Home » Netgear Manuals » Network Security & Firewall Devices » Netgear FVG318v1 » Manual Viewer

Netgear FVG318v1 FVG318 Reference Manual - Page 70

Default DMZ Server, DMZ WAN Rules, Service, Send to DMZ Service, WAN Users, Apply

Add to My Manuals
Save this manual to your list of manuals

Page 70 highlights

ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual Default DMZ Server Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network. This computer is called the Default DMZ Server. The Default DMZ Server feature is helpful when using some online games and video conferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, one local PC can run the application properly if that PC's IP address is entered as the Default DMZ Server for a particular service. The DMZ Server screen is used for setting up a firewall rule for traffic coming from the WAN to the DMZ. Inbound traffic for a service can be configured to be blocked or allowed, by default, or set per a schedule (defined on the Schedule page under the Security menu). To assign a computer or server to be a Default DMZ server: 1. Click the DMZ WAN Rules tab. 2. When the DMZ WAN Rules screen displays, click Add. 3. From the Service pull-down menu, select the service to allow or block. This is a unique name assigned to the service. The name usually indicates the type of traffic the rule covers such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added from the Security < Services screen. 4. Enter the Send to DMZ Service address of the device on the DMZ which is hosting the server. Select the port number checkbox and enter a port number ONLY if the server is listening on a port other than the default. For example, if a machine on the DMZ side is running a telnet server on port 2000, then select the Translate to Port Number checkbox and type 2000 in the Port field. if it is listening on the default port 23, then the box can be left unchecked. 5. From the WAN Users pull-down menu, select the specific IP addresses on the WAN that will be affected by the rule. This rule will affect packets for the selected service to the defined IP address or range of IP addresses on the WAN side. • Any: All IP addresses on the WAN will be affected by the rule. • Single Address: A single WAN IP address will be affected by the rule. • Address Range: A range of IP addresses on the DMZ network will be affected by the rule. 6. Click Apply to save your settings. 4-10 Firewall Protection and Content Filtering v1.0, September 2007

Section	Page
ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual	1
Contents	7
About This Manual	13
Conventions, Formats, and Scope	13
How to Use This Manual	14
How to Print this Manual	14
Revision History	15
Chapter 1 Introduction	17
Key Features of the VPN Firewall Router	17
802.11g and 802.11b Wireless Networking	18
Wireless Multimedia (WMM) Support	18
A Powerful, True Firewall with Content Filtering	18
Security	19
Autosensing Ethernet Connections with Auto Uplink	19
Extensive Protocol Support	19
Easy Installation and Management	20
Maintenance and Support	21
Package Contents	21
The FVG318 Front Panel	21
The FVG318 Rear Panel	22
Chapter 2 Connecting the Firewall to the Internet	25
Installing Your FVG318	25
Configuring the FVG318 for Internet Access with Auto Detect	28
Manually Configuring your Internet Connection	31
Configuring Dynamic DNS (If Needed)	33
Configuring Your Time Zone	35
Troubleshooting Tips	36
Be sure to restart your network in the correct sequence.	36
Make sure the Ethernet cables are securely plugged in.	36
Make sure the computer & router wireless settings match exactly.	36
Make sure the network settings of the computer are correct.	36
Check the router status lights to verify correct router operation.	37
Tips for Accessing the VPN firewall	37
Chapter 3 Configuring Wireless Connectivity	39
Observing Performance, Placement, and Range Guidelines	39
Implementing Appropriate Wireless Security	40
Understanding Wireless Settings	41
Security Check List for SSID and WEP Settings	45
Setting Up and Testing Basic Wireless Connectivity	46
Restricting Wireless Access by MAC Address	47
Configuring WEP Security Settings	48
Configuring WPA with RADIUS	50
Configuring WPA2 with RADIUS	52
Configuring WPA and WPA2 with RADIUS	53
Configuring WPA-PSK	55
Configuring WPA2-PSK	56
Configuring WPA-PSK and WPA2-PSK	58
Chapter 4 Firewall Protection and Content Filtering	61
Firewall Protection and Content Filtering Overview	61
Block Sites	61
Using Rules to Block or Allow Specific Kinds of Traffic	64
Inbound Rules (Port Forwarding)	66
Inbound Rule Example: A Local Public Web Server	67
Inbound Rule Example: Allowing a Videoconference from Restricted Addresses	67
Considerations for Inbound Rules	68
Outbound Rules (Service Blocking)	68
Outbound Rule Example: Blocking Instant Messenger	68
Order of Precedence for Rules	69
Default DMZ Server	70
Attack Checks	71
Services	72
Using a Schedule to Block or Allow Specific Traffic	73
Getting E-Mail Notifications of Firewall Logs	74
Chapter 5 Basic Virtual Private Networking	79
Overview of VPN Configuration	80
Client-to-Gateway VPN Tunnels	80
Gateway-to-Gateway VPN Tunnels	80
Planning a VPN	81
VPN Tunnel Configuration	82
Setting Up a Client-to-Gateway VPN Configuration	83
Step 1: Configuring the Client-to-Gateway VPN Tunnel on the FVG318	83
Step 2: Configuring the NETGEAR ProSafe VPN Client on the Remote PC	85
Monitoring the Progress and Status of the VPN Client Connection	93
Transferring a Security Policy to Another Client	95
Setting Up a Gateway-to-Gateway VPN Configuration	97
Activating a VPN Tunnel	101
Verifying the Status of a VPN Tunnel	103
Deactivating a VPN Tunnel	104
Using the Policy Table on the VPN Policies Screen to Deactivate a VPN Tunnel	104
Using the VPN Status Page to Deactivate a VPN Tunnel	105
Deleting a VPN Tunnel	105
Chapter 6 Advanced Virtual Private Networking	107
Using IKE and VPN Policies to Manage VPN Traffic	107
Using Automatic Key Management	108
IKE Policy Automatic Key and Authentication Management	108
VPN Policy Configuration for Auto Key and Manual Negotiation	109
Using Digital Certificates for IKE Auto-Policy Authentication	113
Certificate Revocation List (CRL)	113
VPN Configuration Scenarios on the FVG318	114
VPN Consortium Scenario 1: Gateway-to-Gateway with Preshared Secrets	115
FVG318 Gateway A to FVG318 Gateway B (IKE and VPN Policies)	116
Checking Your VPN Connections	119
VPN Consortium Scenario 2: FVG318 Gateway to Gateway with Digital Certificates	121
Chapter 7 Maintenance	125
Viewing VPN Firewall Router Status Information	125
Upgrading the Firewall Software	128
Backing Up and Restoring Settings	129
Changing the Administrator Password	130
Chapter 8 Advanced Configuration	131
Configuring Dynamic DNS	131
Using the LAN IP Setup Options	132
Configuring LAN TCP/IP Setup Parameters	132
Using the Firewall as a DHCP server	133
Using Address Reservation	134
Configuring Static Routes	135
Configuring RIP	136
Static Route Example	137
Enabling Remote Management Access	138
SNMP Administration	140
Enabling Universal Plug and Play (UPnP)	142
Chapter 9 Troubleshooting	143
Basic Functioning	143
Power LED Not On	143
LEDs Never Turn Off	144
LAN or Internet Port LEDs Not On	144
Troubleshooting the Web Configuration Interface	144
Troubleshooting the ISP Connection	145
Troubleshooting a TCP/IP Network Using a Ping Utility	147
Testing the LAN Path to Your Firewall	147
Testing the Path from Your PC to a Remote Device	148
Restoring the Default Configuration and Password	148
Problems with Date and Time	149
Appendix A Default Settings and Technical Specifications	151
Default Settings	151
Technical Specifications	153
Appendix B Related Documents	155
Appendix C VPN Configuration of NETGEAR FVG318	157
Case Study Overview	157
Gathering the Network Information	157
Configuring the Gateways	158
Activating the VPN Tunnel	159
The FVG318-to-FVG318 Case	159
Configuring the VPN Tunnel	160
Viewing and Editing the VPN Parameters	161
Initiating and Checking the VPN Connections	162
The FVG318-to-FVS318v2 Case	163
Configuring the VPN Tunnel	163
Viewing and Editing the VPN Parameters	164
Initiating and Checking the VPN Connections	165
The FVG318-to-FVL328 Case	166
Configuring the VPN Tunnel	166
Viewing and Editing the VPN Parameters	167
Initiating and Checking the VPN Connections	168
The FVG318-to-VPN Client Case	169
Client-to-Gateway VPN Tunnel Overview	169
Configuring the VPN Tunnel	170

Match case Limit results 1 per page

ProSafe 802.11g Wireless VPN Firewall FVG318 Reference Manual

4-10

Firewall Protection and Content Filtering

v1.0, September 2007

Default DMZ Server

Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a

response to one of your local computers or a service for which you have configured an inbound

rule. Instead of discarding this traffic, you can have it forwarded to one computer on your network.

This computer is called the Default DMZ Server.

The Default DMZ Server feature is helpful when using some online games and video conferencing

applications that are incompatible with NAT. The firewall is programmed to recognize some of

these applications and to work properly with them, but there are other applications that may not

function well. In some cases, one local PC can run the application properly if that PC’s IP address

is entered as the Default DMZ Server for a particular service.

The DMZ Server screen is used for setting up a firewall rule for traffic coming from the WAN to

the DMZ. Inbound traffic for a service can be configured to be blocked or allowed, by default, or

set per a schedule (defined on the Schedule page under the Security menu).

To assign a computer or server to be a Default DMZ server:

Click the

DMZ WAN Rules

tab.

When the DMZ WAN Rules screen displays, click

Add.

From the

Service

pull-down menu, select the service to allow or block.

This is a unique name assigned to the service. The name usually indicates the type of traffic

the rule covers such as ftp, ssh, telnet, ping, etc. Services not already in the list can be added

from the Security < Services screen.

Enter the

Send to DMZ Service

address of the device on the DMZ which is hosting the server.

Select the port number checkbox and enter a port number ONLY if the server is listening on a

port other than the default. For example, if a machine on the DMZ side is running a telnet

server on port 2000, then select the Translate to Port Number checkbox and type 2000 in the

Port field. if it is listening on the default port 23, then the box can be left unchecked.

From the

WAN Users

pull-down menu, select the specific IP addresses on the WAN that will

be affected by the rule. This rule will affect packets for the selected service to the defined IP

address or range of IP addresses on the WAN side.

•

Any: All IP addresses on the WAN will be affected by the rule.

•

Single Address: A single WAN IP address will be affected by the rule.

•

Address Range: A range of IP addresses on the DMZ network will be affected by the rule.

Click

Apply

to save your settings.