Netgear VPN Firewall FVS336Gv2 Reference Manual
Configure the IPv6 Internet and WAN Settings 111 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen displays.
   Note: The IPv6 radio button is disabled. However, you can configure auto-rollover mode for IPv6 interfaces with the IPv4 radio button selected.
7. In the Load Balancing Settings section, configure the following settings:
   a. Select the Primary WAN Mode radio button.
   b. From the corresponding menu on the right, select a WAN interface to function as the primary WAN interface.
      The other WAN interface becomes disabled.
   c. Select the Auto Rollover check box.
   d. From the corresponding menu on the right, select a WAN interface to function as the backup WAN interface.
   Note: Ensure that the backup WAN interface is configured before enabling auto-rollover mode.
8. Click the Apply button. Your settings are saved.

Configure the Failure Detection Method for IPv6 WAN Interfaces

The following procedure describes how to configure the failure detection method for IPv6 WAN interfaces that function in auto-rollover mode.

To configure the failure detection method for IPv6 WAN interfaces:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings.
8. In the IPv6 WAN Settings table, click the Edit button for the WAN interface that you selected as the primary WAN interface. The WAN IPv6 ISP Settings screen displays.
9. Click the Advanced option arrow in the upper right. The WAN IPv6 Advanced Settings screen displays for the WAN interface that you selected.
10. Enter the settings as described in the following table.
   Note: The default time to roll over after the primary WAN interface fails is two minutes. The minimum test period is 30 seconds, and the minimum number of tests is 2.
11. Click the Apply button. Your settings are saved.

Setting: Ping IP Address
Description: The IP address of the interface that must receive the ping request. The interface must not reject the ping request and must not consider ping traffic to be abusive.
Note: Pings are sent through the WAN interface that is being monitored. The retry interval and number of failover attempts determine how quickly the VPN firewall switches from the primary link to the backup link if the primary link fails, or, when the primary link comes back up, switches back from the backup link to the primary link.

Setting: Retry Interval Is
Description: The retry interval in seconds. A ping is sent after every retry interval. The default retry interval is 30 seconds.

Setting: Failover After
Description: The number of failover attempts. The primary WAN interface is considered down after the specified number of queries fails to elicit a reply. The backup interface is brought up after this situation occurs. The failover default is 4 failures.
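Added example, not code from the manual or from NETGEAR: a Python model of how the Retry Interval Is and Failover After settings combine into the rollover decision, using the defaults and minimums the table states (30 seconds, 4 failures, minimum 30 seconds and 2 tests). The ping outcomes are constructed, and treating a single reply as "the primary link comes back up" is an assumption the page does not spell out.

```python
from dataclasses import dataclass, field

# Defaults and minimums the manual states for the Retry Interval Is / Failover After settings.
DEFAULT_RETRY_INTERVAL = 30   # seconds between pings on the monitored WAN interface
DEFAULT_FAILOVER_AFTER = 4    # consecutive lost pings before the backup link is brought up
MIN_RETRY_INTERVAL = 30
MIN_FAILOVER_AFTER = 2


@dataclass
class FailureDetector:
    """Auto-rollover decision driven by the ping results on the primary WAN interface."""
    retry_interval: int = DEFAULT_RETRY_INTERVAL
    failover_after: int = DEFAULT_FAILOVER_AFTER
    active: str = "primary"            # link currently carrying traffic
    consecutive_failures: int = 0
    elapsed: int = 0                   # seconds since monitoring started
    events: list = field(default_factory=list)

    def __post_init__(self):
        if self.retry_interval < MIN_RETRY_INTERVAL:
            raise ValueError("retry interval must be at least 30 seconds")
        if self.failover_after < MIN_FAILOVER_AFTER:
            raise ValueError("failover after must be at least 2 tests")

    def time_to_rollover(self) -> int:
        """Seconds from the first lost ping until rollover (the defaults give the manual's two minutes)."""
        return self.retry_interval * self.failover_after

    def record_ping(self, replied: bool) -> str:
        """Feed one ping result (one per retry interval) and return the link now active."""
        self.elapsed += self.retry_interval
        if replied:
            self.consecutive_failures = 0
            # Assumption (the page does not define "comes back up"): one reply on the
            # primary link is enough to switch traffic back from the backup link.
            if self.active == "backup":
                self.active = "primary"
                self.events.append((self.elapsed, "rollback to primary"))
        else:
            self.consecutive_failures += 1
            if self.active == "primary" and self.consecutive_failures >= self.failover_after:
                self.active = "backup"
                self.events.append((self.elapsed, "rollover to backup"))
        return self.active


def simulate(results, **settings):
    """Run a constructed sequence of ping outcomes through a detector and return its events."""
    det = FailureDetector(**settings)
    for replied in results:
        det.record_ping(replied)
    return det.events
```

With the defaults, two good pings followed by four lost ones trigger the rollover at 180 seconds of monitoring, 120 seconds after the first loss, which is the two-minute figure in the note above.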
Note: You can configure the VPN firewall to generate a WAN status log and email this log to a specified address (see Manage Logging, Alerts, and Event Notifications on page 567).

Additional WAN-Related Configuration Tasks

If you want the ability to manage the VPN firewall remotely, enable remote management (see Set Up Remote Management Access on page 534). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Automatic Logout Period on page 511).

Test the VPN firewall before deploying it in a live production environment. Verify that network traffic can pass through the VPN firewall by doing the following:
• Ping an Internet URL.
• Ping the IP address of a device on either side of the VPN firewall.

What to Do Next

After you complete setting up the IPv6 WAN connection for the VPN firewall, you might want to address the important tasks that are described in the following chapters and sections before you deploy the VPN firewall in your network:
• Chapter 2, Configure the IPv4 Internet and WAN Settings
• Chapter 4, Configure the IPv4 LAN Settings
• Configure Authentication Domains, Groups, and User Accounts on page 488
• Manage Digital Certificates for VPN Connections on page 512
• Use the IPSec VPN Wizard for Client and Gateway Configurations on page 334
• Chapter 9, Set Up Virtual Private Networking with SSL Connections
4. Configure the IPv4 LAN Settings

This chapter describes how to configure the IPv4 LAN features of your VPN firewall. The chapter contains the following sections:
• Manage IPv4 Virtual LANs and DHCP Options
• Manage IPv4 Multihome LAN IP Addresses on the Default VLAN
• Manage IPv4 LAN Groups and Hosts
• Manage the DMZ Port for IPv4 Traffic
• Manage Static IPv4 Routing
Manage IPv4 Virtual LANs and DHCP Options

The following sections provide information about managing IPv4 VLANs and DHCP options:
• IPv4 LANs and VLANs
• Port-Based VLANs
• Assign VLAN Profiles
• VLAN DHCP
• Manage VLAN Profiles
• Configure Unique VLAN MAC Addresses
• Disable the Broadcast of ARP Packets for the Default VLAN

IPv4 LANs and VLANs

A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges, or switches in the same physical segment or segments connect all end node devices. Endpoints can communicate with each other without the need for a router. Routers connect LANs together, routing the traffic to the appropriate port.

A virtual LAN (VLAN) is a local area network with a definition that maps workstations on some basis other than geographic location (for example, by department, type of user, or primary application). To enable traffic to flow between VLANs, traffic must go through a router, as if the VLANs were on two separate LANs.

A VLAN is a group of computers, servers, and other network resources that behave as if they were connected to a single network segment—even though they might not be. For example, all marketing personnel might be spread throughout a building. Yet if they are all assigned to a single VLAN, they can share resources and bandwidth as if they were connected to the same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, depending on how the IT manager has set up the VLANs.

VLANs have a number of advantages:
• It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group's traffic is contained largely within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network.
• They are easy to manage. The addition of nodes, as well as moves and other changes, can be dealt with quickly and conveniently from a management interface rather than from the wiring closet.
• They provide increased performance. VLANs free up bandwidth by limiting node-to-node and broadcast traffic throughout the network.
• They ensure enhanced network security. VLANs create virtual boundaries that can be crossed only through a router. So standard, router-based security measures can be used to restrict access to each VLAN.
Port-Based VLANs

The VPN firewall supports port-based VLANs. Port-based VLANs confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port can have only one VLAN ID as its port VLAN identifier (PVID). By default, all four LAN ports of the VPN firewall are assigned to the default VLAN, or VLAN 1. Therefore, by default, all four LAN ports have the default PVID 1. However, you can assign another PVID to a LAN port (see Assign VLAN Profiles on page 116). After you create a VLAN profile and assign one or more ports to the profile, you must enable the profile to activate it.

You cannot remove the VPN firewall's default VLAN. All untagged traffic is routed through the default VLAN (VLAN 1), which you must assign to at least one LAN port.

Note the following about VLANs and PVIDs:
• One physical port is assigned to at least one VLAN.
• One physical port can be assigned to multiple VLANs.
• When one port is assigned to multiple VLANs, the port is used as a trunk port to connect to another switch or router.
• When a port receives an untagged packet, this packet is forwarded to a VLAN based on the PVID.
• When a port receives a tagged packet, this packet is forwarded to a VLAN based on the ID that is extracted from the tagged packet.

When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged. All other packets are tagged according to the VLAN ID that you assigned to the VLAN when you created the VLAN profile.
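The ingress and egress rules just listed, worked through in Python as an added example that is not part of the manual or NETGEAR's firmware: a constructed three-port table, a minimal 802.1Q frame parser, and a forward() that assigns untagged frames by PVID, tagged frames by their tag, and strips the tag only on the egress port whose PVID matches. The port numbers, VLAN ID 20 and MAC addresses are constructed; dropping a frame for a VLAN the port is not a member of is an assumption the page does not state; and port 3 generalizes the page's default PVID 1 to a port given a different PVID.

```python
import struct

TPID_8021Q = 0x8100

# Constructed port table in the shape the manual describes: each LAN port has exactly one
# PVID but may belong to several VLANs (a port in several VLANs acts as a trunk port).
PORTS = {
    1: {"pvid": 1, "vlans": {1}},        # default VLAN only, default PVID 1
    2: {"pvid": 1, "vlans": {1, 20}},    # trunk port: default VLAN plus VLAN 20
    3: {"pvid": 20, "vlans": {20}},      # port whose PVID was changed to 20 (assumed setup)
}

def parse_frame(frame):
    """Split an Ethernet frame into (dst, src, vlan_id or None, ethertype, payload)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    if ethertype == TPID_8021Q:
        tci, inner_type = struct.unpack("!HH", frame[14:18])
        return dst, src, tci & 0x0FFF, inner_type, frame[18:]   # VID is the low 12 bits of the TCI
    return dst, src, None, ethertype, frame[14:]

def build_frame(dst, src, vlan_id, ethertype, payload):
    """Rebuild the frame, inserting an 802.1Q tag only when vlan_id is not None."""
    if vlan_id is None:
        return struct.pack("!6s6sH", dst, src, ethertype) + payload
    return struct.pack("!6s6sHHH", dst, src, TPID_8021Q, vlan_id, ethertype) + payload

def ingress_vlan(port, frame):
    """Ingress rule: a tagged frame joins the VLAN in its tag, an untagged one the port's PVID."""
    tag = parse_frame(frame)[2]
    vlan = PORTS[port]["pvid"] if tag is None else tag
    # Assumption (not stated on the page): frames for a VLAN the port is not a member of are dropped.
    return vlan if vlan in PORTS[port]["vlans"] else None

def egress_frame(port, vlan, frame):
    """Egress rule: frames leaving on the port's PVID go out untagged, all others carry their tag."""
    dst, src, _, ethertype, payload = parse_frame(frame)
    return build_frame(dst, src, None if vlan == PORTS[port]["pvid"] else vlan, ethertype, payload)

def forward(in_port, out_port, frame):
    """Ingress on in_port, then egress on out_port; returns the emitted frame or None if dropped."""
    vlan = ingress_vlan(in_port, frame)
    if vlan is None or vlan not in PORTS[out_port]["vlans"]:
        return None
    return egress_frame(out_port, vlan, frame)

# Constructed sample frames with locally administered MAC addresses and a dummy payload.
DST, SRC = bytes.fromhex("0200000000aa"), bytes.fromhex("0200000000bb")
UNTAGGED = build_frame(DST, SRC, None, 0x0800, b"payload")
TAGGED_20 = build_frame(DST, SRC, 20, 0x0800, b"payload")
```

An untagged frame entering port 3 leaves the trunk port 2 tagged with VLAN 20, while the same tagged frame entering port 2 leaves port 3 untagged, which is the asymmetry the IP phone scenario below relies on.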
In a typical scenario for a configuration with an IP phone that has two Ethernet ports, one port is connected to the VPN firewall, and the other one to another device. Packets coming from the IP phone to the VPN firewall LAN port are tagged. Packets passing through the IP phone from the connected device to the VPN firewall LAN port are untagged. When you assign the VPN firewall LAN port to a VLAN, packets entering and leaving the port are tagged with the VLAN ID. However, untagged packets entering the VPN firewall LAN port are forwarded to the default VLAN with PVID 1; packets that leave the LAN port with the same default PVID 1 are untagged.

Assign VLAN Profiles

The following procedure describes how to assign existing VLAN profiles (which include the default VLAN) to LAN ports.
To assign VLAN profiles to LAN ports:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > LAN Settings. The LAN submenu tabs display, with the LAN Setup screen in view, displaying the IPv4 settings.
   The following figure shows some VLAN profiles as an example.
   For each VLAN profile, the following fields display in the VLAN Profiles table:
   • Check box. Allows you to select the VLAN profile in the table.
   • Status icon. Indicates the status of the VLAN profile:
     - Green circle. The VLAN profile is enabled.
     - Gray circle. The VLAN profile is disabled.
   • Profile Name. The unique name assigned to the VLAN profile.
   • VLAN ID. The unique ID (or tag) assigned to the VLAN profile.
   • Subnet IP. The subnet IP address for the VLAN profile.
   • DHCP Status. The DHCP server status for the VLAN profile, which can be either Enabled or Disabled.
   • Action. The Edit button, which provides access to the Edit VLAN Profile screen.
7. In the Default VLAN section, assign a VLAN profile to a LAN port by selecting a VLAN profile from a port menu. The enabled VLAN profile displays in the menu.
8. To assign a VLAN profile to another LAN port, repeat Step 7.
9. Click the Apply button. Your settings are saved.

Note: After you assign an active VLAN profile to LAN ports, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change these default traffic rules, see Chapter 6, Customize Firewall Protection.

VLAN DHCP

For each VLAN, you must specify the Dynamic Host Configuration Protocol (DHCP) options (see Manage VLAN Profiles on page 119). For information about configuring the DHCP options for the VPN firewall's default VLAN, or VLAN 1, see Configure the IPv4 Internet Connection and WAN Settings on page 30.

The following sections provide information about VLAN DHCP concepts:
• DHCP Servers
• DHCP Relay
• DNS Proxy
• LDAP Servers

DHCP Servers

The default VLAN (VLAN 1) has the DHCP server option enabled by default, allowing the VPN firewall to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the VPN firewall's LAN. The assigned default gateway address is the LAN address of the VPN firewall. IP addresses are assigned to the attached computers from a pool of addresses that you must specify. Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN. When you create a VLAN, the DHCP server option is disabled by default.
For most applications, the default DHCP server and TCP/IP settings of the VPN firewall are satisfactory. The VPN firewall delivers the following settings to any LAN device that requests DHCP:
• An IP address from the range that you define
• Subnet mask
• Gateway IP address (the VPN firewall's LAN IP address)
• Primary DNS server (the VPN firewall's LAN IP address)
• WINS server (if you configure a WINS server for the DHCP server)
• Lease time (the date obtained and the duration of the lease)

DHCP Relay

DHCP relay options allow you to make the VPN firewall a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages. The DHCP relay agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet. If you do not configure a DHCP relay agent for a VLAN, its clients can obtain IP addresses only from a DHCP server that is on the same subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you must configure the DHCP relay agent on the subnet that contains the remote clients so that the DHCP relay agent can relay DHCP broadcast messages to your DHCP server.

DNS Proxy

When the DNS proxy option is enabled for a VLAN, the VPN firewall acts as a proxy for all DNS requests and communicates with the ISP's DNS servers. These are the DNS servers that the VPN firewall detected during the automatic configuration of the IPv4 Internet connection or that you configured manually for the WAN interfaces (see Configure the IPv4 Internet Connection and WAN Settings on page 30). All DHCP clients receive the primary and secondary DNS IP addresses along with the IP address where the DNS proxy is located (that is, the VPN firewall's LAN IP address).
When the DNS proxy option is disabled for a VLAN, all DHCP clients receive the DNS IP addresses of the ISP but without the DNS proxy IP address.

LDAP Servers

A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server. For each VLAN, you can specify an LDAP server and a search base that defines the location in the directory (that is, the directory tree) from which the LDAP search begins.

Manage VLAN Profiles

For each VLAN on the VPN firewall, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing capability.