Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports FVS124G NETGEAR, Inc.
© 2005 by NETGEAR, Inc. All rights reserved.

Trademarks

NETGEAR is a trademark of Netgear, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.

Statement of Conditions

In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice.
Certificate of the Manufacturer/Importer

It is hereby certified that the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The operation of some equipment (for example, test transmitters) in accordance with the regulations may, however, be subject to certain restrictions.
Open SSL

Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
MD5

Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function.
Product and Publication Details

Model Number: FVS124G
Publication Date: March 2005
Product Family: Router
Product Name: FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
Home or Business Product: Business
Language: English
Publication Part Number: 202-10085-01
Contents

Chapter 1 About This Manual
Audience, Scope, Conventions, and Formats 1-1
How to Use This Manual 1-2
How to Print this Manual
Inbound Traffic 3-3
Inbound Traffic to Single WAN Port (Reference Case) 3-3
Inbound Traffic to Dual WAN Port Systems 3-3
Inbound Traffic: Dual WAN Ports for Improved Reliability
Load Balancing (and Protocol Binding) Setup 4-17
Step 5: Configure Dynamic DNS (If Needed) 4-20
Step 6: Configure the WAN Options (If Needed) 4-23
Chapter 5 LAN Configuration
Using the LAN IP Setup Options
Creating a VPN Connection: Between FVX538 and FVS124G 7-5
Configuring the FVX538 7-5
Configuring the FVS124G 7-9
Testing the Connection
WAN Port Connection Status 8-18
Dynamic DNS Status 8-19
Internet Traffic Information 8-19
LAN Ports and Attached Devices
Routing Information Protocol B-2
IP Addresses and the Internet B-2
Netmask B-4
Subnet Addressing
MacOS X C-16
Verifying TCP/IP Properties for Macintosh Computers C-17
Verifying the Readiness of Your Internet Account C-18
Are Login Protocols Used?
C Glossary-3
D Glossary-3
E Glossary-4
G
Chapter 1 About This Manual

This chapter describes the intended audience, scope, conventions, and formats of this manual.

Audience, Scope, Conventions, and Formats

This reference manual assumes that the reader has basic to intermediate computer and Internet skills. However, tutorial information on basic computer networking, Internet, firewall, and VPN technologies is provided in the Appendices and on the Netgear website. This guide uses the following typographical conventions: Table 1-1.
How to Use This Manual

The HTML version of this manual includes the following:
• Buttons for browsing forwards or backwards through the manual one page at a time.
• A button that displays the table of contents and an index button. Double-click on a link in the table of contents or index to navigate directly to where the topic is described in the manual.
• A product model.
How to Print this Manual

To print this manual you can choose one of the following options, according to your needs.
• Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic. Use the Print button on the browser toolbar to print the page contents.
• Printing a Chapter. Use the PDF of This Chapter link at the top left of any page.
Chapter 2 Introduction

This chapter describes the features of the NETGEAR FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports.

Key Features of the VPN Firewall

The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports with 4-port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem. The FVS124G is a complete security solution that protects your network from attacks and intrusions.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.

Dual WAN Ports for Increased Reliability or Outbound Load Balancing

The FVS124G VPN Firewall has two broadband WAN ports, WAN1 and WAN2, each capable of operating independently at speeds of either 10 Mbps or 100 Mbps.
• With its URL keyword filtering feature, the FVS124G prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses. You can configure the firewall to log and report attempts to access objectionable Internet sites.
Extensive Protocol Support

The FVS124G VPN Firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to Appendix B, “Network, Routing, Firewall, and Basics.”
• VPN Wizard

The FVS124G VPN Firewall includes the NETGEAR VPN Wizard to easily configure VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
• Resource CD for ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports, including:
  – This guide.
  – Application Notes and other helpful information.
  – ProSafe VPN Client Software - single user license.
• Warranty and Support Information Card.

If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer.
Table 2-1. FVS124G front panel

Object   | Activity         | Description
PWR LED  | On (Green)       | Power is supplied to the firewall.
PWR LED  | Off              | Power is not supplied to the firewall.
TEST LED | On (Amber)       | Test mode: The system is initializing or the initialization has failed.
TEST LED | Blinking (Amber) | Writing to Flash memory (during upgrading or resetting to defaults).
TEST LED | Off              | The system has booted successfully.
Figure 2-2: FVS124G Rear Panel (callouts: Factory Defaults Button, WAN2 Port, LAN Ports 1-4, WAN1 Port, AC Power Adapter Connection 12VDC 1.2A)

Viewed from left to right, the rear panel contains the following elements: Table 2-2.
Figure 2-3: FVS124G Bottom Label (shows LAN IP Address, User Name, Password)

Logging into the Router

To log into the FVS124G once it is connected:
1. Open a Web browser.
2. Enter http://192.168.1.1 as the URL.
3.
Figure 2-4: Login screen on the Web browser

Note: Read-only access is provided by logging in as username guest and default password password.

Default Factory Settings

When you first receive your FVS124G, the default factory settings will be set as shown in Table 2-1 below. You can restore these defaults with the Factory Defaults restore switch on the front panel — see “The Router’s Front Panel” on page 2-6.
Table 2-1. Factory Default Settings

Feature                    | Default
User Name (case sensitive) | admin
Password (case sensitive)  | password
Built-in DHCP server       | DHCP server is enabled, issues addresses in the default subnet
IP Configuration           | IP Address: 192.168.1.1; Subnet Mask: 255.255.255.0; Gateway: 0.0.0.
Time Zone                  |
Chapter 3 Network Planning

This chapter describes the factors to consider when planning a network using a firewall that has dual WAN ports.

Overview of the Planning Process

The areas that require planning when using a firewall that has dual WAN ports include:
• Inbound traffic (e.g.
Note: Once the gateway firewall WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address.

The Rollover Case for Firewalls With Dual WAN Ports

Rollover (Figure 3-1) for the dual WAN port case differs from the single gateway WAN port case in how the IP address is specified.
Inbound Traffic

Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a response to one of your local computers or a service that you have configured in the Inbound Rules menu. Instead of discarding this traffic, you can have it forwarded to one or more LAN hosts on your network.
Inbound Traffic: Dual WAN Ports for Improved Reliability

In the dual WAN port case with rollover (Figure 3-4), the WAN’s IP address will always change at rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the WAN ports (i.e., WAN1 or WAN2).

Figure 3-4 (labels: Dual WAN Ports (Before Rollover): Router, WAN1 IP; Dual WAN Ports (After Rollover): Router, WAN1 IP (N/A); netgear.dyndns.)
Virtual Private Networks (VPNs)

When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table 3-1.
Figure (labels: Dual WAN Ports (Before Rollover): Gateway, WAN1 IP, VPN Router, WAN2 port inactive, WAN2 IP (N/A); Dual WAN Ports (After Rollover): Gateway, netgear.dyndns.org, WAN1 IP (N/A), WAN1 port inactive, VPN Router; netgear.dyndns.)
Figure (labels: Road Warrior Example (Single WAN Port): Gateway A, LAN IP 10.5.6.1, 10.5.6.0/24, VPN Router (at employer's main office), WAN IP, FQDN bzrouter.dyndns.org; Client B, WAN IP 0.0.0.)
After a rollover of the gateway WAN port (Figure 3-10), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel. The gateway WAN port must act as the responder.

Figure 3-10 (labels: Road Warrior Example (Dual WAN Ports, After Rollover): Gateway A, WAN1 IP (N/A), WAN1 port inactive, LAN IP, 10.5.6.0/24, bzrouter.dyndns.org; Client B; 10.5.6.)
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability

In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-13), either of the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports because the IP addresses of the WAN ports are known in advance.
Figure (labels: Gateway-to-Gateway Example (Dual WAN Ports, After Rollover): Gateway A, LAN IP 10.5.6.1, 10.5.6.0/24, VPN Router (at office A), WAN_A1 IP (N/A), WAN_A1 port inactive, netgear.dyndns.org, WAN_A2 IP; 172.23.9.0/24, WAN_B1 IP, netgearB.dyndns.)
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.

VPN Telecommuter (Client-to-Gateway Through a NAT Router)

Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability

In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-17), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.
The purpose of the fully-qualified domain name in this case is to toggle the domain name of the gateway router between the IP addresses of the active WAN port (i.e., WAN1 or WAN2) so that the remote PC client can determine the gateway IP address to establish or re-establish a VPN tunnel.
Chapter 4 Connecting the FVS124G to the Internet

This chapter describes how to connect the WAN ports of the FVS124G VPN Firewall to the Internet.

What You Will Need to Do Before You Begin

The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports is a powerful and versatile solution for your networking needs. But to make the configuration process easier and to understand all of the choices available to you, you need to think through the following items before you begin:
1.
– You can also add your own service protocols to the list (see “Services-Based Rules” on page 6-4 for information on how to do this).
2. Set up your accounts
a. Have active Internet services such as those provided by cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information.
You make these selections during “Step 2: Log in to the VPN Firewall (Required)” on page 4-7.
4. There are a variety of WAN options you can choose when the factory default settings are not applicable to your installation. These include enabling a WAN port to respond to a ping and setting MTU size, port speed, and upload bandwidth.
Internet Configuration Requirements

Depending on how your ISPs set up your Internet accounts, you will need one or more of these configuration parameters to connect your firewall to the Internet:
• Host and Domain Names
• ISP Login Name and Password
• ISP Domain Name Server (DNS) Addresses
• Fixed IP Address, also known as Static IP Address

Where Do I Get the Internet Configuration Parameters?

There are several
Record Your Internet Connection Information

Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).

ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP. For AOL customers, the login name is their primary screen name. Some ISPs use your full e-mail address as the login name. The Service Name is not required by all ISPs.
Connecting the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

This section provides instructions for connecting the FVS124G VPN Firewall. Also, the Resource CD for ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports included with your firewall contains an animated Installation Assistant to help you through this procedure. There are six major steps to connecting your firewall:
1.
Step 1: Physically Connect the VPN Firewall to Your Network (Required)

1. Turn off your computer and Cable or DSL Modem.
2. Disconnect the Ethernet cable from your computer which connects to your cable or DSL modem.
3. Connect the Ethernet cables from your cable or DSL modems to the WAN1 and WAN2 Internet ports on the FVS124G.
4.
Figure 4-2: Login screen on the Web browser

2. For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and password for the firewall password, both in lower case letters. The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.
Figure 4-3: WAN1 and WAN2 Basic Settings and Setup Wizard Screens (WAN1 screens, WAN2 screens)
b. Click Setup Wizard on the WAN1 ISP Settings screen to get the Setup Wizard (WAN1) screen.
c. Click Next and follow the steps in the WAN1 Setup Wizard for inputting the configuration parameters from your ISP1 to connect to the Internet.
2. The steps to configure WAN port 2 are as follows:
a. Repeat the above steps to set up the parameters for ISP2. Start by clicking the WAN2 ISP link directly under WAN Setup on the upper left of the main menu to get the WAN2 ISP Settings screen shown in Figure 4-3. Next click Setup Wizard on the WAN2 ISP Settings screen to get the Setup Wizard (WAN2) screen.
Manually Configuring Your Internet Connection

You can manually configure your firewall using the menu below if you do not want to allow the Setup Wizard to determine your configuration as described in the previous sections.
Programming the Traffic Meter (if Desired)

From the Main Menu of the browser interface, under WAN Setup, click Traffic Meter. You will get the screens shown in Figure 4-5. Fill out the information described in Table 4-1.
Table 4-1. Traffic meter

Parameter | Description
Enable Traffic Meter | Check this if you wish to record the volume of Internet traffic passing through the Router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected through the drop-down menu; the entire configuration is specific to each WAN interface.
• No Limit - If this is selected, the specified restriction will not be applied when the traffic limit is reached.
Step 4: Configure the WAN Mode (Required for Dual WAN)

The dual WAN ports of the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports can be configured on a mutually exclusive basis for either rollover for increased system reliability or load balancing for maximum bandwidth efficiency.
Rollover Setup

Perform the following steps to configure the dual WAN ports for rollover:
1. Click the WAN Mode link directly under Setup on the upper left of the main menu to invoke the WAN Mode Auto-Rollover screen shown in Figure 4-6.
• Test Period—A DNS query is sent periodically after every test period. The minimum test period is 30 seconds.
• Maximum Failures—The WAN interface is considered down after the configured number of DNS queries have failed to elicit a DNS reply from the configured DNS server. The minimum number of failed DNS queries is four. The rollover link is brought up after this.
Figure 4-7: WAN Mode screen for load balancing and protocol binding

Fill out the screen using the following parameter definitions:
• Detection of WAN failure—WAN failure is detected using DNS queries to the DNS server. For each WAN interface, DNS queries are sent to the configured DNS server. If the DNS replies are not received, the corresponding WAN interface is considered down.
• Test Period—A DNS query is sent periodically after every test period. The minimum test period is 30 seconds.
• Maximum Failures—The WAN interface is considered down after the configured number of DNS queries have failed to elicit a DNS reply from the configured DNS server. The minimum number of failed DNS queries is four. The minimum time for a WAN interface to be classified as having failed is two minutes (i.e.
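The DNS-probe failure detection described for both rollover and load-balancing modes is easy to get wrong when sizing a deployment: the time until a dead link is noticed is the Test Period multiplied by Maximum Failures, so with the documented minimums (30 seconds, four failures) nothing rolls over for two minutes. The following simulation is an added example, not NETGEAR's firmware; it replays a constructed sequence of probe outcomes through a monitor that applies those two rules and rolls traffic over to the other port. Port names, event wording and the probe results are constructed, and the minimum-value check in WanMonitor is an assumption about validation the manual does not describe.

```python
"""Model of DNS-probe WAN failure detection with auto-rollover.

Added example, not NETGEAR's firmware. It follows the rules the manual
states (one DNS query per Test Period, minimum 30 s; the interface is
down after Maximum Failures consecutive missed replies, minimum 4), so
the resulting two-minute minimum detection time can be checked.
"""

from dataclasses import dataclass, field
from typing import List, Sequence, Tuple

MIN_TEST_PERIOD_S = 30  # manual: minimum Test Period is 30 seconds
MIN_MAX_FAILURES = 4    # manual: minimum Maximum Failures is four


def settings_valid(test_period_s: int, max_failures: int) -> bool:
    """True if both values meet the documented minimums."""
    return test_period_s >= MIN_TEST_PERIOD_S and max_failures >= MIN_MAX_FAILURES


@dataclass
class WanMonitor:
    """Tracks consecutive missed DNS replies for one WAN interface."""
    name: str
    test_period_s: int = MIN_TEST_PERIOD_S
    max_failures: int = MIN_MAX_FAILURES
    consecutive_failures: int = 0
    is_up: bool = True

    def __post_init__(self) -> None:
        # Assumption: reject settings below the minimums (the manual states the
        # minimums but not how the UI handles smaller values).
        if not settings_valid(self.test_period_s, self.max_failures):
            raise ValueError("Test Period >= 30 s and Maximum Failures >= 4 required")

    def worst_case_detection_s(self) -> int:
        """Seconds from the first missed reply until the link is declared down."""
        return self.test_period_s * self.max_failures

    def record_probe(self, reply_received: bool) -> bool:
        """Feed one probe result. Returns True only when this probe flips the
        interface from up to down; fail-back after recovery is not modelled."""
        if reply_received:
            self.consecutive_failures = 0
            return False
        self.consecutive_failures += 1
        if self.is_up and self.consecutive_failures >= self.max_failures:
            self.is_up = False
            return True
        return False


@dataclass
class DualWanRollover:
    """Keeps traffic on the active port and rolls over when it is declared down."""
    wan1: WanMonitor
    wan2: WanMonitor
    active: str = "WAN1"
    events: List[str] = field(default_factory=list)

    def probe(self, t_s: int, wan1_reply: bool, wan2_reply: bool) -> None:
        for mon, reply in ((self.wan1, wan1_reply), (self.wan2, wan2_reply)):
            if mon.record_probe(reply):
                self.events.append(
                    f"t={t_s}s {mon.name} down after {mon.max_failures} missed DNS replies")
                if self.active == mon.name:
                    other = self.wan2 if mon is self.wan1 else self.wan1
                    if other.is_up:
                        self.active = other.name
                        self.events.append(f"t={t_s}s rollover to {other.name}")
                    else:
                        self.events.append(f"t={t_s}s no healthy port to roll over to")


def run_scenario(probe_results: Sequence[Tuple[bool, bool]],
                 test_period_s: int = MIN_TEST_PERIOD_S,
                 max_failures: int = MIN_MAX_FAILURES) -> DualWanRollover:
    """Replay (wan1_reply, wan2_reply) pairs, one pair per Test Period."""
    dw = DualWanRollover(WanMonitor("WAN1", test_period_s, max_failures),
                         WanMonitor("WAN2", test_period_s, max_failures))
    for i, (r1, r2) in enumerate(probe_results, start=1):
        dw.probe(i * test_period_s, r1, r2)
    return dw


# Constructed scenario: WAN1's DNS server answers twice, then stops replying;
# WAN2 answers throughout. WAN1 is declared down on the 6th probe (t=180 s).
SAMPLE_PROBES = [(True, True), (True, True), (False, True), (False, True),
                 (False, True), (False, True), (True, True)]

if __name__ == "__main__":
    result = run_scenario(SAMPLE_PROBES)
    print("active port:", result.active)
    for line in result.events:
        print(line)
```

A practitioner sizing this should notice that the probe targets the configured DNS server, so a DNS outage at the ISP is indistinguishable from a link failure; pointing each WAN port's probe at a resolver that is only reachable over that port is what makes the detection meaningful.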
Step 5: Configure Dynamic DNS (If Needed)

If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS). However, if your Internet account uses a dynamically assigned IP address, you will not know in advance what your IP address will be, and the address can change frequently.
Figure 4-8: Dynamic DNS screens (Dynamic DNS screen for rollover mode; Dynamic DNS screens for load balancing mode)
Each DNS service provider requires its own parameters (Figure 4-9).

Figure 4-9: Dynamic DNS service provider screens (DynDNS Service Screen, TZO Service Screen, Oray Service Screen)

3. Access the website of one of the dynamic DNS service providers whose names appear in the ‘Select Service Provider’ box, and register for an account. For example, for dyndns.org, go to www.dyndns.org.
4.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.

Step 6: Configure the WAN Options (If Needed)

Perform the following steps to configure the WAN options:
1. If you haven’t already, log in to the firewall at its default LAN address of http://192.168.1.
• Port Speed—In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port speed. If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M; otherwise, select 10M.
Chapter 5 LAN Configuration

This chapter describes how to configure the advanced features of your FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports. These features can be found under the Advanced heading in the Main Menu of the browser interface.
• LAN Setup
• Static Routes

Using the LAN IP Setup Options

The LAN IP Setup menu allows configuration of LAN IP services such as DHCP and RIP.
Figure 5-1: LAN IP Setup menu

Note: Once you have completed the LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 6, “Firewall Protection and Content Filtering.”

Configuring LAN TCP/IP Setup Parameters

LAN TCP/IP Setup—The default values are suitable for most users and situations.
• IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router).
• RIP Direction: RIP (Routing Information Protocol, RFC 2453) allows a router to exchange routing information with other routers.
• Ending IP Address - This box specifies the last of the contiguous addresses in the IP address pool. 192.168.1.254 is the default ending address.
• WINS Server - This box can specify the Windows NetBIOS Server IP if one is present in your network.
• Lease Time - This box specifies the Lease time to be given to the DHCP Clients.
• Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address)
• Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu)
• WINS Server (if you entered a Secondary DNS address in the Basic Settings menu)

Using Address Reservation

When you specify a reserved IP address for a PC on the LAN, that PC will always receive th
Multi Home LAN IPs

Click Multi Home LAN IPs Setup on the LAN IP Setup screen (see Figure 5-1) to invoke the Secondary LAN IP Setup screens. This allows the firewall to act as a gateway to additional logical subnets on your LAN. You can assign the firewall an IP address on each additional logical subnet.
From the Main Menu of the browser interface, under Advanced, click on Static Routes to view the Static Route menu, shown below.

Figure 5-4. Static Routes Summary Table and Add screens

To add or edit a Static Route:
1. Click the Add button to open the Add/Edit Menu, shown below.
2. Type a route name for this static route in the Route Name box under the table. (This is for identification purposes only.)
3.
8. Type a number between 1 and 15 as the Metric value. This represents the number of firewalls between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
9. Click Apply to have the static route entered into the table.
Chapter 6 Firewall Protection and Content Filtering

This chapter describes how to use the content filtering features of the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports to protect your network. These features can be found by clicking on the Content Filtering heading in the Main Menu of the browser interface.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVS124G are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• Outbound: Allow all access from the LAN side to the outside.
Note: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.
Outbound Services—This lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed. The default rule allows all outgoing traffic.
• To create a new outbound service rule:
a. Click the Add button. It does not matter which radio button is selected.
b. Click the button for the desired action:
– Edit - to make any changes to the rule definition. The Inbound Service screen will be displayed (see “Inbound Rules (Port Forwarding)” on page 6-5) with the data for the selected rule.
– Move - to move the selected rule to a new position in the table. You will be prompted for the new position.
– Delete - to delete the selected rule.
• Quality of service (QoS) priorities—Each service has its own native priority, which affects its quality of performance and its tolerance for jitter or delay. You can change this QoS priority if desired to change the traffic mix through the system.
Table 6-1. Inbound Services (Item: Description)
Services: Select the desired Service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Customized Services” on page 6-16).
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location. If you are unsure, refer to the Acceptable Use Policy of your ISP. Remember that allowing inbound services opens holes in your FVS124G VPN Firewall.
Inbound Rule Example: Allowing Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 6-4, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
– LAN IP address subnet is 192.168.1.1 255.255.255.0
• Web server PC on the firewall's LAN
– LAN IP address is 192.168.1.2
– Access to Web server is (simulated) public IP address 10.1.0.52
IP Address Requirements—If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN.
5. Select Action "ALLOW always".
6. For Send to LAN Server, enter the local IP address of your web server PC.
7. For Public Destination IP Address, choose "Other Public IP Address."
8. Enter one of your public Internet addresses that will be used by clients on the Internet to reach your web server.
9. Click Apply. Your rule will now appear in the Inbound Services table of the Rules menu (see Figure 6-6).
To test the connection from a PC on the Internet, type http://, where is the public IP address you have mapped to your web server. You should see the home page of your web server.
Inbound Rule Example: Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you haven't defined.
Considerations for Inbound Rules
• If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted.
Note: See “Source MAC Filtering” on page 6-27 for yet another way to block outbound traffic from selected PCs that would otherwise be allowed by the firewall.
Table 6-1. Outbound Services (Item: Description)
Services: Select the desired Service or application to be covered by this rule.
Table 6-1. Outbound Services (Item: Description)
QoS Priority: This setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service. The user can change it accordingly. If the user does not make a selection (i.
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu. You can also have the firewall log any attempt to use Instant Messenger during that blocked period.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 6-10:
Figure 6-10: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the default rules at the bottom.
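The top-to-bottom, first-match evaluation described above, written out as an added example in Python (this is not NETGEAR's firmware or any code from the manual). A rule table is walked in order; the first rule whose direction, service, WAN Users selector, public destination address and schedule all match decides the packet, and only when nothing matches do the two default rules apply (inbound BLOCK, outbound ALLOW). The service port ranges, the rule names and the 203.0.113.x / 198.51.100.x addresses are constructed for the example; the web-server rule reuses the 10.1.0.52 and 192.168.1.2 addresses from the inbound rule example earlier in this chapter.

```python
"""Added example: first-match rule evaluation with the FVS124G default rules."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str        # "inbound" (WAN to LAN) or "outbound" (LAN to WAN)
    src_ip: str
    dst_ip: str
    protocol: str         # "tcp" or "udp"
    dst_port: int
    hour: int = 12        # local hour of day, used by scheduled rules


# Constructed service table: name -> (protocol, low port, high port).
# The firewall ships its own list and lets you add custom services.
SERVICES = {
    "HTTP": ("tcp", 80, 80),
    "CU-SEEME": ("udp", 7648, 7652),
    "AIM": ("tcp", 5190, 5190),
}


@dataclass
class Rule:
    name: str
    direction: str
    service: str
    action: str                                  # "ALLOW" or "BLOCK"
    wan_users: str = "any"                       # "any", "a.b.c.d" or "a.b.c.d-e.f.g.h"
    public_ip: Optional[str] = None              # inbound: Public Destination IP Address
    lan_server: Optional[str] = None             # inbound: Send to LAN Server
    schedule: Optional[Tuple[int, int]] = None   # (start hour, end hour) when the rule applies
    log: bool = False


def wan_match(spec: str, ip: str) -> bool:
    """WAN Users selector: Any / Single address / Address range."""
    if spec == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in spec.split("-"))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(spec)


def service_match(service: str, pkt: Packet) -> bool:
    proto, lo, hi = SERVICES[service]
    return pkt.protocol == proto and lo <= pkt.dst_port <= hi


def evaluate(rules: List[Rule], pkt: Packet):
    """Walk the table top to bottom; the first matching rule wins.
    Returns (action, rule name, LAN server to forward to or None)."""
    # The WAN-side address is the source of inbound and the destination of outbound traffic.
    wan_ip = pkt.src_ip if pkt.direction == "inbound" else pkt.dst_ip
    for rule in rules:
        if rule.direction != pkt.direction:
            continue
        if not service_match(rule.service, pkt):
            continue
        if not wan_match(rule.wan_users, wan_ip):
            continue
        if rule.public_ip and pkt.dst_ip != rule.public_ip:
            continue
        if rule.schedule and not (rule.schedule[0] <= pkt.hour < rule.schedule[1]):
            continue
        return rule.action, rule.name, rule.lan_server
    # Nothing matched: fall through to the default rules at the bottom of the table.
    return ("BLOCK" if pkt.direction == "inbound" else "ALLOW"), "default", None


# Constructed rule table mirroring the three examples in this chapter.
RULES = [
    Rule("videoconf", "inbound", "CU-SEEME", "ALLOW",
         wan_users="203.0.113.1-203.0.113.254"),
    Rule("web", "inbound", "HTTP", "ALLOW",
         public_ip="10.1.0.52", lan_server="192.168.1.2"),
    Rule("no_im", "outbound", "AIM", "BLOCK", schedule=(9, 17), log=True),
]

# Precedence: a narrower BLOCK placed above the general web rule wins for that source.
RULES_STRICT = [Rule("block_web_from_one_host", "inbound", "HTTP", "BLOCK",
                     wan_users="198.51.100.5")] + RULES


if __name__ == "__main__":
    for pkt in (Packet("inbound", "203.0.113.40", "10.1.0.52", "udp", 7648),
                Packet("inbound", "198.51.100.5", "10.1.0.52", "tcp", 80),
                Packet("outbound", "192.168.1.20", "198.51.100.77", "tcp", 5190, hour=10)):
        print(pkt.direction, pkt.src_ip, "->", pkt.dst_ip, pkt.dst_port, evaluate(RULES, pkt))
```

Moving a rule (the Move button) is the same as reordering the list: the narrower rule in RULES_STRICT only takes effect because it sits above the general web rule.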
Although the FVS124G already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules.
5. Click Apply. The new service will now appear in the Services menu, and in the Service name selection box in the Rules menu.
Quality of Service (QoS) Priorities
This setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall.
The QoS priority definition for a service determines the queue that is used for its traffic passing through the FVS124G VPN Firewall as follows:
Table 6-2.
Managing Groups and Hosts
The Network Database is an automatically maintained list of all known PCs and network devices. PCs and devices become known by the following methods:
• DHCP Client Requests—By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database.
Figure 6-13: Groups and Hosts screens
Table 6-3. Groups and hosts (Item: Description)
Known PCs and Devices: This table lists all current entries in the Network Database. For each PC or device, the following data is displayed.
• Radio button—Use this to select a PC for editing or deletion.
• Name—The name of the PC or device. Sometimes this cannot be determined, and it will be listed as Unknown. In this case, you can edit the entry to add a meaningful name.
Figure 6-14: Schedule menu
To invoke rules and block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day. Otherwise, if you want to limit access during certain times for the selected days, type a Start Blocking time and an End Blocking time.
Note: Enter the values as 24-hour time.
Time Zone
The FVS124G VPN Firewall uses the Network Time Protocol (NTP) to obtain the current time and date from one of several Network Time Servers on the Internet. In order to localize the time for your log entries, you must specify your Time Zone:
• Time Zone. Select your local time zone. This setting will be used for the blocking schedule and for time-stamping log entries.
• Daylight Savings Time.
The Block Sites menu is shown in Figure 6-15:
Figure 6-15: Block Sites menu
Table 6-4. Block Sites (Item: Description)
Web Component Blocking: Select Proxy, Java, ActiveX and Cookies to enable the respective content filtering. Example: By enabling Java filtering, *.java files will be blocked.
Note: Keywords are always blocked.
To block keywords or Internet domains:
• Select the Turn keyword blocking on check box.
• Type a keyword or domain name in the Add Keyword box, and click the Add Keyword button.
Source MAC Filtering
Source MAC Filter will drop the Internet-bound traffic received from the PCs with the specified MAC addresses.
• By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed by default.
• When enabled, Internet-bound traffic will be dropped from the PCs that have the configured MAC addresses.
Table 6-5. Source MAC address filter (Item: Description)
Activation:
• Enable the source MAC filter by ticking the check box.
• Press APPLY.
Add:
• Now add the MAC addresses from which the traffic should be dropped by clicking on the ADD button. Only one MAC address entry can be added at a time. The MAC address must be entered with ':' as the separator. A valid MAC address consists of the hexadecimal digits 0 to 9 and A to F.
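An added example (Python, not NETGEAR code) of the two things Table 6-5 specifies: validating that an entry is a colon-separated MAC address made of hexadecimal digits, and dropping only Internet-bound traffic from listed addresses while the filter is enabled. The 02:00:00:00:00:xx addresses are constructed (locally administered) values, and the class and function names are the example's own.

```python
"""Added example: Source MAC Filter entry validation and drop decision."""
import re

# Exactly six two-digit hex groups separated by ':' (the format the table requires).
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def is_valid_mac(entry: str) -> bool:
    """True only for colon-separated hex, e.g. 02:00:00:00:00:01; dashes or dots are rejected."""
    return bool(MAC_RE.match(entry.strip()))


def normalize_mac(entry: str) -> str:
    """Canonical uppercase form so that '0a' and '0A' compare equal; raise on bad input."""
    if not is_valid_mac(entry):
        raise ValueError(f"invalid MAC address: {entry!r}")
    return entry.strip().upper()


class SourceMacFilter:
    def __init__(self, enabled: bool = False):
        self.enabled = enabled       # the Activation check box
        self.blocked = set()         # entries added one at a time with ADD

    def add(self, entry: str) -> None:
        self.blocked.add(normalize_mac(entry))

    def allows(self, src_mac: str, internet_bound: bool) -> bool:
        """Disabled filter: everything passes. Enabled: only Internet-bound
        frames from a listed source MAC are dropped; LAN-to-LAN traffic is untouched."""
        if not self.enabled or not internet_bound:
            return True
        return normalize_mac(src_mac) not in self.blocked


if __name__ == "__main__":
    f = SourceMacFilter(enabled=True)
    f.add("02:00:00:00:00:01")
    print(f.allows("02:00:00:00:00:01", internet_bound=True))   # dropped -> False
    print(f.allows("02:00:00:00:00:01", internet_bound=False))  # LAN traffic -> True
```

A source MAC address is set by the sending host, so this filter is a traffic-reduction and policy tool for known PCs, not an authentication control; the firewall rules and schedules in this chapter remain the place to enforce what leaves the LAN.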
• After a PC has finished using a Port Triggering application, there is a Time-out period before the application can be used by another PC. This is required because this Router cannot be sure when the application has terminated.
Note: For additional ways of allowing inbound traffic, see “Inbound Rules (Port Forwarding)” on page 6-5.
Table 6-6. Port Triggering (Item: Description)
Port Triggering Rules:
• Enable - Indicates if the rule is enabled or disabled. Generally, there is no need to disable a rule unless it interferes with some other function such as Port Forwarding.
• Name - The name for this rule.
• Outgoing Ports - The port or port range for outgoing traffic. An outgoing connection using one of these ports will trigger this rule.
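The trigger-and-time-out behaviour described above, as an added example in Python (not NETGEAR code): an outgoing connection on a rule's outgoing ports claims the rule for that LAN PC, incoming traffic on the rule's open ports is sent to that PC, and the rule is released only after the time-out, so a second PC cannot use it until then. The status() method returns the same fields as the Port Triggering Status table in Chapter 8 (Rule, LAN IP Address, Open Ports, Time Remaining). The rule, ports, 60-second time-out and 192.168.1.x addresses are constructed; that a repeat trigger by the same PC refreshes the timer is this example's assumption.

```python
"""Added example: a port-triggering table with per-rule time-out."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class TriggerRule:
    name: str
    enabled: bool
    outgoing_ports: Tuple[int, int]   # outgoing port range that triggers the rule
    incoming_ports: Tuple[int, int]   # ports then opened toward the triggering PC
    timeout: int = 600                # seconds the rule stays claimed (constructed default)
    holder: Optional[str] = None      # LAN IP currently using the rule
    expires_at: float = 0.0


class PortTriggering:
    def __init__(self, rules: List[TriggerRule]):
        self.rules = list(rules)

    @staticmethod
    def _expire(rule: TriggerRule, now: float) -> None:
        """Release the rule once its time-out has passed."""
        if rule.holder is not None and now >= rule.expires_at:
            rule.holder, rule.expires_at = None, 0.0

    def outgoing(self, lan_ip: str, dst_port: int, now: float) -> Optional[str]:
        """A LAN PC opens an outgoing connection. The first enabled rule whose
        outgoing range contains dst_port is claimed by that PC (assumption: a
        repeat trigger by the same PC refreshes the timer). Returns the rule name,
        or None if no rule matches or another PC still holds it."""
        for rule in self.rules:
            lo, hi = rule.outgoing_ports
            if not rule.enabled or not lo <= dst_port <= hi:
                continue
            self._expire(rule, now)
            if rule.holder not in (None, lan_ip):
                return None
            rule.holder, rule.expires_at = lan_ip, now + rule.timeout
            return rule.name
        return None

    def incoming(self, dst_port: int, now: float) -> Optional[str]:
        """Incoming traffic on an open port goes to the holder's LAN IP; with no
        holder it is left to the inbound rules (default BLOCK)."""
        for rule in self.rules:
            self._expire(rule, now)
            lo, hi = rule.incoming_ports
            if rule.enabled and rule.holder and lo <= dst_port <= hi:
                return rule.holder
        return None

    def status(self, now: float):
        """Rows of the Port Triggering Status table:
        (Rule, LAN IP Address, Open Ports, Time Remaining in seconds)."""
        rows = []
        for rule in self.rules:
            self._expire(rule, now)
            if rule.holder:
                rows.append((rule.name, rule.holder, rule.incoming_ports,
                             int(rule.expires_at - now)))
        return rows


if __name__ == "__main__":
    pt = PortTriggering([TriggerRule("game", True, (6112, 6112), (6112, 6119), timeout=60)])
    print(pt.outgoing("192.168.1.10", 6112, now=0.0))    # 'game'
    print(pt.outgoing("192.168.1.11", 6112, now=10.0))   # None: still held by .10
    print(pt.status(now=20.0))                           # [('game', '192.168.1.10', (6112, 6119), 40)]
```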
Figure 6-18: Logs and E-mail screens
Click on the View Log button to view the various log messages generated by the Router. In the View Log window:
• To delete all log entries: Click Clear Log.
• To see the most recent entries: Click Refresh.
• To E-mail the log messages now: Click Send Log.
Log Identifier is a mandatory field used to identify the log messages. This ID is appended to log messages.
Items to include in the log:
• Use these checkboxes to determine which events are included in the log. Selecting all events will increase the size of the log, so it is good practice to disable any events which are not really required.
• Selecting an event under Include In Log will enable logging of messages pertaining to that event.
• In the Log Threshold Time box, set the log threshold time.
• In the Alert Queue Length box, set the alert queue length.
Click Apply to have your changes take effect.
Syslog
You can configure the firewall to send system logs to an external PC that is running a syslog logging program. Enter the IP address of the logging PC and click the Enable Syslog checkbox.
Figure 6-19: Firewall Logs menu
Table 6-7. Log entry descriptions (Field: Description)
Date and Time: The date and time the log entry was recorded.
Description or Action: The type of event and what action was taken, if any.
Source IP: The IP address of the initiating device for this log entry.
Table 6-7. Log entry descriptions (Field: Description)
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN.
Destination: The name or IP address of the destination device or website.
Destination port and interface: The service port number of the destination device, and whether it's on the LAN or WAN.
Table 6-8.
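An added example (Python, not NETGEAR code) of working with log entries that carry the Table 6-7 fields once they have been sent to a syslog PC: parse each line into date/time, description or action, source IP, source port and interface, destination, destination port and interface, skip lines that do not fit, and then summarise which WAN sources had blocked packets against several different destination ports, which is the first thing to look at in a firewall log. The line layout and the sample lines are constructed for this example (the manual does not show the FVS124G's exact text format), as are the 203.0.113.x / 198.51.100.x addresses; 10.1.0.52 is the simulated public address from the inbound rule example.

```python
"""Added example: parsing Table 6-7 style log entries and summarising blocked inbound traffic."""
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Constructed line layout carrying the Table 6-7 fields:
#   <date time> <description or action>; src=<ip>:<port>/<LAN|WAN>; dst=<name or ip>:<port>/<LAN|WAN>
LOG_RE = re.compile(
    r"^(?P<when>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<desc>[^;]+); "
    r"src=(?P<src_ip>[\d.]+):(?P<src_port>\d+)/(?P<src_if>LAN|WAN); "
    r"dst=(?P<dst>[^:]+):(?P<dst_port>\d+)/(?P<dst_if>LAN|WAN)$"
)

# Constructed sample log; the last line shows that malformed input is skipped, not crashed on.
SAMPLE_LOG = """\
2005-03-14 10:01:22 TCP packet blocked; src=203.0.113.7:4321/WAN; dst=10.1.0.52:22/LAN
2005-03-14 10:01:23 TCP packet blocked; src=203.0.113.7:4322/WAN; dst=10.1.0.52:23/LAN
2005-03-14 10:01:24 TCP packet blocked; src=203.0.113.7:4323/WAN; dst=10.1.0.52:3389/LAN
2005-03-14 10:02:00 TCP packet allowed by rule web; src=198.51.100.9:50123/WAN; dst=10.1.0.52:80/LAN
2005-03-14 10:02:05 TCP packet blocked; src=198.51.100.9:50124/WAN; dst=10.1.0.52:8080/LAN
2005-03-14 10:03:10 UDP packet allowed; src=192.168.1.20:5353/LAN; dst=www.example.com:53/WAN
this line is garbage and should be skipped
"""


def parse_entry(line: str) -> Optional[Dict]:
    """One log line -> dict of Table 6-7 fields, or None if the line does not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["src_port"] = int(entry["src_port"])
    entry["dst_port"] = int(entry["dst_port"])
    return entry


def parse_log(text: str) -> List[Dict]:
    return [e for e in (parse_entry(line) for line in text.splitlines()) if e]


def blocked_inbound_by_source(entries: List[Dict], min_ports: int = 3) -> Dict[str, List[int]]:
    """WAN-side sources whose blocked packets targeted at least min_ports distinct
    destination ports, with the sorted port list: the default inbound rule did its
    job, and these are the sources worth a closer look."""
    ports = defaultdict(set)
    for e in entries:
        if e["src_if"] == "WAN" and "blocked" in e["desc"].lower():
            ports[e["src_ip"]].add(e["dst_port"])
    return {ip: sorted(p) for ip, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print(len(entries), "entries parsed")
    print(blocked_inbound_by_source(entries))   # {'203.0.113.7': [22, 23, 3389]}
```

Because the threshold counts distinct destination ports rather than packets, a single legitimate client retrying one blocked port does not trip it; that is the kind of tuning the Log Threshold Time and Alert Queue Length settings above exist for on the firewall side.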
Chapter 7 Virtual Private Networking This chapter describes how to use the virtual private networking (VPN) features of the FVS124G VPN Firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer. Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
Figure 7-1 shows the setup screens for the selected WAN mode. This setup is accomplished in “Step 4: Configure the WAN Mode (Required for Dual WAN)” on page 4-15.
See “Step 5: Configure Dynamic DNS (If Needed)” on page 4-20 for how to select and configure the Dynamic DNS service.
FVS124G Functional Block Diagram (block diagram: the FVS124G firewall with its WAN 1 and WAN 2 ports under Load Balancing Control connecting to the Internet; an FQDN is required for dynamic IP addresses and optional for static IP addresses; the Dynamic DNS screens provide FQDN setup and Dynamic DNS service selection for the WAN1 and WAN2 ports)
Figure 7-3: Functional operation of FVS124G WAN ports for lo
Creating a VPN Connection: Between FVX538 and FVS124G
This section describes how to configure a VPN connection between a NETGEAR FVX538 VPN Firewall and a NETGEAR FVS124G VPN Firewall. Using each firewall's VPN Wizard, we will create a set of policies (IKE and VPN) that will allow the two firewalls to connect from locations with fixed IP addresses. Either firewall can initiate the connection.
5. Click Next.
6. Enter the WAN IP address of the remote FVS124G.
7. Click WAN1 to bind this connection to the WAN1 port.
Figure 7-5: WAN IP address of remote FVS124G
8. Click Next.
9. Enter the LAN IP address and subnet mask of the remote FVS124G.
Figure 7-6: LAN IP address and subnet mask of remote FVS124G
10. Click Next.
11. Click Done to create the 'to_fvs' IKE and VPN policies. In the IKE Policies menu, the 'to_fvs' IKE policy will appear in the table.
Figure 7-7: IKE Policies
12. You can view the IKE parameters by selecting 'to_fvs' and clicking Edit. It should not be necessary to make any changes.
13. In the VPN Policies menu, the 'to_fvs' VPN policy will appear in the table.
14. You can view the VPN parameters by selecting 'to_fvs' and clicking Edit. It should not be necessary to make any changes.
Figure 7-10: FVX538-to-FVS124G VPN screen
Configuring the FVS124G
1. Select the VPN Wizard.
2. Give the client connection a name, such as to_fvx.
3. Enter a value for the pre-shared key.
4. Select 'a remote VPN gateway'.
Figure 7-11: VPN Wizard start page
5. Click Next.
6. Enter the WAN IP address of the remote FVX538.
Figure 7-12: WAN IP address of remote FVX538
7. Click Next.
8. Enter the LAN IP address and subnet mask of the remote FVX538.
Figure 7-13: LAN IP address and subnet mask of remote FVX538
9. Click Next.
10. Click Done to create the 'to_fvx' IKE and VPN policies.
Testing the Connection
1. From a PC on either firewall's LAN, try to ping a PC on the other firewall's LAN. Establishing the VPN connection may take several seconds.
2.
This procedure was developed and tested using:
• Netgear FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports with version 1.0 firmware
• Netgear VPN Client version 10.3.5 (Build 6)
• NAT router: Netgear FR114P with version 1.5_09 firmware
Configuring the FVS124G
1. Select the VPN Wizard.
2. Give the client connection a name, such as home.
3. Enter a value for the pre-shared key.
4.
2. In the upper left of the Policy Editor window, click the New Document icon to open a New Connection.
3. Give the New Connection a name, such as to_FVS.
Figure 7-16: New connection named
4. In the Remote Party Identity section, select ID Type of IP Subnet.
5. Enter the LAN IP Subnet Address and Subnet Mask of the FVS124G's LAN.
6. Select 'Connect using Secure Gateway Tunnel'.
7. Under ID Type, select 'Domain Name' and 'Gateway IP Address'.
8. For Domain Name, enter 'fvs_local.com' and enter the WAN IP Address of the FVS124G.
Figure 7-17: Remote client info
9. In the left frame, click on My Identity.
10. Select Certificate = None.
11. Under ID Type, select 'Domain Name'. The value entered under Domain Name will be of the form '.fvs_remote.com', where each user must use a different variation on the Domain Name entered here.
12. Leave Virtual Adapter disabled, and select your computer's Network Adapter. Your current IP address will appear.
Figure 7-18: My Identity screen
13. Before leaving the My Identity menu, click the Pre-Shared Key button.
14. Click Enter Key, type your preshared key, and click OK. This key will be shared by all users of the FVS124G policy "home".
Figure 7-19: Pre-shared key
15. In the left frame, click on Security Policy.
16. Select Phase 1 Negotiation Mode = Aggressive Mode. PFS should be disabled, and Replay Detection should be enabled.
17. In the left frame, expand Authentication and select Proposal 1. Compare with the figure below. No changes should be necessary.
18. In the left frame, expand Key Exchange and select Proposal 1. Compare with the figure below. No changes should be necessary.
Figure 7-22: Client Key Exchange screen
19. In the upper left of the window, click the disk icon to save the policy.
Testing the Connection
20. Right-click on the VPN client icon in your Windows toolbar and select "Connect...", then "My Connections\to_FVS".
21. For additional status and troubleshooting information, right-click on the VPN client icon in your Windows toolbar and select "Connection Monitor" or "Log Viewer", or view the VPN log and status menu in the FVS124G.
Chapter 8 Router and Network Management This chapter describes how to use the network management features of your FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports. These features can be found by clicking on the appropriate heading in the Main Menu of the browser interface. The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports offers many tools for managing the network traffic to optimize its performance.
VPN Firewall Features That Reduce Traffic
Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows:
• Service blocking
• Block sites
• Source MAC filtering
Service Blocking
Note: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.
You can control specific outbound traffic (i.e., from LAN to WAN).
– Address range: The rule is applied to a range of Internet IP addresses.
• Services—You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services” on page 8-3).
See “Using a Schedule to Block or Allow Specific Traffic” on page 6-22 for the procedure on how to use this feature.
Block Sites
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall's filtering feature. By default, this feature is disabled; all requested traffic from any Web site is allowed.
• VPN tunnels
Port Forwarding
The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (i.e., the service is unavailable). You can also create additional firewall rules that are customized to block or allow specific traffic.
• WAN Users—These settings determine which Internet locations are covered by the rule, based on their IP address.
– Any: The rule applies to all Internet IP addresses.
– Single address: The rule applies to a single Internet IP address.
– Address range: The rule is applied to a range of Internet IP addresses.
– After a PC has finished using a Port Triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated. See “Port Triggering” on page 6-28 for the procedure on how to use this feature.
VPN Tunnels
The VPN firewall permits up to 200 VPN tunnels at a time.
Administrator and Guest Access Authorization
You can change the administrator and guest passwords, the administrator login timeout, and enable remote management. Administrator access is read/write and guest access is read-only.
Changing the Passwords and Login Timeout
The default password for the firewall’s Web Configuration Manager is password. Netgear recommends that you change this password to a more secure password.
Enabling Remote Management Access
Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your FVS124G VPN Firewall. You must be logged in locally to enable remote management (see “Step 2: Log in to the VPN Firewall (Required)” on page 4-7).
Note: Be sure to change the firewall's default configuration password to a very secure password.
3. a. To allow access from any IP address on the Internet, select Everyone.
b. To allow access from a range of IP addresses on the Internet, select IP address range. Enter a beginning and ending IP address to define the allowed range.
c. To allow access from a single IP address on the Internet, select Only this PC. Enter the IP address that will be allowed access.
You can access the command line interface (CLI) either by using telnet or by connecting a terminal to the console port on the front of the unit. To access the CLI from a communications terminal when the FVS124G VPN Firewall is still set to its factory defaults (or use your own settings if you have changed them), do the following:
1. From the command line prompt, enter the following command: telnet 192.168.1.1
2.
Each WAN port is programmed separately. A WAN port shuts down once its traffic limit is reached. An email alert can be sent when this shutdown happens.
Figure 8-3: Traffic Limit Reached alert
Login Failures and Attacks
Figure 8-3 shows the Log screen that is invoked by clicking Logs and Email under Security on the Main Menu bar.
(Figure callouts: Select the types of alerts to email. Enable email alerts. Accumulate 64 messages before sending a log email. Wait 24 hours before sending an email. Accumulate 8 messages before sending an alert email.)
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Monitoring You can view status information about the firewall, WAN ports, LAN ports, and VPN tunnels and program SNMP connections. Viewing VPN Firewall Status and Time Information Firewall Status The Router Status menu provides status and usage information. From the main menu of the browser interface, click on Management, then select Router Status to view this screen.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports FVS124G Figure 8-5: Router Status screen Router and Network Management 8-15 202-10085-01, March 2005
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Table 8-1. Router Status Item Description System Name This is the Account Name that you entered in the Basic Settings page. Firmware Version This is the current software the router is using. This will change if you upgrade your router. LAN Port Information These are the current settings for MAC address, IP address, DHCP role and Subnet Mask that you set in the LAN IP Setup page. DHCP can be either Server or None.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Automatic adjustment enable for daylight savings time Current date and time Figure 8-6: Time information on the Schedule screen If supported for your region, you can check Automatically adjust for Daylight Savings Time.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Table 8-1. Current date and time Item Description Use Default NTP Servers (Network Time Protocol) If enabled, the system clock is updated regularly by contacting a Default Netgear NTP Server on the Internet. Use Custom NTP Servers If you prefer to use a particular NTP server, enable this and enter the name or IP address of an NTP Server in the Server 1 Name/IP Address field.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Dynamic DNS Status Invoke the Dynamic DNS Status screen from Dynamic DNS screen by clicking Show Status to see the current DDNS Status in a sub-window. Figure 8-8: Dynamic DNS Status screen Internet Traffic Information The Internet Traffic screen provides the following information: • Internet Traffic Statistics—This displays statistics on Internet Traffic via the WAN port.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Figure 8-9: Internet Traffic information LAN Ports and Attached Devices Known PCs and Devices The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network. From the Main Menu of the browser interface, under the Security heading, select Groups and Hosts to view the table, shown below.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Figure 8-10: Network Database screen The Network Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: • DHCP Client Requests—By default, the DHCP server in this Router is enabled, and will accept and respond to DHCP client requests from PCs and other network devices. These requests also generate an entry in the Network Database.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Note: If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button. DHCP Log You can view the DHCP log. Invoke the DHCP Log from LAN IP Setup screen. Figure 8-11: DHCP Log Port Triggering Status You can view the status of port triggering. Invoke the Port Triggering Status screen from Port Triggering screen.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Table 8-1. Port Triggering Status data Item Description Rule The name of the Rule. LAN IP Address The IP address of the PC currently using this rule. Open Ports The Incoming ports which are associated the this rule. Incoming traffic using one of these ports will be sent to the IP address above. Time Remaining The time remaining before this rule is released, and thus available for other PCs.
Select the types of logs to email.
Enable emailing of logs.
Enable system logs.
Accumulate 64 messages before sending a log email.
Wait 24 hours before sending an email.
Accumulate 8 messages before sending an alert email.
Invoke the Firewall Log screen from the Logs and Email screen.
VPN Tunnels
You can view the status of the VPN tunnels.
Figure 8-15: VPN Status/Log and IPSec Connection Status screens
Table 8-1. VPN Status data
Item         Description
Policy Name  The name of the VPN policy associated with this SA.
Endpoint     The IP address of the remote VPN endpoint.
Tx (KBytes)  The amount of data transmitted over this SA.
Table 8-1. VPN Status data (continued)
Item    Description
State   The current status of the SA. Phase 1 is the authentication phase and Phase 2 is the key exchange phase.
Action  Use this button to terminate/build the SA (connection) if required.
SNMP
SNMP lets you monitor and manage log resources from an SNMP-compliant system manager. SNMP system configuration lets you change the system variables for MIB2.
Figure 8-17: Diagnostics screen
Table 8-1. Diagnostics
Item                         Description
Ping or Trace an IP address  Ping—Use this to send a ping packet request to the specified IP address. This is often used to test a connection. If the request times out (no reply is received), this usually means the destination is unreachable. However, some network devices can be configured not to respond to a ping.
Table 8-1. Diagnostics (continued)
Item               Description
Reboot the Router  Use this button to perform a remote reboot (restart). You can use this if the Router seems to have become unstable or is not operating normally.
Note: Rebooting will break any existing connections either to the Router (such as this one) or through the Router (for example, LAN users accessing the Internet).
Restoring and Backing Up the Configuration
IMPORTANT! Once you start restoring settings or erasing the router, do NOT try to go online, turn off the router, shut down the computer or do anything else to the router until it finishes restarting! This should only take a minute or so. When the Test light turns off, wait a few more seconds before doing anything with the router.
Be careful how you use this!
Figure 8-19: Router Upgrade menu
To upload new firmware:
1. Download and unzip the new software file from NETGEAR.
2. In the Router Upgrade menu, click the Browse button and browse to the location of the binary image (.IMG) upgrade file.
3. Click Upload.
• To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the front panel of the firewall (see “The Router’s Front Panel” on page 2-6). Also see “Restoring the Default Configuration and Password” on page 9-7.
Chapter 9
Troubleshooting
This chapter gives information about troubleshooting your FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports. After each problem description, instructions are provided to help you diagnose and solve the problem.
Basic Functioning
After you turn on power to the firewall, the following sequence of events should occur:
1. When power is first applied, verify that the PWR LED is on.
2. After approximately 10 seconds, verify that:
   a. The TEST LED is not lit.
   b.
LEDs Never Turn Off
When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall.
If all LEDs are still on one minute after power up:
• Cycle the power to see if the firewall recovers.
• Clear the firewall’s configuration to factory defaults. This will set the firewall’s IP address to 192.168.1.1.
Troubleshooting the Web Configuration Interface
If you are unable to access the firewall’s Web Configuration interface from a PC on your local network, check the following:
• Check the Ethernet connection between the PC and the firewall as described in the previous section.
• Make sure your PC’s IP address is on the same subnet as the firewall.
Troubleshooting the ISP Connection
If your firewall is unable to access the Internet, you should first determine whether the firewall is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your firewall must request an IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager.
To check the WAN IP address:
1.
OR
Configure your firewall to spoof your PC’s MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page 4-12.
If your firewall can obtain an IP address, but your PC is unable to load any web pages from the Internet:
• Your PC may not recognize any DNS server addresses.
If the path is not working, you see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections — Make sure the LAN port LED is on. If the LED is off, follow the instructions in “LAN or Internet Port LEDs Not On” on page 9-2.
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem. If this is the case, you must configure your firewall to “clone” or “spoof” the MAC address from the authorized PC.
• Time is off by one hour.
Cause: The firewall does not automatically sense Daylight Savings Time. In the E-Mail menu, check or uncheck the box marked “Adjust for Daylight Savings Time”.
Appendix A
Technical Specifications
This appendix provides technical specifications for the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports.
Network Protocol and Standards Compatibility
Data and Routing Protocols: TCP/IP, RIP-1, RIP-2, DHCP, PPP over Ethernet (PPPoE)
Power Adapter
Voltage and amperage: 12 VDC, 1.2A
Physical Specifications
Dimensions: 1.15 x 7.5 x 4.75 in.
Interface Specifications
LAN: 10BASE-T or 100BASE-Tx, RJ-45
WAN: 10BASE-T or 100BASE-Tx
Appendix B
Network, Routing, Firewall, and Basics
This chapter provides an overview of IP networks, routing, and networking.
Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
What is a Router?
A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network. Using this information, the router chooses the best path for forwarding network traffic.
195.34.12.7
The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network. The dividing point may vary depending on the address range and the application. There are five standard classes of IP addresses.
128.1.x.x to 191.254.x.x.
• Class C
Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node. They are in this range: 192.0.1.x to 223.255.254.x.
• Class D
Class D addresses are used for multicasts (messages sent to many hosts). Class D addresses are in this range: 224.0.0.0 to 239.255.255.255.
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a backward slash (/), as “/n.” In the example, the address could be written as 192.168.170.237/24, indicating that the netmask is 24 ones followed by 8 zeros.
Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address. For instance, to partition a Class C network number (192.68.135.0) into two, you shift one bit from the host address to the network address.
Table 9-2. Netmask Formats
255.255.255.0    /24
255.255.255.128  /25
255.255.255.192  /26
255.255.255.224  /27
255.255.255.240  /28
255.255.255.248  /29
255.255.255.252  /30
255.255.255.254  /31
255.255.255.
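As an added example that is not part of the NETGEAR manual, the following Python code applies the addressing rules described above: classifying an address by its leading bits, converting between the dotted-decimal netmasks and the /n forms in Table 9-2, and shifting host bits into the network part to split 192.68.135.0 into subnets. It generalizes the manual's single split to any number of borrowed bits; the sample values are the ones quoted in the text.

```python
import ipaddress

# Added example, not from the NETGEAR manual: classful addressing, netmask
# notation and subnetting as described in the appendix, built on Python's
# standard ipaddress module.


def prefix_to_bits(n: int) -> int:
    """Return the 32-bit integer mask of n leading ones followed by 32-n zeros."""
    if not 0 <= n <= 32:
        raise ValueError(f"prefix length out of range: {n}")
    return (0xFFFFFFFF << (32 - n)) & 0xFFFFFFFF


def address_class(addr: str) -> str:
    """Return the classful letter (A-E) of an IPv4 address from its first octet.

    Ranges follow the manual: A below 128, B 128-191, C 192-223, D 224-239.
    """
    first_octet = int(ipaddress.IPv4Address(addr)) >> 24
    if first_octet < 128:
        return "A"
    if first_octet < 192:
        return "B"
    if first_octet < 224:
        return "C"
    if first_octet < 240:
        return "D"
    return "E"


def netmask_to_prefix(mask: str) -> int:
    """Convert a dotted-decimal netmask to its /n form (number of ones from the left).

    A valid netmask is a run of ones followed only by zeros; anything else
    (for example 255.255.0.255) is rejected rather than silently accepted.
    """
    bits = int(ipaddress.IPv4Address(mask))
    ones = bin(bits).count("1")
    if bits != prefix_to_bits(ones):
        raise ValueError(f"non-contiguous netmask: {mask}")
    return ones


def prefix_to_netmask(n: int) -> str:
    """Convert a /n prefix length to dotted-decimal notation (24 -> 255.255.255.0)."""
    return str(ipaddress.IPv4Address(prefix_to_bits(n)))


def network_part(addr_with_prefix: str) -> str:
    """Return the network number of an address written in /n form."""
    return str(ipaddress.IPv4Interface(addr_with_prefix).network.network_address)


def split_network(cidr: str, borrowed_bits: int = 1) -> list[str]:
    """Shift host bits into the network part, yielding 2**borrowed_bits subnets.

    borrowed_bits=1 reproduces the manual's split of one Class C network in two.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return [str(sub) for sub in net.subnets(prefixlen_diff=borrowed_bits)]


def usable_hosts(cidr: str) -> int:
    """Host addresses available once the network and broadcast addresses are reserved.

    For a /24 this gives 254, the Class C figure quoted in the manual.
    """
    net = ipaddress.IPv4Network(cidr, strict=False)
    return max(net.num_addresses - 2, 0)


if __name__ == "__main__":
    # Sample values taken from the manual's own text.
    print(address_class("192.168.170.237"))      # C
    print(netmask_to_prefix("255.255.255.0"))    # 24
    print(prefix_to_netmask(25))                 # 255.255.255.128
    print(network_part("192.168.170.237/24"))    # 192.168.170.0
    print(split_network("192.68.135.0/24"))      # ['192.68.135.0/25', '192.68.135.128/25']
    print(usable_hosts("192.68.135.0/24"))       # 254
```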
Single IP Address Operation Using NAT
In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP. This type of Internet account is more costly than a single-address account typically used by a single user with a modem, rather than a router. The FVS124G VPN Firewall employs an address-sharing method called Network Address Translation (NAT).
This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. All incoming inquiries are filtered out by the router. This filtering can prevent intruders from probing your system.
Domain Name Server
Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource.
What is a Firewall?
A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack. Several known types of intrusion or attack can be recognized when they occur.
Table B-1. UTP Ethernet cable wiring, straight-through
Pin  Wire color    Signal
1    Orange/White  Transmit (Tx) +
2    Orange        Transmit (Tx) -
3    Green/White   Receive (Rx) +
4    Blue
5    Blue/White
6    Green         Receive (Rx) -
7    Brown/White
8    Brown
Category 5 Cable Quality
Category 5 distributed cable that meets ANSI/EIA/TIA-568-A building wiring standards can be a maximum of 328 feet (ft.
Inside Twisted Pair Cables
For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device. Computers and workstation adapter cards are usually media-dependent interface ports, called MDI or uplink ports.
Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each End
Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
The FVS124G VPN Firewall incorporates Auto Uplink™ technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. connecting to a PC) or an uplink connection (e.g. connecting to a router, switch, or hub). That port will then configure itself to the correct configuration.
Appendix C
Preparing Your Network
This appendix describes how to prepare your network to connect to the Internet through the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports and how to verify the readiness of broadband Internet service from an Internet service provider (ISP).
In your IP network, each PC and the firewall must be assigned a unique IP address. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address. In most cases, you should install TCP/IP so that the PC obtains its specific network configuration information automatically from a DHCP server during bootup.
You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks.
Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
If you need to install a new adapter, follow these steps:
   a. Click the Add button.
   b. Select Adapter, and then click Add.
   c.
3. If you need Client for Microsoft Networks:
   a. Click the Add button.
   b. Select Client, and then click Add.
   c. Select Microsoft.
   d. Select Client for Microsoft Networks, and then click OK.
Restart your PC for the changes to take effect.
Verify the following settings as shown:
• Client for Microsoft Network exists
• Ethernet adapter is present
• TCP/IP is present
• Primary Network Logon is set to Windows logon
Click on the Properties button. The following TCP/IP Properties window will display.
• By default, the IP Address tab is open on this window.
• Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it. This setting is required to enable the DHCP server to automatically assign an IP address.
• Click OK to continue.
Restart the PC. Repeat these steps for each PC with this version of Windows on your network.
2. Type winipcfg, and then click OK. The IP Configuration window opens, which lists (among other things) your IP address, subnet mask, and default gateway.
3. From the drop-down box, select your Ethernet adapter.
Enabling DHCP to Automatically Configure TCP/IP Settings
You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.
DHCP Configuration of TCP/IP in Windows XP
Locate your Network Neighborhood icon.
• Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics.
• Administrator logon access rights are needed to use this window.
• Click the Properties button to view details about the connection.
• The TCP/IP details are presented on the Support tab page.
• Verify that the Obtain an IP address automatically radio button is selected.
• Verify that the Obtain DNS server address automatically radio button is selected.
• Click the OK button.
This completes the DHCP configuration of TCP/IP in Windows XP. Repeat these steps for each PC with this version of Windows on your network.
• Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections.
• Right click on Local Area Connection and select Properties.
• The Local Area Connection Properties dialog box appears.
• Verify that you have the correct Ethernet card selected in the Connect using: box.
• With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialog box.
• Verify that
   • Obtain an IP address automatically is selected.
   • Obtain DNS server address automatically is selected.
• Click OK to return to Local Area Connection Properties.
• Click OK again to complete the configuration process for Windows 2000.
Restart the PC.
DHCP Configuration of TCP/IP in Windows NT4
Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0.
• Choose Settings from the Start Menu, and then select Control Panel. This will display the Control Panel window.
• Double-click the Network icon in the Control Panel window.
• Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button.
• The TCP/IP Properties dialog box now displays.
• Click the IP Address tab.
• Select the radio button marked Obtain an IP address from a DHCP server.
• Click OK.
This completes the configuration of TCP/IP in Windows NT. Restart the PC. Repeat these steps for each PC with this version of Windows on your network.
Verifying TCP/IP Properties for Windows XP, 2000, and NT4
To check your PC’s TCP/IP configuration:
1.
• The default gateway is 192.168.1.1
4. Type exit
Configuring the Macintosh for TCP/IP Networking
Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.
MacOS 8.6 or 9.x
1. From the Apple menu, select Control Panels, then TCP/IP. The TCP/IP Control Panel opens:
2.
2. If not already selected, select Built-in Ethernet in the Configure list.
3. If not already selected, select Using DHCP in the TCP/IP tab.
4. Click Save.
Verifying TCP/IP Properties for Macintosh Computers
After your Macintosh is configured and has rebooted, you can check the TCP/IP configuration by returning to the TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP.
Verifying the Readiness of Your Internet Account
For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
• An IP address and subnet mask
• A gateway IP address, which is the address of the ISP’s router
• One or more domain name server (DNS) IP addresses
• Host name and domain suffix
For example, your account’s full server names may look like this:
mail.xxx.yyy.com
In this example, the domain suffix is xxx.yyy.com.
If any of these items are dynamically supplied by the ISP, your firewall automatically acquires them.
If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address.
6. Select the DNS Configuration tab. If any DNS server addresses are shown, write down the addresses. If any information appears in the Host or Domain information box, write it down. Click Disable DNS.
7.
Restarting the Network
Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVS124G VPN Firewall.
Appendix D
Virtual Private Networking
There have been many improvements in the Internet including Quality of Service, network performance, and inexpensive technologies, such as DSL. But one of the most important advances has been in Virtual Private Networking (VPN) Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and commercially available standards-based protocols developed for transporting data.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but is expensive because the organization must pay the associated long distance telephone and service costs.
• Encapsulating Security Payload (ESP): Provides confidentiality, authentication, and integrity.
• Authentication Header (AH): Provides authentication and integrity.
• Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents. However, because ESP encrypts the data, the payload is changed. ESP does not encrypt the ESP header, nor does it encrypt the ESP authentication.
Authentication Header (AH)
AH provides authentication and integrity, which protect against data tampering, using the same algorithms as ESP.
Mode
SAs operate using modes. A mode is the method in which the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, the tunnel mode is used for gateway-to-gateway IPSec tunnel protection, while transport mode is used for host-to-host IPSec tunnel protection.
Key Management
IPSec uses the Internet Key Exchange (IKE) protocol to facilitate and automate the SA setup and the exchange of keys between parties transferring data. Using keys ensures that only the sender and receiver of a message can access it. IPSec requires that keys be re-created, or refreshed, frequently so that the parties can communicate securely with each other.
VPN Process Overview
Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct.
Table 9-1. WAN (Internet/Public) and LAN (Internal/Private) Addressing
Gateway    LAN or WAN     VPNC Example Address
Gateway A  LAN (Private)  10.5.6.1
Gateway A  WAN (Public)   14.15.16.17
Gateway B  LAN (Private)  22.23.24.25
Gateway B  WAN (Public)   172.23.9.
Figure 9-8: VPN Tunnel
SA
The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B. This communication is often referred to as a “tunnel.” The gateways contain this information so that it does not have to be loaded onto every computer connected to the gateways.
2. IKE Phase I.
   a. The two parties negotiate the encryption and authentication algorithms to use in the IKE SAs.
   b. The two parties authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates.
   c. A shared master key is generated by the Diffie-Hellman Public key algorithm within the IKE framework for the two parties.
VPNC IKE Phase II Parameters
The IKE Phase 2 parameters used in Scenario 1 are:
• TripleDES
• SHA-1
• ESP tunnel mode
• MODP group 1
• Perfect forward secrecy for rekeying
• SA lifetime of 28800 seconds (one hour)
Testing and Troubleshooting
Once you have completed the VPN configuration steps you can use PCs, located behind each of the gateways, to ping various addresses on the LAN-side of the other gateway.
• [RFC 791] Internet Protocol DARPA Internet Program Protocol Specification, Information Sciences Institute, USC, September 1981.
• [RFC 1058] Routing Information Protocol, C. Hedrick, Rutgers University, June 1988.
• [RFC 1483] Multiprotocol Encapsulation over ATM Adaptation Layer 5, Juha Heinanen, Telecom Finland, July 1993.
• [RFC 2401] S. Kent, R.
Glossary
List of Glossary Terms
Use the list below to find definitions for technical terms used in this manual.
Numeric
10BASE-T
IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring.
100BASE-Tx
IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring.
802.1x
802.1x defines port-based, network access control used to provide authenticated network access and automated data encryption key management. The IEEE 802.
A
Access Control List (ACL)
An ACL is a database that an Operating System uses to track each user’s access rights to system objects (such as file directories and/or files).
Ad-hoc Mode
An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an access point (AP). Ad-hoc mode is also referred to as peer-to-peer mode or an Independent Basic Service Set (IBSS).
Broadcast
A packet sent to all devices on a network.
C
Class of Service
A term to describe treating different types of traffic with different levels of service priority.
based on IP addresses. Every time you use a domain name, therefore, a DNS service must translate the name into the corresponding IP address. For example, the domain name www.example.com might translate to 198.105.232.4. The DNS system is, in fact, its own network. If one DNS server doesn't know how to translate a particular domain name, it asks another one, and so on, until the correct IP address is returned.
Ethernet
A LAN specification developed jointly by Xerox, Intel and Digital Equipment Corporation. Ethernet networks transmit packets at a rate of 10 Mbps.
G
Gateway
A local device, usually a router, that connects hosts on a local network to other networks.
I
ICMP
See “Internet Control Message Protocol”
IEEE
Institute of Electrical and Electronics Engineers.
Internet Protocol
The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it among all other computers on the Internet. When you send or receive data (for example, an e-mail note or a Web page), the message gets divided into little chunks called packets.
Local Area Network
A communications network serving users within a limited area, such as one floor of a building. A LAN typically connects multiple personal computers and shared network devices such as storage and printers. Although many technologies exist to implement a LAN, Ethernet is the most common for connecting personal computers and is limited to a distance of 1,500 feet.
P
packet
A block of information sent over a network. A packet typically contains a source and destination network address, some protocol and length information, a block of data, and a checksum.
Point-to-Point Protocol
PPP. A protocol allowing a computer using TCP/IP to connect directly to the Internet.
PPP
A protocol allowing a computer using TCP/IP to connect directly to the Internet.
PPPoA
PPPoA.
Q
QoS
See “Quality of Service”
Quality of Service
QoS is a networking term that specifies a guaranteed level of throughput. Throughput is the amount of data transferred from one device to another or processed in a specified amount of time - typically, throughputs are measured in bytes per second (Bps).
R
RADIUS
Short for Remote Authentication Dial-In User Service, RADIUS is an authentication system.
Subnet Mask
Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router.
T
TCP/IP
The main internetworking protocols used in the Internet. The Internet Protocol (IP) used in conjunction with the Transfer Control Protocol (TCP) form TCP/IP.
U
Universal Plug and Play
UPnP.
Wide Area Network
A WAN is a computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local-area networks (LANs).
Wi-Fi
A trade name for the 802.11b wireless networking standard, given by the Wireless Ethernet Compatibility Alliance (WECA, see http://www.wi-fi.net), an industry standards group promoting interoperability among 802.11b devices.