and password authentication to access
the Internet.
PPTP - If your ISP has instructed you to make a dial-up VPN connection to the
Internet.
DHCP - If your ISP does not require a user name and password, or your ISP
instructed you to obtain an IP address dynamically.
Manually Assign Settings - If your ISP has given you an IP address or
address range.
If you are unsure, you may let the SnapGear unit attempt to Auto detect ADSL connection type. Note that the SnapGear unit is unable to detect the PPTP connection
type.
Note
If autodetection fails, it may be because your DSL modem is misconfigured for your
connection type, or your DSL service has not yet been provisioned by your telco.
Click Next to continue.
PPPoE
To configure a PPPoE or PPPoA connection, enter the user name and password
provided by your ISP. You may also enter a descriptive Connection Name if you wish.
Click Finish.
By default, PPPoE connections are treated as “always on” and are kept up continuously.
Alternatively, you may choose to only bring the connection up when PCs on the LAN,
DMZ or Guest network (via a VPN tunnel) are trying to reach the Internet. For
instructions, refer to the section entitled Dial on Demand further on in this chapter. As
DSL connections are not generally metered by time, this is not generally necessary.
PPTP
To configure a PPTP connection to your ISP, enter the PPTP Server IP Address and a
Local IP Address and Netmask for the SnapGear network port through which you are
connecting to the Internet.
The Local IP address is used to connect to the PPTP server and is not typically your
real Internet IP address. You may also enter a descriptive Connection Name if you
wish. Click Finish or Update.
DHCP
DHCP connections may require a Hostname to be specified, but otherwise all settings
are assigned automatically by your ISP. You may also enter a descriptive Connection Name if you wish. Click Finish or Update.
Manually assign settings
For Manually Assign Settings connections, enter the IP Address, Subnetmask, the
Gateway and the DNS Address provided by your ISP.
The latter two settings are optional, but are generally required for normal operation.
Multiple DNS addresses may be entered separated by commas. You may also enter a
descriptive Connection Name if you wish. Click Finish or Update.
Connection (dial on demand)
You may choose to bring up a PPPoE/PPPoA DSL, dialout or ISDN connection only
when PCs on the LAN, DMZ or Guest network (via a VPN tunnel) are trying to reach the
Internet and disconnect again when the connection has been idle for a specified period.
This is known as dial on demand, and is particularly useful when your connection is
metered by time.
Click the Edit icon, then the Connection tab for the connection for which you wish to
enable dial on demand.
Check Dial on Demand. Idle Time (minutes) is the number of minutes the SnapGear
unit waits after the connection becomes idle before disconnecting. Max Connection Attempts specifies the number of times the SnapGear unit attempts to connect should
the dial-up connection fail. This is useful to prevent the situation where an incorrectly
entered user name and password or expired account leads to a large phone bill. Time between redials (seconds) is the time to wait between such reconnection attempts.
Ethernet configuration
See the section entitled Ethernet configuration under Direct Connection.
Aliases
See the section entitled Aliases under Direct Connection.
Cable Modem
To connect to the Internet using a cable Internet service, select Cable Modem from the Change Type pull-down menu for the interface that connects to your cable modem.
Cable Modem connections have the interface firewall class of Internet.
If you have not already done so, connect the appropriate network port of your SnapGear
unit to your cable modem. Power on the cable modem and give it some time to initialize.
If fitted, ensure the Ethernet link LEDs are illuminated on both the SnapGear unit and
cable modem.
Select your cable ISP from the list and click Next. If your provider does not appear,
select Generic Cable Modem Provider. You may enter a descriptive Connection Name if you wish. For cable modem providers other than Generic, enter your user name
and password or hostname. Click Finish or Update.
Ethernet configuration
See the section entitled Ethernet configuration under Direct Connection.
Aliases
See the section entitled Aliases under Direct Connection.
Dialout and ISDN
To connect to the Internet using a regular dialup or ISDN service, select Dialout from the Change Type pull-down menu for the interface that connects to your dialup modem or
ISDN TA. Dialout and ISDN connections have the interface firewall class of Internet.
Note
To connect to an ISDN line, the SnapGear unit requires an intermediate device called a
Terminal Adapter (TA). A TA connects into your ISDN line and has either a serial or
Ethernet port that is connected to your SnapGear unit. Do not plug an ISDN connection
directly in to your SnapGear unit.
Enter the Phone Number(s) to Dial and the User name and Password provided by
your ISP. The DNS Server(s) setting is optional, your ISP may automatically assign
DNS servers when the connection is established. You may enter a descriptive
Connection Name if you wish. Click Finish or Update.
Note
If your ISP has provided multiple phone numbers, you may enter them separated with
commas. Use \, to send a comma (pause) to your modem, e.g. if you need to dial 0 to get
an outside line from behind a PABX, and your ISP’s number is 1234567, the Phone
Number field may look like: 0\,\,\,1234567
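Because a plain comma separates alternative numbers while an escaped comma (\,) is passed through to the modem as a pause, it is worth checking how a Phone Number(s) to Dial value will be split before relying on it for an unattended dial-out. The parser below is an added example and is not the SnapGear firmware’s own code; it assumes the field syntax exactly as described in the note above (a backslash makes the following character literal) and that each resulting number is dialled with the Hayes ATDT command, which is an assumption about the modem, not something the manual states. The sample fields are constructed.

```python
def split_phone_numbers(field):
    """Split a Phone Number(s) to Dial field into one dial string per number.
    An unescaped comma separates alternative numbers; a backslash makes the
    next character literal, so "\\," becomes a comma (a pause) inside a number.
    A trailing lone backslash is kept as-is rather than silently dropped."""
    numbers, current, i = [], [], 0
    while i < len(field):
        ch = field[i]
        if ch == "\\" and i + 1 < len(field):
            current.append(field[i + 1])   # escaped character, taken literally
            i += 2
        elif ch == ",":
            numbers.append("".join(current))
            current = []
            i += 1
        else:
            current.append(ch)
            i += 1
    numbers.append("".join(current))
    # Drop empty entries produced by stray separators such as "123,,456"
    return [n.strip() for n in numbers if n.strip()]


def pause_count(number):
    """Number of modem pauses (literal commas) embedded in one dial string."""
    return number.count(",")


def dial_commands(field):
    """The modem commands, in order, that the numbers in `field` translate to
    (assumes a Hayes-compatible modem using ATDT for tone dialling)."""
    return [f"ATDT{number}" for number in split_phone_numbers(field)]


if __name__ == "__main__":
    # Constructed samples: the PABX example from the note, plus a fallback number
    for sample in ("0\\,\\,\\,1234567", "0\\,\\,\\,1234567,5551234"):
        print(repr(sample), "->", dial_commands(sample))
```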
By default, Dialout/ISDN connections are treated as “always on” and are kept up
continuously. Alternatively, you may choose to only bring the connection up when PCs
on the LAN, DMZ or Guest network (via a VPN tunnel) are trying to reach the Internet.
For instructions, refer to the section entitled Dial on Demand further on in this chapter.
Port settings
If necessary, you may set the SnapGear unit’s serial port Baud rate and Flow Control.
This is not generally necessary.
Static addresses
The majority of ISPs dynamically assign an IP address to your connection when you dial in. However, some ISPs use pre-assigned static addresses. If your ISP has given you a
static IP address, click the Static Addresses tab, enter it in My Static IP Address
and enter the address of the ISP gateway in ISP Gateway IP Address.
Aliases
See the section entitled Aliases under Direct Connection.
Connection (dial on demand)
See the section entitled Connection (dial on demand) under ADSL.
Dial-in
A remote user may dial directly to a modem connected to the SnapGear unit’s serial port.
Once connected and authenticated, the user has access to network resources as if they
were a local user on the LAN. This may be useful for remote administration of your
SnapGear unit, or for telecommuting.
Dial-in setup
From the Change Type pull-down menu, select Dial-in for the interface that connects to
the dialup modem that answers incoming calls.
If you wish, you may enter a descriptive Connection Name.
In IP Address for Dial-In Clients, enter an available IP address. This is the address
assigned to the remote user while connected to the SnapGear unit; it must not already
be in use on the network (typically the LAN) to which the remote user is connected.
If you have configured several network connections, select the one that you want to
connect remote users to from the IP Address for Dial-In Server pull-down menu. This is
typically a LAN interface or alias.
Select the weakest Authentication Scheme to accept. Access is denied to remote
users attempting to connect using an authentication scheme weaker than this. They are
described below, from strongest to weakest:
Encrypted Authentication (MS-CHAP v2): The strongest type of authentication to
use. This is the recommended option.
Encrypted Authentication (MS-CHAP): This is not a recommended encryption type
and should only be used for older dial-in clients that do not support MS-CHAP v2.
Weakly Encrypted Authentication (CHAP): This is the weakest type of encrypted
password authentication to use. It is not recommended that clients connect using this
as it provides very little password protection. Also note that clients connecting using
CHAP are unable to encrypt traffic.
Unencrypted Authentication (PAP): This is plain text password authentication.
When using this type of authentication, the client passwords are transmitted unencrypted.
Select the Required Encryption Level; access is denied to remote users attempting to
connect without using this encryption level. Using Strong Encryption (MPPE 128 Bit) is
recommended.
Select the Authentication Database. This allows you to indicate where the list of valid
clients can be found. You can select from the following options:
Local: Use the local database defined on the Local Users tab of the Users page.
You must enable the Dial-in Access option for the individual users that are allowed
dial-in access.
RADIUS: Use an external RADIUS server as defined on the RADIUS tab of the
Users page.
TACACS+: Use an external TACACS+ server as defined on the TACACS+ tab of the
Users page.
Note
See the Users section of the chapter entitled System for details on adding user accounts
for dial-in access, and configuring the SnapGear unit to enable authentication against a
RADIUS or TACACS+ server.
Click Update.
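The two controls above (the weakest Authentication Scheme to accept and the Required Encryption Level) interact: a client that satisfies the minimum scheme can still be refused because its scheme yields no MPPE key material. The following Python model, an added illustration rather than SnapGear code (the enum and function names are assumptions, and only the MPPE 128 Bit level is named on the page), shows the admission decision for one dial-in attempt:

```python
"""Dial-in admission policy: minimum authentication scheme plus required
encryption level. Added illustration, not SnapGear code."""

from enum import IntEnum


class AuthScheme(IntEnum):
    """Schemes ordered weakest to strongest, as the manual lists them."""
    PAP = 0        # plaintext password on the wire
    CHAP = 1       # challenge/response; yields no MPPE key material
    MSCHAP = 2
    MSCHAPV2 = 3


class Encryption(IntEnum):
    """Required Encryption Level. Only MPPE 128 is named on the page;
    NONE is an assumed 'no encryption required' setting."""
    NONE = 0
    MPPE_128 = 128


# Schemes from which MPPE session keys can be derived. PAP and CHAP clients
# cannot encrypt traffic (the manual says so for CHAP), so they must be
# refused whenever any encryption level is required.
MPPE_CAPABLE = {AuthScheme.MSCHAP, AuthScheme.MSCHAPV2}


def dialin_decision(client_scheme: AuthScheme, client_mppe_bits: int,
                    min_scheme: AuthScheme, required: Encryption) -> tuple:
    """Return (accept, reason) for one PPP dial-in attempt.

    client_mppe_bits is the MPPE key length the client negotiated (0 = none).
    """
    if client_scheme < min_scheme:
        return False, f"{client_scheme.name} is weaker than required {min_scheme.name}"
    if required != Encryption.NONE:
        if client_scheme not in MPPE_CAPABLE:
            return False, f"{client_scheme.name} cannot encrypt traffic"
        if client_mppe_bits < int(required):
            return False, f"MPPE {client_mppe_bits}-bit is below required {int(required)}-bit"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed policy: accept CHAP or better, but insist on 128-bit MPPE.
    policy = (AuthScheme.CHAP, Encryption.MPPE_128)
    for scheme, bits in [(AuthScheme.MSCHAPV2, 128), (AuthScheme.CHAP, 0),
                         (AuthScheme.PAP, 0), (AuthScheme.MSCHAP, 40)]:
        print(f"{scheme.name:9s} mppe={bits:3d}", dialin_decision(scheme, bits, *policy))
```

The constructed policy in the demo is deliberately permissive on scheme and strict on encryption; it still rejects the CHAP client, which is why the manual recommends MS-CHAP v2 together with MPPE 128 Bit.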
Connecting a dial-in client
Remote users can dial in to the SnapGear unit using the standard Windows Dial-Up Networking software or similar. The following instructions are for Windows 2000/XP.
Click Start > Settings > Network and Dial-up Connections and select Make New Connection. The network connection wizard guides you through setting up a remote
access connection:
Click Next to continue.
Select Dial-up to private network as the connection type and click Next to continue.
Select Use dialing rules to enable you to select a country code and area code. This
feature is useful when using remote access in another area code or overseas.
Click Next to continue.
Select the option Only for myself to make the connection only available for you. This is
a security feature that does not allow any other users who log onto your machine to use
this remote access connection:
Enter a name for the connection and click Finish to complete the configuration. Check
Add a shortcut to my desktop to add an icon for the remote connection to the desktop.
To launch the new connection, double-click on the new icon on the desktop. The remote
access login screen appears as in the next figure. If you did not create a desktop icon,
click Start > Settings > Network and Dial-up Connections and select the appropriate
connection. Enter the user name and password set up for the SnapGear unit dial-in
account.
Failover, Load Balancing and High Availability
Note
This section applies to SG gateway and rack mount appliances only.
The SnapGear unit supports a wide range of configurations through which you can use
multiple Internet connections, and even multiple SnapGear units, to help ensure Internet
availability in the event of service outage or heavy network load.
The following Internet availability services are provided by the SnapGear unit. They may
be configured individually, or in combination.
Internet Failover: A backup, redundant
Internet connection (or connections) that is only established should the primary link
lose connectivity
Load Balancing: Another Internet connection (or connections) concurrently with the
primary link, for spreading network load over multiple connections
High Availability: A back up, redundant SnapGear unit to monitor the status of the
primary unit, coming online and becoming the Internet gateway for your network
should the primary SnapGear unit fail
Note
SnapGear unit models SG300, SG530 and SG550 are limited to Internet availability
configurations using a single broadband Internet connection and a single dialout or ISDN
connection.
Configure Internet connections
Configure all Internet connections to use in conjunction with the SnapGear unit’s Internet
availability services. Secondary and tertiary Internet connections are configured in the
same manner as the primary Internet connection, as detailed in the sections entitled
Direct Connection, ADSL, Cable Modem, and Dialout/ISDN earlier in this chapter.
Note
If you are using a SnapGear unit model SG560, SG565 or SG580, you may want to skip
to information on establishing multiple broadband connections. This information is in the
section entitled Port Based VLANs on page 97.
Once the Internet connections have been configured, specify the conditions under which
the Internet connections are established.
Internet Failover
Note
If you have configured your SG560, SG565 or SG580’s switch as separate ports, and are
establishing multiple PPPoE ADSL Internet connections using two or more of these ports,
it is important that each port is connected to a remote device with a unique MAC address.
This is almost definitely the case if each of the Internet connections is through a different
ISP; otherwise you may have to request this specifically from your ISP.
If this is not possible, set each of the ADSL modems to routing or NAT rather than
bridged mode. Typically this means the ADSL modem terminates the PPPoE
connection, and the SG appliance is configured with DHCP or manually assigned
settings, using the ADSL modem as a gateway.
SnapGear units support three connection levels. A connection level consists of one or
more Internet connections. When all primary connections are functioning as expected,
the primary connection level is deemed to be up.
If one or more of the primary connections should fail, the SnapGear unit drops back to
the secondary connection level. This typically involves bringing up a secondary Internet
connection, until the primary Internet connection or connections become available again.
You may also optionally configure the tertiary failover level. If one or more of the
secondary connections should fail, the SnapGear unit drops back to the tertiary
connection level. This is typically a “last resort” dialup link to the Internet, but may be any
kind of network connection. The primary connection level and secondary connection
level are tested in turn, until one becomes available.
Note
Internet failover is not stateful, i.e. any network connections that were established
through the failed primary connection must be re-established through the secondary
connection.
Edit connection parameters
The first step of configuring failover is to set failover parameters for each connection.
These parameters specify how to test whether a connection is up and functioning
correctly.
On the Network Setup page, click the Failover & H/A tab. A list of the connections that
you have configured is displayed under the Connection Failover tab, alongside ticks
and crosses. The ticks and crosses indicate how the connection behaves at each
failover level; this is discussed further in the section entitled Modify failover levels (primary, secondary, tertiary).
Click the Edit icon next to the connection to edit its failover parameters. The Name and
Port of this connection are displayed, along with several options.
Select a Test Type. The Ping test is usually appropriate.
Ping sends network traffic to a remote host at regular intervals; if a reply is received,
the connection is deemed to be up.
Custom (advanced users only) allows you to enter a custom console command to run
to determine whether the connection is up. This is typically a script you have written
and uploaded to the SnapGear unit.
Always Up means no test is performed, and Internet failover is disabled for this
connection.
If you wish, you may fine-tune the timeouts for the failover test; however, the defaults are
usually suitable.
Test Delay is the number of seconds to wait after starting this connection before
testing whether it is functioning correctly; a longer delay is used for connection types
that are slow to establish, such as dialout.
Retry Delay is the number of seconds to wait after a connection test fails before
reattempting the test.
Times to attempt this connection is the number of times to try a connection before
giving up. Once the SnapGear unit has given up trying this connection, manual
intervention is required to re-establish it.
Click Next to configure settings specific to the Test Type.
If you selected a Test Type of Always Up, no further configuration is required. Skip
ahead to Modify failover levels (primary, secondary, tertiary).
If you selected Custom, enter the custom Test Command that is used to test the
If the Test Command exits with a return code of zero (0), the test is deemed to have
passed and the connection is considered up. Otherwise, the connection is considered
down. Also note that $if_netdev is replaced with the name of the network interface
on which the test is being run, e.g. ppp0.
If you selected Ping, enter an IP Address to Ping. Ensure you choose a host on the
Internet that can be contacted reliably and responds to pings. You can check whether
you can ping a host under Diagnostics > Network Tests > Ping Test.
Ping Interval is the time to wait between sending each ping. Failed Pings is the
number of missed ping replies before this connection attempt is deemed to have
failed.
The second and final step of configuring Internet failover is associating Internet
connections with the primary, secondary and optionally tertiary connection levels.
Recall that a connection level is one or more connections. These connections may be
marked as Required or Enabled. Internet connections that are marked Disabled are not
part of this connection level. A connection level is deemed to be up when all connections
marked Required at that level are up, and at least one connection (marked Required or
Enabled) at that level is up.
On the Network Setup page, click the Failover & H/A tab, then Modify Levels. A table
is displayed listing each of the connections alongside a drop down box for each
connection level.
Note
If a connection is marked <Always Up>, you must edit its connection parameters as
described by the previous section before it can be associated with a connection level.
First, configure the Primary connection level. If you have a single Internet connection
only, setting it to Enabled or Required has the same effect. For failover to occur, you
must then configure at least the secondary connection level. Click Finish.
This returns you to the main Connection Failover page. You’ll notice that ticks and
crosses are displayed alongside each connection, describing how they are configured for
each connection level. A red cross means Disabled, a green tick means Enabled and
a green tick with a small red plus means Required.
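The two failover steps above (per-connection test parameters, then the Required / Enabled / Disabled roles at each connection level) combine into a small amount of logic that is easy to get wrong, in particular the rule that one Required connection being down takes the whole level down even when an Enabled connection at that level is healthy. The following Python model is an added illustration, not the SnapGear unit's own failover code; the class and field names are assumptions, the ping histories are constructed, and the Custom test runs the command through the local shell with `$if_netdev` substituted exactly as the manual describes:

```python
"""Model of Internet failover: per-connection tests (Ping, Custom, Always Up)
and Required / Enabled / Disabled roles at the primary, secondary and
tertiary levels. Added illustration, not SnapGear code."""

import shlex
import subprocess
from dataclasses import dataclass
from enum import Enum


class Role(Enum):
    DISABLED = "disabled"
    ENABLED = "enabled"
    REQUIRED = "required"


@dataclass
class PingTest:
    """'Ping' test type. replies is a constructed history of probe results
    (True = reply received); the connection is down once the last
    failed_pings probes have all gone unanswered."""
    replies: list
    failed_pings: int = 3

    def is_up(self, netdev: str) -> bool:
        return any(self.replies[-self.failed_pings:])


@dataclass
class CustomTest:
    """'Custom' test type: run a console command; exit status 0 means up.
    $if_netdev is replaced with the interface name, as the manual describes."""
    command: str

    def is_up(self, netdev: str) -> bool:
        cmd = self.command.replace("$if_netdev", shlex.quote(netdev))
        return subprocess.run(cmd, shell=True).returncode == 0


class AlwaysUp:
    """'Always Up': no test is performed, so the connection cannot take part
    in a failover level until it is given a real test."""
    def is_up(self, netdev: str) -> bool:
        return True


@dataclass
class Connection:
    name: str
    netdev: str
    test: object
    levels: dict  # {"primary": Role, "secondary": Role, "tertiary": Role}


LEVELS = ("primary", "secondary", "tertiary")


def level_is_up(conns, level: str) -> bool:
    """A level is up when every Required member is up and at least one
    Required or Enabled member is up. Disabled members are ignored."""
    members = [(c, c.levels.get(level, Role.DISABLED)) for c in conns]
    members = [(c, r) for c, r in members if r is not Role.DISABLED]
    if any(isinstance(c.test, AlwaysUp) for c, _ in members):
        raise ValueError("Always Up connections must be given a test first")
    if not members:
        return False
    state = {c.name: c.test.is_up(c.netdev) for c, _ in members}
    required_ok = all(state[c.name] for c, r in members if r is Role.REQUIRED)
    return required_ok and any(state.values())


def active_level(conns):
    """Levels are tried in turn; the first one that is up carries traffic."""
    for level in LEVELS:
        if level_is_up(conns, level):
            return level
    return None  # every level is down: manual intervention is needed


def sample_connections():
    """Constructed sample: the DSL link has stopped answering pings, the cable
    link is healthy, and a dialup link is the last resort."""
    return [
        Connection("dsl", "ppp0", PingTest([True, True, False, False, False]),
                   {"primary": Role.REQUIRED}),
        Connection("cable", "eth1", PingTest([True, False, True, True, True]),
                   {"primary": Role.ENABLED, "secondary": Role.REQUIRED}),
        Connection("dialup", "ppp1", CustomTest("test -n $if_netdev"),
                   {"tertiary": Role.REQUIRED}),
    ]


if __name__ == "__main__":
    conns = sample_connections()
    for level in LEVELS:
        print(level, "up" if level_is_up(conns, level) else "down")
    print("active level:", active_level(conns))
```

In the sample the cable link is up at the primary level, yet the primary level is down because the DSL link is marked Required there; traffic moves to the secondary level, where cable is the Required member. Marking DSL as Enabled instead of Required would keep the primary level up on cable alone.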
Internet Load Balancing
Once you have configured two or more Internet connections, you may enable Internet
load balancing. Load balancing may be used in conjunction with Internet failover, or on
its own.
Note
If you have configured your SG560, SG565 or SG580’s switch as separate ports, and are
establishing multiple PPPoE ADSL Internet connections using two or more of these ports,
it is important that each port is connected to a remote device with a unique MAC address.
This is almost definitely the case if each of the Internet connections is through a different
ISP; otherwise you may have to request this specifically from your ISP.
If this is not possible, set each of the ADSL modems to routing or NAT rather than
bridged mode. Typically this means the ADSL modem terminates the PPPoE
connection, and the SG appliance is configured with DHCP or manually assigned
settings, using the ADSL modem as a gateway.
The Internet connections need not be the same, e.g. you can perform load balancing
between a PPPoE ADSL connection on one network port, and a Cable Internet
connection on the other.
Enabling load balancing
Under the Failover & H/A tab, click Modify Levels.
Check Load Balance for each connection to enable for load balancing. Click Finish.
Note
Load balancing settings are not specified for each failover level; load balancing occurs
when any two or more load balancing connections are up.
Limitations of load balancing
Load balancing works by alternating outgoing traffic across Internet connections in a
round robin manner. It does not bond both connections together to work as one link, e.g.
it does not bond two 512 Kbit/s links to function as a single 1 Mbit/s link.
Total bandwidth and available bandwidth are not taken into account when choosing a
connection on which to send outgoing traffic.
When an internal client makes a connection to a server on the Internet, this and
subsequent connections between the internal client and remote server are confined
to the one Internet connection to ensure connections are not broken.
If a second internal client makes a connection to the same remote server, it may or may
not go across the same link, depending on which Internet connection is next to be
selected in the round robin process.
VPN connections such as IPSec or PPTP tunnels are confined to a single Internet
connection, as each tunnel is a single connection (that encapsulates other connections).
Load balancing is not performed for incoming traffic. This scenario can be addressed
using other solutions such as round robin DNS to alternate incoming connections
between the two links.
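The limitations listed above follow from one mechanism: links are chosen round robin per new (client, server) pair, and the chosen link is then pinned for that pair. The following Python model is an added illustration, not the SnapGear unit's code; the class name and the documentation-range addresses are assumptions. It also shows the consequence of a link failing, since failover is not stateful and the pinned connections must be re-established:

```python
"""Round-robin load balancing with per-(client, server) stickiness, as the
manual describes it. Added illustration, not SnapGear code."""


class RoundRobinBalancer:
    def __init__(self, links):
        self._links = list(links)   # Internet connections marked Load Balance that are up
        self._next = 0              # round-robin cursor
        self._pinned = {}           # (client, server) -> link carrying that pair

    def select(self, client: str, server: str) -> str:
        """Pick the link for a new outgoing connection from client to server."""
        if not self._links:
            raise RuntimeError("no Internet connection is up")
        if len(self._links) == 1:
            return self._links[0]   # balancing needs two or more links up
        key = (client, server)
        if key not in self._pinned:
            # First connection for this pair: take the next link in rotation.
            # Bandwidth is not considered, only whose turn it is.
            self._pinned[key] = self._links[self._next % len(self._links)]
            self._next += 1
        return self._pinned[key]

    def link_down(self, link: str) -> list:
        """Remove a failed link and return the (client, server) pairs whose
        connections were on it; those connections are broken and must be
        re-established, since failover is not stateful."""
        self._links.remove(link)
        lost = [pair for pair, via in self._pinned.items() if via == link]
        for pair in lost:
            del self._pinned[pair]
        return lost


if __name__ == "__main__":
    # Constructed example: two internal clients, two remote servers, two links.
    lb = RoundRobinBalancer(["adsl", "cable"])
    for client, server in [("192.168.1.10", "203.0.113.10"),
                           ("192.168.1.10", "203.0.113.10"),
                           ("192.168.1.11", "203.0.113.10"),
                           ("192.168.1.10", "198.51.100.7")]:
        print(client, "->", server, "via", lb.select(client, server))
    print("adsl down; broken pairs:", lb.link_down("adsl"))
    print("192.168.1.10 -> 203.0.113.10 now via", lb.select("192.168.1.10", "203.0.113.10"))
```

A VPN tunnel is just one such pair (the unit's own address and the remote gateway), which is why the whole tunnel, and everything inside it, sits on one link.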
High Availability
Just as Internet failover keeps a redundant Internet connection on stand-by should the
primary connection fail, high availability allows a second SnapGear unit to provide
network connectivity should the primary SnapGear unit fail.
High availability is accomplished with two SnapGear units on the same network segment
which provide some identical network service (such as Internet access) to other hosts on
that network segment.
A "floating" IP address (e.g. 192.168.1.254) is automatically configured as an alias on the
interface on that network segment on exactly one of the SnapGear units. This is done via
simple negotiation between the two SnapGear units such that one unit has the IP
address (master) and one does not (slave).
Note
This floating IP address is in addition to the primary IP addresses of the two SnapGear
units (e.g. 192.168.1.1 and 192.168.1.2) for the interface on the network segment.
The floating IP address and primary IP addresses of the two SnapGear units need not be
part of the same network (e.g. 192.168.1.0/24), but typically will be.
Typically, hosts on the local network will use the floating IP address as their gateway, and
only use the devices’ primary IP addresses when they need to contact a particular
SnapGear unit, e.g. to access that unit’s management console.
The following diagrams illustrate the basic HA configuration discussed above.
In this scenario, SnapGear unit #1 is initially the master and therefore the default gateway
for the local network and SnapGear unit #2 is the slave on standby. This may be
because SnapGear unit #1 booted up before SnapGear unit #2, or SnapGear unit #2 may
have previously failed, but has now come back online.
Should SnapGear unit #1 lose LAN connectivity (e.g. someone accidentally powers it
down), SnapGear unit #2 assumes the floating IP address and becomes the default
gateway for the local network.
Later, SnapGear unit #1 comes back online as the slave. SnapGear unit #2 continues its
role as the default gateway for the local network.
Note
Using the default high availability script, a high availability failover is not triggered by the
master simply losing Internet connectivity. The master must become uncontactable to
the slave via the local network segment for an HA failover to be triggered.
Enabling high availability
On each of the devices, click Network Setup, Failover & H/A, then the High Availability tab.
Click New. Select Check this interface. From the Network Interface dropdown select
the interface that you will be ‘checking’. In the IP Address field, enter the shared IP
address and click Finish.
The shared IP address will automatically be configured as an alias interface by the HA
script and logic on whichever device is currently the master device. More sophisticated
HA scenarios can be configured by setting up a basic configuration here and then
manually editing the ifmond.conf file and the scripts it calls.
Note
Both devices should have identical High Availability configuration, including the list of
interfaces, shared IP addresses, and the interface configured as the checked interface.
DMZ Network
Note
Not available on the SG300, SG530, SG550 or SG PCI appliances.
A DMZ (de-militarized zone) is a physically separate LAN segment, typically used to host
servers that are publicly accessible from the Internet. Servers on this segment are
isolated to provide better security for your LAN. If an attacker compromises a server on
the LAN, then the attacker immediately has direct access to your LAN. However, if an
attacker compromises a server in a DMZ, they are only able to access other machines on
the DMZ.
In other words, by default the SnapGear unit blocks network traffic originating from the
DMZ from entering the LAN. Additionally, any network traffic originating from the Internet
is blocked from entering the DMZ and must be specifically allowed before the servers
become publicly accessible. However, network traffic originating from the LAN is
allowed into the DMZ and network traffic originating from the DMZ is allowed out to the
Internet.
The section Services on the DMZ Network discusses how to allow certain traffic from the
Internet into the DMZ. To allow public access to the servers in the DMZ from the
Internet, this step must be performed. You may also allow certain network traffic
originating from the DMZ into the LAN, however this is not usually necessary.
By default, machines on the DMZ network have addresses in a private IP address range,
such as 192.168.1.0 / 255.255.255.0 or 10.1.0.0 / 255.255.0.0. Real world addresses
may be used on the DMZ network by unchecking Enable NAT from DMZ interfaces to Internet interfaces under the Advanced tab. See the Network address translation
section later in this chapter for further information.
Configuring a DMZ connection
Select Direct Connection from the Configuration pull-down box of the network port to
be connected to the DMZ. Enter appropriate IP address settings and select DMZ from
Firewall Class pull-down menu.
Configuring a Direct Connection is described in detail in the section entitled Direct Connection towards the beginning of this chapter.
Services on the DMZ network
Once you have configured the DMZ connection, configure the SnapGear unit to allow
access to services on the DMZ. There are two methods of allowing access.
If the servers on the DMZ have public IP addresses, you need to add packet filtering
rules to allow access to the services. See the section called Packet Filtering in the
chapter entitled Firewall.
If the servers on the DMZ have private IP addresses, you need to port forward
the services. See the section called Incoming Access in the chapter entitled Firewall.
Creating port forwarding rules automatically creates associated packet filtering rules to
allow access. However, you can also create custom packet filtering rules if you wish to
restrict access to the services.
You may also want to configure your SnapGear unit to allow access from servers on your
DMZ to servers on your LAN. By default, all network traffic from the DMZ to the LAN is
dropped. See the section called Packet Filtering in the chapter entitled Firewall.
Guest Network
Note
Not available on the SG300, SG530, SG550 or SG PCI appliances.
The intended usage of Guest connections is for connecting to a Guest network, i.e. an
untrusted LAN or wireless network. Machines connected to the Guest network must
establish a VPN connection to the SnapGear unit in order to access the LAN, DMZ or
Internet.
By default, you can configure the SG’s DHCP server to hand out addresses on a Guest
network, and the SG’s VPN servers (IPSec, PPTP, etc.) to listen for connections from a
Guest network and establish VPNs. Aside from this, access to any LAN, DMZ or Internet
connections from the Guest network is blocked.
If you want to allow machines on a Guest network direct access to the Internet, LAN or
DMZ without first establishing a VPN connection, add packet filtering rules to allow
access to services on the LAN or Internet as desired. See the Packet Filtering section in
the chapter entitled Firewall for details.
Warning
Caution is advised before allowing machines on a Guest network direct access to your
LAN. This may make it a lot easier for an attacker to compromise internal servers.
Caution is advised before allowing machines on a Guest network direct access to the
Internet, particularly in the case of Guest wireless networks. This may result in
unauthorized use of your Internet connection for sending spam, other malicious or illegal
activities, or simply Internet access at your expense.
Machines on the Guest network typically have addresses in a private IP address range,
such as 192.168.2.0 / 255.255.255.0 or 10.2.0.0 / 255.255.0.0. For network address
translation (NAT) purposes, the Guest connection is considered a LAN interface, i.e. the
NAT checkboxes for LAN interfaces under Advanced modify settings for both LAN
connections and Guest connections. See the Network address translation section later in
this chapter for further information.
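The DMZ and Guest sections above describe a default policy between firewall classes (DMZ to LAN dropped, Internet to DMZ dropped until a rule or port forward opens it, Guest to anything dropped except DHCP and VPN setup to the unit itself) with administrator rules layered on top. The following Python evaluator is an added illustration, not the SnapGear unit's firewall rule set; the class names, the pseudo-zone "Unit" for traffic addressed to the appliance, the assumption that LAN hosts may reach the unit and the Internet, and the standard DHCP/IPSec/PPTP port numbers used for the Guest exceptions are not taken from the page:

```python
"""Default inter-zone policy of the DMZ and Guest sections, with explicit
allow rules layered on top. Added illustration, not SnapGear code."""

from dataclasses import dataclass
from typing import Optional

# "Unit" is an assumed pseudo-zone for traffic addressed to the SnapGear unit itself.
ZONES = ("LAN", "DMZ", "Guest", "Internet", "Unit")

# Traffic allowed by default between different firewall classes.
# LAN -> DMZ and DMZ -> Internet are stated in the DMZ section; LAN -> Internet
# is the masquerading behaviour; LAN -> Unit (management) is an assumption.
DEFAULT_ALLOW = {("LAN", "Internet"), ("LAN", "DMZ"), ("LAN", "Unit"), ("DMZ", "Internet")}

# Guest clients may only reach the unit for DHCP and to set up a VPN.
# Standard port numbers (assumption: the page names no ports).
GUEST_TO_UNIT = {("udp", 67),            # DHCP
                 ("udp", 500), ("udp", 4500),   # IPSec IKE / NAT-T
                 ("tcp", 1723), ("gre", None)}  # PPTP control + GRE


@dataclass(frozen=True)
class Packet:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class AllowRule:
    """A packet filtering rule, or the rule a port forward creates automatically."""
    src_zone: str
    dst_zone: str
    proto: str
    dport: int

    def matches(self, pkt: Packet) -> bool:
        return (self.src_zone == pkt.src_zone and self.dst_zone == pkt.dst_zone
                and self.proto == pkt.proto and self.dport == pkt.dport)


def decide(pkt: Packet, rules=()) -> str:
    """Return "allow" or "drop" for the first packet of a new flow."""
    for zone in (pkt.src_zone, pkt.dst_zone):
        if zone not in ZONES:
            raise ValueError(f"unknown zone {zone!r}")
    if pkt.src_zone == pkt.dst_zone:
        return "allow"   # same segment; assumption: such traffic never crosses the firewall
    if pkt.src_zone == "Guest" and pkt.dst_zone == "Unit" \
            and (pkt.proto, pkt.dport) in GUEST_TO_UNIT:
        return "allow"   # DHCP lease or VPN tunnel setup from the Guest network
    if (pkt.src_zone, pkt.dst_zone) in DEFAULT_ALLOW:
        return "allow"
    if any(rule.matches(pkt) for rule in rules):
        return "allow"   # explicitly opened by the administrator
    return "drop"        # DMZ -> LAN, Internet -> *, Guest -> * by default


if __name__ == "__main__":
    # Constructed example: one public web server in the DMZ, opened by a port forward.
    rules = [AllowRule("Internet", "DMZ", "tcp", 80)]
    for pkt in [Packet("Internet", "DMZ", "tcp", 80), Packet("Internet", "DMZ", "tcp", 22),
                Packet("DMZ", "LAN", "tcp", 445), Packet("LAN", "DMZ", "tcp", 22),
                Packet("Guest", "Internet", "tcp", 80), Packet("Guest", "Unit", "udp", 500)]:
        print(pkt.src_zone, "->", pkt.dst_zone, pkt.proto, pkt.dport, decide(pkt, rules))
```

Note what the port-forward rule does not do: it opens only TCP 80 from the Internet to the DMZ, so a compromised DMZ web server still cannot start connections into the LAN, which is the isolation the DMZ section is describing.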
Configuring a Guest connection
Select Direct Connection from the Configuration pull-down box of the network port to
be connected to the Guest network. Enter appropriate IP address settings and select
Guest from Firewall Class pull-down menu.
Configuring a Direct Connection is described in detail in the section entitled Direct
Connection towards the beginning of this chapter.
Wireless
Note
SG565 only.
The SnapGear unit’s wireless interface may be configured as a wireless access point,
accepting connections from 802.11b (11 Mbit/s) or 802.11g (54 Mbit/s) capable wireless
clients.
Typically, the SnapGear unit’s wireless interface is configured in one of two ways: with
strong wireless security (WPA) to bridge wireless clients directly onto your LAN, or with
weak wireless security as a Guest connection. The latter requires wireless clients to
establish a VPN tunnel on top of the wireless connection to access the LAN, DMZ and
Internet, to compensate for the security vulnerabilities WEP poses.
Configuring a wireless connection
Select Direct Connection from the Change Type pull-down box of the wireless network
interface. Enter appropriate IP address information for the wireless network, and from
the Firewall Class pull-down menu, select whether your wireless network is a Guest,
DMZ, LAN or Internet connection.
Warning
We strongly recommend that the wireless interface be configured as a LAN connection
only if wireless clients are using WPA based encryption/authentication. This is
discussed in further detail later in this section.
Configuring a Direct Connection is described in detail in the section entitled Direct
Connection towards the beginning of this chapter. See the sections DMZ Network and
Guest Network earlier in this chapter for further discussion of these network types.
In addition to connection configuration, you may also configure wireless access point,
access control list (ACL) and advanced settings. These settings are described in the
following section.
Note
A walkthrough for configuring your SnapGear unit to bridge wireless clients directly onto
your LAN is provided in the section entitled Connecting wireless clients, towards the end
of the Wireless section.
Basic wireless settings
To edit basic wireless settings, click the Edit icon alongside the Wireless network
interface, click the Wireless Configuration tab, then the Access Point tab. Each of the
fields is discussed below.
ESSID: (Extended Service Set Identifier) The ESSID is a unique name that identifies a
wireless network. This value is case sensitive, and may be up to 32 alphanumeric
characters.
Broadcast ESSID: Enables broadcasting of the ESSID. This makes this wireless
network visible to clients that are scanning for wireless networks. Choosing not to
broadcast the ESSID should not be considered a security measure; clients can still
connect if they know the ESSID, and it is possible for network sniffers to read the ESSID
from other clients.
Channel/Frequency: Select the operating frequency or channel for the wireless network.
Changing to a different channel may give better performance if there is interference from
another access point.
Bridge Between Clients: This setting enables the access point to forward packets
between clients at the wireless level, i.e. wireless clients are able to “see” each other.
This means that packets between wireless clients are not restricted by the firewall. Note
that if you disable this setting, but you still want to allow access between clients in the
firewall, you usually also need to configure each client to route to other clients via the
access point.
Wireless security
Encryption and authentication settings for your wireless network are configured under
Access Point. Fields vary based on the security method you choose.
If Security Method is set to None, any client is allowed to connect, and there is no data
encryption.
Warning
If you use this setting, then it is highly recommended that you configure the wireless
interface as a Guest connection, disable bridging between clients, and only allow VPN
traffic over the wireless connection.
WEP security method
WEP (Wired Equivalent Privacy) allows for 64 or 128 bit encryption.
Warning
The WEP protocol has known security flaws, so it is recommended that you configure the
wireless interface as a Guest connection, disable bridging between clients, and only allow
VPN traffic over the wireless connection.
WEP Authentication:
Open System: Allow any client to authenticate. Since clients must still have a
valid WEP key in order to send or receive data, this setting does not make the
WEP protocol less secure, and is the recommended setting.
Shared Key: Clients must use the WEP key to authenticate.
Warning
Due to flaws in the authentication protocol, this method reduces the security of
the WEP key. It is recommended that you use Open System authentication
instead.
Open System or Shared Key: Allows clients to authenticate using either of the
above two methods.
WEP Key Length: This sets the length of the WEP keys to be entered below. It is
recommended to use 128 bit keys if possible.
WEP Key: Enter up to 4 encryption keys. These must be either 10 hexadecimal digits (0
– 9, A – F) for 64 bit keys, or 26 hexadecimal digits for 128 bit keys. You must also
select one of the 4 keys to be the default transmit key.
WEP with 802.1X
WEP with 802.1X extends Wired Equivalent Privacy to use the IEEE 802.1X protocol to
authenticate the user and dynamically assign a 128 bit encryption key via a RADIUS
server. This is a significant improvement to the security of WEP.
The RADIUS server must be defined on the RADIUS page (see the RADIUS section of
the chapter entitled System).
WPA-PSK (aka WPA-Personal) security method
WPA-PSK (Wi-Fi Protected Access Preshared Key) is an authentication and encryption
protocol that fixes the security flaws in WEP. This is the recommended security method if
you do not have a RADIUS server.
WPA Encryption: Select the encryption algorithm, either TKIP (Temporal Key Integrity
Protocol) or AES (Advanced Encryption Standard). TKIP is more commonly supported
by wireless clients; AES is more secure, but may not be supported by wireless clients.
WPA Key: Enter the WPA preshared key, which can be either 8 to 63 ASCII characters,
or 64 hexadecimal characters.
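The key formats given for the WEP Key and WPA Key fields above are easy to get wrong by one character, and the two accepted WPA forms are related: the 64-hexadecimal-digit form is the 256-bit key that a passphrase is turned into. The following Python checks are an added illustration, not SnapGear code; the function names are assumptions, and the derivation is the standard 802.11i passphrase-to-PSK computation (PBKDF2-HMAC-SHA1 with the ESSID as salt, 4096 iterations):

```python
"""Format checks for WEP keys and WPA preshared keys, plus the standard
passphrase-to-PSK derivation. Added illustration, not SnapGear code."""

import hashlib
import string

HEX_DIGITS = set(string.hexdigits)
WEP_HEX_LENGTH = {64: 10, 128: 26}   # WEP Key Length (bits) -> hex digits required


def validate_wep_key(key: str, key_length_bits: int) -> tuple:
    """Return (ok, message) for one entry of the WEP Key field."""
    if key_length_bits not in WEP_HEX_LENGTH:
        return False, f"WEP Key Length must be one of {sorted(WEP_HEX_LENGTH)} bits"
    want = WEP_HEX_LENGTH[key_length_bits]
    if len(key) != want:
        return False, f"{key_length_bits}-bit WEP key needs {want} hex digits, got {len(key)}"
    if not set(key) <= HEX_DIGITS:
        return False, "WEP key must contain only hexadecimal digits 0-9, A-F"
    return True, "ok"


def validate_wpa_psk(psk: str) -> tuple:
    """Return (ok, message): 8 to 63 printable ASCII characters (a passphrase)
    or exactly 64 hexadecimal digits (the raw 256-bit PSK)."""
    if len(psk) == 64:
        if set(psk) <= HEX_DIGITS:
            return True, "raw 256-bit PSK"
        return False, "a 64-character key must be hexadecimal"
    if 8 <= len(psk) <= 63:
        if all(32 <= ord(ch) <= 126 for ch in psk):
            return True, "passphrase"
        return False, "passphrase must be printable ASCII"
    return False, "passphrase must be 8 to 63 characters, or a 64-digit hex key"


def derive_psk(passphrase: str, essid: str) -> str:
    """802.11i PSK derivation: PBKDF2-HMAC-SHA1(passphrase, ESSID, 4096, 32 bytes).
    The result is the 64-hex-digit form the WPA Key field also accepts, and it
    changes with the ESSID, so re-using a passphrase across networks still
    yields different keys."""
    ok, why = validate_wpa_psk(passphrase)
    if not ok or len(passphrase) == 64:
        raise ValueError(f"not a valid passphrase: {why}")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), essid.encode(), 4096, 32).hex()


if __name__ == "__main__":
    # Constructed inputs; the last pair is the published 802.11i test vector.
    print(validate_wep_key("0123456789ABCDEF0123456789", 128))
    print(validate_wep_key("0123456789", 128))
    print(validate_wpa_psk("short"))
    print(derive_psk("password", "IEEE"))
```

Because the passphrase is run through 4096 PBKDF2 rounds rather than used directly, a short or guessable passphrase remains the weak point of WPA-PSK; the 8-character minimum is a format rule, not a strength guarantee.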
WPA-Enterprise
Wi-Fi Protected Access uses the IEEE 802.1X protocol to authenticate the user and
dynamically assign the encryption key via a RADIUS server. This is the recommended
security method.
The RADIUS server must be defined on the RADIUS page (see the RADIUS section of
the chapter entitled System).
WPA Encryption: Select the encryption algorithm, either TKIP (Temporal Key Integrity
Protocol) or AES (Advanced Encryption Standard). TKIP is more commonly supported
by wireless clients; AES is more secure, but may not be supported by wireless clients.
ACL (Access Control List)
To edit access control list settings, click the Edit icon alongside the Wireless network
interface; click the Wireless Configuration tab, then the ACL tab.
When the Access Control List is disabled (Disable Access Control List), any wireless
client with the correct ESSID (and encryption key if applicable) can connect to the
wireless network. For additional security, you can specify a list of MAC addresses
(network hardware addresses) to either allow or deny.
Select Allow authentication for MACs in the Access Control List to disallow all but
the MAC addresses you specify, or Deny authentication for MACs in the Access Control List to allow all but the MAC addresses you specify. Click Update.
Enter a MAC to allow or deny and click Add. A MAC may be removed from the list by
clicking the corresponding Delete icon.
Warning
This is only a weak form of authentication, and does not provide any data privacy
(encryption). MAC addresses may be forged relatively easily.
WDS
Select the WDS tab to enter WDS (Wireless Distribution System) configuration
information. WDS allows wireless Access Points to communicate with each other without
the need for a wired Ethernet connection.
Access Points connected using WDS must be configured with the same channel and
encryption settings. The ESSID may be the same or different. If the Access Points have
the same ESSID, then clients may transparently roam between them.
There are two common scenarios for WDS: bridging and repeating. In WDS bridging the
Access Point does not accept wireless clients; it forwards packets from its wired LAN
over the wireless link to another Access Point. This is used to join two wired Ethernet
segments via a wireless link. In WDS repeating the Access Point allows wireless clients to
connect, and forwards packets from these clients to another Access Point. This is used
to extend the wireless coverage without requiring the additional Access Points to be
connected to the wired Ethernet.
Use the following procedure to configure WDS bridging:
1. Configure the wireless settings on the Access Point tab as normal.
2. Select the WDS tab.
3. Set Mode to Automatic.
4. Click Add and enter the MAC of the peer Access Point.
5. Click the Connections tab, create a new Bridge. Select both the LAN interface
and the WDS interface to be on the bridge.
6. Leave the Wireless port unconfigured.
7. Configure the peer Access Point in a similar manner.
Use the following procedure to configure WDS repeating:
1. Configure the wireless settings on the Access Point tab as normal.
2. Select the WDS tab.
3. Set Mode to Automatic.
4. Click Add and enter the MAC of the main Access Point.
5. Click the Connections tab, create a new Bridge. Select both the Wireless
interface and the WDS interface to be on the bridge.
6. Configure the main Access Point in a similar manner; however, it will typically
include the LAN interface on the bridge.
Use the following procedure to configure WDS bridging and repeating:
1. Configure the wireless settings on the Access Point tab as normal.
2. Select the WDS tab.
3. Set Mode to Automatic.
4. Click Add and enter the MAC of the main Access Point.
5. Click the Connections tab, create a new Bridge. Select the Wireless interface,
the LAN interface, and the WDS interface to all be on the bridge.
Mode
This is the mode that WDS is operating in, either Disable or Automatic.
Disable – this disables WDS completely.
Automatic – this enables bridging or repeating as appropriate. If the wireless interface is
unconfigured, then bridging is enabled (wireless clients cannot connect). Otherwise
repeating is enabled.
WPA Key
Specify the WPA preshared key that is used for the WDS link. This key is only used if the
Access Point Security Method is configured for WPA-PSK or WPA-Enterprise. If the
Security Method is set to WEP, then the same WEP Key is used for both the wireless
clients and the WDS link. You cannot enable both WDS and WEP with 802.1X.
The key can be from 8 to 63 characters of any type, or exactly 64 hexadecimal
characters (0-9, a-f or A-F).
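As an added illustration, not part of this manual or of SnapGear's firmware, the following Python models the two key forms accepted by the WPA Key fields above (for the access point and for the WDS link alike) and derives from an ASCII passphrase the 256-bit Pairwise Master Key (PMK) that WPA-PSK actually uses: PBKDF2-HMAC-SHA1 over the passphrase, salted with the ESSID, 4096 iterations, as specified in IEEE 802.11i. The function names are this example's own.

```python
"""WPA preshared key forms and the PMK they produce.

Added example for this manual's WPA Key fields; it is not SnapGear code and the
function names are this example's own. IEEE 802.11i defines the two forms the
fields accept: a passphrase of 8 to 63 printable ASCII characters (codes 32 to
126), or the 256-bit Pairwise Master Key itself written as 64 hexadecimal
digits. A passphrase is turned into the PMK with PBKDF2-HMAC-SHA1, salted with
the ESSID, 4096 iterations, 32 bytes out.
"""
import hashlib
import re

_HEX64 = re.compile(r"[0-9a-fA-F]{64}")
PBKDF2_ITERATIONS = 4096   # fixed by the standard, not tunable on either side
PMK_LEN = 32               # 256-bit key


def classify_wpa_key(key: str) -> str:
    """Return "hex" for a raw PMK or "passphrase" for an ASCII passphrase.

    Anything the access point would reject raises ValueError.
    """
    if _HEX64.fullmatch(key):
        return "hex"
    if 8 <= len(key) <= 63 and all(32 <= ord(c) <= 126 for c in key):
        return "passphrase"
    raise ValueError("WPA key must be 8-63 printable ASCII characters "
                     "or exactly 64 hexadecimal digits")


def wpa_pmk(key: str, essid: str) -> bytes:
    """Derive the 32-byte PMK shared by the access point and a client.

    The 64-hex-digit form is the PMK itself and so does not depend on the
    ESSID; a passphrase yields a different PMK under every ESSID, which is
    why precomputed attack tables have to be built per network name.
    """
    if classify_wpa_key(key) == "hex":
        return bytes.fromhex(key)
    return hashlib.pbkdf2_hmac("sha1", key.encode("ascii"),
                               essid.encode("utf-8"), PBKDF2_ITERATIONS,
                               dklen=PMK_LEN)


if __name__ == "__main__":
    # IEEE 802.11i Annex H test vector: passphrase "password", ESSID "IEEE"
    print(wpa_pmk("password", "IEEE").hex())
```

Because the derivation is fixed and cheap (4096 SHA-1 iterations), anyone who captures one WPA-PSK association handshake can test passphrase guesses offline. A short or dictionary passphrase is therefore the weak point regardless of whether TKIP or AES is selected; use a long random passphrase or the 64-hex-digit form.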
MAC
Specify the MAC address of an Access Point to create a WDS link to, and then click the
Add button. You can create up to 8 WDS links. You can delete a WDS link using the
Delete icon. You can change the MAC address for a WDS link using the Modify icon found in the Connections tab. Enter an Ethernet MAC address of the form
AA:BB:CC:DD:EE:FF, where each component is a pair of hexadecimal digits.
Advanced
To edit advanced wireless settings, click the Edit icon alongside the Wireless network
interface; click the Wireless Configuration tab, then the Advanced tab.
Region: Select the region in which the access point is operating. This restricts the
allowable frequencies and channels. If your region is not listed, select a region that has
similar regulations.
Protocol:
802.11b only: Wireless clients can only connect using 802.11b (11 Mbit/s). Note
that most wireless clients which support 802.11g also support 802.11b.
802.11g only: Wireless clients can only connect using 802.11g (54 Mbit/s).
Wireless clients that only support 802.11b are unable to connect.
802.11b and 802.11g: Both 802.11b and 802.11g wireless clients can connect.
Transmit Power (%): Select the transmit power for the access point. Decreasing the
power reduces the range of the network. This reduces interference caused to other
nearby access points, and limits the range from which clients can connect.
Preamble Type: The preamble is part of the physical wireless protocol. Using a short
preamble can give higher throughput. However, some wireless clients may not support
short preambles.
Enable RTS: RTS (Request to Send) is used to negotiate when wireless clients can
transmit.
If you have two wireless clients that are out of range of each other, but both still within
range of the access point, they may both attempt to transmit at the same time, causing a
collision. Enabling RTS avoids these collisions, and thus increases performance.
RTS incurs an overhead for transmitting, so enabling it when it is not needed decreases
performance. Since the access point is in range of all wireless clients, you would not
normally enable RTS for an access point.
RTS Threshold: The minimum packet size for which RTS is enabled. Collisions are less
likely for smaller packets, and so the overhead of using RTS for these may not be
worthwhile.
Enable Fragmentation: Normally, when a packet has an error, the entire packet must be
retransmitted. If packet fragmentation is enabled, the packet is split up into smaller
fragments, and thus only the fragment that has an error needs to be retransmitted, which
increases performance.
Fragmentation incurs an overhead per fragment, so enabling it when it is not needed
decreases performance.
Fragmentation Length: Using smaller fragments decreases the amount that is
retransmitted when there is an error, but it also increases the total overhead for each
packet.
Beacon Interval (ms): Beacon frames are used to coordinate the wireless network.
Sending beacon frames more often (i.e. using a lower beacon interval) increases
responsiveness, but decreases performance due to higher overheads.
DTIM Interval (beacons): Specify how often a Delivery Traffic Indication Message is
sent. A DTIM is periodically included in the beacon frame. A DTIM is used to indicate to
clients in power saving mode that there are packets for them to receive. Sending a DTIM
more often increases responsiveness for clients in power saving mode, but uses more
power since the clients must stay awake longer.
Connecting wireless clients
The following steps detail how to configure your SnapGear unit to bridge between its
wireless and LAN interfaces. The result of this configuration would be similar to attaching
a wireless access point in bridge mode to one of the SnapGear unit’s LAN ports.
Individual settings and fields are detailed earlier in the Wireless section.
The wireless and wired LAN interfaces share a single IP address; in this example the
wireless interface takes over the existing IP address of the wired LAN interface.
Alongside the Wireless network interface in the Connections menu, select Direct Connection from the Change Type pull-down menu, or if you have previously
configured wireless settings, click Edit.
Click Wireless Configuration. Enter an appropriate ESSID and select a Channel for
your wireless network. Enable Bridge Between Clients to allow wireless clients to
intercommunicate, and there is generally no reason not to Broadcast ESSID. Take note
of the ESSID and Channel, you need them to configure the wireless clients.
Select WPA-PSK as the Security Method, select AES for WPA Encryption if your
wireless clients support it, otherwise select TKIP. Enter a WPA Key of 8 to 63 ASCII
characters, or 64 hexadecimal characters. Take note of the WPA Key and WPA Encryption method, you need them to configure the wireless clients.
Click Apply. Click ACL.
Select Allow authentication for MACs in the Access Control List and click Apply.
Select Add to add the MAC address of each wireless client you wish to allow to connect.
Click Advanced. Ensure the Region has been set appropriately. You may also restrict
the Protocol to 802.11b only or 802.11g only if you wish. Generally, the other settings
should be left at their default values.
Click Apply. Click the Connections tab.
Under the main table, select Bridge and click Add.
Select your wired LAN connection from the Existing Interface Configuration pull-down
box. This is the address to share between the interfaces. Click Next.
Alongside the wireless interface, check Bridged and select LAN from the Firewall Class
pull-down menu. Click Finish.
Note
If your LAN interface was previously configured to obtain an IP address automatically
from a DHCP server, the SnapGear unit now uses the MAC address of the wireless
device when obtaining an IP address. You may have to update your DHCP server
accordingly.
Configure each wireless client with the Channel, ESSID, WPA Key and WPA
Encryption method.
Bridging
The SG may be configured to bridge between network interfaces. When two or more
network interfaces are bridged, the SnapGear unit learns and keeps track of which hosts
reside on either side of the bridge, and automatically directs network traffic
appropriately.
One advantage of bridging network interfaces is that hosts on either side of the bridge
can communicate with hosts on the other side without having to specify a route to the
other network via the SnapGear unit.
Another advantage is that network traffic that is not normally routed between unbridged
interfaces, such as broadcast packets, multicast packets, and protocols other than IPv4
such as IPv6, IPX or AppleTalk, passes over the bridge to its destination host.
Bridging network interfaces involves creating, then associating existing network
interfaces with a Bridge interface.
Warning
You must trust all devices that are directly connected to bridged interfaces. This is
because the firewall does not know which IP addresses for the bridged network belong
on which interface. This means it is easy for a directly connected device to spoof an IP
address. You can manually add Packet Filter rules to prevent spoofing.
Furthermore, non-IP protocols are not restricted by the firewall. You should not bridge
between interfaces with different firewall classes if you are using non-IP protocols.
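The warning above can be made concrete. The Python below is an added example, not SnapGear code: it models the kind of source-address pinning the manual suggests adding as Packet Filter rules on a bridge, using constructed port names, address layout and frames. It assumes the administrator has placed wired and wireless hosts in distinct halves of the shared subnet; in the bridged setup described earlier, where both sides share one subnet and one DHCP pool, a prefix rule alone cannot separate them, and the check that matters most is that no bridged port may ever present the unit's own address as a source.

```python
"""Source-address pinning for a bridged firewall, modelled in Python.

Added example, not SnapGear code. A bridge learns MAC addresses only, so the
firewall cannot tell which bridged port an IP address belongs on. This class
models the Packet Filter rules an administrator would add by hand: a list of
source prefixes permitted per bridged port, the unit's own addresses that may
never appear as a source on any bridged port, and the fact that frames that
are not IPv4 are not inspected at all. Port names, the address layout and the
frames are constructed for the example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class Frame:
    in_port: str                   # bridged port the frame arrived on
    src_mac: str
    ethertype: int                 # 0x0800 IPv4; anything else is not inspected
    src_ip: Optional[str] = None   # IPv4 source; None for non-IPv4 frames


class BridgeSourceGuard:
    def __init__(self, allowed_sources: Dict[str, List[str]],
                 own_addresses: List[str]):
        self.allowed = {port: [ip_network(p) for p in prefixes]
                        for port, prefixes in allowed_sources.items()}
        self.own = {ip_address(a) for a in own_addresses}

    def decide(self, frame: Frame) -> str:
        """Verdict for one ingress frame: ACCEPT, DROP or PASS-UNINSPECTED."""
        if frame.ethertype != ETHERTYPE_IPV4:
            # IPv6, IPX, AppleTalk and similar cross the bridge on MAC address
            # alone; the firewall's IP rules never see them.
            return "PASS-UNINSPECTED"
        if frame.in_port not in self.allowed:
            return "DROP"            # port with no policy: fail closed
        src = ip_address(frame.src_ip)
        if src in self.own:
            # No host behind a bridged port may claim the unit's own address;
            # this is the spoof that redirects traffic or reaches management.
            return "DROP"
        if not any(src in net for net in self.allowed[frame.in_port]):
            return "DROP"            # address belongs on the other side
        return "ACCEPT"


def demo_verdicts() -> List[str]:
    """Run four constructed frames through a two-port bridge policy."""
    guard = BridgeSourceGuard(
        allowed_sources={
            "eth1":  ["192.168.0.0/25"],    # wired hosts: .1 to .126 (assumed layout)
            "wlan0": ["192.168.0.128/25"],  # wireless hosts: .129 to .254
        },
        own_addresses=["192.168.0.1"],      # the bridge interface's address
    )
    frames = [
        Frame("eth1",  "00:11:22:33:44:55", ETHERTYPE_IPV4, "192.168.0.10"),  # legitimate
        Frame("wlan0", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, "192.168.0.10"),  # wireless host using a wired address
        Frame("wlan0", "66:77:88:99:aa:bb", ETHERTYPE_IPV4, "192.168.0.1"),   # wireless host claiming the gateway
        Frame("wlan0", "66:77:88:99:aa:bb", 0x8137),                          # IPX: not IP, not filtered
    ]
    return [guard.decide(f) for f in frames]


if __name__ == "__main__":
    for verdict in demo_verdicts():
        print(verdict)
```

Note what the model deliberately lets through: the IPX frame. The manual's second warning applies there; a bridge forwards anything by MAC address, so if non-IP protocols are in use, the bridged ports should share one firewall class. Whether the unit's Packet Filter page accepts an input-interface match on source prefix is not stated on this page; the rules above express the policy, not its exact syntax.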
Adding a bridge interface
From below the main Connections table, select Bridge from the pull-down menu and
click Add.
Once this bridge interface has been added, it appears on the Network Setup page under
the Connections tab, along with the SnapGear unit’s other network interfaces.
When network interfaces are bridged, they all share a common configuration for the
network connection. This means that a single IP address is used on all of the network
interfaces.
If you wish to transfer the IP address settings of an existing network connection to the
bridge interface, select it from the Existing Interface Configuration pull-down menu.
Click Next.
Note
As the SnapGear unit automatically directs network traffic, hosts on either side do not
need to specify this IP address as a gateway to the networks connected to the bridge.
So in reality, it is not so important which IP address you choose to assign to the bridge
interface; it is primarily used by hosts on either side of the bridge only to connect to the
SnapGear unit’s web management console. Specific routes are still required to reach
networks that are not being bridged.
Edit bridge configuration
For each network interface that you wish to bridge, select Bridged. Also ensure its
Firewall Class is set appropriately; this setting is discussed in the Direct Connection
section towards the beginning of this chapter.
Note
Bridging only supports ethernet and GRE network interfaces, and can only be configured
as a Direct Connection. This means you cannot bridge a PPPoE connection.
If you have multiple bridges on your network, you may want to Enable Spanning Tree
Protocol. It allows the bridges to exchange information, helping to eliminate loops and
find the optimal path for network traffic.
Forwarding Delay is the time in seconds between when the bridge interface comes
online and when it begins forwarding packets. This usually only occurs when the unit first
boots, or the bridge configuration is modified. This delay allows the SnapGear unit’s
bridge to begin learning which hosts are connected to each of the bridge’s interfaces,
rather than blindly sending network traffic out all network interfaces.
Click Next to review or change IP address information for the bridge interface, otherwise
click Finish.
Bridging across a VPN connection
Bridging across a VPN connection is useful for:
Sending IPX/SPX over a VPN, something that is not supported by other VPN
vendors
Serving DHCP addresses to remote sites to ensure that they are under better
control
Making use of protocols that do not work well in a WAN environment (e.g.
NetBIOS)
A guide to bridging across an IPSec tunnel using GRE is provided in the section entitled
GRE over IPSec in the Virtual Private Networking chapter.
VLANs
Note
VLANs are not supported by the SG300.
VLAN stands for virtual local area network. It is a method of creating multiple virtual
network interfaces using a single physical network interface.
Packets in a VLAN are simply Ethernet packets that have an extra 4 bytes inserted
between the source MAC address and the EtherType field of the Ethernet header. The
format for these bytes is defined by the IEEE 802.1Q standard. Essentially, they carry a
VLAN ID and a priority. The VLAN ID is used to distinguish each VLAN. A packet
containing a VLAN header is called a tagged packet.
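As an added example, not taken from the manual or from SnapGear, the Python below parses the tag format just described from raw frame bytes and builds tagged frames for testing; all frame contents are constructed. It also flags a frame whose inner EtherType is itself 0x8100 (a double-tagged frame), a check the manual does not describe but one worth having wherever tagged traffic is accepted from untrusted ports.

```python
"""Parsing and building IEEE 802.1Q tags.

Added example, not SnapGear code: it implements the tag format described
above. A tagged frame carries 4 extra bytes between the source MAC address and
the EtherType: the Tag Protocol Identifier 0x8100, then a 16-bit Tag Control
Information word holding a 3-bit priority, a 1-bit drop-eligible flag and a
12-bit VLAN ID. All frame contents here are constructed.
"""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100
VID_PRIORITY_ONLY = 0    # VID 0: tag carries priority only, no VLAN membership
VID_RESERVED = 0xFFF     # VID 4095 is reserved and must not be used


@dataclass
class EthHeader:
    dst_mac: str
    src_mac: str
    ethertype: int                 # EtherType of the payload after any tag
    vlan_id: Optional[int] = None  # None for an untagged frame
    priority: Optional[int] = None
    drop_eligible: bool = False
    double_tagged: bool = False    # inner EtherType is 0x8100 again
    payload_offset: int = 14


def _mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes) -> EthHeader:
    """Decode the Ethernet header and, if present, one 802.1Q tag."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (etype,) = struct.unpack("!H", frame[12:14])
    hdr = EthHeader(_mac_str(dst), _mac_str(src), etype)
    if etype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, inner = struct.unpack("!HH", frame[14:18])
        hdr.priority = tci >> 13
        hdr.drop_eligible = bool(tci & 0x1000)
        hdr.vlan_id = tci & 0x0FFF
        hdr.ethertype = inner
        hdr.payload_offset = 18
        # A second 0x8100 inside the first tag marks a double-tagged frame.
        hdr.double_tagged = inner == TPID_8021Q
        if hdr.vlan_id == VID_RESERVED:
            raise ValueError("VLAN ID 4095 is reserved")
    return hdr


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Inverse of parse_ethernet; used to construct example frames."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is None:
        return hdr + struct.pack("!H", ethertype) + payload
    tci = ((priority & 0x7) << 13) | (vlan_id & 0x0FFF)
    return hdr + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


if __name__ == "__main__":
    f = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", 0x0800,
                    b"\x45" + b"\x00" * 19, vlan_id=100, priority=5)
    print(parse_ethernet(f))
```

A VLAN ID of 0 means the tag carries only a priority and the frame belongs to the port's untagged VLAN; 4095 is reserved by the standard. A double-tagged frame is the shape used in VLAN hopping, where a switch that strips only the outer tag forwards the inner one into a VLAN the sender is not a member of, so a filter accepting tagged frames from untrusted ports should reject it.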