Summary of Contents for NETGEAR ProSafe FVS124G
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports, FVS124G
NETGEAR, Inc., 4500 Great America Parkway, Santa Clara, CA 95054 USA
Publication part number 202-10085-01, March 2005
In the interest of improving internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes to the products described in this document without notice. NETGEAR does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Certificate of the Manufacturer/Importer
It is hereby certified that the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports has been suppressed in accordance with the conditions set out in the BMPT-AmtsblVfg 243/1991 and Vfg 46/1992.
Open SSL
Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1.
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc.
Product and Publication Details
Model Number: FVS124G
Publication Date: March 2005
Product Family: Router
Product Name: FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
Home or Business Product: Business
Language: ...
Publication Part Number: 202-10085-01
The Router’s Rear Panel ... 2-7
The Router’s IP Address, Login Name, and Password ... 2-8
Logging into the Router ... 2-9
Default Factory Settings ... 2-10
NETGEAR Related Products ... 2-11
Chapter 3 Network Planning
Overview of the Planning Process ... 3-1
Inbound Traffic ... 3-1
Virtual Private Networks (VPNs) ... 3-1 ...
Inbound Traffic ... 3-3
Inbound Traffic to Single WAN Port (Reference Case) ... 3-3
Inbound Traffic to Dual WAN Port Systems ... 3-3
Inbound Traffic: Dual WAN Ports for Improved Reliability ... 3-4
Inbound Traffic: Dual WAN Ports for Load Balancing ... 3-4
Virtual Private Networks (VPNs) ... 3-5
VPN Road Warrior (Client-to-Gateway) ... 3-6 ...
Load Balancing (and Protocol Binding) Setup ... 4-17
Step 5: Configure Dynamic DNS (If Needed) ... 4-20
Step 6: Configure the WAN Options (If Needed) ... 4-23
Chapter 5 LAN Configuration
Using the LAN IP Setup Options ... 5-1 ...
Creating a VPN Connection: Between FVX538 and FVS124G ... 7-5
Configuring the FVX538 ... 7-5
Configuring the FVS124G ... 7-9
Testing the Connection ... 7-11
Creating a VPN Connection: Netgear VPN Client to FVS124G ... 7-11
Configuring the FVS124G ... 7-12
Configuring the VPN Client ... 7-12
Testing the Connection ... 7-20 ...
WAN Port Connection Status ... 8-18
Dynamic DNS Status ... 8-19
Internet Traffic Information ... 8-19
LAN Ports and Attached Devices ... 8-20
Known PCs and Devices ... 8-20
DHCP Log ... 8-22
Port Triggering Status ... 8-22
Firewall ... 8-23 ...
Routing Information Protocol ... B-2
IP Addresses and the Internet ... B-2
Netmask ... B-4
Subnet Addressing ... B-5
Private IP Addresses ... B-7
Single IP Address Operation Using NAT ...
MacOS X ... C-16
Verifying TCP/IP Properties for Macintosh Computers ... C-17
Verifying the Readiness of Your Internet Account ... C-18
Are Login Protocols Used? ... C-18
What Is Your Configuration Information? ...
Glossary: C ... Glossary-3; D ... Glossary-3; E ... Glossary-4; G ... Glossary-5; I ... Glossary-5; L ... Glossary-6; M ... Glossary-7; P ... Glossary-8; Q ... Glossary-9; R ... Glossary-9; S ... Glossary-9; T ... Glossary-10; U ... Glossary-10; W ... Glossary-10
About This Manual
Table 1-2. Manual Scope
Product: FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN...
Version: ...
Manual Publication Date: March 2005
Note: Product updates are available on the NETGEAR, Inc. Web site at http://kbserver.netgear.com/products/FVS124G.asp.
• button to access the full NETGEAR, Inc. online knowledge base for the product model. • Links to PDF versions of the full manual and individual chapters.
How to Print this Manual
To print this manual you can choose one of the following several options, according to your needs.
• Printing a Page in the HTML View. Each page in the HTML version of the manual is dedicated to a major topic.
This chapter describes the features of the NETGEAR FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports. Key Features of the VPN Firewall The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports with 4 port switch connects your local area network (LAN) to the Internet through an external access device such as a cable modem or DSL modem.
• Front panel LEDs for easy monitoring of status and activity.
• Flash memory for firmware upgrade.
Dual WAN Ports for Increased Reliability or Outbound Load Balancing
The FVS124G VPN Firewall has two broadband WAN ports, WAN1 and WAN2, each capable of operating independently at speeds of either 10 Mbps or 100 Mbps.
• With its URL keyword filtering feature, the FVS124G prevents objectionable content from reaching your PCs. The firewall allows you to control access to Internet content by screening for keywords within Web addresses.
Extensive Protocol Support
The FVS124G VPN Firewall supports the Transmission Control Protocol/Internet Protocol (TCP/IP) and Routing Information Protocol (RIP). For further information about TCP/IP, refer to Appendix B, “Network, Routing, Firewall, and •...
The FVS124G VPN Firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the FVS124G VPN Firewall: • Flash memory for firmware upgrade •...
• Warranty and Support Information Card. If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the firewall for repair. The Router’s Front Panel The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
Table 2-1. FVS124G front panel
Object: PWR LED. Activity: On (Green).
Object: TEST LED. Activity: On (Amber); Blinking (Amber).
Object: WAN Port LEDs, Link/Act LED. Activity: On (Green); Blinking (Green).
Object: 100 LED. Activity: On (Green).
Figure 2-2: FVS124G Rear Panel (shows the Factory Defaults button and the LAN ports)
Viewed from left to right, the rear panel contains the following elements: Table 2-2.
Figure 2-3: FVS124G Bottom Label (shows the LAN IP address, user name, and password)
Logging into the Router
To log into the FVS124G once it is connected, open a Web browser.
Figure 2-4: Login screen on the Web browser
Note: Read-only access is provided by logging in as username guest and default password password. Both the administrative and guest accounts ship with well-known default passwords; change them before putting the firewall into service, since otherwise any LAN user can read the configuration.
Default Factory Settings
When you first receive your FVS124G, the default factory settings will be set as shown in the table below.
Default factory settings (table continued): Built-in DHCP server; IP Configuration; Time Zone; Adjust for Daylight Saving Time.
NETGEAR Related Products
NETGEAR products related to the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports are as follows:
• FA311 10/100 PCI Adapter
• ...
This chapter describes the factors to consider when planning a network using a firewall that has dual WAN ports.
Overview of the Planning Process
The areas that require planning when using a firewall that has dual WAN ports include: • ...
Note: Once the gateway firewall WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address.
The Rollover Case for Firewalls With Dual WAN Ports
Rollover (Figure 3-1) for the dual WAN port case is different from the single gateway WAN port...
... IP address is dynamic.
Figure 3-3: Inbound traffic to single WAN port case. The router's WAN port is reached by its WAN IP address or by an FQDN such as netgear.dyndns.org; an FQDN is required for a dynamic IP address and optional for a fixed IP address.
Inbound Traffic to Dual WAN Port Systems
The IP address range of the firewall’s WAN port must be both fixed and public so that the public... WAN ports (i.e., WAN1 or WAN2).
Figure 3-4: Inbound traffic to dual WAN ports, before and after rollover. Before rollover, WAN1 carries the WAN1 IP and WAN2 is inactive (WAN2 IP: N/A); the IP address of the active WAN port changes after a rollover, so use of a fully-qualified domain name (for example netgear.dyndns.org) is always required.
Virtual Private Networks (VPNs)
When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN port depends on the configuration being implemented: Table 3-1.
Figure 3-6: Dual gateway WAN ports before and after rollover. Before rollover, WAN1 carries the gateway's WAN1 IP and WAN2 is inactive (WAN2 IP: N/A); the IP address of the active WAN port changes after a rollover, so use of a fully-qualified domain name (for example netgear.dyndns.org) is always required.
Figure 3-9: the remote PC client (Client B, WAN IP 0.0.0.0, running the NETGEAR ProSafe VPN Client). Fully-qualified domain names: required for fixed IP addresses, required for dynamic IP addresses.
Figure 3-11: the remote PC client (Client B, WAN IP 0.0.0.0, running the NETGEAR ProSafe VPN Client). Fully-qualified domain names: optional for fixed IP addresses, required for dynamic IP addresses.
If an IP address is fixed, a fully-qualified domain name is optional.
Figure (Network Planning): gateway WAN IP 22.23.24.25 with FQDN netgear.dyndns.org. Fully-qualified domain names: optional for fixed IP addresses, required for dynamic IP addresses.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability
...
In the load balancing case, the gateway WAN ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the other end as necessary to balance the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
Figure 3-15: Dual gateway WAN ports (load balancing case) for gateway-to-gateway VPN tunnels. Gateway A: WAN_A1 port inactive (WAN_A1 IP: N/A), WAN_A2 IP active, FQDN netgear.dyndns.org. Gateway B: WAN_B1 IP active, WAN_B2 port inactive (WAN_B2 IP: N/A), FQDN netgearB.dyndns.org. Fully-qualified domain names: required for fixed IP addresses, required for dynamic IP addresses.
If the IP address is fixed, a fully-qualified domain name is optional.
Figure 3-16: the remote PC (Client B, running the NETGEAR ProSafe VPN Client) behind NAT Router B at the telecommuter's home office; NAT router WAN IP 0.0.0.0.
Figure 3-17: the remote PC (Client B, running the NETGEAR ProSafe VPN Client) behind NAT Router B at the telecommuter's home office.
Figure 3-19: the remote PC (Client B, running the NETGEAR ProSafe VPN Client) behind NAT Router B at the telecommuter's home office (NAT router WAN IP 0.0.0.0), reaching the gateway's WAN1 IP or WAN2 IP.
Connecting the FVS124G to the Internet This chapter describes how to connect the WAN ports of the FVS124G VPN Firewall to the Internet. What You Will Need to Do Before You Begin The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports is a powerful and versatile solution for your networking needs.
– You can also add your own service protocols to the list (see “Rules” on page 6-4).
Set up your accounts
Have active Internet services such as that provided by cable or DSL broadband accounts and locate the Internet Service Provider (ISP) configuration information.
To configure the FVS124G, you must use a Java-enabled web browser program that supports HTTP uploads such as Microsoft Internet Explorer or Netscape Navigator. NETGEAR recommends using Internet Explorer or Netscape Navigator 4.0 or above. Free browser programs are readily available for Windows, Macintosh, or UNIX/Linux.
• You may also refer to the FVS124G Resource CD for the NETGEAR Router ISP Guide which provides Internet connection information for many ISPs. Once you locate your Internet configuration parameters, you may want to record them on the page below.
Record Your Internet Connection Information
Print this page. Fill in the configuration parameters from your Internet Service Provider (ISP).
ISP Login Name: The login name and password are case sensitive and must be entered exactly as given by your ISP.
Connecting the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
This section provides instructions for connecting the FVS124G VPN Firewall. Also, the Resource CD for ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports included with your firewall contains an animated Installation Assistant to help you through this procedure.
Step 1: Physically Connect the VPN Firewall to Your Network (Required)
Turn off your computer and Cable or DSL Modem. Disconnect the Ethernet cable from your computer which connects to your cable or DSL modem.
Figure 4-2: Login screen on the Web browser
For security reasons, the firewall has its own user name and password. When prompted, enter admin for the firewall user name and the default password, in lower case letters. The firewall user name and password are not the same as any user name or password you may use to log in to your Internet connection.
Figure 4-3: WAN1 and WAN2 Basic Settings and Setup Wizard Screens (WAN1 screens; WAN2 screens)
Click Setup Wizard on the WAN1 ISP Settings screen to get the Setup Wizard (WAN1) screen. Click Next and follow the steps in the WAN1 Setup Wizard for inputting the configuration parameters from your ISP1 to connect to the Internet.
The steps to configure WAN port 2 are as follows: Repeat the above steps to set up the parameters for ISP2. Start by clicking the WAN2 ISP link directly under WAN Setup on the upper left of the main menu to get the WAN2 ISP Settings screen, then click Setup Wizard on that screen to get the Setup Wizard (WAN2) screen.
Manually Configuring Your Internet Connection
You can manually configure your firewall using the menu below if you do not want to allow the Setup Wizard to determine your configuration as described in the previous sections.
Figure 4-4: Browser-based configuration WAN ISP Settings menus (WAN1 ISP shown): ISP Does Not Require Login; ISP Does Require Login
Programming the Traffic Meter (if Desired)
From the Main Menu of the browser interface, under WAN Setup, click Traffic Meter. You will get the screens shown in Figure 4-5.
Table 4-1. Traffic meter
Parameter: Enable Traffic Meter. Description: Check this if you wish to record the volume of Internet traffic passing through the router's WAN1 or WAN2 port. WAN1 or WAN2 can be selected through the drop-down menu; the entire configuration is specific to each WAN interface.
Step 4: Configure the WAN Mode (Required for Dual WAN)
The dual WAN ports of the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports can be configured on a mutually exclusive basis for either rollover for increased system reliability or load balancing for maximum bandwidth efficiency.
Rollover Setup
Perform the following steps to configure the dual WAN ports for rollover: Click the WAN Mode link directly under Setup on the upper left of the main menu to invoke the WAN Mode Auto-Rollover screen shown in Figure 4-6.
Figure 4-6: WAN Mode screen for auto-rollover
Fill out the screen using the following parameter definitions:
• Test Period—A DNS query is sent periodically after every test period. The minimum test period is 30 seconds.
• Maximum Failures—The WAN interface is considered down after the configured number of DNS queries have failed to elicit a DNS reply from the configured DNS server.
Figure 4-7: WAN Mode screen for load balancing and protocol binding
Fill out the screen using the following parameter definitions:
• Detection of WAN failure—WAN failure is detected using DNS queries to the DNS server.
• Test Period—A DNS query is sent periodically after every test period. The minimum test period is 30 seconds.
• Maximum Failures—The WAN interface is considered down after the configured number of DNS queries have failed to elicit a DNS reply from the configured DNS server.
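The failure detector and rollover behaviour described for both WAN modes above, modelled as an added example; this is not code from the manual or from NETGEAR firmware. It assumes a Test Period and Maximum Failures value per port, a constructed log of DNS probe outcomes in place of real queries to the configured DNS server, and that the firewall returns to the primary port once it answers again, which is an assumption about the firmware rather than something the manual states. The note earlier in this chapter that VPN tunnels collapse on rollover is recorded as an event.

```python
"""WAN failure detection (periodic DNS probes) and auto-rollover, as a simulation."""
from dataclasses import dataclass, field
from typing import List, Tuple

MIN_TEST_PERIOD_S = 30  # the manual's minimum Test Period


@dataclass
class WanProbe:
    """Failure detector for one WAN port, driven by one DNS query per test period."""
    name: str
    test_period_s: int = 30   # seconds between DNS queries
    max_failures: int = 4     # consecutive unanswered queries before the port is "down"
    failures: int = 0
    up: bool = True

    def __post_init__(self) -> None:
        if self.test_period_s < MIN_TEST_PERIOD_S:
            raise ValueError(f"test period must be >= {MIN_TEST_PERIOD_S}s")
        if self.max_failures < 1:
            raise ValueError("max failures must be >= 1")

    def seconds_to_declare_down(self) -> int:
        # Worst-case detection latency: every probe in the window has to fail first.
        return self.test_period_s * self.max_failures

    def observe(self, got_reply: bool) -> bool:
        """Feed one probe result; return the port's up/down state afterwards."""
        if got_reply:
            self.failures = 0
            self.up = True
        else:
            self.failures += 1
            if self.failures >= self.max_failures:
                self.up = False
        return self.up


@dataclass
class Rollover:
    """Auto-rollover between a primary and a backup WAN port."""
    primary: WanProbe
    backup: WanProbe
    fail_back: bool = True  # assumption: move back to the primary once it answers again
    active: str = field(init=False, default="")
    events: List[str] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.active = self.primary.name

    def tick(self, primary_reply: bool, backup_reply: bool) -> str:
        """One test period: apply both probe results, then pick the port that carries traffic."""
        self.primary.observe(primary_reply)
        self.backup.observe(backup_reply)
        wanted = self.active
        if self.active == self.primary.name and not self.primary.up and self.backup.up:
            wanted = self.backup.name
        elif self.active == self.backup.name and self.fail_back and self.primary.up:
            wanted = self.primary.name
        if wanted != self.active:
            # The WAN IP changes here, so any VPN tunnel bound to the old port collapses.
            self.events.append(f"rollover {self.active} -> {wanted}; VPN tunnels must be re-established")
            self.active = wanted
        return self.active


def simulate(probe_log: List[Tuple[bool, bool]]) -> Tuple[List[str], List[str]]:
    """Run a probe log of (primary_reply, backup_reply) pairs, one pair per test period."""
    ro = Rollover(WanProbe("WAN1", 30, 3), WanProbe("WAN2", 30, 3))
    history = [ro.tick(p, b) for p, b in probe_log]
    return history, ro.events


# Constructed sample: WAN1 stops answering DNS for four periods, then recovers.
SAMPLE_LOG = [(True, True), (False, True), (False, True), (False, True), (False, True), (True, True)]

if __name__ == "__main__":
    history, events = simulate(SAMPLE_LOG)
    print(history)
    print(events)
```

With Maximum Failures set to 3 and a 30-second Test Period, a dead link is declared down only after 90 seconds of failed queries, and the active port moves to WAN2 on the third miss; the two recorded events are the points at which existing tunnels need rebuilding.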
Step 5: Configure Dynamic DNS (If Needed)
If your network has a permanently assigned IP address, you can register a domain name and have that name linked with your IP address by public Domain Name Servers (DNS).
Figure 4-8: Dynamic DNS screens (Dynamic DNS screen for rollover mode; Dynamic DNS screens for load balancing mode)
Figure 4-9: Dynamic DNS service provider screens (DynDNS Service Screen). Each DNS service provider requires its own parameters.
Access the website of one of the dynamic DNS service providers whose names appear in the ‘Select Service Provider’...
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the dynamic DNS service will not work because private addresses will not be routed on the Internet.
• Port Speed—In most cases, your router can automatically determine the connection speed of the Internet (WAN) port. If you cannot establish an Internet connection and the Internet LED blinks continuously, you may need to manually select the port speed.
This chapter describes how to configure the advanced features of your FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports. These features can be found under the Advanced heading in the Main Menu of the browser interface. •...
Figure 5-1: LAN IP Setup menu
Note: Once you have completed the LAN IP setup, all outbound traffic is allowed and all inbound traffic is discarded. To change these traffic rules, refer to Chapter 6, “Firewall Protection and Content Filtering.”
Configuring LAN TCP/IP Setup Parameters
LAN TCP/IP Setup—The default values are suitable for most users and situations.
• IP Subnet Mask: The subnet mask specifies the network number portion of an IP address. Your router will automatically calculate the subnet mask based on the IP address that you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask (computed by the router).
• Ending IP Address - This box specifies the last of the contiguous addresses in the IP address pool. 192.168.1.254 is the default ending address.
• ...
• Primary DNS Server (if you entered a Primary DNS address in the Basic Settings menu; otherwise, the firewall’s LAN IP address)
• Secondary DNS Server (if you entered a Secondary DNS address in the Basic Settings menu)
• ...
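The addressing checks behind the LAN IP setup and DHCP pool fields above, and the earlier note that dynamic DNS cannot work behind a private WAN address, as an added example; this is not code from the manual or from NETGEAR. It assumes the router derives the mask from the address class when none is supplied (the classful rule the text alludes to) and uses the manual's default LAN address 192.168.1.1 and default pool end 192.168.1.254 as constructed inputs.

```python
"""Sanity checks for a small router's LAN addressing, DHCP pool and dynamic DNS WAN address."""
import ipaddress
from typing import List, Optional


def classful_mask(ip: str) -> str:
    """The mask a classful router derives from the address when none is entered."""
    first_octet = int(ipaddress.IPv4Address(ip)) >> 24
    if first_octet < 128:
        return "255.0.0.0"        # class A
    if first_octet < 192:
        return "255.255.0.0"      # class B
    if first_octet < 224:
        return "255.255.255.0"    # class C
    raise ValueError(f"{ip} is not a class A/B/C unicast address")


def lan_network(lan_ip: str, mask: Optional[str] = None) -> ipaddress.IPv4Network:
    """The LAN subnet, using the entered mask or the classful default."""
    return ipaddress.IPv4Network(f"{lan_ip}/{mask or classful_mask(lan_ip)}", strict=False)


def dhcp_pool_errors(lan_ip: str, mask: Optional[str], start: str, end: str) -> List[str]:
    """Everything that would make the DHCP pool hand out unusable or conflicting addresses."""
    net = lan_network(lan_ip, mask)
    router = ipaddress.IPv4Address(lan_ip)
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    errors: List[str] = []
    if first > last:
        errors.append("starting address is above ending address")
    for label, addr in (("starting", first), ("ending", last)):
        if addr not in net:
            errors.append(f"{label} address {addr} is outside {net}")
        elif addr in (net.network_address, net.broadcast_address):
            errors.append(f"{label} address {addr} is the network or broadcast address")
    if first <= router <= last:
        errors.append(f"router address {router} lies inside the pool")
    return errors


def ddns_usable(wan_ip: str) -> bool:
    """Dynamic DNS only helps when the WAN address is publicly routable; RFC 1918
    space (and other non-global ranges) will never be reachable from the Internet."""
    return ipaddress.IPv4Address(wan_ip).is_global


if __name__ == "__main__":
    # Constructed inputs: the manual's defaults, then two misconfigurations.
    print(lan_network("192.168.1.1"))
    print(dhcp_pool_errors("192.168.1.1", None, "192.168.1.2", "192.168.1.254"))
    print(dhcp_pool_errors("192.168.1.1", "255.255.255.0", "192.168.2.10", "192.168.2.50"))
    print(ddns_usable("10.1.2.3"), ddns_usable("22.23.24.25"))
```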
Multi Home LAN IPs
Click Multi Home LAN IPs Setup on the LAN IP Setup screen (see Figure 5-1) to invoke the Secondary LAN IP Setup screens. This allows the firewall to act as a gateway to additional logical subnets on your LAN.
From the Main Menu of the browser interface, under Advanced, click on Static Routes to view the Static Route menu, shown below.
Figure 5-4. Static Routes Summary Table and Add screens
To add or edit a Static Route: Click the Add button to open the Add/Edit Menu, shown below.
Type a number between 1 and 15 as the Metric value. This represents the number of firewalls between your network and the destination. Usually, a setting of 2 or 3 works, but if this is a direct connection, set it to 1.
Chapter 6 Firewall Protection and Content Filtering This chapter describes how to use the content filtering features of the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports to protect your network. These features can be found by clicking on the Content Filtering heading in the Main Menu of the browser interface. Firewall Protection and Content Filtering Overview The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports provides you with Web content filtering options, plus browsing activity reporting and instant alerts via e-mail.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the FVS124G are:
• Inbound: Block all access from outside except responses to requests from the LAN side.
• ...
Note: This feature is for Advanced Administrators only! Incorrect configuration will cause serious problems.
Outbound Services—This lists all existing rules for outbound traffic. If you have not defined any rules, only the default rule will be listed.
Click the button for the desired actions:
– Edit - to make any changes to the rule definition. The Inbound Service screen will be displayed (see “Inbound Rules (Port Forwarding)”...
• Quality of service (QoS) priorities—Each service has its own native priority, which affects its quality of performance and its tolerance for jitter or delays. You can change this QoS priority if desired to change the traffic mix through the system.
Table 6-1. Inbound Services
Services: Select the desired service or application to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see ...).
Action: Select the desired action for packets covered by this rule: ...
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a Web or FTP server) from your location. Your ISP may periodically check for servers and may suspend your account if it discovers any active services at your location.
This application note describes how to configure multi-NAT to support multiple public IP addresses on one WAN interface of a NETGEAR FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports. By creating an inbound rule, we will configure the firewall to host an additional public IP address and associate this address with a web server on the LAN.
– LAN IP address subnet is 192.168.1.1 255.255.255.0
• Web server PC on the firewall's LAN
– LAN IP address is 192.168.1.2
– Access to Web server is (simulated) public IP address 10.1.0.52
IP Address Requirements—If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN.
Select Action "ALLOW always". For Send to LAN Server, enter the local IP address of your web server PC. For Public Destination IP Address, choose "Other Public IP Address." Enter one of your public Internet addresses that will be used by clients on the Internet to reach your web server.
Create an inbound rule that allows all protocols. Place the rule below all other inbound rules. Note: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
Considerations for Inbound Rules
• If your external IP address is assigned dynamically by your ISP, the IP address may change periodically as the DHCP lease expires. Consider using the Dynamic DNS feature in the Advanced menus so that external users can always find your network.
Note: See “Source MAC Filtering” on page 6-27 for how to block traffic from selected PCs that would otherwise be allowed by the firewall.
Table 6-1. Outbound Services
Services: ...
Table 6-1. Outbound Services (continued)
QoS Priority: This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall. By default, the priority shown is that of the selected service.
Outbound Rule Example: Blocking Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block that application from any internal IP address to any external address according to the schedule that you have created in the Schedule menu.
Order of Precedence for Rules
As you define new rules, they are added to the tables in the Rules menu, as shown in Figure 6-10.
Figure 6-10: Rules table with examples
For any traffic attempting to pass through the firewall, the packet information is subjected to the...
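A model of the rule evaluation described in this chapter, covering the two default rules, the multi-NAT inbound rule that sends traffic for a public address to a LAN web server, the scheduled outbound block, and the order-of-precedence problem behind the exposed-host warning. This is an added example, not code from the manual or from NETGEAR firmware. It assumes first-match evaluation from the top of each table with the direction's default rule as the fallback, a schedule expressed as weekdays and an hour range, and the constructed addresses from the multi-NAT application note (public 10.1.0.52, LAN server 192.168.1.2); port 5190 for the Instant Messenger service and 192.168.1.10 for the exposed host are illustrative values, not from the manual.

```python
"""First-match firewall rule tables with per-direction default rules and schedules."""
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

DEFAULT_ACTION = {"in": "block", "out": "allow"}  # the firewall's two default rules


@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = WAN->LAN, "out" = LAN->WAN
    proto: str       # "tcp" or "udp"
    dst_ip: str      # inbound: the public address the Internet client connected to
    dst_port: int
    when: datetime


@dataclass(frozen=True)
class Rule:
    name: str
    direction: str
    action: str                              # "allow" or "block"
    proto: str = "any"
    dst_port: Optional[int] = None           # None = any port
    public_ip: Optional[str] = None          # inbound multi-NAT: "Other Public IP Address"
    send_to_lan: Optional[str] = None        # inbound allow: LAN server that receives the traffic
    days: Tuple[int, ...] = tuple(range(7))  # schedule: weekday numbers, Monday = 0
    hours: Tuple[int, int] = (0, 24)         # schedule: [start, end) in local hours

    def is_catch_all(self) -> bool:
        return self.proto == "any" and self.dst_port is None and self.public_ip is None

    def matches(self, p: Packet) -> bool:
        if p.direction != self.direction:
            return False
        if self.proto != "any" and self.proto != p.proto:
            return False
        if self.dst_port is not None and self.dst_port != p.dst_port:
            return False
        if self.public_ip is not None and self.public_ip != p.dst_ip:
            return False
        if p.when.weekday() not in self.days:
            return False
        return self.hours[0] <= p.when.hour < self.hours[1]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str, Optional[str]]:
    """Walk the table top to bottom; the first matching rule decides. Replies to
    LAN-initiated sessions are passed by connection state before the rules run."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name, r.send_to_lan
    return DEFAULT_ACTION[p.direction], "default", None


def order_warnings(rules: List[Rule]) -> List[str]:
    """Flag a catch-all rule placed above more specific rules in the same direction:
    nothing below it can ever match, which is how an exposed-host rule swallows a table."""
    warnings = []
    for i, r in enumerate(rules):
        if not r.is_catch_all():
            continue
        shadowed = [s.name for s in rules[i + 1:] if s.direction == r.direction]
        if shadowed:
            warnings.append(f"'{r.name}' shadows {shadowed}")
    return warnings


# Constructed rule set (port 5190 and 192.168.1.10 are illustrative only).
WEB_SERVER = Rule("web-server", "in", "allow", "tcp", 80,
                  public_ip="10.1.0.52", send_to_lan="192.168.1.2")
BLOCK_IM = Rule("block-im-work-hours", "out", "block", "tcp", 5190,
                days=(0, 1, 2, 3, 4), hours=(9, 17))
EXPOSED_HOST = Rule("exposed-host", "in", "allow", send_to_lan="192.168.1.10")

GOOD_ORDER = [WEB_SERVER, BLOCK_IM, EXPOSED_HOST]   # catch-all last, as the manual says
BAD_ORDER = [EXPOSED_HOST, WEB_SERVER, BLOCK_IM]    # catch-all first: web-server never matches

if __name__ == "__main__":
    monday = datetime(2005, 3, 14, 10, 0)
    print(evaluate(GOOD_ORDER, Packet("in", "tcp", "10.1.0.52", 80, monday)))
    print(evaluate(BAD_ORDER, Packet("in", "tcp", "10.1.0.52", 80, monday)))
    print(order_warnings(BAD_ORDER))
```

Running the same inbound HTTP packet through both orderings shows the difference: with the catch-all at the bottom it reaches the web server; with the catch-all on top it is handed to the exposed host, and the order check reports the shadowed rule.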
Although the FVS124G already holds a list of many service port numbers, you are not limited to these choices. Use the Services menu to add additional services and applications to the list for use in defining firewall rules.
Click Apply. The new service will now appear in the Services menu, and in the Service name selection box in the Rules menu.
Quality of Service (QoS) Priorities
This setting determines the priority of a service, which in turn, determines the quality of that service for the traffic passing through the firewall.
Example 1 (priority unchanged): If the native ToS setting for a service is 3 and the Netgear QoS setting for this service is None, then the traffic for this service is placed in the queue that handles priority 3 traffic.
Managing Groups and Hosts
The Network Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: • ...
Figure 6-13: Groups and Hosts screens
Table 6-3. Groups and hosts
Known PCs and Devices: This table lists all current entries in the Network Database. For each PC or device, the following data is displayed.
Page 99
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Figure 6-14: Schedule menu To invoke rules and block keywords or Internet domains based on a schedule, select Every Day or select one or more days. If you want to limit access completely for the selected days, select All Day.
VPN firewall's content and Web component filtering feature. By default, this feature is disabled; all requested traffic from any Web site is allowed. When users try to access a blocked site, they will get a message: Blocked by NETGEAR. •...
Page 101
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports The Block Sites menu is shown in Figure 6-15: Figure 6-15: Block Sites menu Firewall Protection and Content Filtering 6-25 202-10085-01, March 2005...
Page 102
• In the Trusted Domains box, enter the exact matching domain name for which the keyword filtering will be bypassed. Example: Enter www.netgear.com to bypass URL keyword filtering for this domain. The domains in this list will be allowed without any filtering, web component filtering still applies.
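To make the "exact matching domain name" rule concrete, here is an added example, written for this page rather than taken from the FVS124G: a URL keyword filter with a Trusted Domains bypass. The keyword list and the sample URLs are constructed; the behaviour taken from the text is that a keyword anywhere in the requested URL blocks it, that only an exact host-name match is trusted (www.netgear.com does not cover netgear.com or ftp.netgear.com), and that Web component filtering is a separate mechanism, which is therefore not modelled.

```python
"""Added example (not the FVS124G's own code): URL keyword blocking with an
exact-match Trusted Domains bypass, as the Block Sites text describes.
Keyword list and sample URLs are constructed for the example."""
from typing import Dict, Iterable, List, Set
from urllib.parse import urlsplit

# Constructed lists for the example.
BLOCKED_KEYWORDS = ["casino", "poker"]
TRUSTED_DOMAINS = {"www.netgear.com"}


def _split(url: str):
    # Accept bare host names as well as full URLs.
    return urlsplit(url if "://" in url else "http://" + url)


def is_blocked(url: str, keywords: Iterable[str] = BLOCKED_KEYWORDS,
               trusted: Set[str] = TRUSTED_DOMAINS) -> bool:
    """True if the request should be refused with 'Blocked by NETGEAR'.

    The whole URL (host, path, query) is searched for any keyword, but a
    request whose host name exactly equals a trusted domain skips the
    keyword check. Web component filtering (ActiveX, Java, cookies and so
    on) is a separate mechanism and is deliberately not modelled here."""
    parts = _split(url)
    host = (parts.hostname or "").lower()
    if host in trusted:
        return False
    haystack = host + parts.path + ("?" + parts.query if parts.query else "")
    haystack = haystack.lower()
    return any(k.lower() in haystack for k in keywords)


def classify(urls: List[str]) -> Dict[str, bool]:
    return {u: is_blocked(u) for u in urls}


# Constructed sample requests.
SAMPLE = [
    "http://www.example.com/games/casino",   # keyword in the path: blocked
    "http://www.netgear.com/casino",         # trusted host: allowed
    "http://netgear.com/casino",             # not an exact match: blocked
    "http://www.example.com/",               # nothing matches: allowed
    "pokernews.example.com",                 # keyword inside the host name: blocked
]

if __name__ == "__main__":
    for url, blocked in classify(SAMPLE).items():
        print(("BLOCK " if blocked else "allow ") + url)
```

The third sample is the one to remember when populating the Trusted Domains box: trusting www.netgear.com does nothing for a link that points at netgear.com without the www prefix, so each host name that users actually reach has to be listed.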
Source MAC Filtering
Source MAC Filter will drop the Internet-bound traffic received from the PCs with the specified MAC addresses.
• By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed by default.
Table 6-5. Source MAC address filter
Activation: • Enable the source MAC filter by ticking the check box. • Press APPLY. • Now add the MAC addresses from which the traffic should be dropped by clicking the ADD button.
Note that a source MAC address is set by the sending host and can be changed in software, so this filter stops casual use of the Internet link from a listed PC; it is not a substitute for firewall rules or for authentication.
• After a PC has finished using a Port Triggering application, there is a time-out period before the application can be used by another PC. This is required because the router cannot be sure when the application has terminated.
Table 6-6. Port Triggering
Port Triggering Rules: • Enable - Indicates if the rule is enabled or disabled. Generally, there is no need to disable a rule unless it interferes with some other function such as Port Forwarding.
Figure 6-18: Logs and E-mail screens
Click the View Log button to view the log messages generated by the router. • In the View Log window, to delete all log entries, click Clear Log. •...
Items to include in the log: • Use these checkboxes to determine which events are included in the log. Selecting all events will increase the size of the log, so it is good practice to disable any events which are not really required. Keep the entries for login failures, attacks and blocked traffic enabled; they are the ones you will need when investigating an incident.
• In the Log Threshold Time box, set the log threshold time. • In the Alert Queue Length box, set the alert queue length. Click Apply to have your changes take effect.
Figure 6-19: Firewall Logs menu
Table 6-7. Log entry descriptions
Date and Time: The date and time the log entry was recorded.
Description: The type of event and what action was taken, if any.
Source port and interface: The service port number of the initiating device, and whether it originated from the LAN or WAN.
Destination: The name or IP address of the destination device or website.
This chapter describes how to use the virtual private networking (VPN) features of the FVS124G VPN Firewall. VPN tunnels provide secure, encrypted communications between your local network and a remote network or computer.
Tip: When using dual WAN port networks, use the VPN Wizard to configure the basic parameters and then edit the VPN and IKE Policy screens for the various VPN scenarios.
Figure 7-1 shows the setup screens for the selected WAN mode. This setup is accomplished in “Step 4: Configure the WAN Mode (Required for Dual WAN)” on page ... (Rollover Mode Setup Screen). Figure 7-1: WAN Mode Setup screens. Fully Qualified Domain Names...
“Step 5: Configure Dynamic DNS (If Needed)” on page 4-20 ... the Dynamic DNS service.
[Functional block diagram of the FVS124G: firewall functions, the rest of the FVS124G functions, and the WAN port functions]
[Functional block diagram of the FVS124G WAN ports with the Dynamic DNS screens] Figure 7-3: Functional operation of FVS124G WAN ports for load balancing mode. WAN 1 Port Load Balancing...
Creating a VPN Connection: Between FVX538 and FVS124G
This section describes how to configure a VPN connection between a NETGEAR FVX538 VPN Firewall and a NETGEAR FVS124G VPN Firewall.
Click Next. Enter the WAN IP address of the remote FVS124G. Click WAN1 to bind this connection to the WAN1 port. Figure 7-5: WAN IP address of remote FVS124G. Click Next.
Click Done to create the 'to_fvs' IKE and VPN policies. In the IKE Policies menu, the 'to_fvs' IKE policy will appear in the table. Figure 7-7: IKE Policies. You can view the IKE parameters by selecting 'to_fvs' and clicking Edit.
In the VPN Policies menu, the 'to_fvs' VPN policy will appear in the table. Figure 7-9: FVX538 VPN Policies screen.
You can view the VPN parameters by selecting 'to_fvs' and clicking Edit. It should not be necessary to make any changes. Figure 7-10: FVX538-to-FVS124G VPN screen.
Configuring the FVS124G
Select the VPN Wizard. Give the client connection a name, such as to_fvx.
Select 'a remote VPN gateway'. Figure 7-11: VPN Wizard start page. Click Next. Enter the WAN IP address of the remote FVX538. Figure 7-12: WAN IP address of remote FVX538. Click Next.
... PCs are to be connected, an additional policy or policies must be created. Each PC will use NETGEAR's VPN Client. Since the PC's IP address is assumed to be unknown, the PC must always be the Initiator of the connection.
This procedure was developed and tested using: • NETGEAR FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports with version 1.0 firmware •...
In the upper left of the Policy Editor window, click the New Document icon to open a New Connection. Figure 7-15: New Client Connection screen.
Give the New Connection a name, such as to_FVS. Figure 7-16: New connection named. In the Remote Party Identity section, select ID Type of IP Subnet. Enter the LAN IP Subnet Address and Subnet Mask of the FVS124G's LAN.
For Domain Name, enter 'fvs_local.com' and enter the WAN IP Address of the FVS124G. Figure 7-17: Remote client info. In the left frame, click My Identity. Select Certificate = None.
Leave Virtual Adapter disabled, and select your computer's Network Adapter. Your current IP address will appear. Figure 7-18: My Identity screen. Before leaving the My Identity menu, click the Pre-Shared Key button.
Click Enter Key, type your pre-shared key, and click OK. This key will be shared by all users of the FVS124G policy "home". Because every remote user of the policy holds the same key, treat it like a shared password: use a long random value rather than a word, and expect to change it on every client when any one user leaves. Figure 7-19: Pre-shared key. In the left frame, click Security Policy.
Select Phase 1 Negotiation Mode = Aggressive Mode. PFS should be disabled, and Replay Detection should be enabled. Figure 7-20: Client Security Policy screen. Note that Aggressive Mode sends the identities and the hash derived from the pre-shared key before the exchange is encrypted, so a captured negotiation can be used to test candidate keys offline; this is the reason the pre-shared key must be long and random.
In the left frame, expand Authentication and select Proposal 1. Compare with the figure below. No changes should be necessary. Figure 7-21: Client Authorization screen.
In the left frame, expand Key Exchange and select Proposal 1. Compare with the figure below. No changes should be necessary. Figure 7-22: Client Key Exchange screen. In the upper left of the window, click the disk icon to save the policy.
For additional status and troubleshooting information, right-click the VPN client icon in your Windows toolbar and select "Connection Monitor" or "Log Viewer", or view the VPN log and status menu in the FVS124G.
This chapter describes how to use the network management features of your FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports. These features can be found by clicking the appropriate heading in the Main Menu of the browser interface. The FVS124G offers many tools for managing the network traffic to optimize its performance.
VPN Firewall Features That Reduce Traffic
Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows: • Service blocking •...
– Address range: The rule is applied to a range of Internet IP addresses. • Services—You can specify the desired Services or applications to be covered by this rule. If the desired service or application does not appear in the list, you must define it using the Services menu (see “Services”...
“Using a Schedule to Block or Allow Specific Traffic” on page 6-22 to use this feature.
Block Sites
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the VPN firewall's filtering feature.
• VPN tunnels
Port Forwarding
The firewall always blocks the DoS (Denial of Service) attack patterns it recognizes. A DoS attack does not attempt to steal data or damage your PCs, but overloads your Internet connection so you cannot use it (i.e., the service is unavailable). Keep in mind that a flood large enough to fill the WAN link has already consumed the link by the time the firewall drops it; the protection is against the attack reaching your PCs, not against the link being saturated.
• WAN Users—These settings determine which Internet locations are covered by the rule, based on their IP address. – Any: The rule applies to all Internet IP addresses. –...
– After a PC has finished using a Port Triggering application, there is a time-out period before the application can be used by another PC. This is required because the firewall cannot be sure when the application has terminated.
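The time-out behaviour described here, and in the Port Triggering section of the previous chapter, is easiest to understand as a small piece of state per rule. The following added example models it; it is written for this page and is not FVS124G firmware. Port numbers and the 120-second time-out are constructed, and the choice to let inbound traffic keep the rule alive is an assumption, not something the manual states.

```python
"""Added example (not FVS124G firmware): the state a Port Triggering rule
has to keep. One LAN host "owns" the rule after sending to the trigger
port; inbound packets to the rule's open ports are forwarded to that host
until the rule has been idle for the time-out period, and only then can
another host claim it. Ports and time-out are constructed; refreshing the
timer on inbound traffic is an assumption made here."""
from typing import List, Optional, Set


class PortTrigger:
    def __init__(self, name: str, trigger_port: int, open_ports: Set[int], timeout_s: float):
        self.name = name
        self.trigger_port = trigger_port
        self.open_ports = set(open_ports)
        self.timeout_s = timeout_s
        self.owner: Optional[str] = None   # LAN IP currently using the rule
        self.last_seen = 0.0

    def _expired(self, now: float) -> bool:
        return self.owner is not None and now - self.last_seen >= self.timeout_s

    def outbound(self, lan_ip: str, dst_port: int, now: float) -> bool:
        """Outbound packet from lan_ip; True if lan_ip now owns the rule."""
        if dst_port != self.trigger_port:
            return False
        if self._expired(now):
            self.owner = None                 # previous user timed out
        if self.owner in (None, lan_ip):
            self.owner, self.last_seen = lan_ip, now
            return True
        return False                          # another host still holds the rule

    def inbound(self, dst_port: int, now: float) -> Optional[str]:
        """LAN IP to forward an inbound packet to, or None to drop it."""
        if dst_port not in self.open_ports or self.owner is None:
            return None
        if self._expired(now):
            self.owner = None
            return None
        self.last_seen = now                  # assumption: activity keeps the rule alive
        return self.owner


def demo() -> List:
    """Two LAN hosts compete for one rule; returns the decisions in order."""
    rule = PortTrigger("game", trigger_port=6112, open_ports={6113, 6114}, timeout_s=120)
    return [
        rule.outbound("192.168.0.10", 6112, now=0),     # host A claims the rule
        rule.inbound(6113, now=5),                      # forwarded to A
        rule.outbound("192.168.0.11", 6112, now=10),    # host B refused
        rule.inbound(6200, now=11),                     # port not in the rule: dropped
        rule.outbound("192.168.0.11", 6112, now=200),   # A idle for >120 s, B claims
        rule.inbound(6114, now=201),                    # forwarded to B
    ]


if __name__ == "__main__":
    print(demo())
```

The state also shows the exposure a trigger creates: for the lifetime of the ownership, anything on the Internet can reach the open ports on that LAN host, so keep the open-port range narrow and the time-out short.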
Administrator access is read/write and guest access is read-only.
Changing the Passwords and Login Timeout
The default password for the firewall's Web Configuration Manager is password. NETGEAR recommends that you change this password to a more secure password.
Enabling Remote Management Access
Using the Remote Management page, you can allow an administrator on the Internet to configure, upgrade, and check the status of your FVS124G VPN Firewall. You must be logged in locally to enable remote management (see ... Note: Be sure to change the firewall's default configuration password to a very secure password before enabling remote management; the administrative interface is then reachable from the Internet, so if the page lets you limit the remote IP address or range, do so.
... FVS124G.
Command Line Interface
Note: The command line interface is not supported at this time. Check the NETGEAR Web site for the latest status.
... from the Windows Start menu Run option. For TRACERT...
You can access the command line interface (CLI) either by using telnet or by connecting a terminal to the console port on the front of the unit. Telnet carries the login in clear text, so use the console port or confine telnet sessions to the LAN. To access the CLI from a communications terminal when the FVS124G VPN Firewall is still set to its factory defaults (or use your own settings if you have changed them), do the following: From the command line prompt, enter the following command:...
Figure 8-3: Traffic Limit Reached alert
Login Failures and Attacks
Figure 8-3 shows the Log screen that is invoked by clicking Logs and Email under Security on the Main Menu bar.
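The log screen is where login failures and attacks show up, and Table 6-7 in the previous chapter lists the fields each entry carries. The following added example, written for this page and not taken from the FVS124G, parses log lines with those fields and flags sources that fail to log in repeatedly. The line layout, the sample entries and the threshold (three failures within ten minutes) are all constructed for the example; the real export will need its own regular expression.

```python
"""Added example (not the FVS124G's log format or code): parse firewall log
lines carrying the fields of Table 6-7 (date and time, description and
action, source port and interface, destination) and flag sources with
repeated login failures. The line layout below is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Entry(NamedTuple):
    when: datetime
    description: str
    src_ip: str
    src_port: int
    interface: str     # "WAN" or "LAN"
    dst: str


# Constructed sample lines, not captured from a device.
SAMPLE_LOG = """\
2005-03-01 10:15:22 Login failure src=203.0.113.7:51234 if=WAN dst=192.168.0.1:80
2005-03-01 10:15:40 Login failure src=203.0.113.7:51240 if=WAN dst=192.168.0.1:80
2005-03-01 10:16:03 Login failure src=203.0.113.7:51251 if=WAN dst=192.168.0.1:80
2005-03-01 10:20:11 Login failure src=192.168.0.25:3344 if=LAN dst=192.168.0.1:80
2005-03-01 10:21:00 Login success src=192.168.0.25:3350 if=LAN dst=192.168.0.1:80
2005-03-01 11:02:45 Blocked inbound src=198.51.100.9:4444 if=WAN dst=192.168.0.1:23
"""

# Assumed layout: "<date> <time> <description> src=<ip>:<port> if=<WAN|LAN> dst=<host:port>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<desc>.+?) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) if=(?P<iface>WAN|LAN) dst=(?P<dst>\S+)$")


def parse(text: str) -> List[Entry]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                     # unknown layout: skip rather than guess
        entries.append(Entry(datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                             m["desc"], m["sip"], int(m["sport"]), m["iface"], m["dst"]))
    return entries


def login_failure_sources(entries: List[Entry], threshold: int = 3,
                          window: timedelta = timedelta(minutes=10)) -> Dict[str, int]:
    """Sources with at least `threshold` 'Login failure' entries inside one
    sliding window; the value is the largest count seen in any window."""
    by_src = defaultdict(list)
    for e in entries:
        if e.description == "Login failure":
            by_src[e.src_ip].append(e.when)
    flagged: Dict[str, int] = {}
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[src] = max(flagged.get(src, 0), count)
    return flagged


def wan_sources(entries: List[Entry]) -> List[str]:
    """Every address that touched the firewall from the Internet side."""
    return sorted({e.src_ip for e in entries if e.interface == "WAN"})


if __name__ == "__main__":
    parsed = parse(SAMPLE_LOG)
    print(login_failure_sources(parsed))
    print(wan_sources(parsed))
```

A login failure whose interface is WAN is worth a second look on its own: it means the management interface was reachable from the Internet at that moment, which should only be true if remote management was deliberately enabled.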
Select the types of alerts to email. Enable email alerts. Accumulate 64 messages before sending a log email. Wait 24 hours before sending an email. Accumulate 8 messages before sending an alert email.
Monitoring
You can view status information about the firewall, WAN ports, LAN ports, and VPN tunnels, and program SNMP connections.
Viewing VPN Firewall Status and Time Information
Firewall Status
The Router Status menu provides status and usage information.
Figure 8-5: Router Status screen
Table 8-1. Router Status
System Name: This is the Account Name that you entered in the Basic Settings page.
Firmware Version: This is the current software the router is using. This will change if you upgrade your router.
Figure 8-6: Time information on the Schedule screen
If supported for your region, you can check Automatically adjust for Daylight Savings Time.
Table 8-1. Current date and time
Use Default NTP Servers: If enabled, the system clock is updated regularly by contacting a default NETGEAR NTP (Network Time Protocol) server on the Internet.
Use Custom NTP Servers: If you prefer to use a particular NTP server, enable this and enter the name or IP address of an NTP server in the Server 1 Name/IP Address field. Log entries and schedules are stamped with this clock, so use a time source you trust; a wrong clock makes log correlation with other systems unreliable.
Dynamic DNS Status
Invoke the Dynamic DNS Status screen from the Dynamic DNS screen by clicking Show Status to see the current DDNS status in a sub-window. Figure 8-8: Dynamic DNS Status screen.
Internet Traffic Information
The Internet Traffic screen provides the following information:...
Figure 8-9: Internet Traffic information
LAN Ports and Attached Devices
Known PCs and Devices
The Attached Devices menu contains a table of all IP devices that the firewall has discovered on the local network.
Figure 8-10: Network Database screen
The Network Database is an automatically-maintained list of all known PCs and network devices. PCs and devices become known by the following methods: •...
Note: If the firewall is rebooted, the table data is lost until the firewall rediscovers the devices. To force the firewall to look for attached devices, click the Refresh button.
DHCP Log
You can view the DHCP log.
Table 8-1. Port Triggering Status data
Rule: The name of the rule.
LAN IP Address: The IP address of the PC currently using this rule.
Open Ports: The incoming ports which are associated with this rule.
Figure 8-13: Logs and email screen
Select the types of logs to email. Enable emailing of logs. Enable system logs. Accumulate 64 messages before sending a log email.
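The three numbers on the Logs and E-mail screen (64 log messages per e-mail, a 24-hour wait, 8 messages per alert e-mail; the same settings appear as Log Threshold Time and Alert Queue Length in the previous chapter) determine how long an event can sit in the queue before anyone hears about it. The following added example, written for this page and not the appliance's code, models that batching so the effect can be seen. The counts and the wait are taken from the page; the reading that a partial log batch is sent once either the count or the wait is reached is an assumption, and the clock is passed in explicitly so the behaviour is deterministic.

```python
"""Added example (not the appliance's code): the e-mail batching policy the
Logs and E-mail screen describes. Counts and the 24-hour wait come from
the page; sending a partial batch when either limit is reached is an
assumption made here."""
from typing import List, Optional, Tuple

Email = Tuple[str, List[str]]   # (kind, lines)


class LogMailer:
    def __init__(self, log_count: int = 64, log_max_wait_s: float = 24 * 3600,
                 alert_count: int = 8):
        self.log_count = log_count
        self.log_max_wait_s = log_max_wait_s
        self.alert_count = alert_count
        self.logs: List[str] = []
        self.alerts: List[str] = []
        self.first_log_at: Optional[float] = None
        self.sent: List[Email] = []          # stands in for the SMTP delivery

    def _send(self, kind: str, lines: List[str]) -> None:
        self.sent.append((kind, list(lines)))
        lines.clear()

    def _flush_logs(self) -> None:
        self._send("log", self.logs)
        self.first_log_at = None

    def add_log(self, line: str, now: float) -> None:
        if not self.logs:
            self.first_log_at = now          # start the wait timer on the first entry
        self.logs.append(line)
        if len(self.logs) >= self.log_count:
            self._flush_logs()

    def add_alert(self, line: str, now: float) -> None:
        self.alerts.append(line)
        if len(self.alerts) >= self.alert_count:
            self._send("alert", self.alerts)

    def tick(self, now: float) -> None:
        """Periodic timer: send a partial log batch once it has waited long enough."""
        if self.logs and now - self.first_log_at >= self.log_max_wait_s:
            self._flush_logs()


def demo() -> dict:
    m = LogMailer()
    for i in range(63):
        m.add_log(f"entry {i}", now=0)
    after_63 = len(m.sent)                   # nothing sent yet
    m.add_log("entry 63", now=1)
    after_64 = len(m.sent)                   # count reached: one log e-mail
    m.add_log("lone entry", now=10)
    m.tick(now=10 + 23 * 3600)
    before_24h = len(m.sent)                 # still waiting
    m.tick(now=10 + 24 * 3600)
    after_24h = len(m.sent)                  # wait reached: partial batch sent
    for i in range(8):
        m.add_alert(f"alert {i}", now=0)
    return {
        "after_63": after_63, "after_64": after_64,
        "before_24h": before_24h, "after_24h": after_24h,
        "alert_emails": sum(1 for kind, _ in m.sent if kind == "alert"),
        "sizes": [len(lines) for _, lines in m.sent],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the latency: with these settings a single blocked attack can wait up to 24 hours in the log queue, and an alert waits until seven more alerts arrive. If you want to hear about login failures or attacks promptly, set the alert queue length to 1.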
Invoke the Firewall Log screen from the Logs and Email screen. Figure 8-14: Firewall Log screen (invoked from Logs and Email screen).
VPN Tunnels
You can view the status of the VPN tunnels. Figure 8-15: VPN Status/Log and IPSec Connection Status screens.
Table 8-1. VPN Status data
Policy Name: ...
State: The current status of the SA. Phase 1 is the Authentication phase and Phase 2 is the Key Exchange phase (the names the VPN client uses for its two proposals).
Action: Use this button to terminate/build the SA (connection) if required.
... Back to return to the Diagnostics screen.
Perform a DNS Lookup: A DNS (Domain Name System) server converts an Internet name (e.g. www.netgear.com) to an IP address. If you need the IP address of a Web, FTP, Mail or other server on the Internet, you can do a DNS lookup to find the IP address.
This file can be saved (backed up) to a user's PC, retrieved (restored) from the user's PC, or cleared to factory default settings. The backup holds the firewall's whole configuration, including VPN policies and their pre-shared keys, so store it where only administrators can read it. You can also upgrade the firewall software with the latest version from NETGEAR. From the Main Menu of the browser interface, under the Management heading, select the Settings Backup heading to bring up the menu shown below.
... NETGEAR. Upgrade files can be downloaded from NETGEAR's website. If the upgrade file is compressed (.ZIP file), you must first extract the binary (.TRX) file before sending it to the firewall. The upgrade file can be sent to the firewall using your browser.
Figure 8-19: Router Upgrade menu
To upload new firmware: Download and unzip the new software file from NETGEAR. In the Router Upgrade menu, click the Browse button and browse to the location of the binary image (.IMG) upgrade file. Click Upload.
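Unzipping the download is the one step in the upgrade where the operator handles the image directly, so it is the place to record what was actually uploaded. The following added example, written for this page and not NETGEAR tooling, extracts the single firmware image from a .ZIP while refusing path-traversal member names, and returns its SHA-256 so the value can be kept with the change record and compared on the next download. It does not assume NETGEAR publishes a digest; the archive here is built in memory with placeholder bytes and both file suffixes the manual mentions are accepted.

```python
"""Added example (not NETGEAR tooling): pull the firmware image out of a
downloaded .ZIP safely and record its SHA-256 before uploading it.
The sample archive is constructed in memory; the .trx member holds
placeholder bytes, not firmware."""
import hashlib
import io
import zipfile
from pathlib import PurePosixPath
from typing import Tuple

FIRMWARE_SUFFIXES = (".trx", ".img")   # both spellings appear in the manual


def _safe_member(name: str) -> bool:
    """Reject empty names, directories, absolute paths and '..' components
    (the "zip slip" path-traversal problem)."""
    if not name or name.endswith("/"):
        return False
    p = PurePosixPath(name)
    if p.is_absolute() or ".." in p.parts:
        return False
    return True


def extract_firmware(zip_bytes: bytes) -> Tuple[str, bytes, str]:
    """Return (member name, contents, SHA-256 hex) for the single firmware image.

    Exactly one candidate image is required; an archive with none or with
    several is refused rather than guessed at."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        candidates = [n for n in zf.namelist() if n.lower().endswith(FIRMWARE_SUFFIXES)]
        if len(candidates) != 1:
            raise ValueError(f"expected exactly one firmware image, found {candidates}")
        name = candidates[0]
        if not _safe_member(name):
            raise ValueError(f"unsafe member name: {name!r}")
        data = zf.read(name)
    return name, data, hashlib.sha256(data).hexdigest()


def build_sample_zip() -> bytes:
    """Constructed archive: release notes plus one (fake) .trx image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "release notes")
        zf.writestr("fvs124g_v1.0.trx", b"abc")   # placeholder bytes, not firmware
    return buf.getvalue()


if __name__ == "__main__":
    member, image, digest = extract_firmware(build_sample_zip())
    print(f"{member}: {len(image)} bytes, sha256 {digest}")
```

Write the digest into the change ticket alongside the firmware version the Router Status screen reports after the reboot; if the same version is ever re-downloaded with a different digest, that is the moment to stop and ask why.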
• To restore the factory default configuration settings without knowing the login password or IP address, you must use the Default Reset button on the front panel of the firewall (see “... Router's Front Panel”... Anyone with physical access to the unit can do the same, so keep the firewall in a locked location.
• Check that you are using the 12 V DC power adapter supplied by NETGEAR for this product. If the error persists, you have a hardware problem and should contact technical support.
LEDs Never Turn Off
When the firewall is turned on, the LEDs turn on for about 10 seconds and then turn off. If all the LEDs stay on, there is a fault within the firewall.
Troubleshooting the Web Configuration Interface
If you are unable to access the firewall's Web Configuration interface from a PC on your local network, check the following: •...
... IP address from the ISP. You can determine whether the request was successful using the Web Configuration Manager. To check the WAN IP address: Launch your browser and select an external site such as www.netgear.com. Access the Main Menu of the firewall's configuration at ... Under the Management heading, select Router Status. Check that an IP address is shown for the WAN Port. If 0.0.0.0 is shown, your firewall has not obtained an IP address from your ISP.
Configure your firewall to spoof your PC's MAC address. This can be done in the Basic Settings menu. Refer to “Manually Configuring Your Internet Connection” on page ... If your firewall can obtain an IP address, but your PC is unable to load any web pages from the Internet: •...
If the path is not working, you see this message: Request timed out. If the path is not functioning correctly, you could have one of the following problems: •...
— Your ISP could be rejecting the Ethernet MAC addresses of all but one of your PCs. Many broadband ISPs restrict access by only allowing traffic from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single PC connected to that modem.
• Time is off by one hour. Cause: The firewall does not automatically sense Daylight Saving Time. In the E-Mail menu, check or uncheck the box marked “Adjust for Daylight Savings Time”.
This appendix provides technical specifications for the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports.
Network Protocol and Standards Compatibility: Data and Routing Protocols: ...
Power Adapter: Voltage and amperage: ...
Physical Specifications: Dimensions: ... Weight: ...
Environmental Specifications: Operating temperature: ... Operating humidity: ...
Electromagnetic Emissions: ...
Interface Specifications
LAN: 10BASE-T or 100BASE-Tx, RJ-45
WAN: 10BASE-T or 100BASE-Tx
Appendix B Network, Routing, Firewall, and Basics
This appendix provides an overview of IP networks, routing, and networking.
Related Publications
As you read this document, you may be directed to various RFC documents for further information. An RFC is a Request For Comment (RFC) published by the Internet Engineering Task Force (IETF), an open organization that defines the architecture and operation of the Internet.
What is a Router?
A router is a device that forwards traffic between networks based on network layer information in the data and on routing tables maintained by the router. In these routing tables, a router builds up a logical picture of the overall network by gathering and exchanging information with other routers in the network.
... 195.34.12.7. The latter version is easier to remember and easier to enter into your computer. In addition, the 32 bits of the address are subdivided into two parts. The first part of the address identifies the network, and the second part identifies the host node or station on the network.
... 128.1.x.x to 191.254.x.x. • Class C: Class C addresses can have 254 hosts on a network. Class C addresses use 24 bits for the network address and eight bits for the node.
As a shorter alternative to dotted-decimal notation, the netmask may also be expressed in terms of the number of ones from the left. This number is appended to the IP address, following a slash (/), as “/n.”
Although the preceding example uses the entire third octet for a subnet address, note that you are not restricted to octet boundaries in subnetting. To create more network numbers, you need only shift some bits from the host address to the network address.
Table 9-2. Netmask Formats
255.255.255.0 (/24), 255.255.255.128 (/25), 255.255.255.192 (/26), 255.255.255.224 (/27), 255.255.255.240 (/28), 255.255.255.248 (/29), 255.255.255.252 (/30), 255.255.255.254 (/31), 255.255.255.255 (/32)
Configure all hosts on a LAN segment to use the same netmask for the following reasons: •...
Single IP Address Operation Using NAT
In the past, if multiple PCs on a LAN needed to access the Internet simultaneously, you had to obtain a range of IP addresses from the ISP.
This scheme offers the additional benefit of firewall-like protection because the internal LAN addresses are not available to the Internet through the translated connection. Unsolicited incoming connections are dropped by the router because no translation entry exists for them; the exceptions are the ports you deliberately expose with Port Forwarding or Port Triggering. NAT hides addresses but does not inspect what it forwards, so it complements the firewall rules rather than replacing them.
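Why a translated connection drops unsolicited traffic is clearer with the translation table in front of you. The following added example, written for this page and not FVS124G firmware, keeps a port-address-translation table: outbound connections create entries, inbound packets are delivered only when an entry (or a static Port Forwarding mapping) exists. The public port range, the addresses and the decision to accept replies only from the remote host the entry was created for are assumptions of the example, not statements about the appliance.

```python
"""Added example (not FVS124G firmware): a port-address-translation table
showing why NAT gives "firewall-like" protection. Outbound connections
create mappings; an inbound packet is forwarded only if it matches a
mapping or a static Port Forwarding entry, otherwise it is dropped.
Accepting replies only from the mapped remote host is an assumption."""
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]   # (ip, port)


class Nat:
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table: Dict[int, Tuple[Endpoint, Endpoint]] = {}   # public port -> (lan, remote)
        self.forwards: Dict[int, Endpoint] = {}                  # public port -> lan (static)

    def port_forward(self, public_port: int, lan: Endpoint) -> None:
        """Static mapping, i.e. the Port Forwarding feature: always reachable."""
        self.forwards[public_port] = lan

    def outbound(self, lan: Endpoint, remote: Endpoint) -> Tuple[str, int]:
        """Translate a LAN source; returns the public (ip, port) the remote sees."""
        for pub_port, (l, r) in self.table.items():
            if l == lan and r == remote:
                return self.public_ip, pub_port       # reuse the existing mapping
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = (lan, remote)
        return self.public_ip, pub_port

    def inbound(self, remote: Endpoint, public_port: int) -> Optional[Endpoint]:
        """LAN endpoint to deliver to, or None if the packet is dropped."""
        if public_port in self.forwards:
            return self.forwards[public_port]
        entry = self.table.get(public_port)
        if entry is None:
            return None                               # unsolicited: no mapping exists
        lan, expected_remote = entry
        if remote != expected_remote:
            return None                               # not the host we talked to
        return lan


def demo() -> dict:
    """Constructed traffic (RFC 5737 addresses on the Internet side)."""
    nat = Nat("203.0.113.10")
    pub = nat.outbound(("192.168.0.10", 51000), ("198.51.100.20", 80))
    nat.port_forward(8080, ("192.168.0.50", 80))
    return {
        "public": pub,                                                   # what the web server sees
        "reply": nat.inbound(("198.51.100.20", 80), pub[1]),             # delivered to the LAN PC
        "unsolicited": nat.inbound(("198.51.100.99", 4444), 22),        # dropped
        "wrong_remote": nat.inbound(("198.51.100.99", 80), pub[1]),      # dropped
        "forwarded": nat.inbound(("198.51.100.99", 4444), 8080),        # static mapping: delivered
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:12} -> {v}")
```

The last entry is the one that matters operationally: every Port Forwarding entry is a hole in the "firewall-like protection", reachable by anyone on the Internet, so each one should be backed by a rule that limits the WAN users allowed to use it.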
Many of the resources on the Internet can be addressed by simple descriptive names such as www.NETGEAR.com. This addressing is very helpful at the application level, but the descriptive name must be translated to an IP address in order for a user to actually contact the resource. Just as...
What is a Firewall?
A firewall is a device that protects one network from another, while allowing communication between the two. A firewall incorporates the functions of the NAT router, while adding features for dealing with a hacker intrusion or attack.
Table B-1. UTP Ethernet cable wiring, straight-through
Pin 1: Orange/White, Transmit (Tx) +
Pin 2: Orange, Transmit (Tx) -
Pin 3: Green/White, Receive (Rx) +
Pin 4: Blue
Pin 5: Blue/White
Pin 6: Green, Receive (Rx) -
Pin 7: Brown/White...
Inside Twisted Pair Cables
For two devices to communicate, the transmitter of each device must be connected to the receiver of the other device. The crossover function is usually implemented internally as part of the circuitry in the device.
Figure B-3: Category 5 UTP Cable with Male RJ-45 Plug at Each End
Note: Flat “silver satin” telephone cable may have the same RJ-45 plug. However, using telephone cable results in excessive collisions, causing the attached port to be partitioned or disconnected from the network.
The FVS124G VPN Firewall incorporates Auto Uplink technology (also called MDI/MDIX). Each LOCAL Ethernet port will automatically sense whether the Ethernet cable plugged into the port should have a normal connection (e.g. ...
This appendix describes how to prepare your network to connect to the Internet through the FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports and how to verify the readiness of broadband Internet service from an Internet service provider (ISP). Note: If an ISP technician configured your computer during the installation of a broadband modem, or if you configured it using instructions provided by your ISP, you may need to copy the current configuration information for use in the configuration of...
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports In your IP network, each PC and the firewall must be assigned a unique IP addresses. Each PC must also have certain other IP configuration information such as a subnet mask (netmask), a domain name server (DNS) address, and a default gateway address.
Page 195
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports You must have an Ethernet adapter, the TCP/IP protocol, and Client for Microsoft Networks. Note: It is not necessary to remove any other network components shown in the Network window in order to install the adapter, TCP/IP, or Client for Microsoft Networks.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports If you need Client for Microsoft Networks: Click the Add button. Select Client, and then click Add. Select Microsoft. Select Client for Microsoft Networks, and then click OK. Restart your PC for the changes to take effect.
Page 197
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports Verify the following settings as shown: • Client for Microsoft Network exists • Ethernet adapter is present • TCP/IP is present • Primary Network Logon is set to Windows logon Click on the Properties button.
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports • By default, the IP Address tab is open on this window. • Verify the following: Obtain an IP address automatically is selected. If not selected, click in the radio button to the left of it to select it.
From the drop-down box, select your Ethernet adapter. The window is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: •...
Enabling DHCP to Automatically Configure TCP/IP Settings You will find there are many similarities in the procedures for different Windows systems when using DHCP to configure TCP/IP. The following steps will walk you through the configuration process for each of these versions of Windows.
• Now you should be at the Local Area Network Connection Status window. This box displays the connection status, duration, speed, and activity statistics. •...
• Verify that the Obtain an IP address automatically radio button is selected. • Verify that the Obtain DNS server address automatically radio button is selected. •...
• Click on the My Network Places icon on the Windows desktop. This will bring up a window called Network and Dial-up Connections. • Right click on Local Area Connection and select Properties. •...
• With Internet Protocol (TCP/IP) selected, click on Properties to open the Internet Protocol (TCP/IP) Properties dialog box. • Verify that Obtain an IP address automatically is selected.
DHCP Configuration of TCP/IP in Windows NT4 Once you have installed the network card, you need to configure the TCP/IP environment for Windows NT 4.0. Follow this procedure to configure TCP/IP with DHCP in Windows NT 4.0. •...
• Highlight the TCP/IP Protocol in the Network Protocols box, and click on the Properties button. C-14 202-10085-01, March 2005 Preparing Your Network...
Type ipconfig /all Your IP configuration information will be listed, and should match the values below if you are using the default TCP/IP settings that NETGEAR recommends for connecting through a router or gateway: • The IP address is between 192.168.1.2 and 192.168.1.254 (an address on the router's default 192.168.1.0/24 LAN; a 169.254.x.x address means the host never reached the DHCP server) •...
• The default gateway is 192.168.1.1 Type exit Configuring the Macintosh for TCP/IP Networking Beginning with Macintosh Operating System 7, TCP/IP is already installed on the Macintosh. On each networked Macintosh, you will need to configure TCP/IP to use DHCP.
TCP/IP Control Panel. From the Apple menu, select Control Panels, then TCP/IP. The panel is updated to show your settings, which should match the values below if you are using the default TCP/IP settings that NETGEAR recommends: •...
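The ipconfig /all check described above can be automated for a whole office of PCs. What follows is an added example, not code from the manual or from NETGEAR; it assumes the firewall still has its factory LAN address 192.168.1.1/24, and the ipconfig output it parses is a constructed sample in the Windows 2000/XP layout, not a capture from a real machine. The function names parse_ipconfig, check_dhcp_client and next_hop are my own. Besides comparing the address, mask and gateway against the expected values, it flags the two states the manual's checklist does not spell out: a 169.254.x.x automatic address (the DHCP server was never reached) and a gateway that is off the host's own subnet (and therefore unreachable). next_hop shows what the subnet mask is actually for: deciding whether a destination is delivered directly or handed to the gateway.

```python
import ipaddress
import re

# Defaults the manual expects on a LAN host that took its address from the
# FVS124G's DHCP server (assumption: the router still has its factory LAN
# address 192.168.1.1/24; change these if the LAN was renumbered).
EXPECTED_NETWORK = ipaddress.ip_network("192.168.1.0/24")
EXPECTED_GATEWAY = ipaddress.ip_address("192.168.1.1")

# Constructed sample of `ipconfig /all` output (Windows 2000/XP layout), not
# captured from a real machine; only the fields the check reads are included.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Intel(R) PRO/1000 MT Network Connection
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.1.23
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.1
        DHCP Server . . . . . . . . . . . : 192.168.1.1
        DNS Servers . . . . . . . . . . . : 192.168.1.1
"""

# "Label . . . . : value" lines; the label is the text before the dot leaders.
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 \-]*?)[ .]*:\s*(.*?)\s*$")


def parse_ipconfig(text):
    """Map lower-cased field names to values for the first adapter in the output."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD.match(line)
        if m:
            fields.setdefault(m.group(1).strip().lower(), m.group(2))
    return fields


def _address_and_mask(fields):
    # Windows 2000/XP print "IP Address"; Vista and later print "IPv4 Address ... (Preferred)".
    addr = (fields.get("ip address") or fields.get("ipv4 address", "")).split("(")[0].strip()
    return ipaddress.ip_interface(f"{addr}/{fields['subnet mask']}")


def check_dhcp_client(text, network=EXPECTED_NETWORK, gateway=EXPECTED_GATEWAY):
    """Return the list of ways the host's settings differ from what the router should
    have handed out; an empty list means the host is ready to talk to the firewall."""
    f = parse_ipconfig(text)
    problems = []
    if f.get("dhcp enabled", "").lower() != "yes":
        problems.append("DHCP is not enabled: the host has a static address")
    try:
        iface = _address_and_mask(f)
    except (KeyError, ValueError) as e:
        return problems + [f"could not read the IP address and subnet mask ({e})"]
    if iface.ip in ipaddress.ip_network("169.254.0.0/16"):
        problems.append("169.254.x.x is an automatic private address: the DHCP server was never reached")
    elif iface.network != network:
        problems.append(f"host is on {iface.network}, expected {network}")
    elif iface.ip == gateway or iface.ip in (network.network_address, network.broadcast_address):
        problems.append(f"host address {iface.ip} is not a usable client address on {network}")
    try:
        gw = ipaddress.ip_address(f["default gateway"])
    except (KeyError, ValueError):
        return problems + ["no default gateway"]
    if gw != gateway:
        problems.append(f"default gateway is {gw}, expected {gateway}")
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not on the host's subnet {iface.network}, so it is unreachable")
    return problems


def next_hop(text, destination):
    """What the subnet mask decides: 'direct' if the destination is on the local
    subnet, otherwise the gateway address the packet is handed to."""
    f = parse_ipconfig(text)
    iface = _address_and_mask(f)
    return "direct" if ipaddress.ip_address(destination) in iface.network else f["default gateway"]
```

Run it against the saved output of ipconfig /all from each PC; anything other than an empty list is a host that will not reach the firewall, and the message says why.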
Verifying the Readiness of Your Internet Account For broadband access to the Internet, you need to contract with an Internet service provider (ISP) for a single-user Internet access account using a cable modem or DSL modem. This modem must be a separate physical box (not a card) and must provide an Ethernet port intended for connection to a Network Interface Card (NIC) in a computer.
• An IP address and subnet mask • A gateway IP address, which is the address of the ISP’s router • One or more domain name server (DNS) IP addresses •...
If an IP address appears under Installed Gateways, write down the address. This is the ISP’s gateway address. Select the address and then click Remove to remove the gateway address. Select the DNS Configuration tab.
Restarting the Network Once you’ve set up your computers to work with the firewall, you must reset the network for the devices to be able to communicate correctly. Restart any computer that is connected to the FVS124G VPN Firewall.
There have been many improvements in the Internet, including Quality of Service, better network performance, and inexpensive access technologies such as DSL. One of the most important advances for business use has been Virtual Private Networking built on Internet Protocol security (IPSec). IPSec is one of the most complete, secure, and widely available standards-based protocol suites for protecting data in transit.
• Remote Access: Remote access enables telecommuters and mobile workers to access e-mail and business applications. A dial-up connection to an organization’s modem pool is one method of access for remote workers, but it is expensive because the organization must pay the associated long-distance telephone and service costs.
• Encapsulating Security Payload (ESP): Provides confidentiality of the payload and, optionally but in practice always, authentication and integrity. • Authentication Header (AH): Provides authentication and integrity for the whole packet, including the IP header, but no confidentiality; because the header is covered, AH cannot pass through NAT. • Internet Key Exchange (IKE): Provides key management and Security Association (SA) management.
The ESP header is inserted into the packet between the IP header and any subsequent packet contents, and the payload that follows it is encrypted. ESP does not encrypt the ESP header itself (the SPI and sequence number, which the receiver needs in the clear to find the right SA), nor the ESP authentication data (ICV) appended after the encrypted payload. The ICV is computed over the ESP header and the ciphertext, so a receiver verifies integrity before it decrypts anything.
Mode SAs operate using modes. A mode is the way the IPSec protocol is applied to the packet. IPSec can be used in tunnel mode or transport mode. Typically, tunnel mode is used for gateway-to-gateway protection: the whole original IP packet is encrypted and wrapped in a new IP header carrying the two gateways’ addresses, so the hosts’ addresses are hidden on the path. Transport mode is used for host-to-host protection: the original IP header stays in the clear and only the payload that follows it is protected.
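To make the ESP layout and the tunnel/transport distinction concrete, here is an added example in Python; it is not code from the manual or from NETGEAR's firmware. It builds SPI | Seq | encrypted(payload | padding | pad length | next header) | ICV exactly as described above, applies it to a constructed IPv4 packet in both modes, and reverses it. Two things are deliberately stand-ins and are labelled so in the code: the "cipher" is HMAC-SHA256 run in counter mode (a real SA negotiates a block cipher such as 3DES or AES), and the SA keys are fixed demo values rather than IKE output. The helper names (esp_wrap, protect, outer_addresses, new_sa and so on) are my own. What it shows that the prose does not: the ICV is checked before any decryption, the sequence number gives the receiver a replay check, and an observer on the WAN sees gateway addresses in tunnel mode but the hosts' own addresses in transport mode.

```python
import hashlib
import hmac
import ipaddress
import struct

ESP_PROTO = 50   # IP protocol number of ESP
IP_IN_IP = 4     # ESP "next header" value when the payload is a whole IPv4 packet (tunnel mode)
ICV_LEN = 16     # truncated HMAC-SHA256; real SAs use e.g. HMAC-SHA1-96 or HMAC-SHA256-128


def ip_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header (checksum left zero; enough to show the layout)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)


def _keystream(key, spi, seq, length):
    """Toy stream cipher: HMAC-SHA256 in counter mode with nonce SPI||seq. It stands in
    for the block cipher a real SA negotiates and must not be used as a cipher."""
    blocks = [hmac.new(key, struct.pack("!IIQ", spi, seq, i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(data, keystream):
    return bytes(a ^ b for a, b in zip(data, keystream))


def esp_wrap(plaintext, next_header, sa):
    """SPI | Seq | E(payload | padding | pad_len | next_header) | ICV.
    Only the middle part is encrypted: SPI and Seq stay in the clear so the receiver can
    find the SA, and the ICV over header + ciphertext is appended unencrypted."""
    sa["seq"] += 1
    spi, seq = sa["spi"], sa["seq"]
    pad_len = (-(len(plaintext) + 2)) % 4               # trailer ends on a 4-byte boundary
    trailer = bytes(range(1, pad_len + 1)) + bytes([pad_len, next_header])
    header = struct.pack("!II", spi, seq)
    body = plaintext + trailer
    ciphertext = _xor(body, _keystream(sa["enc_key"], spi, seq, len(body)))
    icv = hmac.new(sa["auth_key"], header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    return header + ciphertext + icv


def esp_unwrap(packet, sa):
    """Check the ICV, reject replays, then decrypt; returns (next_header, plaintext)."""
    if len(packet) < 8 + 2 + ICV_LEN:
        raise ValueError("truncated ESP packet")
    header, ciphertext, icv = packet[:8], packet[8:-ICV_LEN], packet[-ICV_LEN:]
    spi, seq = struct.unpack("!II", header)
    if spi != sa["spi"]:
        raise ValueError("no SA for SPI 0x%x" % spi)
    expected = hmac.new(sa["auth_key"], header + ciphertext, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")      # never decrypt unauthenticated data
    if seq <= sa["last_seq"]:
        raise ValueError("replayed sequence number %d" % seq)
    sa["last_seq"] = seq
    body = _xor(ciphertext, _keystream(sa["enc_key"], spi, seq, len(ciphertext)))
    pad_len, next_header = body[-2], body[-1]
    return next_header, body[:len(body) - 2 - pad_len]


def protect(mode, ip_packet, sa):
    """Apply ESP to an IPv4 packet in 'transport' or 'tunnel' mode."""
    if mode == "transport":
        # original IP header | ESP | original payload: the hosts' addresses stay visible
        esp = esp_wrap(ip_packet[20:], ip_packet[9], sa)
        return ip_header(ip_packet[12:16], ip_packet[16:20], ESP_PROTO, len(esp)) + esp
    if mode == "tunnel":
        # new gateway-to-gateway IP header | ESP | whole original packet, header included
        esp = esp_wrap(ip_packet, IP_IN_IP, sa)
        return ip_header(sa["gw_local"], sa["gw_remote"], ESP_PROTO, len(esp)) + esp
    raise ValueError("mode must be 'transport' or 'tunnel'")


def unprotect(packet, sa):
    """Reverse protect(); returns the original IPv4 packet in either mode."""
    if packet[9] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    next_header, plaintext = esp_unwrap(packet[20:], sa)
    if next_header == IP_IN_IP:                          # tunnel mode: payload is the whole packet
        return plaintext
    return ip_header(packet[12:16], packet[16:20], next_header, len(plaintext)) + plaintext


def rejected(packet, sa):
    """True if the receiver drops the packet (bad ICV, unknown SPI, replay, truncation)."""
    try:
        unprotect(packet, sa)
        return False
    except ValueError:
        return True


def outer_addresses(packet):
    """What an observer on the WAN sees: (src, dst) of the outermost IP header."""
    return str(ipaddress.IPv4Address(packet[12:16])), str(ipaddress.IPv4Address(packet[16:20]))


def cleartext_fields(packet):
    """SPI and sequence number can be read by anyone on the path; no key is needed."""
    return struct.unpack("!II", packet[20:28])


def new_sa(spi, gw_local, gw_remote):
    """Constructed SA with fixed demo keys; a real SA gets its keys and SPI from IKE."""
    return {"spi": spi, "seq": 0, "last_seq": 0, "gw_local": gw_local, "gw_remote": gw_remote,
            "enc_key": b"\x11" * 32, "auth_key": b"\x22" * 32}
```

The sender's and receiver's copies of the SA share SPI and keys but track the sequence number separately (seq on the sending side, last_seq on the receiving side), which is why the receiver can recognise a replayed packet even though it verified correctly the first time.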
This TechNote provides case studies on how to configure secure IPSec VPN tunnels. This document assumes the reader has a working knowledge of NETGEAR management systems. NETGEAR is a member of the VPN Consortium, a group formed to facilitate IPSec VPN vendor interoperability. The VPN Consortium has developed specific scenarios to aid system administrators in the often confusing process of connecting two different vendor implementations of the IPSec standard.
VPN Process Overview Even though IPSec is standards-based, each vendor has its own set of terms and procedures for implementing the standard. Because of these differences, it may be a good idea to review some of the terms and the generic processes for connecting two gateways before diving into the specifics.
It is also important to make sure the addresses do not overlap or conflict. That is, each set of addresses should be separate and distinct: the two LANs must use different subnets, and neither gateway’s WAN address may fall inside either LAN. Table 9-1.
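The address-planning rule above is easy to get wrong when two offices were both set up with the same factory LAN range, so it is worth checking mechanically before anything is typed into either gateway. The following is an added example, not from the manual or from NETGEAR's software; it uses only Python's standard ipaddress module, and the function name plan_vpn_addresses and the sample addresses are my own. It catches an overlap between the two LANs, a LAN given as a host address instead of a network, a WAN address that sits inside one of the protected LANs, and a WAN address from a private range, which means that gateway is behind a NAT device that will have to pass IKE and ESP through to it.

```python
import ipaddress

# RFC 1918 ranges, tested explicitly: ipaddress's is_private also covers the
# documentation ranges (203.0.113.0/24 and friends) used in the samples below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def plan_vpn_addresses(local_lan, remote_lan, local_wan, remote_wan):
    """Check the four addresses of a gateway-to-gateway tunnel plan.
    Returns a list of problems; an empty list means the plan is consistent."""
    problems = []
    lans = {}
    for name, cidr in (("local LAN", local_lan), ("remote LAN", remote_lan)):
        try:
            lans[name] = ipaddress.ip_network(cidr, strict=True)
        except ValueError:
            # "192.168.1.1/24" names a host, not a network; the policy needs the network
            try:
                fixed = ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                problems.append(f"{name} {cidr!r} is not a valid network")
                continue
            problems.append(f"{name} {cidr!r} has host bits set; the network is {fixed}")
            lans[name] = fixed
    if len(lans) == 2 and lans["local LAN"].overlaps(lans["remote LAN"]):
        problems.append(f"local LAN {lans['local LAN']} and remote LAN {lans['remote LAN']} overlap: "
                        "hosts would treat far-side addresses as local and never send them into the tunnel")
    wans = {}
    for name, addr in (("local WAN", local_wan), ("remote WAN", remote_wan)):
        try:
            wans[name] = ipaddress.ip_address(addr)
        except ValueError:
            problems.append(f"{name} {addr!r} is not a valid IP address")
            continue
        for lan_name, lan in lans.items():
            if wans[name] in lan:
                problems.append(f"{name} {addr} lies inside the {lan_name} {lan}; "
                                "the tunnel endpoint must be outside both protected networks")
        if any(wans[name] in net for net in RFC1918):
            problems.append(f"{name} {addr} is a private address, so that gateway is probably behind NAT; "
                            "the NAT device must forward IKE (UDP 500) and ESP (IP protocol 50) to it")
    if len(wans) == 2 and wans["local WAN"] == wans["remote WAN"]:
        problems.append("local and remote WAN addresses are identical")
    return problems
```

Run it with the two LANs as they will appear in each gateway's VPN policy and the two WAN addresses as the ISPs assigned them; fix every reported problem before creating the policies, since an overlapping LAN in particular produces a tunnel that negotiates successfully but never carries traffic.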
Figure 9-8: VPN Tunnel SA (VPN Gateway A) The SA contains all the information necessary for gateway A to negotiate a secure and encrypted communication stream with gateway B: the peer’s address, which traffic is to be protected, and which algorithms and keys to use.
IKE Phase I. The two parties negotiate the encryption and authentication algorithms to use in the IKE SA, exchange Diffie-Hellman values to derive shared keying material, and authenticate each other using a predetermined mechanism, such as preshared keys or digital certificates. Both sides must offer at least one identical proposal; the responder can accept or reject an initiator’s proposal but cannot alter it.
LAN-side of the other gateway. You can troubleshoot connections using the VPN status and log details on the NETGEAR gateway to determine whether IKE negotiation is working and, if not, at which stage it fails. Common problems encountered in setting up VPNs include: •...
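The Phase I description and the troubleshooting note above both come down to one question: which of the responder's checks did the initiator fail? The following is an added example, not from the manual and not NETGEAR's IKE implementation; it models the responder's Phase I decisions in Python with constructed gateway configurations (the identities gwA.example.com and gwB.example.com, the proposal lists and the preshared key are all illustrative). The SKEYID derivation follows the preshared-key form in RFC 2409 section 5.4, with HMAC-SHA256 standing in for the negotiated prf, while the Diffie-Hellman values are replaced by random bytes since only the keyed hashes matter here. The function names select_proposal, nearest_mismatch, skeyid_psk, auth_hash and phase1 are my own. The outcome strings mirror the IKE notifications you would look for in the gateway log: NO-PROPOSAL-CHOSEN means the two configurations differ in some attribute, an unknown identity and a wrong preshared key are reported separately, and only a full match gives a Phase I SA.

```python
import hashlib
import hmac
import secrets

# Constructed Phase I configurations for two gateways. A proposal is
# (encryption, hash, Diffie-Hellman group, lifetime in seconds); the names,
# identities and preshared keys are illustrative, not taken from any device.
GATEWAY_A = {
    "id": b"gwA.example.com",
    "proposals": [("3DES", "SHA1", 2, 28800), ("AES-128", "SHA1", 2, 28800)],
    "psk_for": {b"gwB.example.com": b"correct horse battery staple"},
}
GATEWAY_B = {
    "id": b"gwB.example.com",
    "proposals": [("AES-128", "SHA1", 2, 28800), ("3DES", "MD5", 1, 28800)],
    "psk_for": {b"gwA.example.com": b"correct horse battery staple"},
}


def select_proposal(initiator_props, responder_props):
    """The responder takes the first initiator proposal it is also configured for.
    Every attribute must match: a responder may accept or reject a proposal but not
    edit it, so 'almost the same' settings on the two gateways yield no Phase I SA."""
    for prop in initiator_props:
        if prop in responder_props:
            return prop
    return None


def nearest_mismatch(initiator_props, responder_props):
    """For the log: the smallest set of attributes that kept any pair from matching."""
    names = ("encryption", "hash", "DH group", "lifetime")
    best = None
    for mine in initiator_props:
        for theirs in responder_props:
            diffs = [f"{n}: {a} vs {b}" for n, a, b in zip(names, mine, theirs) if a != b]
            if best is None or len(diffs) < len(best):
                best = diffs
    return best or []


def skeyid_psk(psk, nonce_i, nonce_r):
    """RFC 2409 section 5.4: with preshared keys, SKEYID = prf(PSK, Ni_b | Nr_b).
    HMAC-SHA256 stands in for the prf that the negotiated hash algorithm would define."""
    return hmac.new(psk, nonce_i + nonce_r, hashlib.sha256).digest()


def auth_hash(skeyid, transcript, identity):
    """Simplified HASH_I / HASH_R = prf(SKEYID, transcript | ID). In the real exchange the
    transcript is g^xi | g^xr | CKY-I | CKY-R | SAi_b; here it is whatever both sides saw."""
    return hmac.new(skeyid, transcript + identity, hashlib.sha256).digest()


def phase1(initiator, responder):
    """Run the responder's Phase I checks in order and return a log-style outcome string,
    so a failing tunnel can be attributed to proposals, identity or preshared key."""
    chosen = select_proposal(initiator["proposals"], responder["proposals"])
    if chosen is None:
        why = nearest_mismatch(initiator["proposals"], responder["proposals"])
        return "NO-PROPOSAL-CHOSEN (" + "; ".join(why) + ")"
    # Nonces and the Diffie-Hellman values travel in the clear; the PSK never does.
    nonce_i, nonce_r = secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = secrets.token_bytes(32) + repr(chosen).encode()   # stand-in for g^xi|g^xr|cookies|SAi_b
    psk_i = initiator["psk_for"].get(responder["id"])
    if psk_i is None:
        return "initiator has no preshared key configured for " + responder["id"].decode()
    hash_i = auth_hash(skeyid_psk(psk_i, nonce_i, nonce_r), transcript, initiator["id"])
    # The responder looks the key up by the initiator's identity; an unknown ID
    # and a wrong key are different failures and should be logged differently.
    psk_r = responder["psk_for"].get(initiator["id"])
    if psk_r is None:
        return "INVALID-ID-INFORMATION: no preshared key for " + initiator["id"].decode()
    expected = auth_hash(skeyid_psk(psk_r, nonce_i, nonce_r), transcript, initiator["id"])
    if not hmac.compare_digest(hash_i, expected):
        return "AUTHENTICATION-FAILED: preshared keys differ"
    return "Phase I established with %s/%s/DH group %d" % chosen[:3]
```

Note the order: proposal matching happens before any authentication, so a gateway log that reports an authentication failure tells you the algorithm settings already agree and only the identity or the preshared key is left to check.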
Glossary List of Glossary Terms Use the list below to find definitions for technical terms used in this manual. Numeric 10BASE-T IEEE 802.3 specification for 10 Mbps Ethernet over twisted pair wiring. 100BASE-Tx IEEE 802.3 specification for 100 Mbps Ethernet over twisted pair wiring. 802.1x 802.1x defines port-based network access control: a device must authenticate before its switch or access point port passes traffic, and the same exchange can deliver per-session encryption keys automatically.
Access Control List (ACL) An ACL is a list, attached to an object such as a file or directory (or, on a firewall, a service or address range), of which users or hosts may access that object and what they may do with it; the operating system or firewall consults it on every access. Ad-hoc Mode An 802.11 networking framework in which devices or stations communicate directly with each other, without the use of an access point (AP).
Broadcast A packet sent to all devices on a network. Class of Service A term to describe treating different types of traffic with different levels of service priority. Higher priority traffic gets faster treatment during times of switch congestion. Certificate Authority A Certificate Authority (CA) is a trusted third-party organization or company that issues digital certificates binding a public key to the identity of its holder. The key pair is normally generated by the holder, not the CA; the CA’s signature on the certificate is what lets others trust that the public key, and therefore signatures made with the matching private key, belong to that identity.
.com, .edu, .uk, etc. For example, in the address mail.NETGEAR.com, mail is a server name and NETGEAR.com is the domain. DSL Short for digital subscriber line, but commonly used in reference to the asymmetric version of this technology (ADSL), which allows data to be sent over existing copper telephone lines at data rates of from 1.5...
Ethernet A LAN specification developed jointly by Xerox, Intel and Digital Equipment Corporation. The original Ethernet transmits packets at 10 Mbps; Fast Ethernet (100BASE-Tx) raises this to 100 Mbps and Gigabit Ethernet, used on this firewall’s four LAN ports, to 1000 Mbps. Gateway A local device, usually a router, that connects hosts on a local network to other networks.
Internet Protocol The method or protocol by which data is sent from one computer to another on the Internet. Each computer (known as a host) on the Internet has at least one IP address that uniquely identifies it among all other computers on the Internet.
Local Area Network A communications network serving users within a limited area, such as one floor of a building. A LAN typically connects multiple personal computers and shared network devices such as storage and printers. Although many technologies exist to implement a LAN, Ethernet is the most common for connecting personal computers; a twisted-pair Ethernet cable run is limited to 100 meters (about 330 feet) per segment, with switches used to extend the network beyond that.
packet A block of information sent over a network. A packet typically contains a source and destination network address, some protocol and length information, a block of data, and a checksum. Point-to-Point Protocol PPP.
QoS See “Quality of Service” Quality of Service QoS is a networking term for mechanisms that give selected traffic a predictable level of service (bandwidth, delay, loss) rather than plain best effort. Throughput is the amount of data transferred from one device to another, or processed, in a specified amount of time; link speeds and throughput are normally quoted in bits per second (bps), and a figure given in bytes per second (Bps) is eight times as large.
Subnet Mask Combined with the IP address, the IP Subnet Mask allows a device to know which other addresses are local to it, and which must be reached through a gateway or router. TCP/IP The main internetworking protocols used in the Internet.
Wide Area Network A WAN is a computer network that spans a relatively large geographical area. Typically, a WAN consists of two or more local-area networks (LANs). Wi-Fi A certification trade name for IEEE 802.11 wireless networking (originally for 802.11b), given by the Wireless Ethernet Compatibility Alliance (WECA, now the Wi-Fi Alliance; see http://www.wi-fi.net), an industry standards group promoting interoperability among...