Home » Netgear Manuals » Network Security & Firewall Devices » Netgear FVX538v2 » Manual Viewer

Netgear FVX538v2 FVX538v2 Reference Manual - Page 46

Configuring the LAN Setup Options, DHCP Relay, DNS Proxy

Add to My Manuals
Save this manual to your list of manuals

Page 46 highlights

ProSafe VPN Firewall 200 FVX538 Reference Manual The VPN firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP address from the range that you have defined. • Subnet mask. • Gateway IP address (the VPN firewall's LAN IP address). • Primary DNS server (the VPN firewall's LAN IP address). • WINS server (if you entered a WINS server address in the DHCP section of the LAN Setup screen). • Lease time (date obtained and duration of lease). DHCP Relay options allow you to make the VPN firewall a DHCP relay agent. The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP Relay Agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, or which is not located on the local subnet. If you have no configured DHCP Relay Agent, your clients would only be able to obtain IP addresses from the DHCP server which is on the same subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you have to configure the DHCP Relay Agent on the subnet that contains the remote clients, so that it can relay DHCP broadcast messages to your DHCP server. When the DNS Proxy option is enabled, the VPN firewallwill act as a proxy for all DNS requests and communicate with the ISP's DNS servers (as configured in the WAN settings screen). All DHCP clients will receive the Primary/Secondary DNS IP along with the IP address where the DNS proxy is running, that is, the VPN firewall's LAN IP address. When disabled, all DHCP clients will receive the DNS IP addresses of the ISP excluding the DNS proxy IP address. The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each connection are different, then a link failure may render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can make requests to the VPN firewall and the VPN firewall, in turn, sends those requests to the DNS servers of the active connection. Configuring the LAN Setup Options The LAN Setup screen allows configuration of LAN IP services such as DHCP and allows you to configure a secondary or "multi-home" LAN IP setup in the LAN. The default values are suitable for most users and situations. Disable the DNS Proxy if you are using a dual WAN configuration with route diversity and failover. These are advanced settings most usually configured by a network administrator. 3-2 LAN Configuration v1.0, January 2010

Section	Page
ProSafe VPN Firewall 200 FVX538 Reference Manual	1
Contents	7
About This Manual	13
Conventions, Formats and Scope	13
How to Print This Manual	14
Revision History	14
Chapter 1 Introduction	17
Key Features	17
Dual WAN Ports for Increased Reliability or Outbound Load Balancing	18
A Powerful, True Firewall with Content Filtering	18
Security Features	19
Autosensing Ethernet Connections with Auto Uplink	19
Extensive Protocol Support	20
Easy Installation and Management	20
Maintenance and Support	21
Package Contents	21
VPN Firewall Front and Rear Panels	22
Rack Mounting Hardware	24
The VPN Firewall’s IP Address, Login Name, and Password	25
Qualified Web Browsers	26
Chapter 2 Connecting the VPN Firewall to the Internet	27
Understanding the Connection Steps	27
Logging into the VPN Firewall	28
Configuring the Internet Connections to Your ISPs	28
Setting the VPN Firewall’s MAC Address	31
Manually Configuring Your Internet Connection	31
Configuring the WAN Mode (Required for Dual WAN)	33
Setting Up Auto-Rollover Mode	35
Setting Up Load Balancing	37
Configuring Dynamic DNS (Optional)	40
Configuring the Advanced WAN Options (Optional)	42
Additional WAN Related Configuration	43
Chapter 3 LAN Configuration	45
Choosing the VPN Firewall DHCP Options	45
Configuring the LAN Setup Options	46
Managing Groups and Hosts (LAN Groups)	50
Creating the Network Database	50
Viewing the Network Database	51
Adding Devices to the Network Database	52
Changing Group Names in the LAN Groups Database	53
Setting Up DHCP Address Reservation	53
Configuring Multi Home LAN IP Addresses	54
Configuring and Enabling the DMZ Port	55
Configuring Static Routes	58
Static Route Example	60
Configuring Routing Information Protocol (RIP)	60
Chapter 4 Firewall Protection and Content Filtering	63
About Firewall Protection and Content Filtering	63
Using Rules to Block or Allow Specific Kinds of Traffic	64
Services-Based Rules	65
Outbound Rules (Service Blocking)	65
Inbound Rules (Port Forwarding)	67
Viewing Rules and Order of Precedence for Rules	69
Configuring LAN WAN Rules	71
LAN WAN Outbound Services Rules	72
LAN WAN Inbound Services Rules	73
Configuring DMZ WAN Rules	74
Configuring LAN DMZ Rules	75
Inbound Rules Examples	77
LAN WAN Inbound Rule: Hosting a Local Public Web Server	77
LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses	78
LAN WAN or DMZ WAN Inbound Rule: Setting Up One-to-One NAT Mapping	78
LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host	79
Outbound Rules Example	81
LAN WAN Outbound Rule: Blocking Instant Messenger	81
Configuring Other Firewall Features	81
Attack Checks	82
Setting Session Limits	84
Managing the Application Level Gateway for SIP Sessions	85
Creating Services, QoS Profiles, and Bandwidth Profiles	86
Adding Customized Services	86
Modifying a Service	88
Specifying Quality of Service (QoS) Priorities	88
Creating Bandwidth Profiles	89
Setting a Schedule to Block or Allow Specific Traffic	91
Blocking Internet Sites (Content Filtering)	92
Configuring Source MAC Filtering	95
Configuring IP/MAC Address Binding	97
Configuring Port Triggering	99
E-Mail Notifications of Event Logs and Alerts	102
Administrator Tips	102
Chapter 5 Virtual Private Networking	103
Considerations for Dual WAN Port Systems	103
Using the VPN Wizard for Client and Gateway Configurations	105
Creating Gateway to Gateway VPN Tunnels with the Wizard	105
Creating a Client to Gateway VPN Tunnel	108
Use the VPN Wizard Configure the Gateway for a Client Tunnel	109
Use the NETGEAR VPN Client Security Policy Editor to Create a Secure Connection	110
Testing the Connections and Viewing Status Information	114
NETGEAR VPN Client Status and Log Information	114
VPN Firewall VPN Connection Status and Logs	116
Managing VPN Policies	118
Configuring IKE Policies	118
The IKE Policies Screen	119
Configuring VPN Policies	120
The VPN Policies Screen	120
Managing Certificates	121
Viewing and Loading CA Certificates	123
Viewing Active Self Certificates	124
Obtaining a Self Certificate from a Certificate Authority	124
Managing your Certificate Revocation List (CRL)	127
Extended Authentication (XAUTH) Configuration	128
Configuring XAUTH for VPN Clients	129
User Database Configuration	131
RADIUS Client Configuration	132
Assigning IP Addresses to Remote Users (ModeConfig)	134
Mode Config Operation	134
Configuring Mode Config Operation on the VPN Firewall	135
Configuring the Mode Config Screen	135
Configuring an IKE Policy for Mode Config Operation	137
Configuring the ProSafe VPN Client for ModeConfig	140
Testing the Mode Config Connection	143
Configuring Keepalives and Dead Peer Detection	144
Configuring Keepalives	144
Configuring Dead Peer Detection	145
Configuring NetBIOS Bridging with VPN	146
Chapter 6 VPN Firewall and Network Management	147
Performance Management	147
Bandwidth Capacity	147
VPN Firewall Features That Reduce Traffic	148
Service Blocking	148
Blocking Sites	150
Source MAC Filtering	150
VPN Firewall Features That Increase Traffic	150
Port Forwarding	151
Port Triggering	152
DMZ Port	153
VPN Tunnels	153
Using QoS to Shift the Traffic Mix	153
Tools for Traffic Management	154
Configuring Users, Administrative Settings, and Remote Management	154
Changing Passwords and Settings	154
Adding External Users	156
Configuring an External Server for Authentication	157
Enabling Remote Management Access	160
Using an SNMP Manager	162
Managing the Configuration File	164
Backing Up Settings	165
An Alert screen will appear indicating the status of the restore operation. You must manually restart the VPN firewall for the restored settings to take effect.	166
Reverting to Factory Default Settings	166
Upgrading the Firmware	166
Configuring Date and Time Service	167
Monitoring System Performance	169
Activating Notification of Events and Alerts	169
Viewing the Logs	172
Enabling the Traffic Meter	173
Viewing the VPN Firewall Configuration and System Status	176
Monitoring VPN Firewall Statistics	177
Monitoring WAN Ports Status	178
Monitoring Attached Devices	179
Monitoring VPN Tunnel Connection Status	180
Viewing the VPN Logs	181
Viewing the DHCP Log	182
Viewing Port Triggering Status	182
Chapter 7 Troubleshooting	185
Basic Functions	185
Power LED Not On	186
LEDs Never Turn Off	186
LAN or Internet Port LEDs Not On	186
Troubleshooting the Web Configuration Interface	187
Troubleshooting the ISP Connection	188
Troubleshooting a TCP/IP Network Using a Ping Utility	189
Testing the LAN Path to Your VPN Firewall	189
Testing the Path from Your PC to a Remote Device	190
Restoring the Default Configuration and Password	191
Problems with Date and Time	191
Using the Diagnostics Utilities	192
Appendix A Default Settings and Technical Specifications	195
Appendix B Network Planning for Dual WAN Ports	199
What You Will Need to Do Before You Begin	199
Cabling and Computer Hardware Requirements	201
Computer Network Configuration Requirements	201
Internet Configuration Requirements	201
Where Do I Get the Internet Configuration Parameters?	202
Internet Connection Information Form	202
Overview of the Planning Process	203
Inbound Traffic	203
Virtual Private Networks (VPNs)	204
The Roll-over Case for Firewalls With Dual WAN Ports	204
The Load Balancing Case for Firewalls With Dual WAN Ports	205
Inbound Traffic	205
Inbound Traffic to Single WAN Port (Reference Case)	205
Inbound Traffic to Dual WAN Port Systems	206
Inbound Traffic: Dual WAN Ports for Improved Reliability	206
Inbound Traffic: Dual WAN Ports for Load Balancing	207
Virtual Private Networks (VPNs)	207
VPN Road Warrior (Client-to-Gateway)	209
VPN Road Warrior: Single Gateway WAN Port (Reference Case)	209
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability	210
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing	211
VPN Gateway-to-Gateway	212
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)	212
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability	213
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing	214
VPN Telecommuter (Client-to-Gateway Through a NAT Router)	214
VPN Telecommuter: Single Gateway WAN Port (Reference Case)	215
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability	215
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing	217
Appendix C System Logs and Error Messages	219
System Log Messages	219
System Startup	219
Reboot	220
NTP	220
Login/Logout	221
Firewall Restart	221
IPSec Restart	222
WAN Status	222
Load Balancing	222
Auto Rollover	223
PPP Logs	224
Web Filtering and Content Filtering Logs	225
Traffic Metering Logs	227
Unicast Logs	227
ICMP Redirect Logs	227
Multicast/Broadcast Logs	228
FTP Logging	228
Invalid Packet Logging	228
Routing Logs	231
LAN to WAN Logs	232
LAN to DMZ Logs	232
DMZ to WAN Logs	232
WAN to LAN Logs	232
DMZ to LAN Logs	233
WAN to DMZ Logs	233
Appendix D Two Factor Authentication	235
Why do I need Two-Factor Authentication?	235
What are the benefits of Two-Factor Authentication?	235
What is Two-Factor Authentication	236
NETGEAR Two-Factor Authentication Solutions	236
Appendix E Related Documents	239

Match case Limit results 1 per page

ProSafe VPN Firewall 200 FVX538 Reference Manual

3-2

LAN Configuration

v1.0, January 2010

The VPN firewall will deliver the following parameters to any LAN device that requests DHCP:

•

An IP address from the range that you have defined.

•

Subnet mask.

•

Gateway IP address (the VPN firewall’s LAN IP address).

•

Primary DNS server (the VPN firewall’s LAN IP address).

•

WINS server (if you entered a WINS server address in the

DHCP

section of the LAN Setup

screen).

•

Lease time (date obtained and duration of lease).

DHCP Relay

options allow you to make the VPN firewall a DHCP relay agent. The DHCP Relay

Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support

forwarding of these types of messages. The DHCP Relay Agent is therefore the routing protocol

that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, or

which is not located on the local subnet. If you have no configured DHCP Relay Agent, your

clients would only be able to obtain IP addresses from the DHCP server which is on the same

subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you have

to configure the DHCP Relay Agent on the subnet that contains the remote clients, so that it can

relay DHCP broadcast messages to your DHCP server.

When the

DNS Proxy

option is enabled, the VPN firewallwill act as a proxy for all DNS requests

and communicate with the ISP’s DNS servers (as configured in the WAN settings screen). All

DHCP clients will receive the Primary/Secondary DNS IP along with the IP address where the

DNS proxy is running, that is, the VPN firewall’s LAN IP address. When disabled, all DHCP

clients will receive the DNS IP addresses of the ISP excluding the DNS proxy IP address. The

feature is particularly useful in Auto Rollover mode. For example, if the DNS servers for each

connection are different, then a link failure may render the DNS servers inaccessible. However,

when the DNS proxy is enabled, then clients can make requests to the VPN firewall and the VPN

firewall, in turn, sends those requests to the DNS servers of the active connection.

Configuring the LAN Setup Options

The LAN Setup screen allows configuration of LAN IP services such as DHCP and allows you to

configure a secondary or “multi-home” LAN IP setup in the LAN. The default values are suitable

for most users and situations. Disable the DNS Proxy if you are using a dual WAN configuration

with route diversity and failover. These are advanced settings most usually configured by a

network administrator.