Univex FVS336G User Manual
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
NETGEAR, Inc.
4500 Great America Parkway
Santa Clara, CA 95054 USA
June 2008
202-10257-02
v1.2
© 2008 by NETGEAR, Inc. All rights reserved.
Trademarks
NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc.
Microsoft, Windows, and Wi ndows NT are registered trademarks of Microsoft Corporation. Other brand and product
names are registered trademarks or trademarks of their respective holders.
Statement of Conditions
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to
make changes to the products described in this document without notice.
NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit
layout(s) described herein.
Federal Communications Commission (FCC) Compliance Notice: Radio Frequency
Notice
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to
part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a
residential installation. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and
used in accordance with the instruct ions, may cause harmf ul interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful interference to
radio or television reception, which can be determined by turning the equipment off and on, the user is encouraged to try
to correct the interference by one or more of the following measures:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and receiver.
• Connect the equipment into an outlet on a circuit different from that to which the receiver is connected.
• Consult the dealer or an experienced radio/TV technician for help.
EU Regulatory Compliance Statement
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN is compliant with the following EU Council
Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022
Class B, EN55024 and EN60950-1.
Bestätigung des Herstellers/Importeurs
Es wird hiermit bestätigt, daß das ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN gemäß der im BMPTAmtsblVfg 243/1991 und Vfg 46/1992 aufgeführten Bestimmungen entstört ist. Das vorschriftsmäßige Betreiben
einiger Geräte (z.B. Testsender) kann jedoch gewissen Beschränkungen unterliegen. Lesen Sie dazu bitte die
Anmerkungen in der Betriebsanleitung.
Das Bundesamt für Zulassungen in der Telekommunikation wurde davon unterrichtet, daß dieses Gerät auf den Markt
gebracht wurde und es ist berechtigt, die Serie auf die Erfüllung der Vorschriften hin zu überprüfen.
Certificate of the Manufacturer/Importer
It is hereby certified that the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN has been suppressed
in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some
ii
1.2, June 2008
equipment (for example, test transmitters) in accordance with the regulations may, howe v er, be subject to certain
restrictions. Please refer to the notes in the operating instructions.
Federal Office for Telecommunications Approvals has been notified of the placing of this equipment on the market
and has been granted the right to test the series for compliance with the regulations.
Voluntary Control Council for Interference (VCCI) Statement
This equipment is in the second category (information equipment to be used in a residential area or an adjacent area
thereto) and conforms to the standards set by the Voluntary Control Council for Interference by Data Processing
Equipment and Electronic Office Machines aimed at preventing radio interference in such residential areas.
When used near a radio or TV receiver , it may become the cause of radio interference.
Read instructions for correct handling.
Additional Copyrights
AES Copyright (c) 2001, Dr Brian Gladman <brg@gladman.uk.net>, Worcester, UK.
All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted
subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. The copyright holder's name must not be used to endorse or promote any products
derived from this software without his specific prior written permission.
This software is provided 'as is' with no express or implied warranties of correctness or fitness
for purpose.
1.2, June 2008
iii
Open SSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions * are met:
1. Redistributions of source code must retain the above copyright notice, this list of conditions
and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the
following acknowledgment: “This product includes software developed by the OpenSSL
Project for use in the OpenSSL Toolkit. (http://www.openssl.org/)”
4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to endorse or
promote products derived from this software without prior written permission. For written
permission, please contact openssl-core@openssl.org.
5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL"
appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: "This
product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/)"
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com). This
product includes software written by Tim Hudson (tjh@cryptsoft.com).
MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the "RSA Data
Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this
software or this function. License is also granted to make and use derivative works provided
that such works are identified as "derived from the RSA Data Security, Inc. MD5 MessageDigest Algorithm" in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of
this software or the suitability of this software for any particular purpose. It is provided "as is"
without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or
software.
iv
1.2, June 2008
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above
copyright notice and this paragraph are duplicated in all such forms and that any
documentation, advertising materials, and other materials related to such distribution and use
acknowledge that the software was developed by Carnegie Mellon University. The name of
the University may not be used to endor s e or promote products derive d from th i s software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib zlib.h -- interface of the 'zlib' general purpose compression library version 1.1.4, March 11th,
2002. Copyright (C) 1995-2002 Jean-loup Gailly and Mark Adler.
This software is provided 'as-is', without any express or implied warranty. In no event will the
authors be held liable for any damages arising from the use of this software. Permission is
granted to anyone to use this software for any purpose, including commercial applications,
and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote
the original software. If you use this software in a product, an acknowledgment in the
product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented
as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: jloup@gzip.org; Mark Adler: madler@alu mni.caltech.edu
The data format used by the zlib library is described by RFCs (Request for Comments) 1950
to 1952 in the files ftp://ds.internic.net/rfc/rfc1950.txt
and rfc1952.txt (gzip format)
(zlib format), rfc1951.txt (deflate format)
Product and Publication Details
Model Number: FVS336G
Publication Date: June 2008
Product Family: VPN Firewall
Product Name: ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN
Home or Business Product: Business
Language: English
Publication Part Number: 202-10257-02
Publication Version Number 1.2
1.2, June 2008
v
vi
1.2, June 2008
Contents
About This Manual
Conventions, Formats, and Scope ..................................................................................xiii
How to Use This Manual ..................................................................................................xiv
How to Print this Manual ..................................................................................................xiv
Revision History ..................... ... .......................................... .......................................... ...xv
Chapter 1
Introduction
Key Features ..................................................................................................................1-1
Dual WAN Ports for Increased Reliability or Outbound Load Balancing ..................1-2
Advanced VPN Support for Both IPsec and SSL .....................................................1-2
A Powerful, True Firewall with Content Filtering ......................................................1-3
Autosensing Ethernet Connections with Auto Uplink ...............................................1-3
Extensive Protocol Support ......................................................................................1-4
Easy Installation and Management ................................................................................1-4
Maintenance and Support ............................... ... ... ... .... ... ... ... .... ... ... ... .... ... ... ..................1-5
Package Contents ..........................................................................................................1-5
Front Panel Features ......................................................................................................1-6
Rear Panel Features ......................................................................................................1-7
Default IP Address, Login Name, and Password Location .............................. ............... 1-8
Qualified Web Browsers .................................................................................................1-8
Chapter 2
Connecting the FVS336G to the Internet
Understanding the Connection Steps .............................................................................2-1
Logging into the VPN Firewall Router ............................. ... ... .... ... ... ... .... ... ... ..................2-2
Navigating the Menus .....................................................................................................2-4
Configuring the Internet Connections ............................................................................. 2-4
Automatically Detecting and Connecting ............................... ... ...............................2-4
Manually Configuring the Internet Connection ... .... ... ... ... .........................................2-8
Configuring the WAN Mode (Required for Dual WAN) .... ... ....................................... ...2-11
v1.2, June 2008
vii
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Network Address Translation .................................................................................2-12
Classical Routing ...................................................................................................2-12
Configuring Auto-Rollover Mode ............................................................................2-13
Configuring Load Balancing ...................................................................................2-15
Configuring Dynamic DNS (Optional) ...........................................................................2-17
Configuring the Advanced WAN Options (Optional) ............................................... ...... 2-19
Additional WAN Related Configuration ..................................................................2-21
Chapter 3
LAN Configuration
Using the VPN Firewall as a DHCP server ................... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ..... 3-1
Configuring the LAN Setup Options ...............................................................................3-2
Managing Groups and Hosts (LAN Groups) ...................................................................3-5
Viewing the LAN Groups Database .........................................................................3-6
Changing Group Names in the LAN Groups Database ...........................................3-7
Configuring DHCP Address Reservation ........................................................................3-8
Configuring Multi Home LAN IP Addresses ....................................................................3-9
Configuring Static Routes .............................................................................................3-10
Configuring Static Routes .......................................................................................3-10
Configuring Routing Information Protocol (RIP) .............. ... ... .... ... ... ... .... ... ... ... ... .... ... ...3-12
Chapter 4
Firewall Protection and Content Filtering
About Firewall Protection and Content Filtering .............................................................4-1
Using Rules to Block or Allow Specific Kinds of Traffic ..................................................4-2
About Services-Based Rules ...................................................................................4-3
Viewing the Rules ....................................................................................................4-7
Order of Precedence for Rules ................................................................................4-8
Setting the Default Outbound Policy ............................ ... .... ... ... ... .... ... ... ... ... .... ... ... ..4-8
Creating a LAN WAN Outbound Services Rule .......................................................4-9
Creating a LAN WAN Inbound Services Rule ........................................................4-10
Inbound Rules Examples .......................................................................................4-12
Outbound Rules Example .................................. .... ... ... ... .... ... ................................4-15
Adding Customized Services .................................................................................4-15
Setting Quality of Service (QoS) Priorities ............................................................. 4-17
Attack Checks ................. .... ... ....................................... ... ... ... .... ... ... .............................4-18
Blocking Internet Sites (Content Filtering) ....................................................................4-20
viii
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Configuring Source MAC Filtering ................................................................................4-24
Configuring IP/MAC Address Binding Alerts ................................................................4-26
Configuring Port Triggering ...........................................................................................4-27
Setting a Schedule to Block or Allow Specific Traffic .................................... ... ... .... ... ...4-29
Configuring a Bandwidth Profile ...................................................................................4-30
Configuring Session Limits ...........................................................................................4-32
E-Mail Notifications of Event Logs and Alerts ......................................... ......................4-33
Administrator Tips .........................................................................................................4-33
Chapter 5
Virtual Private Networking Using IPsec
Considerations for Dual WAN Port Systems ..................................................................5-1
Configuring an IPsec VPN Connection using the VPN Wizard ......................................5-4
Creating a VPN Tunnel to a Gateway ......................................................................5-4
Creating a VPN Tunnel Connection to a VPN Client ................................... .... ... ..... 5-8
Managing VPN Tunnel Policies .......................................... ... .... ... ... ... .... ... ... ... ... .... ... ...5-13
About IKE ...............................................................................................................5-13
Managing IKE Policies .............................. .......................................... ... ... ... ..........5-13
About the IKE Policy Table .....................................................................................5-14
VPN Policy ............................ .... ... ... ... .... ... ....................................... ... ... ... ... .... ... ...5-14
VPN Tunnel Connection Status ..............................................................................5-16
Creating a VPN Client Connection: VPN Client to FVS336G .......................... ....... ... ...5-16
Configuring the FVS336G ......................................................................................5-17
Configuring the VPN Client ................................ .... ... ... ... .... ...................................5-17
Testing the Connection ...........................................................................................5-19
Configuring Extended Authentication (XAUTH) ............................................................5-19
Configuring XAUTH for VPN Clients ......................................................................5-20
User Database Configuration .... ... ... ... .... .......................................... ... ... ... .............5-21
RADIUS Client Configuration .................................................................................5-21
Manually Assigning IP Addresses to Remote Users (ModeConfig) .......... ... ... ... .... ... ...5-23
Mode Config Operation ...... .......................................... ..........................................5-23
Configuring the VPN Firewall .......... .......................................... ... .... ... ... ... ... .... ... ...5-24
Configuring the ProSafe VPN Client for ModeConfig .......................................... ...5-27
Configuring Keepalives and Dead Peer Detection .......................................................5-29
Configuring Keepalive ............................................................................................5-29
Configuring NetBIOS Bridging with VPN ......................................................................5-31
v1.2, June 2008
ix
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Chapter 6
Virtual Private Networking
Using SSL Connections
Understanding the Portal Options ...................................................................................6-1
Planning for SSL VPN ....................................................................................................6-2
Creating the Portal Layout ..............................................................................................6-3
Configuring Domains, Groups, and Users ......................................................................6-7
Configuring Applications for Port Forwarding ............................................ ... ... ... .... ... ... ..6-7
Adding Servers ................................... .... ... ... ............................................................6-8
Adding A New Host Name . ... .... ... ... ... .... ... ... ... ... .... ... ... ... .... .....................................6-9
Configuring the SSL VPN Client ...................................................................................6-10
Configuring the Client IP Address Range . ... ... ... .... ... ... ... .... ... ... ... .... ... ... ... ... .... ... ...6-11
Adding Routes for VPN Tunnel Clients ........ ... ... .......................................... .... ... ...6-12
Replacing and Deleting Client Routes ...................................................................6-12
Using Network Resource Objects to Simplify Policies ..................................................6-13
Adding New Network Resources ..........................................................................6-13
Configuring User, Group, and Global Policies ..............................................................6-15
Viewing Policies .....................................................................................................6-16
Adding a Policy ...................................... ... ....................................... ... ... ... ... .... ... ...6-17
Chapter 7
Managing Users, Authentication, and Certificates
Adding Authentication Domains, Groups, and Users .....................................................7-1
Creating a Domain ....................................................................... ............................7-1
Creating a Group .................................... ... ... ... ... .......................................... ............7-3
Creating a New User Account ... .......................................... ... ... ... .... ........................7-4
Setting User Login Policies ................................ .... ... ... .......................................... ..7-6
Managing Certificates ................................................................ .....................................7-8
Viewing and Loading CA Certificates .......................................................................7-9
Viewing Active Self Certificates ..............................................................................7-10
Obtaining a Self Certificate from a Certificate Authority ............................ ... .... ... ...7-11
Managing your Certificate Revocation List (CRL) .. ... ... ..........................................7-14
Chapter 8
Router and Network Management
Performance Management ........................................... ... ... ... .... .....................................8-1
Bandwidth Capacity ............................... ... .......................................... .....................8-1
x
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Features That Reduce Traffic ...................................................................................8-2
Features That Increase Traffic .................................................................................8-5
Using QoS to Shift the Traffic Mix ............................................................................8-8
Tools for Traffic Management .......... ... .... ... ... ... ... .... ... ... .......................................... ..8-8
Changing Passwords and Administrator Settings .... .... ... ... ... .... ... ... ... .... ........................8-8
Enabling Remote Management Access .......................................................................8-10
Using the Command Line Interface ..............................................................................8-12
Using an SNMP Manager .............................................................................................8-13
Configuration File Management ...................................................................................8-15
Upgrading the Firmware ...............................................................................................8-17
Configuring Date and Time Service ..............................................................................8-18
Chapter 9
Monitoring System Performance
Enabling the Traffic Meter ...............................................................................................9-1
Activating Notification of Events and Alerts ....................................................................9-4
Viewing Firewall Logs .....................................................................................................9-6
Viewing Router Configuration and System Status ..................................... ... ... ... .... ... ... ..9-7
Monitoring the Status of WAN Ports ...............................................................................9-9
Monitoring Attached Devices ........................................................................................9-10
Reviewing the DHCP Log .............................................................................................9-12
Monitoring Active Users ................... ... ... ... .... ... ... ... ... .... .......................................... ... ...9-12
Viewing Port Triggering Status .....................................................................................9-13
Monitoring VPN Tunnel Connection Status ........ ... ... .... ... ... ... .... ... ... ... .... ... ... ................9-14
Reviewing the VPN Logs ..............................................................................................9-15
Chapter 10
Troubleshooting
Basic Functions ............................................................................................................10-1
Power LED Not On .................................................................................................10-2
LEDs Never Turn Off ..............................................................................................10-2
LAN or WAN Port LEDs Not On .............................................................................10-2
Troubleshooting the Web Configuration Interface ........................................................10-3
Troubleshooting the ISP Connection ............................................................................10-4
Troubleshooting a TCP/IP Network Using a Ping Utility ...............................................10-5
Testing the LAN Path to Your VPN Firewall ...........................................................10-5
Testing the Path from Your PC to a Remote Device ..............................................10-6
v1.2, June 2008
xi
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Restoring the Default Configuration and Password ............ ... .... ... ... ... .... ... ... ... ... .... ... ...10-7
Problems with Date and Time .......................................................................................10-7
Using the Diagnostics Utilities ......................................................................................10-8
Appendix A
Default Settings and Technical Specifications
Appendix B
Related Documents
Appendix C
Network Planning for Dual WAN Ports
What You Will Need to Do Before You Begin ................................................................C-1
Cabling and Computer Hardware Requirements .................................................... C-3
Computer Network Configuration Requirements ...................................... ... .... ... ... . C-3
Internet Configuration Requirements ...................................................................... C-4
Where Do I Get the Internet Configuration Parameters? ........................................ C-4
Internet Connection Information Form .................................................................... C-5
Overview of the Planning Process ................................................................................. C-6
Inbound Traffic ........................................................................................................ C-6
Virtual Private Networks (VPNs) .............................................................................C-6
The Roll-over Case for Firewalls With Dual WAN Ports ..........................................C-7
The Load Balancing Case for Firewalls With Dual WAN Ports ...............................C-7
Inbound Traffic ...............................................................................................................C-8
Inbound Traffic to Single WAN Port (Reference Case) ........................................... C-8
Inbound Traffic to Dual WAN Port Systems ............................................................C-8
Virtual Private Networks (VPNs) .................................................................................. C-10
VPN Road Warrior (Client-to-Gateway) ................................................................ C-11
VPN Gateway-to-Gateway ........... ...... .... ... ............................................................ C-14
VPN Telecommuter (Client-to-Gateway Through a NAT Router) ..........................C-17
Index
xii
v1.2, June 2008
About This Manual
The NETGEAR® ProSafe™ Dual WAN Gigabit Firewall with SSL & IPsec VPN Reference
Manual describes how to install, configure and troubleshoot a ProSafe Dual WAN Gigabit
Firewall with SSL & IPsec VPN. The information in this manual is intended for readers with
intermediate computer and networking skills.
Conventions, Formats, and Scope
The conventions, formats, and scope of this manual are described in the following paragraphs:
• Typographical Conventions. This manual uses the following typographical conventions:
Italic Emphasis, books, CDs, file and server names, extensions
Bold User input, IP addresses, GUI screen text
Fixed Command prompt, CLI text, code
italic URL links
• Formats. This manual uses the following formats to highlight special messages:
Note: This format is used to highlight information of importance or special interest.
Tip: This format is used to highlight a procedure that will save time or resources.
Warning: Ignoring this type of note may result in a malfunction or damage to the
equipment.
v1.2, June 2008
xiii
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Danger: This is a safety warning. Failure to take heed of this notice may result in
personal injury or death.
• Scope. This manual is written for the VPN firewall according to these specifications:
Product Version ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN
Manual Publication Date June 2008
For more information about network, Internet, firewall, and VPN technologies, see the links to the
NETGEAR website in Appendix B, “Related Documents.”.
Note: Product updates are available on the NETGEAR, Inc. website at
http://kbserver.netgear.com/products/FVS336G.asp.
How to Use This Manual
The HTML version of this manual includes the following:
• Buttons, and , for browsing forwards or backwards through the manual one page
at a time
• A button that displays the table of contents and an button. Double-click on a
link in the table of contents or index to navigate directly to where the topic is described in the
manual.
• A button to access the full NETGEAR, Inc. online knowledge base for the product
model.
• Links to PDF versions of the full manual and individual chapters.
How to Print this Manual
To print this manual, you can choose one of the following options, according to your needs.
• Printing a Page from HTML. Each page in the HTML version of the manual is dedicated to
a major topic. Select File > Print from the browser menu to print the page contents.
xiv
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in
order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at
http://www.adobe.com.
– Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page.
• Click the PDF of This Chapter link at the top left of any page in the chapter you want
to print. The PDF version of the chapter you were viewing opens in a browser
window.
• Click the print icon in the upper left of your browser window.
– Printing a PDF version of the Complete Manual. Use the Complete PDF Manual link
at the top left of any page.
• Click the Complete PDF Manual link at the top left of any page in the manual. The
PDF version of the complete manual opens in a browser window.
• Click the print icon in the upper left of your browser window.
Tip: If your printer supports printing two pages on a single sheet of paper, you can
save paper and printer ink by selecting this feature.
Revision History
Part Number
202-10257-01 1.0 October
202-10257-01 1.1 November
202-10257-02 1.2 June 2008 Updated to router software version 3.0.3-13.4
Version
Number
Date Description
First publication
2007
Text corrections
2007
v1.2, June 2008
xv
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
xvi
v1.2, June 2008
Chapter 1
Introduction
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN connects your local area network
(LAN) to the Internet through one or two external broadband access devices such as cable modems
or DSL modems. Dual wide area network (WAN) ports allow you to increase throughput to the
Internet by using both ports together, or to maintain a backup connection in case of failure of your
primary Internet connection.
As a complete security solution, the FVS336G incorporates a powerful and flexible firewall to
safeguard your network, while providing advanced IPsec and SSL VPN technologies for secure
and simple remote connections.
The use of Gigabit Ethernet LAN and WAN ports ensures extremely high data transfer speeds
The FVS336G is a plug-and-play device that can be installed and co nfigured within minutes.
This chapter contains the following sections:
• “Key Features” on page 1-1
• “Package Contents” on page 1-5
• “Front Panel Features” on page 1-6
• “Rear Panel Features” on page 1-7
• “Default IP Address, Login Name, and Password Location” on page 1-8
• “Qualified Web Browsers” on page 1-8
Key Features
The VPN firewall provides the following key features:
• Dual 10/100/1000 Mbps Gigabit Ethernet WAN ports for load balancing or failover protection
of your Internet connection, providing increased system reliability or increased throughput.
• Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data
transfer between local network resources.
• Advanced IPsec and SSL VPN support.
• Advanced stateful packet inspection (SPI) firewall with multi-NAT support.
1-1
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• Easy, web-based setup for installation and management.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
• Internal universal switching power supply.
Dual WAN Ports for Increased Reliability or Outbound Load Balancing
The FVS336G has two broadband WAN ports. The second WAN port allows you to connect a
second broadband Internet line that can be configured on a mutually-exclusive basis to:
• Provide backup and rollover if one line is inoperable, ensuring you are never disconnected.
• Load balance, or use both Internet lines simultaneously for outgoing traffic. The firewall
balances users between the two lines for maximum bandwidth efficiency.
See “Network Planning for Dual WAN Ports” on page C-1 for the planning factors to consider
when implementing the following capabilities with dual WAN port gateways:
• Single or multiple exposed hosts.
• V irtual private networks.
Advanced VPN Support for Both IPsec and SSL
The VPN firewall supports IPsec and SSL virtual private network (VPN) connections.
• IPsec VPN delivers full network access between a central office and branch offices, or
between a central office and telecommuters. Remote access by telecommuters requires the
installation of VPN client software on the remote computer.
– IPsec VPN with broad protocol support for secure connection to other IPsec gateways and
clients.
– Bundled with the single-user license of the NETGEAR ProSafe VPN Client software
(VPN01L)
– Supports 25 concurrent IPsec VPN tunnels.
• SSL VPN provides remote access for mobile users to selected corporate resources without
requiring a pre-installed VPN client on their computers.
– Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce
transactions, to provide client-free access with customizable user portals and support for a
wide variety of user repositories.
1-2 Introduction
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
– Browser based, platform-independent, remote access through a number of popular
browsers, such as Microsoft Internet Explorer or Apple Safari.
– Provides granular access to corporate resources based upon user type or group
membership.
– Supports 10 concurrent SSL VPN sessions.
A Powerful, True Firewall with Content Filtering
Unlike simple Internet sharing NAT routers, the FVS336G is a true firewall, using stateful packet
inspection (SPI) to defend against hacker attacks. Its firewall features include:
• Automatically detects and thwarts denial of service (DoS) attacks such as Ping of Death and
SYN Flood.
• Blocks unwanted traffic from the Internet to your LAN.
• Blocks access from your LAN to Internet locations or services that you specify as off-limits.
• Prevents objectionable content from reaching your PCs. You can control access to Internet
content by screening for Web services, Web addresses, and keywords within Web addresses.
You can configure the firewall to log and report attempts to access objectionable Internet sites.
• Permits scheduling of firewall policies by day and time.
• Logs security events such as blocked incoming traffic, port scans, attacks, and administrator
logins. You can configure the firewall to email the log to you at specified intervals. You can
also configure the firewall to send immediate alert messages to your email address or email
pager whenever a significant event occurs.
Autosensing Ethernet Connections with Auto Uplink
With its internal 4-po rt 10/100/1000 Mbps switch and dual 10/100/1000 WAN ports, the FVS336 G
can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or
a 1000 Mbps Gigabit Ethernet network. The four LAN and two WAN interfaces are autosensing
and capable of full-duplex or half-duplex operation.
TM
The FVS336G incorporates Auto Uplink
sense whether the Ethernet cable plugged into the port should have a “normal” connection such as
to a PC or an “uplink” connection such as to a switch or hub. That port will then configure itself to
the correct configuration. This feature eliminates the need to worry about crossover cables, as
Auto Uplink will accommodate either type of cable to make the right connection.
Introduction 1-3
technology. Each Ethernet port will automatically
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Extensive Protocol Support
The VPN firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and
Routing Information Protocol
Configuration Requirements” on page C-4.
• IP Address Sharing by NAT. The VPN firewall allows many networked PCs to share an
Internet account using only a single IP address, which may be statically or dynamically
assigned by your Internet service provider (ISP). This technique, known as NAT, allows the
use of an inexpensive single-user ISP account.
• Automatic Configuration of Attached PCs by DHCP. The VPN firewall dynamically
assigns network configuration information, including IP, gateway, and domain name server
(DNS) addresses, to attached PCs on the LAN using the Dynamic Host Configuration Protocol
(DHCP). This feature greatly simplifies configuration of PCs on your local network.
• DNS Proxy. When DHCP is enabled and no DNS addresses are specified, the firewall
provides its own address as a DNS server to the attached PCs. The firewall obtains actual DNS
addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet
over a DSL connection by simulating a dial-up connection. This feature eliminates the need to
run a login program such as EnterNet or WinPOET on your PC.
• Quality of Service (QoS) support for traffic prioritization.
(RIP). For further information about TCP/IP, refer to “Internet
Easy Installation and Management
You can install, configure, and operate the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec
VPN within minutes after connecting it to the network. The following features simplify
installation and management tasks:
• Browser-Based Management. Browser-based configuration allows you to easily configure
your firewall from almost any type of personal computer, such as Windows, Macintosh, or
Linux. A user-friendly Setup Wizard is provided and online help documentation is built into
the browser-based Web Management Interface.
• Auto Detection of ISP. The VPN firewall automatically senses the type of Internet
connection, asking you only for the information required for your type of ISP account.
1-4 Introduction
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
• VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure
IPsec VPN tunnels according to the recommendations of the Virtual Private Network
Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNCcompliant VPN routers and clients.
• SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let
you monitor and manage log resources from an SNMP-compliant system manager. The SNMP
system configuration lets you change the system variables for MIB2.
• Diagnostic Functions. The firewall incorporates built-in diagnostic functions such as Ping,
Trace Route, DNS lookup, and remote reboot.
• Remote Management. The firewall allows you to login to the Web Management Interface
from a remote location on the Internet. For security, you can limit remote management access
to a specified remote IP address or range of addresses.
• Visual monitoring. The VPN firewall’s front panel LEDs provide an easy way to monitor its
status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the VPN firewall:
• Flash memory for firmware upgrade.
• Free technical support seven days a week, 24 hours a day, according to the terms identified in
the Warranty and Support information card provided with your product.
Package Contents
The product package should contain the following items:
• ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
• One AC power cable.
• Rubber feet.
• One Category 5 (Cat5) Ethernet cable.
• Installation Guide, FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN.
• Resource CD, including:
– Application Notes and other helpful information.
Introduction 1-5
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
– ProSafe VPN Client Software – one user license.
• Warranty and Support Information Card.
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the
carton, including the original packing materials, in case you need to return the firewall for repair.
Front Panel Features
The ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN front panel shown below
includes four groups of status indicator light-emitting diodes (LEDs), including Power and Test,
WAN1, WAN2, and the LAN lights:
Figure 1-1
The function of each LED is described in the following table:
Table 1-1. LED Descriptions
Object Activity Description
PWR
(Power)
TEST On (Amber)
WAN Ports
ACTIVE On (Green)
SPEED On (Green)
1-6 Introduction
On (Green)
Off
Blinking (Amber)
Off
On (Amber)
Off
On (Amber)
Off
Power is supplied to the VPN firewall.
Power is not supplied to the VPN firewall.
Test mode: The system is initializing or the initialization has failed.
Writing to Flash memory (during upgrading or resetting to defaults).
The system has booted successfully.
The WAN port has a valid Internet connection.
The Internet connection is down or not being used because the port
is in standby for failover.
The WAN port is either not enabled or has no link.
The LAN port is operating at 1,000 Mbps.
The LAN port is operating at 100 Mbps.
The LAN port is operating at 10 Mbps.
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Table 1-1. LED Descriptions (continued)
Object Activity Description
LINK/ACT
(Link and
Activity)
LAN Ports
SPEED On (Green)
LINK/ACT
(Link and
Activity)
On (Green)
Blinking (Green)
Off
On (Amber)
Off
On (Green)
Blinking (Green)
Off
The WAN port has detected a link with a connected Ethernet device.
Data is being transmitted or received by the WAN port.
The WAN port has no link.
The LAN port is operating at 1,000 Mbps.
The LAN port is operating at 100 Mbps.
The LAN port is operating at 10 Mbps.
The WAN port has detected a link with a connected Ethernet device.
Data is being transmitted or received by the WAN port.
The WAN port has no link.
Rear Panel Features
The rear panel of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN includes
Gigabit Ethernet LAN and WAN connections, a cable lock receptacle, power and reset switches,
and an AC power connection.
Figure 1-2
Viewed from left to right, the rear panel contains the following elements:
1. Factory Defaults button.
Using a sharp object, press and hold this button for about ten seconds until the front panel
TEST light flashes to reset the VPN firewall to factory default settings. All configuration
settings will be lost and the default password will be restored.
2. LAN Ethernet ports.
Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports
with RJ-45 connectors.
Introduction 1-7
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
3. WAN Ethernet ports.
Two independent N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet
ports with RJ-45 connectors.
4. Cable security lock receptacle.
5. AC power receptacle.
Universal AC input (100-240 VAC, 50-60 Hz).
6. On/off power switch.
Default IP Address, Login Name, and Password Location
Check the label on the bottom of the FVS336G’s enclosure if you need a reminder of the following
factory default information:
IP Address
User Name
Password
Figure 1-3
Qualified Web Browsers
To configure the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN, an administrator
must use Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher, or Mozilla Firefox l.x Web
browser with JavaScript, cookies, and SSL enabled.
Although these web browsers are qualified for use with the VPN firewall’s Web Management
Interface for configuring the VPN firewall, SSL VPN users should choose a browser that supports
1-8 Introduction
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
JavaScript, Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications.
Note that Java is only required for the SSL VPN portal, not the Web Management Interface.
Introduction 1-9
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
1-10 Introduction
v1.2, June 2008
Chapter 2
Connecting the FVS336G to the Internet
The initial Internet configuration of the ProSafe Dual WAN Gigabit Firewall with SSL & IPsec
VPN is described in this chapter.
This chapter contains the following sections:
• “Understanding the Connection Steps” on page 2-1
• “Logging into the VPN Firewall Router” on page 2-2
• “Navigating the Menus” on page 2-4
• “Configuring the Internet Connections” on page 2-4
• “Configuring the WAN Mode (Required for Dual WAN)” on page 2-11
• “Configuring Dynamic DNS (Optional)” on page 2-17
• “Configuring the Advanced WAN Options (Optional)” on page 2-19
Understanding the Connection S teps
Typically, six steps are required to complete the basic Internet connection of your VPN firewall.
1. Connect the firewall physically to your network. Connect the cables and restart your
network according to the instructions in the installation guide. See the Installation Guide,
FVS336G ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN for complete steps. A
PDF of the Installation Guide is on the NETGEAR website at: http://kbserver.netgear.com.
2. Log in to the VPN Firewall. After logging in, you are ready to set up and configure your
VPN firewall. You can also change your password and enable remote management at this
time. See “Logging into the VPN Firewall Router” on page 2-2.
3. Configure the Internet connections to your ISP(s). During this phase, you will connect to
your ISPs. You can also program the WAN traffic meters at this time if desired. See
“Configuring the Internet Connections” on page 2-4.
4. Configure the WAN mode (required for dual WAN operation). Select either dedicated
(single WAN) mode, auto-rollover mode, or load balancing mode. For load balancing, you can
also select any necessary protocol bindings. See “Configuring the WAN Mode (Required for
Dual WAN)” on page 2-11.
v1.2, June 2008
2-1
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
5. Configure dynamic DNS on the WAN ports (optional). Configure your fully qualified
domain names during this phase (if required). See “Configuring Dynamic DNS (Optional)” on
page 2-17.
6. Configure the WAN options (optional). Optionally, you can enable each WAN port to
respond to a ping, and you can change the factory default MTU size and port speed. However ,
these are advanced features and changing them is not usually required. See “Configuring the
Advanced WAN Options (Optional)” on page 2-19.
Each of these tasks is detailed separately in this chapter. The configuration of firewall and VPN
features is described in later chapters.
Logging into the VPN Firewall Router
To connect to the VPN firewall, your computer needs to be configured to obtain an IP address
automatically from the VPN firewall by DHCP. For instructions on how to configure your
computer for DHCP, refer to the link in Appendix B, “Related Documents.
To connect and log in to the VPN firewall follow these steps:
1. Start any of the qualified browsers, as detailed in “Qualified Web Browsers” on page 1-8.
2. Enter https://192.168.1.1 in the address field.
The Manager login features appear in the browser.
Figure 2-1
3. In the User field, type admin
4. In the Password field, type password
Note that both entries are in lower case letters.
2-2 Connecting the FVS336G to the Internet
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
5. Click Login.
The Web Configura tion Manager appears, displaying the Router Status menu:
Figure 2-2
Connecting the FVS336G to the Internet 2-3
v1.2, June 2008
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336G Reference Manual
Navigating the Menus
The Web Configuration Manager menus are organized in a layered structure of main categories
and submenus:
• Main menu. The horizontal orange bar near the top of the page is the main menu, containing
the primary configuration categories. Clicking on a primary category changes the contents of
the submenu bar.
• Submenu. The horizontal grey bar immediately below the main menu is the submenu,
containing subcategories of the currently selected primary category.
• Tab. Immediately below the submenu bar, at the top of the menu active window, are one or
more tabs, further subdividing the currently selected subcategory if necessary.
• Option arrow . To the right of the tabs on some menus are one or more blue dots with an arrow
in the center . Clicking an option arrow brings up either a popup window or an advanced op tion
menu.
Tip: In the instructions in this guide, we may refer to a menu using the notation
primary | subcategory, such as Network Configuration | WAN Settings. In this
example, Network is the selected primary category (in the main menu) and
WAN Settings is the selected subcategory (in the submenu).
You can now proceed to the first configuration task, configuring the VPN firewall’s Internet
connections.
Configuring the Internet Connections
To set up your VPN firewall for secure Internet connections, you configure WAN ports 1 and 2.
The Web Configuration Manager offers two connection configuration options:
• Automatic detection and configuration of the network connection.
• Manual configuration of the network connection.
Each option is detailed in the sections following.
Automatically Detecting and Connecting
To automatically configure the WAN ports for connection to the Internet:
2-4 Connecting the FVS336G to the Internet
v1.2, June 2008
Loading...