ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
June 2008
202-10257-02
v1.2
© 2008 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc.
Microsoft, Windows, and Wi ndows NT are registered trademarks of Microsoft Corporation. Other brand and product
names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency
Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to
part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a
residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and
used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to
radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try
to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
EU Regulatory Compliance Statement
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN is compliant with the following EU Council
Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022
Class B, EN55024 and EN60950-1.
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß das ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN gemäß der im BMPTAmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben
einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die
Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN has been suppressed
in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some
ii
1.2, June 2008
equipment (for example, test transmitters) in accordance with the regulations may, howe v er, be subject to certain
restrictions. Please refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area
thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference.
Read instructions for correct handling.
Additional Copyrights
AES Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted
subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. The copyright holder's name must not be used to endorse or promote any products
derived from this software without his specific prior written permission.
This software is provided 'as is' with no express or implied warranties of correctness or fitness
for purpose.
1.2, June 2008
iii
Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions * are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the
following acknowledgment: “This product includes software developed by the OpenSSL
Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or
promote products derived from this software without prior written permission. For written
permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL"
appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This
product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This
product includes software written by Tim Hudson (tjh@cryptsoft.com).
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data
Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this
software or this function. License is also granted to make and use derivative works provided
that such works are identified as "derived from the RSA Data Security, Inc. MD5 MessageDigest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of
this software or the suitability of this software for any particular purpose. It is provided "as is"
without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or
software.
iv
1.2, June 2008
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above
copyright notice and this paragraph are duplicated in all such forms and that any
documentation, advertising materials, and other materials related to such distribution and use
acknowledge that the software was developed by Carnegie Mellon University. The name of
the University may not be used to endor s e or promote products derive d from th i s software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th,
2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the
authors be held liable for any damages arising from the use of this software. Permission is
granted to anyone to use this software for any purpose, including commercial applications,
and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote
the original software. If you use this software in a product, an acknowledgment in the
product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented
as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu
The data format used by the zlib library is described by RFCs (Request for Comments) 1950
to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt
and rfc1952.txt (gzip format)
(zlib format), rfc1951.txt (deflate format)
Product and Publication Details
Model Number: FVS336G
Publication Date: June 2008
Product Family: VPN Firewall
Product Name: ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN
Home or Business Product: Business
Language: English
Publication Part Number: 202-10257-02
Publication Version Number 1.2
1.2, June 2008
v
vi
1.2, June 2008
Contents
About This Manual
Conventions, Formats, and Scope ..................................................................................xiii
How to Use This Manual ..................................................................................................xiv
How to Print this Manual ..................................................................................................xiv
Revision History ..................... ... .......................................... .......................................... ...xv
Chapter 1
Introduction
Key Features ..................................................................................................................1-1
Dual WAN Ports for Increased Reliability or Outbound Load Balancing ..................1-2
Advanced VPN Support for Both IPsec and SSL .....................................................1-2
A Powerful, True Firewall with Content Filtering ......................................................1-3
Autosensing Ethernet Connections with Auto Uplink ...............................................1-3
Extensive Protocol Support ......................................................................................1-4
Easy Installation and Management ................................................................................1-4
Maintenance and Support ............................... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ..................1-5
Package Contents ..........................................................................................................1-5
Front Panel Features ......................................................................................................1-6
Rear Panel Features ......................................................................................................1-7
Default IP Address, Login Name, and Password Location .............................. ............... 1-8
Qualified Web Browsers .................................................................................................1-8
Chapter 2
Connecting the FVS336G to the Internet
Understanding the Connection Steps .............................................................................2-1
Logging into the VPN Firewall Router ............................. ... ... .... ... ... ... .... ... ... ..................2-2
Navigating the Menus .....................................................................................................2-4
Configuring the Internet Connections ............................................................................. 2-4
Automatically Detecting and Connecting ............................... ... ...............................2-4
Manually Configuring the Internet Connection ... .... ... ... ... .........................................2-8
Configuring the WAN Mode (Required for Dual WAN) .... ... ....................................... ...2-11
v1.2, June 2008
vii
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Network Address Translation .................................................................................2-12
Classical Routing ...................................................................................................2-12
Configuring Auto-Rollover Mode ............................................................................2-13
Configuring Load Balancing ...................................................................................2-15
Configuring Dynamic DNS (Optional) ...........................................................................2-17
Configuring the Advanced WAN Options (Optional) ............................................... ...... 2-19
Additional WAN Related Configuration ..................................................................2-21
Chapter 3
LAN Configuration
Using the VPN Firewall as a DHCP server ................... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ..... 3-1
Configuring the LAN Setup Options ...............................................................................3-2
Managing Groups and Hosts (LAN Groups) ...................................................................3-5
Viewing the LAN Groups Database .........................................................................3-6
Changing Group Names in the LAN Groups Database ...........................................3-7
Configuring DHCP Address Reservation ........................................................................3-8
Configuring Multi Home LAN IP Addresses ....................................................................3-9
Configuring Static Routes .............................................................................................3-10
Configuring Static Routes .......................................................................................3-10
Configuring Routing Information Protocol (RIP) .............. ... ... .... ... ... ... .... ... ... ... ... .... ... ...3-12
Chapter 4
Firewall Protection and Content Filtering
About Firewall Protection and Content Filtering .............................................................4-1
Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-2
About Services-Based Rules ...................................................................................4-3
Viewing the Rules ....................................................................................................4-7
Order of Precedence for Rules ................................................................................4-8
Setting the Default Outbound Policy ............................ ... .... ... ... ... .... ... ... ... ... .... ... ... ..4-8
Creating a LAN WAN Outbound Services Rule .......................................................4-9
Creating a LAN WAN Inbound Services Rule ........................................................4-10
Inbound Rules Examples .......................................................................................4-12
Outbound Rules Example .................................. .... ... ... ... .... ... ................................4-15
Adding Customized Services .................................................................................4-15
Setting Quality of Service (QoS) Priorities ............................................................. 4-17
Attack Checks ................. .... ... ....................................... ... ... ... .... ... ... .............................4-18
Blocking Internet Sites (Content Filtering) ....................................................................4-20
viii
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring Source MAC Filtering ................................................................................4-24
Configuring IP/MAC Address Binding Alerts ................................................................4-26
Configuring Port Triggering ...........................................................................................4-27
Setting a Schedule to Block or Allow Specific Traffic .................................... ... ... .... ... ...4-29
Configuring a Bandwidth Profile ...................................................................................4-30
Configuring Session Limits ...........................................................................................4-32
E-Mail Notifications of Event Logs and Alerts ......................................... ......................4-33
Administrator Tips .........................................................................................................4-33
Chapter 5
Virtual Private Networking Using IPsec
Considerations for Dual WAN Port Systems ..................................................................5-1
Configuring an IPsec VPN Connection using the VPN Wizard ......................................5-4
Creating a VPN Tunnel to a Gateway ......................................................................5-4
Creating a VPN Tunnel Connection to a VPN Client ................................... .... ... ..... 5-8
Managing VPN Tunnel Policies .......................................... ... .... ... ... ... .... ... ... ... ... .... ... ...5-13
About IKE ...............................................................................................................5-13
Managing IKE Policies .............................. .......................................... ... ... ... ..........5-13
About the IKE Policy Table .....................................................................................5-14
VPN Policy ............................ .... ... ... ... .... ... ....................................... ... ... ... ... .... ... ...5-14
VPN Tunnel Connection Status ..............................................................................5-16
Creating a VPN Client Connection: VPN Client to FVS336G .......................... ....... ... ...5-16
Configuring the FVS336G ......................................................................................5-17
Configuring the VPN Client ................................ .... ... ... ... .... ...................................5-17
Testing the Connection ...........................................................................................5-19
Configuring Extended Authentication (XAUTH) ............................................................5-19
Configuring XAUTH for VPN Clients ......................................................................5-20
User Database Configuration .... ... ... ... .... .......................................... ... ... ... .............5-21
RADIUS Client Configuration .................................................................................5-21
Manually Assigning IP Addresses to Remote Users (ModeConfig) .......... ... ... ... .... ... ...5-23
Mode Config Operation ...... .......................................... ..........................................5-23
Configuring the VPN Firewall .......... .......................................... ... .... ... ... ... ... .... ... ...5-24
Configuring the ProSafe VPN Client for ModeConfig .......................................... ...5-27
Configuring Keepalives and Dead Peer Detection .......................................................5-29
Configuring Keepalive ............................................................................................5-29
Configuring NetBIOS Bridging with VPN ......................................................................5-31
v1.2, June 2008
ix
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Chapter 6
Virtual Private Networking
Using SSL Connections
Understanding the Portal Options ...................................................................................6-1
Planning for SSL VPN ....................................................................................................6-2
Creating the Portal Layout ..............................................................................................6-3
Configuring Domains, Groups, and Users ......................................................................6-7
Configuring Applications for Port Forwarding ............................................ ... ... ... .... ... ... ..6-7
Adding Servers ................................... .... ... ... ............................................................6-8
Adding A New Host Name . ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... .....................................6-9
Configuring the SSL VPN Client ...................................................................................6-10
Configuring the Client IP Address Range . ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ...6-11
Adding Routes for VPN Tunnel Clients ........ ... ... .......................................... .... ... ...6-12
Replacing and Deleting Client Routes ...................................................................6-12
Using Network Resource Objects to Simplify Policies ..................................................6-13
Adding New Network Resources ..........................................................................6-13
Configuring User, Group, and Global Policies ..............................................................6-15
Viewing Policies .....................................................................................................6-16
Adding a Policy ...................................... ... ....................................... ... ... ... ... .... ... ...6-17
Chapter 7
Managing Users, Authentication, and Certificates
Adding Authentication Domains, Groups, and Users .....................................................7-1
Creating a Domain ....................................................................... ............................7-1
Creating a Group .................................... ... ... ... ... .......................................... ............7-3
Creating a New User Account ... .......................................... ... ... ... .... ........................7-4
Setting User Login Policies ................................ .... ... ... .......................................... ..7-6
Managing Certificates ................................................................ .....................................7-8
Viewing and Loading CA Certificates .......................................................................7-9
Viewing Active Self Certificates ..............................................................................7-10
Obtaining a Self Certificate from a Certificate Authority ............................ ... .... ... ...7-11
Managing your Certificate Revocation List (CRL) .. ... ... ..........................................7-14
Chapter 8
Router and Network Management
Performance Management ........................................... ... ... ... .... .....................................8-1
Bandwidth Capacity ............................... ... .......................................... .....................8-1
x
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Features That Reduce Traffic ...................................................................................8-2
Features That Increase Traffic .................................................................................8-5
Using QoS to Shift the Traffic Mix ............................................................................8-8
Tools for Traffic Management .......... ... .... ... ... ... ... .... ... ... .......................................... ..8-8
Changing Passwords and Administrator Settings .... .... ... ... ... .... ... ... ... .... ........................8-8
Enabling Remote Management Access .......................................................................8-10
Using the Command Line Interface ..............................................................................8-12
Using an SNMP Manager .............................................................................................8-13
Configuration File Management ...................................................................................8-15
Upgrading the Firmware ...............................................................................................8-17
Configuring Date and Time Service ..............................................................................8-18
Chapter 9
Monitoring System Performance
Enabling the Traffic Meter ...............................................................................................9-1
Activating Notification of Events and Alerts ....................................................................9-4
Viewing Firewall Logs .....................................................................................................9-6
Viewing Router Configuration and System Status ..................................... ... ... ... .... ... ... ..9-7
Monitoring the Status of WAN Ports ...............................................................................9-9
Monitoring Attached Devices ........................................................................................9-10
Reviewing the DHCP Log .............................................................................................9-12
Monitoring Active Users ................... ... ... ... .... ... ... ... ... .... .......................................... ... ...9-12
Viewing Port Triggering Status .....................................................................................9-13
Monitoring VPN Tunnel Connection Status ........ ... ... .... ... ... ... .... ... ... ... .... ... ... ................9-14
Reviewing the VPN Logs ..............................................................................................9-15
Chapter 10
Troubleshooting
Basic Functions ............................................................................................................10-1
Power LED Not On .................................................................................................10-2
LEDs Never Turn Off ..............................................................................................10-2
LAN or WAN Port LEDs Not On .............................................................................10-2
Troubleshooting the Web Configuration Interface ........................................................10-3
Troubleshooting the ISP Connection ............................................................................10-4
Troubleshooting a TCP/IP Network Using a Ping Utility ...............................................10-5
Testing the LAN Path to Your VPN Firewall ...........................................................10-5
Testing the Path from Your PC to a Remote Device ..............................................10-6
v1.2, June 2008
xi
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Restoring the Default Configuration and Password ............ ... .... ... ... ... .... ... ... ... ... .... ... ...10-7
Problems with Date and Time .......................................................................................10-7
Using the Diagnostics Utilities ......................................................................................10-8
Appendix A
Default Settings and Technical Specifications
Appendix B
Related Documents
Appendix C
Network Planning for Dual WAN Ports
What You Will Need to Do Before You Begin ................................................................C-1
Cabling and Computer Hardware Requirements .................................................... C-3
Computer Network Configuration Requirements ...................................... ... .... ... ... . C-3
Internet Configuration Requirements ...................................................................... C-4
Where Do I Get the Internet Configuration Parameters? ........................................ C-4
Internet Connection Information Form .................................................................... C-5
Overview of the Planning Process ................................................................................. C-6
Inbound Traffic ........................................................................................................ C-6
Virtual Private Networks (VPNs) .............................................................................C-6
The Roll-over Case for Firewalls With Dual WAN Ports ..........................................C-7
The Load Balancing Case for Firewalls With Dual WAN Ports ...............................C-7
Inbound Traffic ...............................................................................................................C-8
Inbound Traffic to Single WAN Port (Reference Case) ........................................... C-8
Inbound Traffic to Dual WAN Port Systems ............................................................C-8
Virtual Private Networks (VPNs) .................................................................................. C-10
VPN Road Warrior (Client-to-Gateway) ................................................................ C-11
VPN Gateway-to-Gateway ........... ...... .... ... ............................................................ C-14
VPN Telecommuter (Client-to-Gateway Through a NAT Router) ..........................C-17
Index
xii
v1.2, June 2008
About This Manual
The NETGEAR® ProSafe™ Dual WAN Gigabit Firewall with SSL & IPsec VPN Reference
Manual describes how to install, configure and troubleshoot a ProSafe Dual WAN Gigabit
Firewall with SSL & IPsec VPN. The information in this manual is intended for readers with
intermediate computer and networking skills.
Conventions, Formats, and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs:
• Typographical Conventions. This manual uses the following typographical conventions:
Italic Emphasis, books, CDs, file and server names, extensions
Bold User input, IP addresses, GUI screen text
Fixed Command prompt, CLI text, code
italic URL links
• Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the
equipment.
v1.2, June 2008
xiii
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Danger: This is a safety warning. Failure to take heed of this notice may result in
personal injury or death.
• Scope. This manual is written for the VPN firewall according to these specifications:
Product Version ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN
Manual Publication Date June 2008
For more information about network, Internet, firewall, and VPN technologies, see the links to the
NETGEAR website in Appendix B, “Related Documents.”.
Note: Product updates are available on the NETGEAR, Inc. website at
http://kbserver.netgear.com/products/FVS336G.asp.
How to Use This Manual
The HTML version of this manual includes the following:
• Buttons, and , for browsing forwards or backwards through the manual one page
at a time
• A button that displays the table of contents and an button. Double-click on a
link in the table of contents or index to navigate directly to where the topic is described in the
manual.
• A button to access the full NETGEAR, Inc. online knowledge base for the product
model.
• Links to PDF versions of the full manual and individual chapters.
How to Print this Manual
To print this manual, you can choose one of the following options, according to your needs.
• Printing a Page from HTML. Each page in the HTML version of the manual is dedicated to
a major topic. Select File > Print from the browser menu to print the page contents.
xiv
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in
order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at
http://www.adobe.com.
– Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page.
• Click the PDF of This Chapter link at the top left of any page in the chapter you want
to print. The PDF version of the chapter you were viewing opens in a browser
window.
• Click the print icon in the upper left of your browser window.
– Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link
at the top left of any page.
• Click the Complete PDF Manual link at the top left of any page in the manual. The
PDF version of the complete manual opens in a browser window.
• Click the print icon in the upper left of your browser window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.
Revision History
Part Number
202-10257-01 1.0 October
202-10257-01 1.1 November
202-10257-02 1.2 June 2008 Updated to router software version 3.0.3-13.4
Version
Number
Date Description
First publication
2007
Text corrections
2007
v1.2, June 2008
xv
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
xvi
v1.2, June 2008
Chapter 1
Introduction
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN connects your local area network
(LAN) to the Internet through one or two external broadband access devices such as cable modems
or DSL modems. Dual wide area network (WAN) ports allow you to increase throughput to the
Internet by using both ports together, or to maintain a backup connection in case of failure of your
primary Internet connection.
As a complete security solution, the FVS336G incorporates a powerful and flexible firewall to
safeguard your network, while providing advanced IPsec and SSL VPN technologies for secure
and simple remote connections.
The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds
The FVS336G is a plug-and-play device that can be installed and co nfigured within minutes.
This chapter contains the following sections:
• “Key Features” on page 1-1
• “Package Contents” on page 1-5
• “Front Panel Features” on page 1-6
• “Rear Panel Features” on page 1-7
• “Default IP Address, Login Name, and Password Location” on page 1-8
• “Qualified Web Browsers” on page 1-8
Key Features
The VPN firewall provides the following key features:
• Dual 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover protection
of your Internet connection, providing increased system reliability or increased throughput.
• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data
transfer between local network resources.
• Advanced IPsec and SSL VPN support.
• Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
1-1
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Easy, web-based setup for installation and management.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.
Dual WAN Ports for Increased Reliability or Outbound Load Balancing
The FVS336G has two broadband WAN ports. The second WAN port allows you to connect a
second broadband Internet line that can be configured on a mutually-exclusive basis to:
• Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.
• Load balance, or use both Internet lines simultaneously for outgoing traffic. The firewall
balances users between the two lines for maximum bandwidth efficiency.
See “Network Planning for Dual WAN Ports” on page C-1 for the planning factors to consider
when implementing the following capabilities with dual WAN port gateways:
• Single or multiple exposed hosts.
• V irtual private networks.
Advanced VPN Support for Both IPsec and SSL
The VPN firewall supports IPsec and SSL virtual private network (VPN) connections.
• IPsec VPN delivers full network access between a central office and branch offices, or
between a central office and telecommuters. Remote access by telecommuters requires the
installation of VPN client software on the remote computer.
– IPsec VPN with broad protocol support for secure connection to other IPsec gateways and
clients.
– Bundled with the single-user license of the NETGEAR ProSafe VPN Client software
(VPN01L)
– Supports 25 concurrent IPsec VPN tunnels.
• SSL VPN provides remote access for mobile users to selected corporate resources without
requiring a pre-installed VPN client on their computers.
– Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce
transactions, to provide client-free access with customizable user portals and support for a
wide variety of user repositories.
1-2 Introduction
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
– Browser based, platform-independent, remote access through a number of popular
browsers, such as Microsoft Internet Explorer or Apple Safari.
– Provides granular access to corporate resources based upon user type or group
membership.
– Supports 10 concurrent SSL VPN sessions.
A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the FVS336G is a true firewall, using stateful packet
inspection (SPI) to defend against hacker attacks. Its firewall features include:
• Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and
SYN Flood.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Prevents objectionable content from reaching your PCs. You can control access to Internet
content by screening for Web services, Web addresses, and keywords within Web addresses.
You can configure the firewall to log and report attempts to access objectionable Internet sites.
• Permits scheduling of firewall policies by day and time.
• Logs security events such as blocked incoming traffic, port scans, attacks, and administrator
logins. You can configure the firewall to email the log to you at specified intervals. You can
also configure the firewall to send immediate alert messages to your email address or email
pager whenever a significant event occurs.
Autosensing Ethernet Connections with Auto Uplink
With its internal 4-po rt 10/100/1000 Mbps switch and dual 10/100/1000 WAN ports, the FVS336 G
can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or
a 1000 Mbps Gigabit Ethernet network. The four LAN and two WAN interfaces are autosensing
and capable of full-duplex or half-duplex operation.
TM
The FVS336G incorporates Auto Uplink
sense whether the Ethernet cable plugged into the port should have a “normal” connection such as
to a PC or an “uplink” connection such as to a switch or hub. That port will then configure itself to
the correct configuration. This feature eliminates the need to worry about crossover cables, as
Auto Uplink will accommodate either type of cable to make the right connection.
Introduction 1-3
technology. Each Ethernet port will automatically
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Extensive Protocol Support
The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and
Routing Information Protocol
Configuration Requirements” on page C-4.
• IP Address Sharing by NAT. The VPN firewall allows many networked PCs to share an
Internet account using only a single IP address, which may be statically or dynamically
assigned by your Internet service provider (ISP). This technique, known as NAT, allows the
use of an inexpensive single-user ISP account.
• Automatic Configuration of Attached PCs by DHCP. The VPN firewall dynamically
assigns network configuration information, including IP, gateway, and domain name server
(DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol
(DHCP). This feature greatly simplifies configuration of PCs on your local network.
• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall
provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS
addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet
over a DSL connection by simulating a dial-up connection. This feature eliminates the need to
run a login program such as EnterNet or WinPOET on your PC.
• Quality of Service (QoS) support for traffic prioritization.
(RIP). For further information about TCP/IP, refer to “Internet
Easy Installation and Management
You can install, configure, and operate the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec
VPN within minutes after connecting it to the network. The following features simplify
installation and management tasks:
• Browser-Based Management. Browser-based configuration allows you to easily configure
your firewall from almost any type of personal computer, such as Windows, Macintosh, or
Linux. A user-friendly Setup Wizard is provided and online help documentation is built into
the browser-based Web Management Interface.
• Auto Detection of ISP. The VPN firewall automatically senses the type of Internet
connection, asking you only for the information required for your type of ISP account.
1-4 Introduction
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure
IPsec VPN tunnels according to the recommendations of the Virtual Private Network
Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNCcompliant VPN routers and clients.
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let
you monitor and manage log resources from an SNMP-compliant system manager. The SNMP
system configuration lets you change the system variables for MIB2.
• Diagnostic Functions. The firewall incorporates built-in diagnostic functions such as Ping,
Trace Route, DNS lookup, and remote reboot.
• Remote Management. The firewall allows you to login to the Web Management Interface
from a remote location on the Internet. For security, you can limit remote management access
to a specified remote IP address or range of addresses.
• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its
status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall:
• Flash memory for firmware upgrade.
• Free technical support seven days a week, 24 hours a day, according to the terms identified in
the Warranty and Support information card provided with your product.
Package Contents
The product package should contain the following items:
• ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
• One AC power cable.
• Rubber feet.
• One Category 5 (Cat5) Ethernet cable.
• Installation Guide, FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
• Resource CD, including:
– Application Notes and other helpful information.
Introduction 1-5
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
– ProSafe VPN Client Software – one user license.
• Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the firewall for repair.
Front Panel Features
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN front panel shown below
includes four groups of status indicator light-emitting diodes (LEDs), including Power and Test,
WAN1, WAN2, and the LAN lights:
Figure 1-1
The function of each LED is described in the following table:
Table 1-1. LED Descriptions
Object Activity Description
PWR
(Power)
TEST On (Amber)
WAN Ports
ACTIVE On (Green)
SPEED On (Green)
1-6 Introduction
On (Green)
Off
Blinking (Amber)
Off
On (Amber)
Off
On (Amber)
Off
Power is supplied to the VPN firewall.
Power is not supplied to the VPN firewall.
Test mode: The system is initializing or the initialization has failed.
Writing to Flash memory (during upgrading or resetting to defaults).
The system has booted successfully.
The WAN port has a valid Internet connection.
The Internet connection is down or not being used because the port
is in standby for failover.
The WAN port is either not enabled or has no link.
The LAN port is operating at 1,000 Mbps.
The LAN port is operating at 100 Mbps.
The LAN port is operating at 10 Mbps.
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Table 1-1. LED Descriptions (continued)
Object Activity Description
LINK/ACT
(Link and
Activity)
LAN Ports
SPEED On (Green)
LINK/ACT
(Link and
Activity)
On (Green)
Blinking (Green)
Off
On (Amber)
Off
On (Green)
Blinking (Green)
Off
The WAN port has detected a link with a connected Ethernet device.
Data is being transmitted or received by the WAN port.
The WAN port has no link.
The LAN port is operating at 1,000 Mbps.
The LAN port is operating at 100 Mbps.
The LAN port is operating at 10 Mbps.
The WAN port has detected a link with a connected Ethernet device.
Data is being transmitted or received by the WAN port.
The WAN port has no link.
Rear Panel Features
The rear panel of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN includes
Gigabit Ethernet LAN and WAN connections, a cable lock receptacle, power and reset switches,
and an AC power connection.
Figure 1-2
Viewed from left to right, the rear panel contains the following elements:
1. Factory Defaults button.
Using a sharp object, press and hold this button for about ten seconds until the front panel
TEST light flashes to reset the VPN firewall to factory default settings. All configuration
settings will be lost and the default password will be restored.
2. LAN Ethernet ports.
Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports
with RJ-45 connectors.
Introduction 1-7
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
3. WAN Ethernet ports.
Two independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet
ports with RJ-45 connectors.
4. Cable security lock receptacle.
5. AC power receptacle.
Universal AC input (100-240 VAC, 50-60 Hz).
6. On/off power switch.
Default IP Address, Login Name, and Password Location
Check the label on the bottom of the FVS336G’s enclosure if you need a reminder of the following
factory default information:
IP Address
User Name
Password
Figure 1-3
Qualified Web Browsers
To configure the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN, an administrator
must use Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher, or Mozilla Firefox l.x Web
browser with JavaScript, cookies, and SSL enabled.
Although these web browsers are qualified for use with the VPN firewall’s Web Management
Interface for configuring the VPN firewall, SSL VPN users should choose a browser that supports
1-8 Introduction
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications.
Note that Java is only required for the SSL VPN portal, not the Web Management Interface.
Introduction 1-9
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
1-10 Introduction
v1.2, June 2008
Chapter 2
Connecting the FVS336G to the Internet
The initial Internet configuration of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec
VPN is described in this chapter.
This chapter contains the following sections:
• “Understanding the Connection Steps” on page 2-1
• “Logging into the VPN Firewall Router” on page 2-2
• “Navigating the Menus” on page 2-4
• “Configuring the Internet Connections” on page 2-4
• “Configuring the WAN Mode (Required for Dual WAN)” on page 2-11
• “Configuring Dynamic DNS (Optional)” on page 2-17
• “Configuring the Advanced WAN Options (Optional)” on page 2-19
Understanding the Connection S teps
Typically, six steps are required to complete the basic Internet connection of your VPN firewall.
1. Connect the firewall physically to your network. Connect the cables and restart your
network according to the instructions in the installation guide. See the Installation Guide,
FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN for complete steps. A
PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.
2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your
VPN firewall. You can also change your password and enable remote management at this
time. See “Logging into the VPN Firewall Router” on page 2-2.
3. Configure the Internet connections to your ISP(s). During this phase, you will connect to
your ISPs. You can also program the WAN traffic meters at this time if desired. See
“Configuring the Internet Connections” on page 2-4.
4. Configure the WAN mode (required for dual WAN operation). Select either dedicated
(single WAN) mode, auto-rollover mode, or load balancing mode. For load balancing, you can
also select any necessary protocol bindings. See “Configuring the WAN Mode (Required for
Dual WAN)” on page 2-11.
v1.2, June 2008
2-1
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified
domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on
page 2-17.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to
respond to a ping, and you can change the factory default MTU size and port speed. However ,
these are advanced features and changing them is not usually required. See “Configuring the
Advanced WAN Options (Optional)” on page 2-19.
Each of these tasks is detailed separately in this chapter. The configuration of firewall and VPN
features is described in later chapters.
Logging into the VPN Firewall Router
To connect to the VPN firewall, your computer needs to be configured to obtain an IP address
automatically from the VPN firewall by DHCP. For instructions on how to configure your
computer for DHCP, refer to the link in Appendix B, “Related Documents.
To connect and log in to the VPN firewall follow these steps:
1. Start any of the qualified browsers, as detailed in “Qualified Web Browsers” on page 1-8.
2. Enter https://192.168.1.1 in the address field.
The Manager login features appear in the browser.
Figure 2-1
3. In the User field, type admin
4. In the Password field, type password
Note that both entries are in lower case letters.
2-2 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
5. Click Login.
The Web Configura tion Manager appears, displaying the Router Status menu:
Figure 2-2
Connecting the FVS336G to the Internet 2-3
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Navigating the Menus
The Web Configuration Manager menus are organized in a layered structure of main categories
and submenus:
• Main menu. The horizontal orange bar near the top of the page is the main menu, containing
the primary configuration categories. Clicking on a primary category changes the contents of
the submenu bar.
• Submenu. The horizontal grey bar immediately below the main menu is the submenu,
containing subcategories of the currently selected primary category.
• Tab. Immediately below the submenu bar, at the top of the menu active window, are one or
more tabs, further subdividing the currently selected subcategory if necessary.
• Option arrow . To the right of the tabs on some menus are one or more blue dots with an arrow
in the center . Clicking an option arrow brings up either a popup window or an advanced op tion
menu.
Tip: In the instructions in this guide, we may refer to a menu using the notation
primary | subcategory, such as Network Configuration | WAN Settings. In this
example, Network is the selected primary category (in the main menu) and
WAN Settings is the selected subcategory (in the submenu).
You can now proceed to the first configuration task, configuring the VPN firewall’s Internet
connections.
Configuring the Internet Connections
To set up your VPN firewall for secure Internet connections, you configure WAN ports 1 and 2.
The Web Configuration Manager offers two connection configuration options:
• Automatic detection and configuration of the network connection.
• Manual configuration of the network connection.
Each option is detailed in the sections following.
Automatically Detecting and Connecting
To automatically configure the WAN ports for connection to the Internet:
2-4 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
1. Select Network Configuration > WAN Settings from the menu. The WAN Settings tabs
appear, with the WAN1 ISP Settings tab in view.
Figure 2-3
2. Click Auto Detect at the bottom of the menu. Auto Detect will probe the WAN port for a
range of connection methods and suggest one that your ISP appears to support.
a. If Auto Detect is successful, a status bar at the top of the menu will display the results:.
Figure 2-4
Connecting the FVS336G to the Internet 2-5
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
b. If Auto Detect senses a connection method that requires input from you, it will prompt yo u
for the information. All methods with their required settings are detailed in the following
table.
Table 2-1. Internet connection methods
Connection Method Data Required
DHCP (Dynamic IP) No data is required.
PPPoE Login (Username, Password);
Account Name, Domain Name (sometimes required).
PPTP Login (Username, Password),
Local IP address, and PPTP Server IP address;
Account Name (sometimes required).
BigPond Cable Login (Username, Password), Login Server.
Fixed (Static) IP Static IP address, Subnet, and Gateway IP; DNS Server IP addresses.
c. If Auto Detect does not find a connection, you will be prompted to (1) check the physical
connection between your VPN firewall and the cable or DSL line, or to (2) check your
VPN firewall’s MAC address (For more information, see “Configuring the WAN Mode
(Required for Dual WAN)” on page 2-11 and “Troubleshooting the ISP Connection” on
page 10-4).
3. To verify the connection, click the WAN Status option arrow at the top right of the screen.
2-6 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
A popup window appears, displaying the connection status of WAN port 1.
Figure 2-5
The WAN Status window should show a valid IP address and gateway. If the configuration
was not successful, skip ahead to “Manually Configuring the Internet Connection” following
this section, or see “Troubleshooting the ISP Connection” on page 10-4.
Note: If the configuration process was successful, you are connected to the Internet
through WAN port 1. If you intend to use the dual WAN capabilities of the
VPN firewall, continue with the configuration process for WAN port 2.
4. Click the WAN2 ISP Settings tab.
5. Repeat the previous steps to automatically detect and configure the WAN2 Internet
connection.
6. Open the WAN Status window and verify a successful connection
If your WAN ISP configuration was successful, you can skip ahead to “Configuring the WAN
Mode (Required for Dual WAN)” on page 2-11.
If one or both automatic WAN ISP configurations failed, you can attempt a manual configuration
as described in the following section, or see “Troubleshooting the ISP Connection” on page 10-4.
Connecting the FVS336G to the Internet 2-7
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Manually Configuring the Internet Connection
Unless your ISP automatically assigns your configuration automatically via DHCP, you will need
to obtain configuration parameters from your ISP in order to manually establish an Internet
connection. The necessary parameters for various connection types are listed in Table 2-1.
To manually configure your WAN1 ISP Settings:
1. Select Network Configuration > WAN Settings > WAN1 ISP Settings and enter the following:
2. In the ISP Login options, choose one of these options:
• If your ISP requires an initial login to establish an Internet connection, click Yes (this is
the default).
• If a login is not required, click No and ignore the Login and Password fields.
Figure 2-6
3. If you clicked Yes, enter the ISP-provided Login and Password information.
4. In the ISP Type options, select the type of ISP connection you use from the three listed
options. (By default, “Other (PPPoE)” is selected, as shown below.
Figure 2-7
(If your connection is PPPoE, PPTP or BigPond Cable, your ISP will require an initial login.)
5. If you have installed login software such as WinPoET or Enternet, then your connection type
is PPPoE. If your ISP uses PPPoE as a login protocol:
2-8 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
a. Select Other (PPPoE).
Figure 2-8
b. Configure the following fields:
• Account Name. Valid account name for the PPPoE connection
• Domain Name. Name of your ISP’s domain or your domain name if your ISP has
assigned one. In most cases, you may leave this field blank.
• Idle Timeout. Select Keep Connected, to keep the connection always on. To logout
after the connection is idle for a period of time, click Idle Time and in the timeout field
enter the number of minutes to wait before disconnecting.
6. If your ISP is Austria Telecom or any other ISP that uses PPTP as a login protocol:
a. Select Austria (PPTP).
b. Configure the following fields:
• Account Name (also known as Host Name or System Name). Enter the valid account
name for the PPTP connection (usually your ema il name as assigned by your ISP).
Some ISPs require entering your full email address here.
• Domain Name. Your domain name or workgroup name assigned by your ISP , or your
ISPs domain name. You may leave this field blank.
• Idle Timeout. Check the Keep Connected radio button to keep the connection always
on. T o logout after the connection is idle for a period of time, click Idle T ime and enter
the number of minutes to wait before disconnecting in the timeout field. This is useful
if your ISP charges you based on the amount of time you have logged in.
• My IP Address. IP address assigned by the ISP to make the connection with the ISP
server.
• Server IP Address. IP address of the PPTP server.
7. If your ISP is Telstra BigPond Cable:
Connecting the FVS336G to the Internet 2-9
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
a. Select BigPond Cable.
b. Configure the Login Server and Idle Timeout fields.
The Login Server is the IP address of the local BigPond Login Server in your area.
8. Review the Internet (IP) Address options.
Figure 2-9
These options are inactive if BigPond Cable is selected.
9. If your ISP has assigned a fixed (static) IP address, select Use Static IP Address , and
configure the following fields:
• IP Address. Enter the Static IP address assigned to you, that identifies the VPN firewall to
your ISP.
• Subnet Mask. Enter the mask provided by the ISP or your network administrator.
• Gateway IP Address. Enter the IP address of the ISP’s gateway, provided by the ISP or
your network administrator.
10. If your ISP has not assigned a static IP address, click Get dynamically from ISP. The text
fields will be inactivated.
The ISP will automatically assign an IP address to the VPN firewall using DHCP network
protocol.
2-10 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
11. Review the Domain Name Server (DNS) Servers options.
Figure 2-10
• If your ISP has not assigned any Domain Name Servers (DNS) addresses, click Get
dynamically from ISP.
• If your ISP (or your IT department) has assigned DNS addresses, click Use these DNS
Servers and enter the DNS server IP addresses provided to you in the fields.
12. Click Apply to save any changes to the WAN1 ISP Settings. (Or click Reset to discard any
changes and revert to the previous settings.)
13. Click Test to evaluate your entries.
The VPN firewall will attempt to connect to the NETGEAR Web site. If a successful
connection is made, NETGEAR’s Web site appears.
14. If you intend to use a dual WAN mode, click the WAN2 ISP Settings tab and configure the
WAN2 ISP settings using the same steps as WAN1.
When you are finished, click Logout or proceed to additional setup and management tasks.
Configuring the WAN Mode (Required for Dual WAN)
The dual WAN ports of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN can be
configured on a mutually exclusive basis for either auto-rollover (for increased system reliability)
or load balancing (for maximum bandwidth efficiency), or one port can be disabled.
• Auto-Rollover Mode. The selected WAN interface is made primary and the other is the
rollover link. As long as the primary link is up, all traffic is sent over the primary link. Once
the primary WAN interface goes down, the rollover link is brought up to send the
traffic.Traffic will automatically roll back to the original primary link once the original
primary link is back up and running again.
Connecting the FVS336G to the Internet 2-11
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
If you want to use a redundant ISP link for backup purposes, select the WAN port that will act
as the primary link for this mode. Ensure that the backup WAN port has also been configured
and that you configure the WAN Failure Detection Method to support Auto-Rollover.
• Load Balancing Mode. The VPN firewall distributes the outbound traffic equally among the
WAN interfaces that are functional.
Note: Scenarios could arise when load balancing needs to be bypassed for certain
traffic or applications. If certain traffic needs to travel on a specific WAN
interface, configure protocol binding rules for that WAN interface. The rule
should match the desired traffic.
• Single WAN Port Mode. The selected WAN interface is made primary and the other is
disabled.
For whichever WAN mode you choose, you must also choose either NAT or classical routing, as
explained in the following sections.
Network Address Translation
Network Address Translation (NAT) allows all PCs on your LAN to share a single public Internet
IP address. From the Internet, there is only a single device (the VPN firewall) and a single IP
address. PCs on your LAN can use any private IP address range, and these IP addresses are not
visible from the Internet.
• The VPN firewall uses NAT to select the correct PC (on your LAN) to receive any incoming
data.
• If you only have a single public Internet IP address, you MUST use NAT. (the default setting).
• If your ISP has provided you with multiple public IP addresses, you can use one address as the
primary shared address for Internet access by your PCs, and you can map incoming traffic on
the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping
is configured using an inbound firewall rule.
Classical Routing
In classical routing mode, the VPN firewall performs routing, but without NAT. To gain Internet
access, each PC on your LAN must have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to you, and you have assigned one of
these addresses to each PC, you can choose classical routing. Or, you can use classical routing for
routing private IP addresses within a campus environment.
2-12 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
To learn the status of the WAN ports, you can view the Router Status page (see “Monitoring VPN
Tunnel Connection Status” on page 9-14) or look at the LEDs on the front panel (see “Front Panel
Features” on page 1-6).
Configuring Auto-Rollover Mode
To use a redundant ISP link for backup purposes, ensure that the backup WAN port has already
been configured. Then select the WAN port that will act as the primary link for this mode and
configure the WAN Failure Detection Method to support Auto-Rollover.
When the VPN firewall is configured in Auto-Rollover Mode, it uses the selected WAN Failure
Detection Method to check the connection of the primary link at regular intervals to detect router
status. Link failure is detected in one of the following ways:
• By sending DNS queries to a DNS server, or
• By sending a Ping request to an IP address, or
• None (no failure detection is performed).
From each WAN interface, DNS queries or Ping requests are sent to the specified IP address. If
replies are not received, after a specified number of retries, the corresponding WAN interface is
considered down.
To configure the dual WAN ports for Auto-Rollover
1. Select Network Configuration > WAN Settings from the main menu and click the WAN Mode
tab. The WAN Mode tab is displayed
Connecting the FVS336G to the Internet 2-13
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Figure 2-11
2. In the Port Mode section, select Auto-Rollover Using WAN port.
3. From the pull-down menu, choose which WAN port will act as the primary link for this mode.
4. In the WAN Failure Detection Method section, select one of the following detection failure
methods:
• DNS lookup using ISP DNS Servers. DNS queries are sent to the DNS server configured
on the WAN ISP pages (see “Configuring the Internet Connections” on page 2-4).
• DNS lookup using this DNS Server. Enter a public DNS server. DNS queries are sent to
this server through the WAN interface being monitored.
• Ping to this IP addresses. Enter a public IP address that will not reject the Ping request
and will not consider Ping traffic to be abusive. Queries are sent to this server through the
WAN interface being monitored.
5. Enter a Retry Interval in seconds. The DNS query or Ping is sent periodically after every test
period. The default test period is 30 seconds.
2-14 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
6. Enter the Failover after count. The WAN interface is considered down after the configured
number of queries have failed to elicit a reply. The rollover link is brought up after this. The
Failover default is 4 failures.
The default time to roll over after the primary WAN interface fails is 2 minutes (a 30-second
minimum test period for a minimum of 4 tests).
7. Click Apply to save your settings.
Once a rollover occurs, an alert will be generated (see “E-Mail Notifications of Event Logs and
Alerts” on page 4-33). When the VPN firewall detects that the failed primary WAN interface has
been restored, it will automatically rollover again to the primary WAN interface. Alternatively,
you can manually force traffic back on the original primary WAN interface by reapplying the
Auto-Rollover settings in the WAN Mode menu.
Configuring Load Balancing
To use multiple ISP links simultaneously, select Load Balancing. In Load Balancing mode, either
WAN port will carry any outbound protocol unless protocol binding is configured. When a
protocol is bound to a particular WAN port, all outgoing traffic of that protocol will be directed to
the bound WAN port. For example, if the HTTPS protocol is bound to WAN1 and the FTP
protocol is bound to WAN2, then the VPN firewall will automatically route all outbound HTTPS
traffic from the computers on the LAN through the WAN1 port. All outbound FTP traffic will be
routed through the WAN2 port.
Protocol binding
Protocol binding addresses two issues:
• Segregation of traffic between links that are not of the same speed.
High volume traffic can be routed through the WAN port connected to a high speed link and
low volume traffic can be routed through the WAN port connected to the low speed link.
• Continuity of source IP address for secure connections.
Some services, particularly HTTPS, will cease responding when a client’s source IP address
changes shortly after a session has been established.
To configure the dual WAN ports for load balancing with protocol binding:
1. Select Network >WAN Settings, and click the WAN Mode tab.
2. In the Port Mode section, select Load Balancing.
Connecting the FVS336G to the Internet 2-15
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
3. Click view protocol bindings (if required). The WAN1 Protocol Bindings screen is
displayed.
Figure 2-12
Enter the following data in the Add Protocol Binding options:
a. Service. From the pull-down menu, choose the desired Service or application to be
covered by this rule. If the desired service or application does not appear in the list, you
must define it using the Services menu (see “About Services-Based Rules” on page 4-3).
b. Source Network. These settings determine which computers on your network are affected
by this rule. Select the desired options:
• Any. All PCs and devices on your LAN.
• Single address. Enter the required address and the rule will be applied to that
particular PC.
• Address range. If this option is selected, you must enter the start and finish fields.
• Group 1-Group 8. If this option is selected, the devices assigned to this group will be
affected. (You may also assign a customized name to the group. See Edit Group
Names on the Groups and Hosts menu in the LAN Groups sub-menu.)
c. Destination Network. These settings determine which Internet locations are covered by
the rule, based on their IP address. Select the desired option:
• Any. All Internet IP address are covered by this rule.
• Single address. Enter the required address in the start field.
2-16 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Address range. If this option is selected, you must enter the start and finish fields.
4. Click Add to save this rule.
The new Protocol Binding Rule will be enabled and added to the Protocol Binding Table for
the WAN1 port.
5. Open the WAN2 Protocol Bindings tab and repeat the previous steps to set protocol bindings
for the WAN2 port.
Configuring Dynamic DNS (Optional)
Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses
to be located using Internet domain names. To use DDNS, you must setup an account with a
DDNS provider such as DynDNS.org, TZO.com or Iego.net. (Links to DynDNS, TZO and Iego
are provided for your convenience on the Dynamic DNS Configuration screen.) The VPN
firewall firmware includes software that notifies dynamic DNS servers of changes in the WAN IP
address, so that the services running on this network can be accessed by others on the Internet.
If your network has a permanently assigned IP address, you can register a domain name and have
that name linked with your IP address by public Domain Name Servers (DNS). However, if your
Internet account uses a dynamically assigned IP address, you will not know in advance what your
IP address will be, and the address can change frequently—hence, the need for a commercial
DDNS service, which allows you to register an extension to its domain, and restores DNS requests
for the resulting FQDN to your frequently-changing IP address.
After you have configured your account information in the firewall, whenever your ISP-assigned
IP address changes, your firewall will automatically contact your DDNS service provider, log in to
your account, and register your new IP address.
• For auto-rollover mode, you will need a fully qualified domain name (FQDN) to implement
features such as exposed hosts and virtual private networks regardless of whether you have a
fixed or dynamic IP address.
• For load balancing mode, you may still need a fully qualified domain name (FQDN) either for
convenience or if you have a dynamic IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the
dynamic DNS service will not work because private addresses will not be routed
on the Internet.
Connecting the FVS336G to the Internet 2-17
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
To configure Dynamic DNS:
1. Select Network Configuration > Dynamic DNS from the main menu and click the Dynamic
DNS Configuration tab. The Dynamic DNS Configuration screen is displayed.
Figure 2-13
The Current WAN Mode section reports the currently configured WAN mode. (For example,
Single Port WAN1, Load Balancing or Auto Rollover.) Only those options that match the
configured WAN Mode will be accessible.
2. Select the tab for the DDNS service provider you will use.
2-18 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
3. Click the information or registration link in the upper right corner for registration information.
Figure 2-14:
4. Access the Web site of the DDNS service provider and register for an account (for example,
for dyndns.org, go to http://www.dyndns.org).
5. For each WAN port, click the Yes radio button for Change DNS to <your desired DDNS
service> and configure the active fields:
a. Enter the account information for the service you have chosen (for example, user name,
password, key, or domain).
b. If your DDNS provider allows the use of wild cards in resolving your URL, you may
select the Use wildcards check box to activate this feature. For example, the wildcard
feature will cause *.yourhost.dyndns.org to be aliased to the same IP address as
yourhost.dyndns.org
c. If your WAN IP address does not change often, you may need to force a periodic update to
the DDNS service to prevent your account from expiring. If it appears, you can select the
Update every 30 days check box to enable a periodic update.
6. Click Apply to save your configuration.
Configuring the Advanced WAN Options (Optional)
To configure the Advanced WAN options:
1. Select Network Configuration > WAN Settings from the main menu. The WAN! ISP
Settings screen will display.
Connecting the FVS336G to the Internet 2-19
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
2. Click the Advanced link to the right of the tabs. The WAN1 Advanced Options tab is
displayed (along with the WAN2 Advanced Options tab).
Figure 2-15
3. Edit the default information you want to change.
a. MTU Size. The normal MTU (Maximum Transmit Unit) value for most Ethernet
networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs, you may
need to reduce the MTU. This is rarely required, and should not be done unless you are
sure it is necessary for your ISP connection.
b. Port Speed. In most cases, your VPN firewall can automatically determine the connection
speed of the WAN port. If you cannot establish an Internet connection and the WAN Link
or Speed LED blinks continuously, you may need to manually select the port speed.
AutoSense is the default.
If you know the Ethernet port speed that your broadband modem supports, select it;
otherwise, select 10M. Use the half-duplex settings unless you are sure your broadband
modem supports full duplex.
c. Router's MAC Address. Each computer or router on your network has a unique 32-bit
local Ethernet address. This is also referred to as the computer's MAC (Media Access
Control) address. The default is Use default address. However, if your ISP requires MAC
authentication, then select either of these options:
• Use this Computer's MAC address to have the VPN firewall use the MAC address of
the computer you are now using, or
• Use This MAC Address to manually type in the MAC address that your ISP expects.
2-20 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
The format for the MAC address is 01:23:45:67:89:AB (numbers 0-9 and either uppercase
or lowercase letters A-F). If you select Use This MAC Address and then type in a MAC
address, your entry will be overwritten.
4. Click Apply to save your changes.
Additional WAN Related Configuration
• If you want the ability to manage the firewall remotely , enable remote mana gement at this time
(see “Enabling Remote Management Access” on page 8-10). If you enable remote
management, we strongly recommend that you change your password (see “Changing
Passwords and Administrator Settings” on page 8-8).
• At this point, you can set up the traffic meter for each WAN, if desired. See “Enabling the
Traffic Meter” on page 9-1.
Connecting the FVS336G to the Internet 2-21
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
2-22 Connecting the FVS336G to the Internet
v1.2, June 2008
Chapter 3
LAN Configuration
This chapter describes how to configure the advanced LAN features of your ProSafe Dual WAN
Gigabit Firewall with SSL & IPsec VPN.
This chapter contains the following sections
• “Using the VPN Firewall as a DHCP server” on page 3-1
• “Managing Groups and Hosts (LAN Groups)” on page 3-5
• “Configuring DHCP Address Reservation” on page 3-8
• “Configuring Multi Home LAN IP Addresses” on page 3-9
• “Configuring Static Routes” on page 3-10
• “Configuring Routing Information Protocol (RIP)” on page 3-12
Using the VPN Firewall as a DHCP server
By default, the VPN firewall will function as a DHCP (Dynamic Host Configuration Protocol)
server, allowing it to assign IP, DNS server, WINS Server, and default gateway addresses to all
computers connected to the LAN. The assigned default gateway address is the LAN address of the
VPN firewall. IP addresses will be assigned to the attached PCs from a pool of addresses specified
in this menu. Each pool address is tested before it is assigned to avoid duplicate addresses on the
LAN.
For most applications, the default DHCP and TCP/IP settings of the VPN firewall are satisfactory.
See the link to “Preparing a Computer for Network Access” in Appendix B, “Related Documents”
for an explanation of DHCP and information about how to assign IP addresses for your network.
If another device on your network will be the DHCP server, or if you will manually configure the
network settings of all of your computers, click the Disable DHCP Server radio button.
Otherwise, leave the Enable DHCP server radio button checked.
Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP
Address. These addresses should be part of the same IP address subnet as the VPN firewall’s LAN
IP address. Using the default addressing scheme, you should define a range between 192.168.1.2
and 192.168.1.100, although you may wish to save part of the range for devices with fixed
addresses.
3-1
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
The VPN firewall will deliver the following parameters to any LAN device that requests DHCP:
• An IP Address from the range you have defined.
• Subnet Mask.
• Gateway IP Address (the VPN firewall’s LAN IP address).
• Primary DNS Server (the VPN firewall’s LAN IP address or a user-specified DNS server IP
address in the LAN Setup menu).
• Secondary DNS Server (if you entered a secondary DNS server IP address in the LAN Setup
menu).
• WINS Server (if you entered a WINS server IP address in the LAN Setup menu).
• Lease Time (date obtained and duration of lease).
Configuring the LAN Setup Options
The LAN Setup menu allows configuration of LAN IP services such as DHCP and allows you to
configure a secondary or “multi-home” LAN IP setup in the LAN. The default values are suitable
for most users and situations. These are advanced settings usually configured by a network
administrator.
To modify your LAN setup, follow these steps:
1. Select Network Configuration > LAN Settings from the main menu. The LAN Setup screen
is displayed
3-2 LAN Configuration
v1.2, June 2008
.
Figure 3-1
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
2. In the LAN TCP/IP Setup section, configure the following settings:
• IP Address. The LAN address of your VPN firewall (factory default: 192.168.1.1).
Note: If you change the LAN IP address of the firewall while connected through the
browser, you will be disconnected. You must then open a new connection to
the new IP address and log in again. For example, if you change the default IP
address 192.168.1.1 to 10.0.0.1, you must now enter https://10.0.0.1 in your
browser to reconnect to the Web Configuration Manager.
• IP Subnet Mask. The subnet mask specifies the network number portion of an IP address.
Your VPN firewall will automatically calculate the subnet mask based on the IP address
that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet
mask.
LAN Configuration 3-3
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
3. In the DHCP section, select Enable or Disable DHCP Server.
By default, the VPN firewall will function as a DHCP server, providing TCP/IP configuration
settings for all computers connected to the VPN firewall's LAN. If another device on your
network will be the DHCP server, or if you will manually configure all devices, click Disable
DHCP Server. If the DHCP server is enabled, enter the following parameters:
• Domain Name. (Optional) The DHCP will assign the entered domain to DHCP clients.
• Starting IP Address. Specifies the first of the contiguous addresses in the IP address pool.
Any new DHCP client joining the LAN will be assigned an IP address between this
address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.
• Ending IP Address. Specifies the last of the contiguous addresses in the IP address pool.
The IP address 192.168.1.100 is the default ending address.
Note: The Starting and Ending DHCP addresses should be in the same subnet as
the LAN IP address of the VPN firewall (the IP Address configured in the
LAN TCP/IP Setup section).
• Primary DNS Server. (Optional) If an IP address is specified, the VPN firewall will
provide this address as the primary DNS server IP address. If no address is specified, the
VPN firewall will provide its own LAN IP address as the primary DNS server IP address.
• Secondary DNS Server. (Optional) If an IP address is specified, the VPN firewall will
provide this address as the secondary DNS server IP address.
• WINS Server. (Optional) Specifies the IP address of a local Windows NetBios Server if
one is present in your network.
• Lease Time. Specifies the duration for which a DHCP-provided IP address will be leased
to a client.
• Enable DNS Proxy. When DNS proxy is enabled (the default), the DHCP server will
provide the VPN firewall’s LAN IP address as the DNS server for address name
resolution. If this box is unchecked, the DHCP server will provide the ISP’s DNS server IP
addresses. The VPN firewall will still service DNS requests sent to its LAN IP address
unless you disable DNS Proxy in the firewall settings (see “Attack Checks” on page 4-18).
4. Click Apply to save your settings.
Note: Once you have completed the LAN setup, all outbound traffic is allowed and
all inbound traffic is discarded. To change these default traffic rules, refer to
Chapter 4, “Firewall Protection and Content Filtering.
3-4 LAN Configuration
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Managing Groups and Hosts (LAN Groups)
The Known PCs and Devices table in the LAN Groups menu contains a list of all known PCs
and network devices that are assigned dynamic IP addresses by the VPN firewall, or have been
discovered by other means. Collectively, these entries make up the LAN Groups Database.
The LAN Groups Database is updated by these methods:
• DHCP Client Requests. By default, the DHCP server in this VPN firewall is enabled, and
will accept and respond to DHCP client requests from PCs and other network devices. These
requests also generate an entry in the LAN Groups Database. Because of this, leaving the
DHCP server feature (on the LAN screen) enabled is strongly recommended.
• Scanning the Network. The local network is scanned using ARP requests. The ARP scan will
detect active devices that are not DHCP clients. However, sometimes the name of the PC or
device cannot be accurately determined, and will appear in the database as Unknown.
• Manual Entry. You can manually enter information about a network device.
Some advantages of the LAN Groups Database are:
• Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just
select the desired PC or device.
• No need to reserve an IP address for a PC in the DHCP server. All IP address assignments
made by the DHCP server will be maintained until the PC or device is removed from the
database, either by expiry (inactive for a long time) or by you.
• No need to use a fixed IP on PCs. Because the address allocated by the DHCP server will
never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP
address.
• MAC level control over PCs. The LAN Groups Database uses the MAC address to identify
each PC or device. So changing a PC’s IP address does not affect any restrictions on that PC.
• Group and individual control over PCs.
– You can assign PCs to Groups and apply restrictions to each Group using the Firewall
Rules screen (see “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2).
– You can also select the Groups to be covered by the Block Sites feature (see “Blocking
Internet Sites (Content Filtering)” on page 4-20).
– If necessary, you can also create Firewall Rules to apply to a single PC (see “Configuring
Source MAC Filtering” on page 4-24). Because the MAC address is used to identify each
PC, users cannot avoid these restrictions by changing their IP address.
LAN Configuration 3-5
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• A computer is identified by its MAC address—not its IP address. Hence, changing a
computer’s IP address does not affect any restrictions applied to that PC.
Viewing the LAN Group s Database
To view the LAN Groups Database, follow these steps:
1. Select Network Configuration > LAN Settings from the main menu. The LAN Setup tab
displays.
2. Click the LAN Groups tab. The LAN Groups tab is displayed.
Figure 3-2
The Known PCs and Devices table lists the entries in the LAN Groups Database. For each
computer or device, the following fields are displayed:
• Name. The name of the PC or device. For computers that do not support the NetBIOS
protocol, this will be listed as “Unknown” (you can edit the entry manually to add a
meaningful name). If the computer was assigned an IP address by the DHCP server, then the
Name will be appended by an asterisk.
• IP Address. The current IP address of the computer. For DHCP clients of the VPN firewall,
this IP address will not change. If a computer is assigned a static IP addresses, you will need to
update this entry manually if the IP address on the computer has been changed.
• MAC Address. The MAC address of the PC’s network interface.
• Group. Each PC or device can be assigned to a single group. By default, a computer is
assigned to Group 1, unless a different group is chosen from the Group pull-down menu.
3-6 LAN Configuration
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Action. Allows modification of the selected entry by clicking Edit.
Adding Devices to the LAN Groups Database
To add devices manually to the LAN Groups Database, follow these steps:
1. In the Add Known PCs and Devices section, make the following entries:
• Name. Enter the name of the PC or device.
• IP Address Type. From the pull-down menu, choose how this device receives its IP
address. The choices are:
– Fixed (Set on PC). The IP address is statically assigned on the computer.
– Reserved (DHCP Client). Directs the VPN firewall’s DHCP server to always assign
the specified IP address to this client during the DHCP negotiation (see “Configuring
DHCP Address Reservation” on page 3-8).
Note: When assigning a Reserved IP address to a client, the IP address selected must
be outside the range of addresses allocated to the DHCP server pool.
• IP Address. Enter the IP address that this computer or device is assigned in the IP
Address field. If the IP Address Type is Reserved (DHCP Client), the VPN firewall will
reserve the IP address for the associated MAC address.
• MAC Address. Enter the MAC address of the computer’s network interface in the MAC
Address field. The MAC address format is six colon-separated pairs of hexadecimal
characters (0-9 and A-F), such as 01:23:45:67:89:AB.
• Group. From the pull-down menu, select the LAN Group to which the computer will be
assigned. (Group 1 is the default group.)
2. Click Add. The device will be added to the Known PCs and Devices table.
3. (Optional) To enable DHCP Address Reservation after the entry is in the table, select the
check box for the new table entry and click Save Binding to bind the IP address to the MAC
address for DHCP assignment.
Changing Group Names in the LAN Groups Database
By default, the LAN Groups are named Group1 through Group8. You can rename these group
names to be more descriptive, such as Engineering or Marketing.
To edit the names of any of the eight available groups:
LAN Configuration 3-7
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
1. From the LAN Groups tab, click the Edit Group Names link to the right of the tabs. The
Network Database Group Names tab appears.
Figure 3-3
2. Select the radio button next to any group name to make that name active for editing.
3. Type a new name in the field.
4. Select and edit other group names if desired.
5. Click Apply to save your settings.
Configuring DHCP Address Reservation
When you specify a reserved IP address for a device on the LAN (based on the MAC address of
the device), that computer or device will always receive the same IP address each time it accesses
the VPN firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access
points that require permanent IP address settings. The Reserved IP address that you select must be
outside of the DHCP Server pool.
To reserve an IP address, manually enter the device in the LAN Groups tab, specifying Reserved
(DHCP Client), as described in “Configuring DHCP Address Reservation” on page 3-8.
Note: The reserved address will not be assigned until the next time the PC contacts the
VPN firewall’s DHCP server. Reboot the PC or access its IP configuration and
force a DHCP release and renew.
3-8 LAN Configuration
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring Multi Home LAN IP Addresses
If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or
10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the
Internet through the VPN firewall. This allows the VPN firewall to act as a gateway to additional
logical subnets on your LAN. You can assign the VPN firewall an IP address on each additional
logical subnet.
To add a secondary LAN IP address, follow these steps:
1. Select Network Configuration > LAN Settings from the main menu, and click the LAN Multihoming tab. The LAN Multi-homing screen displays.
Figure 3-4
The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the
VPN firewall.
• IP Address. The “alias,” an additional IP address hosted by the LAN port of the VPN
firewall. This address will be the gateway for computers on the secondary subnet.
• Subnet Mask. The IPv4 subnet mask that defines the range of the secondary subnet.
2. In the Add Secondary LAN IP Address section, enter the additional IP address and subnet
mask to be assigned to the LAN port of the VPN firewall.
3. Click Add. The new Secondary LAN IP address will appear in the A vailable Secondary LAN
IPs table.
Note: IP addresses on these secondary subnets cannot be configured in the DHCP
server. The hosts on the secondary subnets must be manually configured with
IP addresses, gateway IP addresses, and DNS server IP addresses.
LAN Configuration 3-9
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Tip: The secondary LAN IP address will be assigned to the LAN interface of the
VPN firewall and can be used as a gateway by computers on the secondary
subnet.
Configuring Static Routes
Static Routes provide additional routing information to your VPN firewall. Under normal
circumstances, the VPN firewall has adequate routing information after it has been configured for
Internet access, and you do not need to configure additional static routes. You should configure
static routes only for unusual cases such as multiple firewalls or multiple IP subnets located on
your network.
Configuring Static Routes
To add or edit a static route:
1. Select Network Configuration > Routing from the main menu. The Routing screen displays.
Figure 3-5
3-10 LAN Configuration
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
2. Click Add. The Add Static Route tab is displayed.
Figure 3-6
3. Enter a route name for this static route in the Route Name field (for identification and
management).
4. Select Active to make this route effective.
5. Select Private if you want to limit access to the LAN only. The static route will not be
advertised in RIP.
6. Enter the Destination IP Address to the host or network to which the route leads.
7. Enter the IP Subnet Mask for this destination. If the destination is a single host, enter
255.255.255.255.
8. Enter the Interface which is the physical network interface (WAN1, WAN2, or LAN) through
which this route is accessible.
9. Enter the Gateway IP Address through which the destination host or network can be reached
(must be a firewall on the same LAN segment as the firewall).
10. Enter the Metric priority for this route. If multiple routes to the same destination exit, the
route with the lowest metric is chosen (value must be between 1 and 15).
11. Click Apply to save your settings.
The new static route will be added to the Static Route table.
LAN Configuration 3-11
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring Routing Information Protocol (RIP)
RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is
commonly used in internal networks (LANs). It allows a router to exchange its routing information
automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to
changes in the network. RIP is disabled by default.
To configure RIP parameters:
1. Select Network Configuration > Routing from the main menu.
2. Click the RIP Configuration link to the right of the tab. The RIP Configuration menu is
displayed.
Figure 3-7
3. From the RIP Direction pull-down menu, choose the direction in which the VPN firewall will
send and receive RIP packets. The choices are:
• None. The VPN firewall neither broadcasts its route table nor does it accept any RIP
packets from other routers. This effectively disables RIP.
3-12 LAN Configuration
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Both. The VPN firewall broadcasts its routing table and also processes RIP information
received from other routers.
• Out Only. The VPN firewall broadcasts its routing table periodically but does not accept
RIP information from other routers.
• In Only. The VPN fire wall accepts RIP information from other routers, but does not
broadcast its routing table.
4. From the RIP Version pull-down menu, choose the version from the following options:
• RIP-1. A classful routing that does not include subnet information. This is the most
commonly supported version.
• RIP-2. Supports subnet information. Both RIP-2B and RIP-2M send the routing data in
RIP-2 format:
– RIP-2B. Sends the routing data in RIP-2 format and uses subnet broadcasting.
– RIP-2M. Sends the routing data in RIP-2 format and uses multicasting.
5. Authentication for RIP2B/2M required? If you selected RIP-2B or RIP-2M, check YES the
feature, and input the First Key Parameters and Second Key Parameters, MD-5 keys to
authenticate between routers.
6. Click Add to save your settings.
LAN Configuration 3-13
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
3-14 LAN Configuration
v1.2, June 2008
Chapter 4
Firewall Protection and Content Filtering
This chapter describes how to use the content filtering features of the ProSafe Dual WAN Gigabit
Firewall with SSL & IPsec VPN to protect your network.
This chapter contains the following sections:
• “About Firewall Protection and Content Filtering” on page 4-1
• “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2
• “Attack Checks” on page 4-18
• “Blocking Internet Sites (Content Filtering)” on page 4-20
• “Configuring Source MAC Filtering” on page 4-24
• “Configuring IP/MAC Address Binding Alerts” on page 4-26
• “Configuring Port Triggering” on page 4-27
• “Setting a Schedule to Block or Allow Specific Traffic” on page 4-29
• “Configuring a Bandwidth Profile” on page 4-30
• “Configuring Session Limits” on page 4-32
• “E-Mail Notifications of Event Logs and Alerts” on page 4-33
• “Administrator Tips” on page 4-33
About Firewall Protection and Content Filtering
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN provides you with Web content
filtering options, plus browsing activity reporting and instant alerts via e-mail. Network
administrators can establish restricted access policies based on time-of-day, Web addresses and
Web address keywords. You can also block Internet access by applications and services, such as
chat or games.
A firewall is a special category of router that protects one network (the “trusted” network, such as
your LAN) from another (the untrusted network, such as the Internet), while allowing
communication between the two. You can further segment keyword blocking to certain known
groups (see “Managing Groups and Hosts (LAN Groups)” on page 3-5 to set up LAN Groups).
4-1
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
A firewall incorporates the functions of a NAT (Network Address Translation) router, while
adding features for dealing with a hacker intrusion or attack, and for controlling the types of traffic
that can flow between the two networks. Unlike simple Internet sharing NAT routers, a firewall
uses a process called stateful packet inspection to protect your network from attacks and
intrusions. NAT performs a very limited stateful inspection in that it considers whether the
incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far
beyond NAT.
Using Rules to Block or Allow Specific Kinds of Traffic
This section includes the following topics:
• “About Services-Based Rules” on page 4-3
• “Viewing the Rules” on page 4-7
• “Order of Precedence for Rules” on page 4-8
• “Setting the Default Outbound Policy” on page 4-8
• “Creating a LAN WAN Outbound Services Rule” on page 4-9
• “Creating a LAN WAN Inbound Services Rule” on page 4-10
• “Inbound Rules Examples” on page 4-12
• “Outbound Rules Example” on page 4-15
• “Adding Customized Services” on page 4-15
• “Setting Quality of Service (QoS) Priorities” on page 4-17
Firewall rules are used to block or allow specific traffic passing through from one side to the other.
Inbound rules (WAN to LAN) restrict access by outsiders to private resources, selectively allowing
only specific outside users to access specific resources. Outbound rules (LAN to WAN) determine
what outside resources local users can have access to.
A firewall has two default rules, one for inbound traffic and one for outbound traffic. The default
rules of the FVS336G are:
• Inbound. Block all access from outside except responses to requests from the LAN side.
• Outbound. Allow all access from the LAN side to the outside.
User-defined firewall rules for blocking or allowing traffic on the VPN firewall can be applied to
inbound or outbound traffic.
4-2 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
About Services-Based Rules
The rules to block traffic are based on the traffic’s category of service.
• Outbound Rules (service blocking). Outbound traffic is normally allowed unless the firewall
is configured to disallow it.
• Inbound Rules (port forwarding). Inbound traffic is normally blocked by the firewall unless
the traffic is in response to a request from the LAN side. The firewall can be configured to
allow this otherwise blocked traffic.
• Customized Services. Additional services can be added to the list of services in the factory
default list. These added services can then have rules defined for them to either allow or block
that traffic (see “Adding Customized Services” on page 4-15.
• Quality of Service (QoS) priorities. Each service at its own native priority that impacts its
quality of performance and tolerance for jitter or delays. You can change this QoS priority if
desired to change the traffic mix through the system (see “Setting Quality of Service (QoS)
Priorities” on page 4-17).
Outbound Rules (Service Blocking)
The FVS336G allows you to block the use of certain Internet services by PCs on your network.
This is called service blocking or port filtering.
The default policy can be changed to block all outbo und traffic and enable only specific services to
pass through the router. The following Outbound Rules table lists the configured rules for
outgoing traffic. An outbound rule is defined by the following fields:
Table 4-1. Outbound Rules
Item Description
Service Name Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the
Services menu (see “Adding Customized Services” on page 4-15).
Action (Filter) Select the desired action for outgoing connections covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block
Note: Any outbound traffic which is not blocked by rules you create will be allowed by
the Default rule.
ALLOW rules are only useful if the traffic is already covered by a BLOCK rule. That
is, you wish to allow a subset of traffic that is currently blocked by another rule.
Firewall Protection and Content Filtering 4-3
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Table 4-1. Outbound Rules (continued)
Item Description
Action (Select
Schedule)
LAN Users Specifies which computers on your network are affected by this rule. Select the
WAN Users Specifies which Internet locations are covered by the rule, based on their IP address.
QoS Priority Specifies the priority of a service which, in turn, determines the quality of that service
Log This determines whether packets covered by this rule are logged. Select the desired
Bandwidth Profile Specifies the name of a bandwidth limiting profile. Using a bandwidth profile,
NAT IP Specifies whether the source IP address of the outgoing packets should be the W AN
NAT single IP is on: Specifies to which WAN interface the NAT IP address belongs. All outgoing packets
Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be
used by this rule.
• This drop down menu gets activated only when “BLOCK by schedule, otherwise
Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
• Use schedule page to configure the time schedules (see “Setting a Schedule to
Block or Allow Specific Traffic” on page 4 -2 9).
desired options:
• Any – All PCs and devices on your LAN.
• Single address – Enter the required address and the rule will be applied to that
particular PC.
• Address range – If this option is selected, you must enter the start and finish fields.
• Groups – Select the Group to which this rule will apply. Use the LAN Groups screen
(under Network Configuration) to assign PCs to Groups. See “Managing Groups
and Hosts (LAN Groups)” on page 3-5.
Select the desired option:
• Any – All Internet IP address are covered by this rule.
• Single address – Enter the required address in the start field.
• Address range – If this option is selected, you must enter the start and end fields.
for the traffic passing through the firewall. By default, the priority shown is that of the
selected service. The user can change it accordingly. If the user does not make a
selection (leaves it as Normal-Service), then the native priority of the service will be
applied to the policy. See “Setting Quality of Service (QoS) Priorities” on page 4-17.
action:
• Always – always log traffic considered by this rule, whether it matches or not. This
is useful when debugging your rules.
• Never – never log traffic considered by this rule, whether it matches or not.
bandwidth consumed by different connections can be limited. If multiple connections
correspond to the same firewall rule, they will share the same bandwidth limiting. See
“Configuring a Bandwidth Profile” on page 4-30.
interface address or a specified address, which should belong to the WAN subnet.
will be routed through the specified WAN interface only.
4-4 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Note: See “Configuring Source MAC Filtering” on page 4-24 for yet another way to
block outbound traffic from selected PCs that would otherwise be allowed by the
firewall.
Inbound Rules (Port Forwarding)
When the FVS336G uses Network Address Translation (NAT), your network presents only one IP
address to the Internet and outside users cannot directly address any of your local computers.
However, by defining an inbound rule you can make a local server (for example, a Web server or
game server) visible and available to the Internet. The rule tells the firewall to direct inbound
traffic for a particular service to one local server based on the destination port number. This is al so
known as port forwarding.
Whether or not DHCP is enabled, how the PCs will access the server’s LAN address impacts the
Inbound Rules. For example:
• If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP
address may change periodically as the DHCP lease expires. Consider using Dyamic DNS
(under Network Configuration) so that external users can always find your network (see
“Configuring Dynamic DNS (Optional)” on page 2-17.
• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is
rebooted. To avoid this, use the Reserved IP address feature in the LAN Groups menu (under
Network Configuration) to keep the PC’s IP address constant (see “Configuring DHCP
Address Reservation” on page 3-8.
• Local PCs must access the local server using the server’s local LAN address. Attempts by
local PCs to access the server using the external WAN IP address will fail.
Note: See “Configuring Port Triggering” on page 4-27 for yet another way to allow
certain types of inbound traffic that would otherwise be blocked by the
firewall.
Firewall Protection and Content Filtering 4-5
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Table 4-2. Inbound Rules
Item Description
Service Select the desired Service or application to be covered by this rule. If the desired
service or application does not appear in the list, you must define it using the
Services menu (see “Adding Customized Services” on page 4-15).
Action (Filter) Select the desired action for packets covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise Allow
• ALLOW always
• ALLOW by schedule, otherwise Block
Note: Any inbound traffic which is not allowed by rules you create will be blocked by
the Default rule.
Schedule Select the desired time schedule (Schedule1, Schedule2, or Schedule3) that will be
used by this rule (see “Setting a Schedule to Block or Allow Specific Traffic” on
page 4-29).
• This drop down menu gets activated only when “BLOCK by schedule, otherwise
Allow” or “ALLOW by schedule, otherwise Block” is selected as Action.
• Use schedule page to configure the time schedules.
Send to LAN Server Th is field appears only with NAT Routing (not Classical). This LAN address
determines which computer on your network is hosting this service rule. (You can
also translate this address to a port number.)
Translate to Port
Number
WAN Destination IP
Address
LAN users This field appears only with Classical Routing (not NAT). Speci fie s which computers
WAN Users Specifies which Internet locations are covered by the rule, based on their IP
Check this box and enter a port number to assign the LAN Server to a different
service port number. Inbound traffic to the service port will have the destination port
number modified to the port number configured here.
Specifies the destination IP address applicable to incoming traffic.
This is the public IP address that will map to the internal LAN server; it can either be
the address of the WAN1 or WAN2 ports or another public IP address
on your network are affected by this rule. Select the desired options:
• Any – All PCs and devices on your LAN.
• Single address – Enter the required address and the rule will be applied to that
particular PC.
• Address range – If this option is selected, you must enter the start and finish fields.
• Groups – Select the Group to which this rule will apply. Use the LAN Groups screen
(under Network Configuration) to assign PCs to Groups. See “Managing Groups
and Hosts (LAN Groups)” on page 3-5.
addresses. Select the desired option:
• Any – All Internet IP address are covered by this rule.
• Single address – Enter the required address in the start field.
• Address range – If this option is selected, you must enter the start and end fields.
.
4-6 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Table 4-2. Inbound Rules (continued)
Item Description
Log Specifies whether packet s covered by this rule are logged. Select the desired action:
• Always – Always log traffic considered by this rule, whether it matches or not. This
is useful when debugging your rules.
• Never – Never log traffic considered by this rule, whether it matches or not.
Bandwidth Profile Specifies the name of a bandwidth limiting profile. Using a bandwidth profile,
bandwidth consumed by different connections can be limited. If multiple connections
correspond to the same firewall rule, they will share the same bandwidth limiting. See
“Configuring a Bandwidth Profile” on page 4-30.
Note: Some residential broadband ISP accounts do not allow you to run any server
processes (such as a Web or FTP server) from your location. Your ISP may
periodically check for servers and may suspend your account if it discovers any
active services at your location. If you are unsure, refer to the Acceptable Use
Policy of your ISP.
Remember that allowing inbound services opens holes in your VPN firewall. Enable only those
ports that are necessary for your network. We also recommend enabling the server’s application
security and configuring user password or privilege levels, if provided.
Viewing the Rules
To view the firewall rules:
1. Select Security > Firewall Rules from the main menu. The LAN WAN Rules tab appears:
Firewall Protection and Content Filtering 4-7
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Figure 4-1
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu as the last item in the list,
as shown in Figure 4-1. For any traffic attempting to pass through the firewall, the packet
information is subjected to the rules in the order shown in the Rules Table, begi nning at the top and
proceeding to the bottom, before applying the default rule. In some cases, the order of precedence
of two or more rules may be important in determining the disposition of a packet. For example,
you should place the most strict rules at the top (those with the most specific services or
addresses). The Up and Down buttons allow you to relocate a defined rule to a new position in the
table.
Setting the Default Outbound Policy
The Default Outbound Policy is to allow all traffic to the Internet to pass through. Firewall rules
can then be applied to block specific types of traffic from going out from the LAN to the Internet
(Outbound). The default policy of Allow Always can be changed to block all outbound traffic
which then allows you to enable only specific services to pass through the VPN firewall.
4-8 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
To change the Default Outbound Policy, follow these steps:
1. Click the LAN WAN Rules tab, shown in Figure 4-1.
2. Change the Default Outbound Policy by choosing Block Always from the drop-down menu.
3. Click Apply.
Creating a LAN WAN Outbound Services Rule
An outbound rule will block or allow the selected application from an internal IP LAN address to
an external WAN IP address according to the schedule created in the Schedule menu.
You can also tailor these rules to your specific needs (see “Administrator Tips” on page 4-33).
Note: This feature is for Advanced Administrators only! Incorrect configuration will
cause serious problems.
To create a new outbound service rule in the LAN WAN Rules tab:
Firewall Protection and Content Filtering 4-9
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
1. Click Add under the Outbound Services Table. The Add LAN WAN Outbound Service
screen is displayed...
Figure 4-2
2. Configure the parameters based on the descriptions in Table 4-1 on page 4-3.
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be
listed on the Outbound Services table.
Creating a LAN WAN Inbound Services Rule
This Inbound Services Rules table lists all existing rules for inbound traffic. If you have not
defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that
allowing inbound services opens holes in your firewall. Only enable those ports that are necessary
for your network.
To create a new inbound service rule in the LAN WAN Rules tab:
1. Click Add under the Inbound Services Table. The Add LAN WAN Inbound Service screen is
displayed.
4-10 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Figure 4-3
2. Configure the parameters based on the descriptions in Table 4-2 on page 4-6.
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be
listed on the Inbound Services table.
Modifying Rules
To make changes to an existing outbound or inbound service rule:
1. In the Action column adjacent to the rule, do the following:
• Click Edit to make any changes to the rule definition of an existing rule. The Outbound
Service or Inbound Service screen is displayed containing the data for the selected rule.
• Click Up to move the rule up one position in the table rank.
• Click Down to move the rule down one position in the table rank.
Note: Since rules are applied in the order listed (from top to bottom), the order of
the rules may make a difference in how traffic is handled.
Firewall Protection and Content Filtering 4-11
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
2. Check the box adjacent to the rule, then do any of the following:
• Click Enable to enable the rule. The “!” Status icon will turn green.
• Click Disable to disable the policy. A rule can be disabled if not in use and enabled as
needed. Disabling a rule does not delete the configuration, but merely de-activates the
rule. The status circle will change from green to grey, indicating that the rule is disabled.
(By default, when a rule is added to the table it is automatically enabled.)
• Click Delete to delete the rule.
Inbound Rules Examples
LAN WAN Inbound Rule: Hosting A Local Public Web Server
If you host a public W eb ser ver on your local network, you can define a rule to allow inbound Web
(HTTP) requests from any outside IP address to the IP address of your Web server at any time of
day.
In the example shown in Figure 4-4, unrestricted access is provided from the Internet to the local
Web server at LAN IP address 192.168.1.99.
Figure 4-4
4-12 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside
IP addresses, such as from a branch office, you can create an inbound rule.
In the example shown in Figure 4-5, CU-SeeMe connections are allowed to a local host only from
a specified range of external IP addresses. Connections are blocked during the period specified by
Schedule 1.
Figure 4-5
LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping
If you arrange with your ISP to have more than one public IP address for your use, you can use the
additional public IP addresses to map to servers on your LAN. One of these public IP addresses
will be used as the primary IP address of the VPN firewall. This address will be used to provide
Internet access to your LAN PCs through NAT. The other addresses are available to map to your
servers.
Firewall Protection and Content Filtering 4-13
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
In the example shown in Figure 4-6, we have configured multi-NAT to support multiple public IP
addresses on one WAN interface. The inbound rule instructs the VPN firewall to host an
additional public IP address (10.1.0.5) and to associate this address with the Web server on the
LAN (at 192.168.1.2). We also instruct the VPN firewall to translate the incoming HTTP port
number (port 80) to a different port number (port 8080).
The following addressing scheme is used in this example:
• VPN firewall FVS336G
– WAN1 primary public IP address: 10.1.0.1
– WAN1 additional public IP address: 10.1.0.5
– LAN IP address 192.168.1.1
• Web server PC on the VPN firewall’s LAN
– LAN IP address: 192.168.1.11
– Port number for Web service: 8080
Figure 4-6
4-14 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the
Web server should appear.
LAN WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on
the Internet for services that you have not yet defined.
To expose one of the PCs on your LAN as this host:
1. Create an inbound rule that allows all protocols.
2. Place the new rule below all other inbound rules.
Note: For security, NETGEAR strongly recommends that you avoid creating an exposed
host. When a computer on your LAN is designated as the exposed host, it loses
much of the protection of the firewall and is exposed to many exploits from the
Internet. If compromised, the computer can be used to attack your network.
Outbound Rules Example
Outbound rules let you prevent users from using applications such as Instant Messenger, Real
Audio, or other non-essential services.
LAN WAN Outbound Rule: Blocking Instant Messenger
To block Inst ant Messenger usage by employees during working hours, you can create an
outbound rule to block that application from any internal IP address to any external address
according to the schedule that you have created in the Schedule menu. You can also have the
firewall log any attempt to use Instant Messenger during that blocked period.
Adding Customized Services
Services are functions performed by server computers at the request of client computers. For
example, Web servers serve Web pages, time servers serve time and date information, and game
hosts serve data about other players’ moves. When a computer on the Internet sends a request for
service to a server computer, the requested service is identified by a service or port number. This
number appears as the destination port number in the transmitted IP packets. For example, a packet
that is sent with destination port number 80 is an HTTP (Web server) request.
The service numbers for many common protocols are defined by the Internet Engineering Task
Force (IETF) and published in RFC1700, “Assigned Numbers.” Service numbers for other
applications are typically chosen from the range 1024 to 65535 by the authors of the application.
Firewall Protection and Content Filtering 4-15
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Although the FVS336G already holds a list of many service port numbers, you are not limited to
these choices. Use the Services screen to add additional services and applications to the list for use
in defining firewall rules. The Services menu shows a list of services that you have defined, as
shown in Figure 4-7.
To define a new service, you must first determine which port number or range of numbers is used
by the application. This information can usually be determined by contacting the publisher of the
application or from user groups or newsgroups. When you have the port number information, you
can enter it on the Services screen. You can configure up to 125 custom services.
To add a custom service:
1. Select Security > Services from the main menu. The Services screen is displayed..
Figure 4-7
2. In the Add Custom Services section, enter a descriptive name for the service (this name is for
your convenience).
3. Select the Layer 3 transport protocol of the service: TCP, UDP, or ICMP.
4. For TCP or UDP services, enter the first port of the range that the service uses. For ICMP
sevices, enter the ICMP Type number.
5. For TCP or UDP services, enter the last port of the range that the service uses. If the service
only uses a single port number, enter the same number in both fields.
6. Click Add. The new custom service will be added to the Custom Services Table.
Modifying a Service
To edit the parameters of an existing service:
4-16 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
1. In the Custom Services Table, click the Edit button adjacent to the service you want to edit.
The Edit Service screen is displayed.
2. Modify the parameters you wish to change.
3. Click Apply to confirm your changes. The modified service is displayed in the Custom
Services Table.
Setting Quality of Service (QoS) Priorities
The QoS setting determines the priority of a service, which in turn determines the quality of that
service for the traffic passing through the firewall. You can change the QoS Priority:
•On the Services screen in the Custom Services Table for customized services (see Figure 4-7).
•On the Add LAN WAN Outbound Services screen:
Figure 4-8
The QoS priority definition for a service determines the queue that is used for the traffic passing
through the VPN firewall. A priority is assigned to IP packets using this service. Priorities are
defined by the “Type of Service (ToS) in the Internet Protocol Suite” standards, RFC 1349 . A ToS
priority for traffic passing through the VPN firewall is one of the following:
Firewall Protection and Content Filtering 4-17
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Normal-Service. No special priority given to the traffic. The IP packets for services with this
priority are marked with a ToS value of 0.
• Minimize-Cost. Used when the data must be transferred over a link that has a low
transmission cost. The IP packets for this service priority are marked with a ToS value of 1.
• Maximize-Reliability. Used when data needs to travel to the destination over a reliable link
with little or no retransmission. The IP packets for this service priority are marked with a ToS
value of 2.
• Maximize-Throughput. Used when the volume of data transferred during an interval is
important even if the latency over the link is high. The IP packets for services with this priority
are marked with a ToS value of 4.
• Minimize-Delay. Used when the time required for the packet to reach the destination must be
short (low link latency). The IP packets for this service priority are marked with a TOS value
of 8.
Attack Checks
The Attack Checks menu allows you to specify whether or not the VPN firewall should be
protected against common attacks in the LAN and WAN networks. To enable the appropriate
Attack Checks for your environment:
1. Select Security > Firewall Rules from the main menu.
2. Click the Attack Checks tab. The Attack Checks screen is displayed.
4-18 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
.
Figure 4-9
3. Check the boxes for the Attack Checks you wish to monitor. The various types of attack
checks are listed and defined below.
4. Click Apply to save your settings.
The various types of attack checks listed on the Attack Checks screen are:
• WAN Security Checks
– Respond To Ping On Internet Ports—By default, the VPN firewall does not respond to
an ICMP Echo (ping) packet coming from the Internet or WAN side. We recommend that
you leave this option disabled to prevent hackers from easily discovering the VPN firewall
via a ping, but it can be enabled as a diagnostic tool for connectivity problems.
– Enable Stealth Mode—In stealth mode, the VPN firewall will not respond to port scans
from the WAN or Internet, which makes it less susceptible to discovery and attacks.
– Block TCP Flood. A SYN flood is a form of denial of service attack in which an attacker
sends a succession of SYN requests to a target system. When the system responds, the
attacker doesn’t complete the connection, thus saturating the server with half-open
connections. No legitimate connections can then be made.
When blocking is enabled, the VPN firewall will limit the lifetime of partial connections
and will be protected from a SYN flood attack.
• LAN Security Checks
Firewall Protection and Content Filtering 4-19
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
– Block UDP flood—A UDP flood is a form of denial of service attack in which the
attacking machine sends a large number of UDP packets to random ports to the victim
host. As a result, the victim host will check for the application listening at that port, see
that no application is listening at that port, and reply with an ICMP Destination
Unreachable packet.
When the victimized system is flooded, it is forced to send many ICMP packets,
eventually making it unreachable by other clients. The attacker may also spoof the IP
address of the UDP packets, ensuring that the excessive ICMP return packets do not reach
him, making the attacker’s network location anonymous.
If flood checking is enabled, the VPN firewall will not accept more than 20 simultaneous,
active UDP connections from a single computer on the LAN.
– Disable Ping Reply on LAN Ports. T o prevent the VPN firewall from responding to Ping
requests from the LAN, click this checkbox.
– Disable DNS Proxy. Whether DNS Proxy is enabled or disabled in the DHCP server
configuration (see “Configuring the LAN Setup Options” on page 3-2), the VPN firewall
will service DNS requests sent to its own LAN IP address. To disable this service, check
this checkbox.
• VPN Pass through—When the FVS336G is in NAT mode, all packets going to the Remote
VPN Gateway are first filtered through NAT and then encrypted per the VPN policy.
If a VPN client or gateway on the LAN side of the VPN firewall wants to connect to another
VPN endpoint on the WAN, with the FVS336G between the two VPN end points, all
encrypted packets will be sent to the FVS336G. Since the FVS336G filters the encrypted
packets through NAT, the packets become invalid.
IPSec, PPTP, and L2TP represent different types of VPN tunnels that can pass through the
FVS336G. T o allow the VPN traf fic to pass through without filtering, enable those options for
the type of tunnel(s) that will pass through the FVS336G.
Blocking Internet Sites (Content Filtering)
To restrict internal LAN users from access to certain sites on the Internet, you can use the VPN
firewall’s Content Filtering and Web Components filtering. By default, these features are disabled;
all requested traffic from any Web site is allowed. If you enable one or more of these features and
users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
Several types of blocking are available:
4-20 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Web Componen ts blocking. You can filter the following Web Component types: Proxy, Java,
ActiveX, and Cookies. For example, by enabling Java filtering, “Java” files will be blocked.
Certain commonly used web components can be blocked for increased security. Some of these
components are can be used by malicious websites to infect computers that access them.
– Proxy. A proxy server (or simply, proxy) allows computers to route connections to other
computers through the proxy, thus circumventing certain firewall rules. For example, if
connections to a specific IP address are blocked by a firewall rule, the requests can be
routed through a proxy that is not blocked by the rule, rendering the restriction ineffective.
Enabling this feature blocks proxy servers.
– Java. Blocks java applets from being downloaded from pages that contain them. Java
applets are small programs embedded in web pages that enable dynamic functionality of
the page. A malicious applet can be used to compromise or infect computers. Enabling this
setting blocks Java applets from being downloaded.
– ActiveX. Similar to Java applets, ActiveX controls install on a Windows computer
running Internet Explorer. A malicious ActiveX control can be used to compromise or
infect computers. Enabling this setting blocks ActiveX applets from being downloaded.
– Cookies. Cookies are used to store session information by websites that usually require
login. However, several websites use cookies to store tracking information and browsing
habits. Enabling this option filters out cookies from being created by a website..
Note: Many websites require that cookies be accepted in order for the site to be
accessed properly. Blocking cookies may interfere with useful functions
provided by these websites.
• Keyword Blocking (Domain Name Blocking). You can specify up to 32 words that, should
they appear in the Web site name (URL) or in a newsgroup name, will cause that site or
newsgroup to be blocked by the VPN firewall.
You can apply the keywords to on e or more groups. Requests from the PCs in the groups for
which keyword blocking has been enabled will be blocked. Blocking does not occur for the
PCs that are in the groups for which keyword blocking has not been enabled.
You can bypass Keyword block ing for trusted domains by adding the exact ma tching domain
to the list of Trusted Domains. Access to the domains or keywords on this list by PCs, even
those in the groups for which keyword blocking has been enabled, will still be allowed without
any blocking.
Firewall Protection and Content Filtering 4-21
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Keyword application examples:
• If the keyword “XXX” is specified, the URL <http://www.badstuff.com/xxx.html> is blocked,
as is the newsgroup alt.pictures.XXX.
• If the keyword “.com” is specified, only Web sites with other domain suffixes (such as .edu or
.gov) can be viewed.
• To block all Internet browsing access, enter the keyword “.”.
To enable Content Filtering:
1. Select Security > Block Sites from the main menu. The Block Sites screen is displayed.
4-22 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
.
Figure 4-10
2. Select Yes to enable Content Filtering.
3. Click Apply to activate the menu controls.
Firewall Protection and Content Filtering 4-23
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
4. Select any Web Components you wish to block and click Apply.
5. Select the groups to which Keyword Blocking will apply, then click Enable to activate
Keyword blocking (or disable to deactivate Keyword Blocking).
6. Enter your list of blocked Keywords or Domain Names in the Blocked Keyword fields. After
each entry , click Add. The Keyword or Domain name will be added to the Blocked Keywords
table. (You can also edit an entry by clicking Edit in the Action column adjacent to the entry.)
7. In the Add Trusted Domain table, enter the name(s) of any domain for which the keyword
filtering will be bypassed and click Add. The Trusted Domain will appear in the Trusted
Domains table and will be exempt from filtering.
Configuring Source MAC Filtering
Source MAC Filter will drop or allow the Internet-bound traffic received from PCs with specified
MAC addresses.
• By default, the source MAC address filter is disabled. Traffic received from any MAC address
is allowed.
• When the source MAC address filter is enabled, outbound Internet traffic will be filtered using
the MAC Addresses list in this menu. You can choose to block MAC addresses in the list or to
allow only those addresses in the list.
Note: For additional ways of restricting outbound traffic, see “Outbound Rules
(Service Blocking)” on page 4-3
To enable MAC filtering and add MAC addresses to be blocked:
1. Select Security > Source MAC Filter from the main menu. The Source MAC Filter screen is
displayed.
4-24 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Figure 4-11
2. Click Yes to enable Source MAC Filtering.
3. Select the action to be taken on outbound traffic from the listed MAC addresses:
– Block this list and permit all other MAC addresses
– Permit this list and block all other MAC addresses
4. Enter a MAC Address in the Add Source MAC Address box and click Add. The MAC
address will appear in the MAC Addresses table. Repeat this process to add additional MAC
addresses.
A valid MAC address is six colon-separated pairs of hexadecimal digits (0 to 9 and a to f). For
example: 01:23:45:ab:cd:ef.
5. Click Add. The MAC address will be added to the MAC Addresses table.
6. Click Apply to save your settings.
To remove an entry from the table, select the MAC address entry and click Delete.
Firewall Protection and Content Filtering 4-25
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring IP/MAC Address Binding Alerts
You can configure the FVS336G to drop packets and generate an alert when a device appears to
have hijacked or spoofed another device’s IP address. An IP address can be bound to a specific
MAC address either by using a DHCP reserved address (see “Configuring DHCP Address
Reservation” on page 3-8) or by manually binding in the IP/MAC Binding menu.
To enable IP/MAC address binding enforcement and alerts:
1. Select Security > Address Filter from the main menu. The Source MAC Filter screen will
display.
2. Select the IP/MAC Binding tab to display the IP/MAC Binding menu.
Figure 4-12
The IP/MAC Bindings table displays existing bindings.
3. In the Email IP/MAC Violations frame, check the Yes radio button to enable IP/MAC address
binding enforcement and alerts. Email alerts must be enabled (see “E-Mail Notifications of
Event Logs and Alerts” on page 4-33).
4. Click Apply.
4-26 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
5. To add a manual binding entry, enter the following data in the Add IP/MAC Bindings
section:
a. Enter a Name for the bound host device.
b. Enter the MAC Address and IP Address to be bound. A valid MAC address is six colon-
separated pairs of hexadecimal digits (0 to 9 and a to f). For example: 01:23:45:ab:cd:ef.
c. From the pull-down list, select whether dropped packets should be logged to a special
counter. To view the counter, click the Set Poll Interval link at the top of the menu.
6. Click Apply. The specified binding will be added to the list.
Configuring Port Triggering
Port triggering allows some applications to function correctly that would otherwise be partially
blocked by the firewall when the router is in NAT mode. Some applications require that when
external devices connect to them, they receive data on a specific port or range of ports. The router
must send all incoming data for that application only on the required port or range of ports. Using
this feature requires that you know the port numbers used by the application.
Port triggering allows computers on the private network (LAN) to request that one or more ports
be forwarded to them. Unlike basic port forwarding which forwards ports to only one
preconfigured IP address, port triggering waits for an outbound request from the private network
on one of the defined outgoing ports. It then automatically sets up forwarding to the IP address that
sent the request. When the application ceases to transmit data over the port, the router waits for a
timeout interval and then closes the port or range of ports, making them available to other
computers on the private network.
Once configured, port triggering operates as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. The VPN firewall records this connection, opens the additional incoming port or ports
associated with this entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC’s request and responds using the different port numbers
that you have now opened.
4. The VPN firewall matches the response to the previous request, and forwards the response to
the PC.
Without Port Triggering, this response would be treated as a new connection request rather than a
response. As such, it would be handled in accordance with the inbound service rules.
Firewall Protection and Content Filtering 4-27
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Note these restrictions with Port Triggering:
• Only one PC can use a port triggering application at any time.
• After a PC has finished using a port triggering application, there is a time-out period before the
application can be used by another PC. This is required because the VPN firewall cannot be
sure when the application has terminated.
Note: For additional ways of allowing inbound traffic, see “Inbound Rules (Port
Forwarding)” on page 4-5.
To add a port triggering rule:
1. Select Security > Port Triggering from the main menu. The Port Triggering screen is
displayed..
Figure 4-13
2. Enter a user-defined name for this rule in the Name field.
3. From the Enable pull-down menu, indicate if the rule is enabled or disabled.
4. From the Protocol pull-down menu, choose either TCP or UDP transport protocol.
5. In the Outgoing (Trigger) Port Range fields:
a. Enter the Start Port range (1 - 65534).
b. Enter the End Port range (1 - 65534).
6. In the Incoming (Response) Port Range fields:
4-28 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
a. Enter the Start Port range (1 - 65534).
b. Enter the End Port range (1 - 65534).
7. Click Add. The port triggering rule will be added to the Port Triggering Rules table.
To check the status of the port triggering rules, click the Status option arrow to the right of the tab
on the Port Triggering screen. The following data is displayed:
• Rule – The name of the port triggering rule.
• LAN IP Address – The IP address of the PC currently using this rule.
• Open Ports – The incoming ports associated with this rule. Incoming traffic using these ports
will be sent to the LAN IP address above.
• Time Remaining – The time remaining before this rule is released, and th us available for other
PCs. The timer is reset whenever incoming or outgoing traffic is received.
Setting a Schedule to Block or Allow Specific Traffic
If you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when
blocking occurs or when access is restricted. The firewall allows you to specify when blocking
will be enforced by configuring one of the Schedules—Schedule 1, Schedule 2 or Schedule 3.
The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time and date from
one of several Network Time Servers on the Internet.
To invoke rules and block keywords or Internet domains based on a schedule:
1. Select Security > Schedule from the main menu. The Schedule 1 screen is displayed.
Firewall Protection and Content Filtering 4-29
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
.
Figure 4-14
2. Schedule days by selecting either the All Days radio button or the Specific Days radio button.
If you selected Specific Days, specify which days.
3. Select the time of day radio button: either All Day to limit access completely for the selected
days, or Specific Times to limit access for a period during the selected days.
If you select Specific Times, enter the Start Time and End Time for this schedule in the
appropriate fields.
4. Click Apply to save your settings to Schedule 1.
Repeat this procedure to set schedules for Schedule 2 and Schedule 3.
Configuring a Bandwidth Profile
To prevent one user or group from using excessive inbound or outbound bandwidth, you can
define a bandwidth profile to set a minimum and maximum bandwidth for an individual or group.
You can apply a defined profile in a firewall rule to limit specific protocols or all traffic (see
“Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2).
To create a bandwidth profile:
4-30 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
1. Select Security from the main menu and Bandwidth Profile from the submenu. The
Bandwidth Profile menu will display.
Figure 4-15
The List of Bandwidth Profiles displays existing profiles.
2. T o create a new bandwidth profile, click add. The Add Bandwidth Profile menu will display.
Figure 4-16
3. Enter the following data in the Add IP/MAC Bindings section:
a. Enter a Profile Name. This name will become available in the firewall rules definition
menus.
b. Enter the Minimum Bandwidth and Maximum Bandwidth to be allowed.
c. From the Type pull-down box, select whether the profile will apply to a group or
individual.
Firewall Protection and Content Filtering 4-31
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
d. From the Direction pull-down box, select whether the profile will apply to outbound or
inbound traffic.
4. Click Apply. The new bandwidth profile will be added to the list.
Configuring Session Limits
To prevent one user or group from using excessive system resources, you can limit the total
number of IP sessions allowed through the FVS336G for an individual or group. You can specify
the maximum number of sessions by either a percentage of maximum sessions or an absolute
number of maximum sessions. Session limiting is disabled by default.
To configure session limits:
1. Select Security from the main menu.
2. Select Address Filter from the submenu. The Source MAC Filter screen will display.
3. Select the Session Limits tab. The Session Limits menu will display.
Figure 4-17
4. Click Yes to enable Session Limits.
4-32 Firewall Protection and Content Filtering
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
5. In the pull-down menu, select whether you will limit sessions by percentage or by absolute
number. The percentage is computed based on the total connection capacity of the
device.When setting a limit based on absolute number, note that some protocols (for example,
FTP and RSTP) create two sessions per connection.
6. Click Apply.
To monitor session limiting, return to this menu periodically and check the display of Total
Number of Packets Dropped due to Session Limit, which indicates that session limits have been
reached.
E-Mail Notifications of Event Logs and Alerts
The Firewall Logs can be configured to log and then e-mail denial of access, general attack
information, and other information to a specified e-mail address. For example, your VPN firewall
will log security-related events such as: accepted and dropped packets on different segments of
your LAN; denied incoming and outgoing service requests; hacker probes and login attempts; and
other general information based on the settings you input on the Firewall Logs & E-mail menu. In
addition, if you have set up Content Filtering on the Block Sites screen (see “Blocking Internet
Sites (Content Filtering)” on page 4-20), a log will be generated when someone on your network
tries to access a blocked site.
To configure e-mail or syslog notification, or to view the logs, see “Activating Notification of
Events and Alerts” on page 9-4.
Administrator Tips
Consider the following operational items:
1. As an option, you can enable remote management if you have to manage distant sites from a
central location (see “Enabling Remote Management Access” on page 8-10).
2. Although rules (see “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2)
are the basic way of managing the traffic through your system, you can further refine your
control with the following optional features of the VPN firewall:
• Groups and hosts (see “Managing Groups and Hosts (LAN Groups)” on page 3-5)
• Services (see “About Services-Based Rules” on page 4-3)
• Schedules (see “Setting a Schedule to Block or Allow Specific Traffic” on page 4-29)
Firewall Protection and Content Filtering 4-33
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Block sites (see “Blocking Internet Sites (Content Filtering)” on page 4-20)
• Source MAC filtering (see “Configuring Source MAC Filtering” on page 4-24)
• Port triggering (see “Configuring Port Triggering” on page 4-27)
4-34 Firewall Protection and Content Filtering
v1.2, June 2008
Chapter 5
Virtual Private Networking Using IPsec
This chapter describes how to use the IPsec virtual private networking (VPN) features of the
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN to provide secure, encrypted
communications between your local network and a remote netw ork or computer.
This chapter contains the following sections:
• “Considerations for Dual WAN Port Systems” on page 5-1
• “Configuring an IPsec VPN Connection using the VPN Wizard” on page 5-4
• “Managing VPN Tunnel Policies” on page 5-13
• “Creating a VPN Client Connection: VPN Client to FVS336G” on page 5-16
• “Configuring Extended Authentication (XAUTH)” on page 5-19
• “Manually Assigning IP Addresses to Remote Users (ModeConfig)” on page 5-23
• “Configuring Keepalives and Dead Peer Detection” on page 5-29
• “Configuring NetBIOS Bridging with VPN” on page 5-31
Considerations for Dual WAN Port Systems
If both of the WAN ports of the VPN firewall are configured, you can enable either Auto-Rollover
mode for increased system reliability or Load Balancing mode for optimum bandwidth efficiency.
The WAN mode selection determines how several of the VPN features must be configured.
Refer to “Virtual Private Networks (VPNs)” on page C-10 for an overview of the IP addressing
requirements for VPN in the two dual WAN modes. To aid in determining the WAN addressing
requirements (FQDN or IP address) for your VPN tunnel in either dual W AN mode, see Table 5-1.
Table 5-1. IP Addressing for VPNs in Dual WAN Port Systems
Configuration and WAN IP address Rollover Mode
VPN Road Warrior
(client-to-gateway)
Fixed FQDN required Allowed (FQDN optional)
Dynamic FQDN required FQDN required
v1.2, June 2008
a
Load Balancing Mode
5-1
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Table 5-1. IP Addressing for VPNs in Dual WAN Port Systems
Configuration and WAN IP address Rollover Mode
VPN Gateway-to-Gateway Fixed FQDN required Allowed (FQDN optional)
Dynamic FQDN required FQDN requ ired
VPN Telecommuter
(client-to-gateway through
a NAT router)
a. All tunnels must be re-established after a rollover using the new WAN IP address.
Fixed FQDN required Allowed (FQDN optional)
Dynamic FQDN required FQDN requ ired
a
Load Balancing Mode
Tip: When configuring VPN for a dual WAN port network, use the VPN Wizard to
configure the basic parameters and then edit the VPN and IKE Policy menus for the
specific VPN application, if necessary.
Figure 5-1 shows the WAN Mode setup screen for Auto-Rollover Mode using WAN port 1 as the
primary WAN port. The WAN mode configuration is described in “Configuring the WAN Mode
(Required for Dual WAN)” on page 2-11.
Figure 5-1
5-2 Virtual Private Networking Using IPsec
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
The use of fully qualified domain names is:
• Mandatory when the WAN ports are in rollover mode (Figure 5-2 on page 5-3); also required
for the VPN tunnels to fail over.
• Mandatory when the WAN ports are in load balancing mode and the IP addresses are dynamic
(Figure 5-3 on page 5-3)
• Optional when the WAN ports are in load balancing mode if the IP addresses are static
(Figure 5-3 on page 5-3)
For instructions on how to select and configure a dynamic DNS service for resolving your FQDNs,
see “Configuring Dynamic DNS (Optional)” on page 2-17.
FVS336G Functional Block Diagra
FVS336G Firewall
Rest of
FVS336G
Functions
Figure 5-2
FVS336G Functional Block Diagram – Load Balancing
FVS336G Firewall
Rest of
FVS336G
Functions
Figure 5-3
FVS336G
WAN Port
Functions
FVS336G
WAN Port
Functions
m – Auto-Rollover
FVS336G
Rollover
Control
WAN 1 Port
Load
Balancing
Control
WAN 2 Port
WAN 1 Port
WAN 2 Port
FQDN required (same for BOTH
WAN ports)
FQDN required (dynamic IP addresses)
FQDN optional (static IP addresses)
Internet
Internet
Virtual Private Networking Using IPsec 5-3
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring an IPsec VPN Connection using the VPN Wizard
Configuring a VPN tunnel connection requires that all settings and parameters on both sides of the
VPN tunnel match or mirror each other precisely, which can be a daunting task. The VPN Wizard
efficiently guides you through the setup procedure with a series of questions that will determine
the IPsec keys and VPN policies it sets up. Using the information you provide, the VPN Wizard
will automatically configure the parameters for the network connection: Security Association,
traffic selectors, authentication algorithm, and encryption.The choices made by the VPN Wizard
are based on the recommended practices of the VPN Consortium (VPNC), an organization that
promotes multi-vendor VPN interoperability. You will be able to view the suggested VPNC
recommendations on the VPN Wizard summary page before establishing a VPN tunnel
connection.
Creating a VPN Tunnel to a Gateway
To set up a Gateway-to-Gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPsec VPN from the main menu.
2. Click the VPN Wizard tab.The VPN Wizard screen is displayed.
5-4 Virtual Private Networking Using IPsec
v1.2, June 2008
Loading...