Netgear VPN Firewall FVS336Gv2 Reference Manual
Configure the IPv6 Internet and WAN Settings
ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

The Connection Status screen shows a valid IP address and gateway. You are connected to the Internet. For more information about the connection status, see View the WAN Port Status and Terminate or Establish the Internet Connection on page 594.

Note: If the configuration was not successful, see Troubleshoot the ISP Connection on page 615.

Manage Tunneling for IPv6 Traffic

The following sections provide information about managing tunneling for IPv6 traffic:
• Manage 6to4 Automatic Tunneling
• Manage ISATAP Automatic Tunneling
• View the Tunnel Status and Tunnel IPv6 Addresses

Manage 6to4 Automatic Tunneling

If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you must make sure that the IPv6 packets can travel over the IPv4 Internet backbone by enabling automatic 6to4 tunneling.

The following sections provide information about managing 6to4 automatic tunneling:
• 6to4 Tunnel
• Enable 6to4 Automatic Tunneling

6to4 Tunnel

If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you must make sure that the IPv6 packets can travel over the IPv4 Internet backbone by enabling automatic 6to4 tunneling.
6to4 is a WAN tunnel mechanism for automatic tunneling of IPv6 traffic between a device with an IPv6 address and a device with an IPv4 address, or the other way around. 6to4 tunneling is used to transfer IPv6 traffic between LAN IPv6 hosts and WAN IPv6 networks over the IPv4 network.

With 6to4 tunnels, IPv6 packets are embedded within the IPv4 packet and then transported over the IPv4 network. You do not need to specify remote tunnel endpoints, which are automatically determined by relay routers on the Internet. You cannot use 6to4 tunnels for traffic between IPv4-only devices and IPv6-only devices.

Note: If the VPN firewall functions as the endpoint for 6to4 tunnels in your network, make sure that the VPN firewall has a static IPv4 address (see Manually Configure a Static IPv4 Internet Connection on page 36). A dynamic IPv4 address can cause routing problems on the 6to4 tunnels.

Note: If you do not use a stateful DHCPv6 server in your LAN, you must configure the Router Advertisement Daemon (RADVD) and set up 6to4 advertisement prefixes for 6to4 tunneling to function correctly. For more information, see Manage the IPv6 LAN on page 153.

Typically, 6to4 tunnel addresses start with a 2002 prefix (decimal notification). On the VPN firewall, a 6to4 tunnel is indicated by sit0-WAN1 (see View the Tunnel Status and Tunnel IPv6 Addresses on page 107).

Enable 6to4 Automatic Tunneling

The following procedure describes how to enable 6to4 automatic tunneling.

To enable 6to4 automatic tunneling:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > WAN Settings > 6 to 4 Tunneling. The 6 to 4 Tunneling screen displays.
7. Select the Enable Automatic Tunneling check box.
8. Click the Apply button. Your settings are saved.

Manage ISATAP Automatic Tunneling

If your network is an IPv4 network or IPv6 network that consists of both IPv4 and IPv6 devices, you must make sure that the IPv6 packets can travel over the IPv4 intranet by enabling and configuring Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling.

The following sections provide information about managing ISATAP automatic tunneling:
• ISATAP Tunnel
• Configure an ISATAP Tunnel
• Change an ISATAP Tunnel
• Remove One or More ISATAP Tunnels

ISATAP Tunnel

ISATAP is a LAN tunnel mechanism in which the IPv4 network functions as a virtual IPv6 local link. Each IPv4 address is mapped to a link-local IPv6 address, that is, the IPv4 address is used in the interface portion of the IPv6 address. ISATAP tunneling is used intrasite, that is, between addresses in the LAN. For more information about link-local addresses, see Manage the IPv6 LAN on page 153.
Note: If you do not use a stateful DHCPv6 server in your LAN, you must configure the Router Advertisement Daemon (RADVD) and set up ISATAP advertisement prefixes (which are referred to as Global/Local/ISATAP prefixes) for ISATAP tunneling to function correctly. For more information, see Manage the IPv6 LAN on page 153.

The VPN firewall determines the link-local address by concatenating the IPv6 address with the 32 bits of the IPv4 host address:
• For a unique global address: fe80:0000:0000:0000:0000:5efe (or fe80::5efe) is concatenated with the IPv4 address. For example, fe80::5efe with 10.29.33.4 becomes fe80::5efe:10.29.33.4, or in hexadecimal format, fe80::5efe:a1d:2104.
• For a private address: fe80:0000:0000:0000:0200:5efe (or fe80::200:5efe) is concatenated with the IPv4 address. For example, fe80::200:5efe with 192.168.1.1 becomes fe80::200:5efe:192.168.1.1, or in hexadecimal format, fe80::200:5efe:c0a8:101.

Configure an ISATAP Tunnel

The following procedure describes how to configure an ISATAP tunnel.

To configure an ISATAP tunnel:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > WAN Settings > ISATAP Tunnels. The ISATAP Tunnels screen displays. The following figure shows some examples.
7. Click the Add button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays.
8. Specify the tunnel settings as described in the following table.

Setting | Description
ISATAP Subnet Prefix | The IPv6 prefix for the tunnel.
Local End Point Address | From the menu, select the type of local address: • LAN. The local endpoint address is the address of the default VLAN. • Other IP. The local endpoint address is another LAN IP address that you must specify in the IPv4 Address fields.
IPv4 Address | If you select Other IP from the Local End Point Address menu, enter the IPv4 address.

9. Click the Apply button. Your settings are saved. The tunnel is added to the List of Available ISATAP Tunnels table on the ISATAP Tunnels screen.

Change an ISATAP Tunnel

The following procedure describes how to change an existing ISATAP tunnel.

To change an ISATAP tunnel:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > WAN Settings > ISATAP Tunnels. The ISATAP Tunnels screen displays.
7. In the List of Available ISATAP tunnels table, click the Edit button for the tunnel that you want to change. The Edit ISATAP Tunnel screen displays.
8. Change the settings. For more information about the settings, see Configure an ISATAP Tunnel on page 104.
9. Click the Apply button. Your settings are saved. The modified tunnel settings display in the List of Available ISATAP Tunnels table on the ISATAP Tunnels screen.

Remove One or More ISATAP Tunnels

The following procedure describes how to remove one or more ISATAP tunnels that you no longer need.

To remove one or more ISATAP tunnels:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > WAN Settings > ISATAP Tunnels. The ISATAP Tunnels screen displays.
7. In the List of Available ISATAP Tunnels table, select the check box to the left of each tunnel that you want to remove or click the Select All button to select all tunnels.
8. Click the Delete button. The selected tunnels are removed from the List of Available ISATAP Tunnels table.

View the Tunnel Status and Tunnel IPv6 Addresses

You can display the status of all active 6to4 and ISATAP tunnels and their IPv6 addresses.

To view the status of the tunnels and IPv6 addresses:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Monitoring > Router Status > Tunnel Status. The Tunnel Status screen displays.
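
The following Python sketch is an added example, not part of the NETGEAR manual: it rebuilds the ISATAP link-local addresses from the manual's two examples and recovers the IPv4 address embedded in a 6to4 or ISATAP address, which is useful when auditing tunnel addresses in logs or on the Tunnel Status screen. The 6to4 layout (the IPv4 address in the 32 bits that follow the 2002 prefix) comes from RFC 3056 rather than this page, and the function names and sample list are constructed for illustration.

```python
import ipaddress

SIXTOFOUR = ipaddress.ip_network("2002::/16")   # 6to4 prefix (RFC 3056, assumption)
ISATAP_MARKERS = (0x00005EFE, 0x02005EFE)       # the ::5efe and ::200:5efe forms

def isatap_link_local(ipv4, marker=0x00005EFE):
    """Concatenate fe80::, the ISATAP marker and the 32-bit IPv4 address."""
    if marker not in ISATAP_MARKERS:
        raise ValueError("marker must be 0x00005EFE or 0x02005EFE")
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Address((0xFE80 << 112) | (marker << 32) | v4)

def embedded_ipv4(ipv6):
    """Return (mechanism, IPv4Address) for a 6to4 or ISATAP address, else None."""
    addr = ipaddress.IPv6Address(ipv6)
    value = int(addr)
    if addr in SIXTOFOUR:
        # 2002:AABB:CCDD::/48 -> the 32 bits after the prefix are the IPv4 address
        return "6to4", ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    # ISATAP: the upper half of the interface identifier is the marker and
    # the lower 32 bits are the IPv4 address; any /64 prefix may precede it.
    if (value >> 32) & 0xFFFFFFFF in ISATAP_MARKERS:
        return "isatap", ipaddress.IPv4Address(value & 0xFFFFFFFF)
    return None

def audit(addresses):
    """Map each tunnel-style address in a list to its embedded IPv4 host."""
    findings = {}
    for text in addresses:
        hit = embedded_ipv4(text)
        if hit:
            findings[text] = (hit[0], str(hit[1]))
    return findings

# Constructed sample input: the manual's two ISATAP examples, one 6to4
# address built from the documentation IPv4 192.0.2.1, one native address.
SAMPLE = ["fe80::5efe:a1d:2104", "fe80::200:5efe:c0a8:101",
          "2002:c000:201::1", "2001:db8::1"]

if __name__ == "__main__":
    for addr, (kind, v4) in audit(SAMPLE).items():
        print(f"{addr:28} {kind:7} {v4}")
```
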
The IPv6 Tunnel Status table shows the following fields:
• Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for Simple Internet Transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in which x is an integer.
• IPv6 Address. The IPv6 address of the local tunnel endpoint.

Configure Stateless IP/ICMP Translation

The following sections provide information about Stateless IP/ICMP Translation:
• Stateless IP/ICMP Translation
• Configure Stateless IP/ICMP Translation

Stateless IP/ICMP Translation

Stateless IP/ICMP Translation (SIIT) is a transition mechanism algorithm that translates between IPv4 and IPv6 packet headers. Using SIIT, an IPv6 device that does not have a permanently assigned IPv4 address can communicate with an IPv4-only device.

SIIT functions with IPv4-translated addresses, which are addresses of the format 0::ffff:0:0:0/96 for IPv6-enabled devices. You can substitute an IPv4 address in the format a.b.c.d for part of the IPv6 address so that the IPv4-translated address becomes 0::ffff:0:a.b.c.d/96.

For SIIT to function, the routing mode must be IPv4/IPv6. NETGEAR’s implementation of SIIT lets you configure a single IPv4 address. This IPv4 address is then used in the IPv4-translated address for IPv6 devices to enable communication between IPv4-only devices on the VPN firewall’s LAN and IPv6-only devices on the WAN.

Configure Stateless IP/ICMP Translation

For SIIT to function, the routing mode must be IPv4/IPv6 (see Manage the IPv6 Routing Mode on page 88). The following procedure describes how to configure SIIT.

To configure SIIT:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > SIIT. The SIIT screen displays.
7. Select the Enable SIIT check box.
8. In the SIIT Address fields, enter the IPv4 address that must be used in the IPv4-translated address for IPv6 devices.
9. Click the Apply button. Your settings are saved.

Configure Auto-Rollover for IPv6 Interfaces

The following sections provide information about configuring auto-rollover for IPv6 interfaces:
• Auto-Rollover for IPv6 WAN Interfaces
• Configure Auto-Rollover Mode for IPv6 WAN Interfaces
• Configure the Failure Detection Method for IPv6 WAN Interfaces
Auto-Rollover for IPv6 WAN Interfaces

You can configure the VPN firewall’s IPv6 interfaces for auto-rollover for increased system reliability. You must specify one WAN interface as the primary interface.

The VPN firewall supports the following modes for IPv6 interfaces:
• Primary WAN mode. The selected WAN interface is made the primary interface. The other three interfaces are disabled.
• Auto-rollover mode. The selected WAN interface is defined as the primary link, and another interface must be defined as the rollover link. The remaining two interfaces are disabled. As long as the primary link is up, all traffic is sent over the primary link. When the primary link goes down, the rollover link is brought up to send the traffic. When the primary link comes back up, traffic automatically rolls back to the original primary link. If you want to use a redundant ISP link for backup purposes, select the WAN port that must function as the primary link for this mode. Ensure that you also configure the backup WAN port and that you configure the WAN failure detection method to support auto-rollover.

Note: If the VPN firewall functions in IPv4/IPv6 mode, you cannot configure load balancing. For information about IPv4/IPv6 mode, see Manage the IPv6 Routing Mode on page 88.

To use a redundant ISP link for backup purposes, ensure that the backup WAN interface is configured. Then select the WAN interface that must function as the primary link for this mode and configure the WAN failure detection method to support auto-rollover.

When the VPN firewall is configured in auto-rollover mode, it uses the WAN failure detection method to detect the status of the primary link connection at regular intervals. For IPv6 interfaces, the VPN firewall detects link failure by sending a ping request to an IP address. From the primary WAN interface, ping requests are sent to the specified IP address. If replies are not received, after a specified number of retries, the primary WAN interface is considered down and a rollover to the backup WAN interface occurs. When the primary WAN interface comes back up, another rollover occurs from the backup WAN interface back to the primary WAN interface. WAN failure detection applies only to the primary WAN interface, that is, it monitors the primary link only.

Configure Auto-Rollover Mode for IPv6 WAN Interfaces

The following procedure describes how you can configure auto-rollover mode for IPv6 WAN interfaces.

To configure auto-rollover mode for IPv6 WAN interfaces:
1. On your computer, launch an Internet browser.