NETGEAR FVS318N Reference Manual

ProSafe Wireless-N 8-Port Gigabit VPN Firewall

350 East Plumeria Drive
San Jose, CA 95134
USA
September 2011
202-10836-01
1.0
ProSafe Wireless-N 8-Port
Gigabit VPN Firewall
FVS318N
Reference Manual

Summary of Contents for NETGEAR FVS318N

  • Page 1 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Reference Manual 350 East Plumeria Drive San Jose, CA 95134 September 2011 202-10836-01...
  • Page 2: Technical Support

    NETGEAR, Inc. Technical Support Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.
  • Page 3: Table Of Contents

    Chapter 1 Introduction: What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? (page 9); Key Features and Capabilities (page 10); Wireless Features.
  • Page 4 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Additional WAN-Related Configuration Tasks (page 45); Verify the Connection (page 45); What to Do Next.
  • Page 5 Test the Connection and View Connection and Status Information (page 175); Test the NETGEAR VPN Client Connection (page 175); NETGEAR VPN Client Status and Log Information.
  • Page 6 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure NetBIOS Bridging with IPSec VPN (page 217); Configure the L2TP Server (page 218); View the Active L2TP Users.
  • Page 7 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N System Management (page 276); Change Passwords and Administrator and Guest Settings.
  • Page 8 What Is Two-Factor Authentication? (page 337); NETGEAR Two-Factor Authentication Solutions (page 337)...
  • Page 9: Chapter 1 Introduction

    What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? The ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N, hereafter referred to as the wireless VPN firewall, connects your local area network (LAN) and wireless LAN (WLAN) to the Internet through an external broadband access device such as a modem or radio antenna, or another router.
  • Page 10: Key Features And Capabilities

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Key Features and Capabilities The wireless VPN firewall provides the following key features and capabilities: • A single 10/100/1000 Mbps Gigabit Ethernet WAN port • Built-in eight-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources •...
  • Page 11: Advanced VPN Support For Both IPSec And SSL

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Advanced VPN Support for Both IPSec and SSL The wireless VPN firewall supports IPSec and SSL virtual private network (VPN) connections: • IPSec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters.
  • Page 12: Security Features

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Security Features The wireless VPN firewall is equipped with several features designed to maintain security: • PCs hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN.
  • Page 13: Easy Installation And Management

    Internet connection, asking you only for the information required for your type of ISP account. • IPSec VPN Wizard. The wireless VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 14: Maintenance And Support

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Maintenance and Support NETGEAR offers the following features to help you maximize your use of the wireless VPN firewall: • Flash memory for firmware upgrades. • Technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR website at http://support.netgear.com/app/answers/detail/a_id/212.
  • Page 15 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Left WAN LED Power Left LAN LEDs (green) (green, one for each port) Right WAN LED Right LAN LEDs Wireless LED (white, one for each port) (white) Active WAN LED Test LED DMZ LED Figure 1.
  • Page 16 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 1. LED descriptions (continued) Activity Description LAN Ports Left LED The LAN port has no link. On (green) The LAN port has detected a link with a connected Ethernet device. Blinking (green) Data is being transmitted or received by the LAN port.
  • Page 17: Rear Panel

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Rear Panel The rear panel of the wireless VPN firewall includes a cable lock receptacle, a console port, a Reset button, and a DC power connection. Rear Panel Antennas (1) and (7) (6) Power...
  • Page 18: Bottom Panel With Product Label

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Bottom Panel with Product Label The product label on the bottom of the wireless VPN firewall’s enclosure displays factory default settings, regulatory compliance, and other information. Figure 3. Choose a Location for the Wireless VPN Firewall The wireless VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack.
  • Page 19: Chapter 2 Internet And Broadband Settings

    See the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Manual for complete steps. A PDF of the Installation Guide is on the NETGEAR support website. Log In to the Wireless VPN Firewall...
  • Page 20 To connect and log in to the wireless VPN firewall: Start any of the qualified web browsers. In the address field, enter https://192.168.1.1. The NETGEAR Configuration Manager Login screen displays in the browser. Note: The wireless VPN firewall factory default IP address is 192.168.1.1.
  • Page 21: Web Management Interface Menu Layout

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Login. The web management interface displays, showing the Router Status screen. The following figure shows the top part of the Router Status screen. For more information, see View the System Status on page 300.
  • Page 22 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The web management interface menu consists of the following components: • 1st level: Main navigation menu links. The main navigation menu in the orange bar across the top of the web management interface provides access to all the configuration functions of the wireless VPN firewall, and remains constant.
  • Page 23: Requirements For Entering Ip Addresses

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Enable. Enable the selected entry or entries in the table. • Disable. Disable the selected entry or entries in the table. • Add. Add an entry to the table. • Edit. Edit the selected entry.
  • Page 24: Set Up An IPv4 Internet Connection To Your ISP

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Set Up an IPv4 Internet Connection to Your ISP Complete these four tasks: Configure the Internet connections to your ISPs. During this phase, you connect to your ISP. See Configure the IPv4 Internet Connection on page 24.
  • Page 25: Let The Wireless VPN Firewall Automatically Detect And Configure An IPv4 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection To automatically configure the WAN port for an IPv4 connection to the Internet: Select Network Configuration > WAN Settings > Broadband ISP Settings (IPv4).
  • Page 26 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
  • Page 27: Manually Configure An IPv4 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 10. The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection...
  • Page 28 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the ISP Login section, select one of the following options: • If your ISP requires an initial login to establish an Internet connection, select Yes. (The default is No.) • If a login is not required, select No, and ignore the Login and Password fields.
  • Page 29 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 3. PPTP and PPPoE settings (continued) Setting Description Austria (PPTP) My IP Address The IP address assigned by the ISP to make the connection with the (continued) ISP server. Server IP The IP address of the PPTP server.
  • Page 30 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 4. Internet IP address settings Setting Description Get Dynamically If your ISP has not assigned you a static IP address, select the Get Dynamically from from ISP ISP radio button. The ISP automatically assigns an IP address to the wireless VPN firewall using DHCP network protocol.
  • Page 31: Configure The IPv4 WAN Mode

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Test to evaluate your entries. The wireless VPN firewall attempts to make a connection according to the settings that you entered. Click Apply to save your changes. Note: If your ISP requires MAC authentication and another MAC address...
  • Page 32: Configure The IPv6 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the IPv4 Routing Mode To configure the IPv4 routing mode: Select Network Configuration > WAN Settings. The WAN Mode screen displays. Figure 14. Select the NAT radio button or the Classical Routing radio button.
  • Page 33: Let The Wireless VPN Firewall Automatically Configure An IPv6 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Let the Wireless VPN Firewall Automatically Configure an IPv6 Internet Connection The wireless VPN firewall can autoconfigure its ISP settings through a DHCPv6 server by using either stateless or stateful address autoconfiguration: •...
  • Page 34: Manually Configure An IPv6 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the DHCPv6 section of the screen, select one of the following radio buttons: • Stateless Address Auto Configuration. • Stateful Address Auto Configuration. Click Apply to save your changes. To verify the connection, click the Broadband Status (IPv6) option arrow in the upper right of the screen to display the Connection Status pop-up screen.
  • Page 35 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 17. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6. In the Static IP Address section of the screen, enter the settings as explained in the following table.
  • Page 36: Configure IPv6 Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: If your ISP requires MAC authentication and another MAC address has been previously registered with your ISP, then you need to enter that address on the Broadband Advanced Options screen for the...
  • Page 37: Configure IPv6 Tunnels

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Select one of the following radio buttons: • IPv4 only mode. This is the default mode. • IPv4 / IPv6 mode. WARNING! Changing the IP routing mode causes the wireless VPN firewall to reboot.
  • Page 38 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure 6to4 Tunneling To enable 6to4 automatic tunneling: Select Network Configuration > IPv6 > 6 to 4 Tunneling. The 6 to 4 Tunneling screen displays: Figure 19. Select the Enable Automatic Tunneling check box.
  • Page 39 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 20. Click the Add table button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays: Figure 21. Specify the tunnel settings as explained in the following table.
  • Page 40: Configure Dynamic DNS

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To edit an ISATAP tunnel: On the ISATAP Tunnels screen, click the Edit button in the Action column for the tunnel that you want to modify. The Edit ISATAP Tunnel screen displays. This screen is identical to the Add ISATAP Tunnel screen.
  • Page 41 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N DDNS configuration screens.) The wireless VPN firewall firmware includes software that notifies DDNS servers of changes in the WAN IP address so that the services running on this network can be accessed by others on the Internet.
  • Page 42 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click the Information option arrow in the upper right of a DNS screen for registration information. Figure 24. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
  • Page 43: Configure Advanced WAN Options And Other Tasks

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure Advanced WAN Options and Other Tasks The advanced options include configuring the maximum transmission unit (MTU) size, port speed, wireless VPN firewall’s MAC address, and setting a rate limit on the traffic that is being forwarded by the wireless VPN firewall.
  • Page 44 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 9. Broadband Advanced Options screen settings Setting Description MTU Size Make one of the following selections: Default Select the Default radio button for the normal maximum transmit unit (MTU) value. For most Ethernet networks this value is 1500 bytes, or 1492 bytes for PPPoE connections.
  • Page 45: Additional WAN-Related Configuration Tasks

    If you want the ability to manage the wireless VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 278). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator and Guest Settings on page 276).
  • Page 46: Chapter 3 LAN Configuration

    LAN Configuration This chapter describes how to configure the advanced LAN features of your wireless VPN firewall. This chapter contains the following sections: • Manage IPv4 Virtual LANs and DHCP Options • Configure IPv4 Multihome LAN IP Addresses on the Default VLAN •...
  • Page 47: Port-Based VLANs

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N VLANs have a number of advantages: • It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group’s traffic is contained largely within the VLAN, reducing extraneous traffic and...
  • Page 48: Assign And Manage VLAN Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one of which is connected to the wireless VPN firewall, the other one to another device: Packets coming from the IP phone to the wireless VPN firewall LAN port are tagged.
  • Page 49: VLAN DHCP Options

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N For each VLAN profile, the following fields display in the VLAN Profiles table: • Check box. Allows you to select the VLAN profile in the table. • Status icon. Indicates the status of the VLAN profile: Green circle.
  • Page 50 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The wireless VPN firewall delivers the following settings to any LAN device that requests DHCP: • An IP address from the range that you have defined • Subnet mask • Gateway IP address (the wireless VPN firewall’s LAN IP address) •...
  • Page 51: Configure A VLAN Profile

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure a VLAN Profile For each VLAN on the wireless VPN firewall, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing capability. To add a VLAN profile: Select Network Configuration >...
  • Page 52 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 28. LAN Configuration...
  • Page 53 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in the following table: Table 10. Add VLAN Profile screen settings Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile. VLAN ID Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number.
  • Page 54 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 10. Add VLAN Profile screen settings (continued) Setting Description Enable DHCP Server Select the Enable DHCP Server radio button to enable the wireless VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.
  • Page 55 • OU (for organizational unit) • O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero).
  • Page 56: Configure VLAN MAC Addresses And LAN Advanced Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To edit a VLAN profile: On the LAN Setup (IPv4) screen (see Figure 27 on page 51), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays.
  • Page 57: Configure IPv4 Multihome LAN IP Addresses On The Default VLAN

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 29. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by default for the default VLAN.)
  • Page 58 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0 • Secondary LAN IP address. 192.168.20.1 with subnet 255.255.255.0 To add a secondary LAN IP address: Select Network Configuration > LAN Settings > LAN Multi-homing (IPv4). The LAN Multi-homing (IPv4) screen displays.
  • Page 59: Manage IPv4 Groups And Hosts (IPv4 LAN Groups)

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more secondary LAN IP addresses: On the LAN Multi-homing (IPv4) screen (see the previous screen), select the check box to the left of each secondary IP address that you want to delete, or click the Select All table button to select secondary IP addresses.
  • Page 60: Manage The Network Database

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • A PC is identified by its MAC address—not its IP address. The network database uses the MAC address to identify each PC or device. Therefore, changing a PC’s IP address does not affect any restrictions applied to that PC.
  • Page 61 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The Known PCs and Devices table lists the entries in the network database. For each PC or device, the following fields display: • Check box. Allows you to select the PC or device in the table.
  • Page 62 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click the Add table button to add the PC or device to the Known PCs and Devices table. As an optional step: To enable DHCP address reservation for the entry that you just added to the Known PCs and Devices table, select the check box for the table entry, and click the Save Binding button to bind the IP address to the MAC address for DHCP assignment.
  • Page 63: Change Group Names In The Network Database

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Change Group Names in the Network Database By default, the groups are named Group1 through Group8. You can change these group names to be more descriptive, such as GlobalMarketing and GlobalSales. However, note that...
  • Page 64: Set Up Address Reservation

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Set Up Address Reservation When you specify a reserved IP address for a PC or device on the LAN (based on the MAC address of the device), that PC or device always receives the same IP address each time it accesses the wireless VPN firewall’s DHCP server.
  • Page 65 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 34. Enter the settings as explained in the following table: Table 12. LAN Setup (IPv6) screen settings Setting Description IPv6 LAN Setup IPv6 Address Enter the FE80 link-local IPv6 address. IPv6 Prefix Length Enter the IPv6 prefix length, for example /10 or /64.
  • Page 66 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 12. LAN Setup (IPv6) screen settings (continued) Setting Description DHCPv6 DHCP Status Specify the status of the DHCPv6 server: • Disable DHCPv6 Server. This is the default setting, and the DHCPv6 fields are masked out.
  • Page 67 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Apply to save your changes. IPv6 Address Pools If you configure a stateful DHCPv6 server, you need to add local DHCP IPv6 address pools so the DHCPv6 server can control the allocation of IPv6 addresses.
  • Page 68: Configure The Router Advertisement Daemon And Advertisement Prefixes

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more IPv6 address pools: On the LAN Setup (IPv6) screen (see Figure 34 on page 65), select the check box to the left of each address pool that you want to delete, or click the Select All table button to select all address pools.
  • Page 69 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 36. Enter the settings as explained in the following table: Table 14. RADVD screen settings Setting Description RADVD Status Specify the RADVD status by making a selection from the drop-down list: • Enable. The RADVD is enabled, and the RADVD fields become available for you to configure.
  • Page 70 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 14. RADVD screen settings (continued) Setting Description RA Flags Managed To specify that the DHCPv6 stateful protocol is used for autoconfiguration of the address, select the Managed check box. Other To specify that other configuration information such as DNS information is available through DHCPv6, select the Other check box.
  • Page 71 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 37. Enter the settings as explained in the following table: Table 15. Add Advertisement Prefix screen settings Setting Description IPv6 Prefix Type Specify the IPv6 prefix type by making a selection from the drop-down list: •...
  • Page 72: Configure And Enable The DMZ Port For IPv4 Traffic

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more advertisement prefixes: On the RADVD screen (see Figure 36 on page 69), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
  • Page 73 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 38. Enter the settings as explained in the following table: Table 16. DMZ Setup screen settings Setting Description DMZ Port Setup Do you want to Select one of the following radio buttons: enable DMZ Port? •...
  • Page 74 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 16. DMZ Setup screen settings (continued) Setting Description DHCP Disable DHCP Server If another device on your network is the DHCP server for the VLAN, or if you will manually configure the network settings of all of your computers, select the Disable DHCP Server radio button to disable the DHCP server.
  • Page 75 • OU (for organizational unit) • O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero).
  • Page 76: Manage Static IPv4 Routing

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Manage Static IPv4 Routing Static routes provide additional routing information to your wireless VPN firewall. Under normal circumstances, the wireless VPN firewall has adequate routing information after it has been configured for Internet access, and you do not need to configure additional static routes.
  • Page 77 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 40. Enter the settings as explained in the following table: Table 17. Add Static Route screen settings Setting Description Route Name The route name for the static route (for purposes of identification and management).
  • Page 78: Configure The Routing Information Protocol

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To edit an IPv4 static route: On the IPv4 Static Routing screen (see Figure 39 on page 76), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays.
  • Page 79 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 41. Enter the settings as explained in the following table: Table 18. RIP Configuration screen settings Setting Description RIP Direction From the RIP Direction drop-down list, select the direction in which the wireless VPN firewall sends and receives RIP packets: •...
  • Page 80 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 18. RIP Configuration screen settings (continued) Setting Description RIP Version By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version: • RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version.
  • Page 81: IPv4 Static Route Example

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv4 Static Route Example In this example, we assume the following: • The wireless VPN firewall’s primary Internet access is through a cable modem to an ISP. • The wireless VPN firewall is on a local LAN with IP address 192.168.1.100.
  • Page 82 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 42. Click the Add table button under the Static Routes table. The Add Static Route screen displays (the tab shows IPv6 Static Routing). Figure 43. Enter the settings as explained in the following table: Table 19.
  • Page 83 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 19. Add Static Route screen settings (continued) Setting Description Interface From the drop-down list, select the physical or virtual network interface (WAN1, sit0 Tunnel, or LAN) through which the route is accessible.
  • Page 84: Chapter 4 Wireless Configuration And Security

    Wireless Configuration and Security This chapter describes how to configure the wireless features of your ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N. This chapter includes the following sections: • Overview of the Wireless Features • Configure the Basic Radio Settings •...
  • Page 85: Wireless Equipment Placement And Range Guidelines

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N security profile and SSID, allowing you to tailor access and security to a variety of wireless clients. The wireless VPN firewall provides wireless connectivity to multiple wireless network devices within a fixed range or area of coverage—interacting with a wireless network interface card (NIC) through an antenna.
  • Page 86: Configure The Basic Radio Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • The time it takes to establish a wireless connection can vary depending on both your security settings and placement. WEP connections can take slightly longer to establish. Also, WEP encryption can consume more battery power on a notebook computer.
  • Page 87 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Specify the remaining wireless settings as explained in the following table: Table 20. Radio Settings screen settings Field Descriptions Region This is a preconfigured field that you cannot change. Country Specify a country by making a selection from the drop-down list.
  • Page 88: Operating Frequency (Channel) Guidelines

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 20. Radio Settings screen settings (continued) Field Descriptions Channel Specify the channel you wish to use on your wireless LAN by making a selection from the drop-down list. The wireless channels and frequencies depend on the country and wireless mode.
  • Page 89: Wireless Data Security Options

    If more than one wireless access point can be used, the one with the strongest signal is used. This can happen only when the wireless access points use the same SSID. The FVS318N wireless VPN firewall functions in infrastructure mode by default.
  • Page 90 For more information about how to configure WPA+WPA2 mixed mode, see Configure and Enable Wireless Security Profiles on page 93. Note: TKIP provides only legacy (slower) rates of operation. NETGEAR recommends WPA2 with CCMP to make use of 802.11n rates and speed.
  • Page 91: Wireless Security Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Wireless Security Profiles Security profiles let you configure unique security settings for each SSID on the wireless VPN firewall. The wireless VPN firewall supports up to four security profiles (BSSIDs) that you can...
  • Page 92: Before You Change The SSID, WEP, And WPA Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Before You Change the SSID, WEP, and WPA Settings For a new wireless network, print or copy the following form and fill in the settings. For an existing wireless network, the network administrator can provide this information. Be sure to set the Country/Region correctly as the first step.
  • Page 93: Configure And Enable Wireless Security Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure and Enable Wireless Security Profiles To add a wireless security profile: Select Network Configuration > Wireless Settings > Profiles. The Profiles screen displays. (The following figure shows some examples.) Figure 46.
  • Page 94 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 47. Specify the settings as explained in the following table: Table 22. Add Profile screen settings Field Description Profile Configuration Profile Name The name for the default wireless security profile is default1. You cannot change this name.
  • Page 95 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 22. Add Profile screen settings (continued) Field Description Broadcast SSID Select the check box to enable the wireless VPN firewall to broadcast its SSID, allowing wireless stations that have a null (blank) SSID to adopt the wireless VPN firewall’s SSID.
  • Page 96 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 22. Add Profile screen settings (continued) Field Description Encryption The encryption that you can select depends on the type of WPA security that you have selected: Note: WPA, WPA2, and • WPA. You can select the following encryption from the drop-down list: WPA+WPA2 only.
  • Page 97 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 22. Add Profile screen settings (continued) Field Description Encryption Key Specify the active key by selecting one of the four radio buttons. Only one key (Key1–Key4) can be the active key. Either enter a key manually or generate the key automatically by clicking Generate.
  • Page 98: Configure Virtual Access Points

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: If WPS is enabled for the security profile, first disable WPS before you delete the security profile. Configure Virtual Access Points You can configure up to four virtual access points (VAPs) on the wireless VPN firewall. All VAPs can be active simultaneously to accommodate different types of clients.
  • Page 99 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The following table explains the fields of the Access Point screen: Table 23. Access Point screen settings Item Description Status The status of the VAP (Enabled or Disabled). Virtual AP The name of the VAP.
  • Page 100 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Specify the settings as explained in the following table: Table 24. Add Access Point screen settings Settings Description AP Name The name for the default VAP is ap1. You cannot change this name. For additional VAPs, enter a unique name to make it easy to recognize the profile.
  • Page 101: Restrict Wireless Access By MAC Address

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more VAPs: On the Access Point screen (see Figure 48 on page 98), select the check box to the left of each VAP that you want to delete, or click the Select All table button to select all VAPs.
  • Page 102: Configure Wi-Fi Protected Setup

    To use WPS, make sure that your wireless devices are Wi-Fi certified and support WPS. NETGEAR products that use WPS call it Push 'N' Connect. You can use a WPS button or the wireless router interface method to add wireless computers and devices to your wireless network.
  • Page 103 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To enable WPS and initiate the WPS process on the wireless VPN firewall: Select Network Configuration > Wireless Settings > Profiles. The Profiles screen displays (see Figure 46 on page 93). Click the WPS option arrow in the upper right of the Radio Settings screen. The WPS screen displays.
  • Page 104: Configure Advanced Radio Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N With either method, the wireless VPN firewall tries to communicate with the wireless device, set the wireless security for the wireless device, and allow it to join the wireless network. Note: There is no physical WPS push button on the wireless VPN firewall.
  • Page 105: Test Basic Wireless Connectivity

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 25. Advanced Wireless screen settings (continued) Setting Description RTS Threshold Enter the Request to Send (RTS) threshold. The default setting is 2346 bytes. If the packet size is equal to or less than the RTS threshold, the wireless VPN...
  • Page 106 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Verify that your wireless clients have a link to the wireless VPN firewall. If you have enabled the DHCP server on the wireless VPN firewall (see Configure a VLAN Profile on page 51...
  • Page 107: Chapter 5 IPv4 Firewall Protection

    IPv4 Firewall Protection This chapter describes how to use the IPv4 firewall features of the wireless VPN firewall to protect your network. This chapter contains the following sections: • About IPv4 Firewall Protection • Rules to Block or Allow Specific Kinds of Traffic •...
  • Page 108: Administrator Tips

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N can flow between the two networks. Unlike simple NAT routers, a firewall uses a process called Stateful Packet Inspection to protect your network from attacks and intrusions. NAT performs a very limited stateful inspection in that it considers whether the incoming packet is in response to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT.
  • Page 109: Service-Based Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The firewall rules for blocking and allowing traffic on the wireless VPN firewall can be applied to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic. Table 26. Number of supported firewall rule configurations...
  • Page 110 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 55 on page 118, Figure 58 on page 121, and Figure 61 on page 124).
  • Page 111 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 27. Outbound rules overview (continued) Setting Description DMZ Users The settings that determine which DMZ computers on the DMZ network are affected by this rule. The options are: • Any. All PCs and devices on your DMZ network.
  • Page 112 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Inbound Rules (Port Forwarding) If you have enabled Network Address Translation (NAT), your network presents only one IP address to the Internet, and outside users cannot directly access any of your local computers (LAN users).
  • Page 113 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The following table describes the fields that define the rules for inbound traffic and that are common to most Inbound Service screens (see Figure 56 on page 119, Figure 59 on page 122, and Figure 62 on page 125).
  • Page 114 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 28. Inbound rules overview (continued) Setting Description LAN Users These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing, and determine which computers on your network are affected by this rule. The options are: •...
  • Page 115: Order Of Precedence For Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location.
  • Page 116: Set LAN WAN Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Set LAN WAN Rules The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound).
  • Page 117 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N on page 118) or Edit LAN WAN Inbound Service screen (identical to Figure 56 on page 119) displays, containing the data for the selected rule. To enable, disable, or delete one or more rules: Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules.
  • Page 118 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 55. Enter the settings as explained in Table 27 on page 110. Click Apply to save your changes. The new rule is now added to the Outbound Services table. LAN WAN Inbound Service Rules The Inbound Services table lists all existing rules for inbound traffic.
  • Page 119: Create DMZ WAN Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 56. Enter the settings as explained in Table 28 on page 113. Click Apply to save your changes. The new rule is now added to the Inbound Services table. Create DMZ WAN Rules The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ WAN Rules screen.
  • Page 120 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To access the DMZ WAN Rules screen, select Security > Firewall > DMZ WAN Rules. The DMZ WAN Rules screen displays. (The following figure shows a rule in the Outbound Services table as an example.) Figure 57.
  • Page 121 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N DMZ WAN Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 122: Create LAN DMZ Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N packet matches an inbound rule on the LAN WAN Rules screen, it is not matched against the inbound rules on the DMZ WAN Rules screen. To create a new inbound DMZ WAN service rule: In the DMZ WAN Rules screen, click the Add table button under the Inbound Services table.
  • Page 123 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N do so by adding outbound service rules (see LAN DMZ Outbound Service Rules on page 124). To access the LAN DMZ Rules screen and to make changes to an existing outbound or inbound service rule, select Security > Firewall > LAN DMZ Rules. The LAN DMZ Rules screen displays: Figure 60.
  • Page 124 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN DMZ Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 125 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN DMZ Inbound Service Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the LAN to the DMZ) is blocked.
  • Page 126: Inbound Rule Examples

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Inbound Rule Examples LAN WAN Inbound Rule: Host a Local Public Web Server If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.
  • Page 127 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN WAN Inbound Rule: Allow Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see the following figure).
  • Page 128 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN WAN or DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the wireless VPN firewall to host an additional public IP address and associate this address with a web server on the LAN.
  • Page 129 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 65. From the Service drop-down list, select HTTP for a web server. From the Action drop-down list, select ALLOW Always. In the Send to LAN Server field, enter the local IP address of your web server PC (192.168.1.2 in this example).
  • Page 130 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN WAN or DMZ WAN Inbound Rule: Specifying an Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.
  • Page 131: Outbound Rule Example

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Outbound Rule Example Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other nonessential sites. LAN WAN Outbound Rule: Block Instant Messenger If you want to block Instant Messenger usage by employees during working hours, you can create an outbound rule to block such an application from any internal IP address to any external address according to the schedule that you have created in the Schedule screen.
  • Page 132: Configure Other Firewall Features

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure Other Firewall Features You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions. Attack Checks The Attack Checks screen allows you to specify whether or not the wireless VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.
  • Page 133 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 29. Attack Checks screen settings (continued) Setting Description Enable Stealth Mode Select the Enable Stealth Mode check box (which is the default setting) to prevent the wireless VPN firewall from responding to port scans from the WAN, thus making it less susceptible to discovery and attacks.
  • Page 134: Set Session Limits

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 29. Attack Checks screen settings (continued) Setting Description Multicast Pass through Enable IGMP IP multicast pass-through allows multicast packets that originate in the WAN subnet, such as packets from a media streaming or gaming application, to be forwarded to the LAN subnet.
  • Page 135: Manage The Application Level Gateway For SIP Sessions

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Select the Yes radio button under Do you want to enable Session Limit? Enter the settings as explained in the following table: Table 30. Session Limit screen settings Setting Description Session Limit User Limit Parameter From the User Limit Parameter drop-down list, select one of the following options: •...
  • Page 136: Services, Bandwidth Profiles, And QoS Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 70. Select the Enable SIP ALG check box. Click Apply to save your settings. Services, Bandwidth Profiles, and QoS Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: •...
  • Page 137 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The service numbers for many common protocols are defined by the Internet Engineering Task Force (IETF) and published in RFC 1700, Assigned Numbers. Service numbers for other applications are typically chosen from the range 1024 to 65535 by the authors of the application.
  • Page 138 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 31. Services screen settings (continued) Setting Description ICMP Type A numeric value that can range between 0 and 40. For a list of ICMP types, see http://www.iana.org/assignments/icmp-parameters. Note: This field is enabled only when you select ICMP from the Type drop-down list.
  • Page 139: Create Bandwidth Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more services: In the Custom Services table, select the check box to the left of each service that you want to delete, or click the Select All table button to select all services.
  • Page 140 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 73. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays: Figure 74. Enter the settings as explained in the following table: Table 32. Add Bandwidth Profile screen settings...
  • Page 141: Preconfigured Quality Of Service Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 32. Add Bandwidth Profile screen settings (continued) Setting Description Inbound Minimum Bandwidth The inbound minimum allocated bandwidth in Kbps. The default setting is 0 Kbps. Inbound Maximum Bandwidth The inbound maximum allowed bandwidth in Kbps. The default setting is 100 Kbps (you cannot configure less than 100 Kbps);...
  • Page 142: Configure Content Filtering

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N You can assign a QoS profile to a firewall rule or service on the following screens: • Add LAN WAN Outbound Services screen (see Figure 55 on page 118). • Add DMZ WAN Outbound Services screen (see Figure 58 on page 121).
  • Page 143 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX applets from being downloaded.
  • Page 144 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 75. In the Content Filtering section of the screen, select the Yes radio button.
  • Page 145 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the Web Components section of the screen, select the components that you want to block: • Proxy. Blocks proxy servers. • Java. Blocks Java applets from being downloaded. • ActiveX. Blocks ActiveX applets from being downloaded.
  • Page 146: Set A Schedule To Block Or Allow Specific Traffic

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Set a Schedule to Block or Allow Specific Traffic Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules.
  • Page 147: Enable Source MAC Filtering

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enable Source MAC Filtering The Source MAC Filter screen enables you to permit or block traffic coming from certain known PCs or devices. By default, the source MAC address filter is disabled. All the traffic received from PCs with any MAC address is allowed.
  • Page 148: Set Up IP/MAC Bindings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the same section, from the Policy for MAC Addresses listed below drop-down list, select one of the following options: • Block and Permit the rest. Traffic coming from all addresses in the MAC Addresses table is blocked.
  • Page 149 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N As an example, assume that three computers on the LAN are set up as follows, and that their IP and MAC addresses are added to the IP/MAC Bindings table: • Host 1. MAC address (00:01:02:03:04:05) and IP address (192.168.10.10) •...
  • Page 150 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in the following table: Table 33. IP/MAC Binding screen settings Setting Description Email IP/MAC Violations Do you want to Select one of the following radio buttons: enable E-mail Logs •...
  • Page 151: Configure Port Triggering

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port-triggering feature requires that you know the port numbers used by the application.
  • Page 152 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 79. In the Add Port Triggering Rule section, enter the settings as explained in the following table: Table 34. Port Triggering screen settings Setting Description Name A descriptive name of the rule for identification and management purposes.
  • Page 153: Configure Universal Plug And Play

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To remove one or more port-triggering rules from the table: Select the check box to the left of each port-triggering rule that you want to delete, or click the Select All table button to select all rules.
  • Page 154 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the wireless VPN firewall and that have been automatically detected by the wireless VPN firewall: •...
  • Page 155: Chapter 6 Virtual Private Networking Using IPv4 IPSec And L2TP Connections

    Virtual Private Networking Using IPv4 IPSec and L2TP Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the wireless VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contains the following sections: •...
  • Page 156: Use The IPSec VPN Wizard For Client And Gateway Configurations

    Configurations You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following section provides wizard and NETGEAR ProSafe VPN Client software configuration procedures for the following scenarios: • Using the wizard to configure a VPN tunnel between two VPN gateways •...
  • Page 157 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 83. To view the wizard default settings, click the VPN Wizard Default Values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values.
  • Page 158 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 84. Complete the settings as explained in the following table: Table 35. IPSec VPN Wizard settings for a gateway-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect to the following peers Select the Gateway radio button. The local WAN port’s IP address or Internet name displays in the End Point Information section of the screen.
  • Page 159 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 35. IPSec VPN Wizard settings for a gateway-to-gateway tunnel (continued) Setting Description Secure Connection Remote Accessibility What is the remote LAN IP Address? Enter the LAN IP address of the remote gateway.
  • Page 160: Create A Client-To-Gateway VPN Tunnel

    Use the VPN Wizard to Configure the Gateway for a Client Tunnel on page 161. • Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 163 or Manually Create a Secure Connection Using the NETGEAR VPN Client on page 168.
  • Page 161 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Use the VPN Wizard to Configure the Gateway for a Client Tunnel To set up a client-to-gateway VPN tunnel using the VPN Wizard: Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. (The following figure contains an example.)
  • Page 162 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Complete the settings as explained in the following table: Table 36. IPSec VPN Wizard settings for a client-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect to the following peers Select the VPN Client radio button. The default remote FQDN (remote.com) and the default local FQDN (local.com) display in the End Point Information...
  • Page 163 Router’s LAN network mask 255.255.255.0 Router’s WAN IP address 192.168.15.175 Use the NETGEAR VPN Client Wizard to Create a Secure Connection The VPN client lets you set up the VPN connection manually (see Manually Create a Secure Connection Using the NETGEAR VPN Client on page 168) or with the integrated Configuration Wizard, which is the easier and preferred method.
  • Page 164 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed. To use the Configuration Wizard to set up a VPN connection between the VPN client and the wireless VPN firewall: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel.
  • Page 165 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 91. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays. Figure 92. Specify the following VPN tunnel parameters: •...
  • Page 166 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays. Figure 93. This screen is a summary screen of the new VPN configuration. Click Finish. Specify the local and remote IDs: a.
  • Page 167 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N c. Specify the settings that are explained in the following table. Table 38. VPN client advanced authentication settings Setting Description Advanced features Aggressive Mode Select this check box to enable aggressive mode as the mode of negotiation with the wireless VPN firewall.
  • Page 168 Manually Create a Secure Connection Using the NETGEAR VPN Client Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed. To manually configure a VPN connection between the VPN client and the wireless VPN firewall, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
  • Page 169 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays. Figure 96.
  • Page 170 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
  • Page 171 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Click the Advanced tab in the Authentication pane. The Advanced pane displays. Figure 99. Specify the settings that are explained in the following table.
  • Page 172 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 40. VPN client advanced authentication settings (continued) Setting Description Remote ID As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the wireless VPN firewall configuration.
  • Page 173 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 100. Specify the settings that are explained in the following table. Table 41. VPN client IPSec configuration settings Setting Description VPN Client address Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the wireless VPN firewall’s LAN;...
  • Page 174 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Global Parameters To specify the global parameters: Click Global Parameters in the left column of the Configuration Panel screen.
  • Page 175: Test The Connection And View Connection And Status Information

    Test the Connection and View Connection and Status Information Both the NETGEAR ProSafe VPN Client and the wireless VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 176: NETGEAR VPN Client Status And Log Information

    Figure 106. NETGEAR VPN Client Status and Log Information To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays.
  • Page 177: View The Wireless VPN Firewall IPSec VPN Connection Status

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 107. View the Wireless VPN Firewall IPSec VPN Connection Status To review the status of current IPSec VPN tunnels, select VPN > Connection Status > IPSec VPN Connection Status. The IPSec VPN Connection Status screen displays. (The following figure shows an IPSec SA as an example.)
  • Page 178: View The Wireless VPN Firewall IPSec VPN Log

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button. Table 42. IPSec VPN Connection Status screen information...
  • Page 179: Manage IPSec VPN Policies

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Manage IPSec VPN Policies After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and IKE policy.
  • Page 180 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IKE Policies Screen To access the IKE Policies screen: Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view. (The following figure shows some examples.) Figure 110.
  • Page 181 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more IKE policies: Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all IKE policies.
  • Page 182 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 111.
  • Page 183 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Complete the settings as explained in the following table: Table 44. Add IKE Policy screen settings Setting Description Mode Config Record Do you want to use Specify whether or not the IKE policy uses a Mode Config record. For information...
  • Page 184 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 44. Add IKE Policy screen settings (continued) Setting Description Local Identifier From the drop-down list, select one of the following ISAKMP identifiers to be used by the wireless VPN firewall, and then specify the identifier in the Identifier field: •...
  • Page 185 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 44. Add IKE Policy screen settings (continued) Setting Description Authentication Method Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the wireless VPN firewall and the remote endpoint.
  • Page 186 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 44. Add IKE Policy screen settings (continued) Setting Description Extended Authentication XAUTH Configuration Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify...
  • Page 187: Manage VPN Policies

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Manage VPN Policies You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available. • Manual. You manually enter all settings (including the keys) for the VPN tunnel on the wireless VPN firewall and on the remote VPN endpoint.
  • Page 188 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 112. Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 46 on page 191. Table 45. VPN Policies screen information...
  • Page 189 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To enable or disable one or more VPN policies: Select the check box to the left of each policy that you want to enable or disable, or click the Select All table button to select all VPN Policies.
  • Page 190 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 113.
  • Page 191 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Complete the settings as explained in the following table: Table 46. Add New VPN Policy screen settings Setting Description General Policy Name A descriptive name of the VPN policy for identification and management purposes.
  • Page 192 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 46. Add New VPN Policy screen settings (continued) Setting Description Traffic Selection Local IP From the drop-down list, select the address or addresses that are part of the VPN tunnel on the wireless VPN firewall: •...
  • Page 193 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 46. Add New VPN Policy screen settings (continued) Setting Description Key-Out The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: • 3DES. Enter 24 characters.
  • Page 194: Configure Extended Authentication (XAUTH)

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 46. Add New VPN Policy screen settings (continued) Setting Description Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: •...
  • Page 195: Configure XAUTH For VPN Clients

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available: • Edge Device. The wireless VPN firewall is used as a VPN concentrator on which one or more gateway tunnels terminate.
  • Page 196: User Database Configuration

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 47. Extended authentication settings Setting Description Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: •...
  • Page 197 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N user name and password information. The gateway then attempts to verify this information first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.
  • Page 198: Assign IP Addresses To Remote Users (Mode Config)

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 48. RADIUS Client screen settings (continued) Setting Description Primary Server NAS Identifier The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request. Note: The wireless VPN firewall functions as an NAS, allowing network access to external users after verification of their authentication information.
  • Page 199: Mode Config Operation

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Mode Config Operation After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask, WINS server, and DNS address from the wireless VPN firewall.
  • Page 200 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales: • For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and second pool (172.16.200.1 through 172.16.200.99) are shown.
  • Page 201 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Complete the settings as explained in the following table: Table 49. Add Mode Config Record screen settings Setting Description Client Pool Record Name A descriptive name of the Mode Config record for identification and management purposes.
  • Page 202 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 49. Add Mode Config Record screen settings (continued) Setting Description Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: •...
  • Page 203 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 117. On the Add IKE Policy screen, complete the settings as explained in the following table. Virtual Private Networking Using IPv4 IPSec and L2TP Connections...
  • Page 204 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 44 on page 183 explains the general IKE policy settings. Table 50. Add IKE Policy screen settings for a Mode Config configuration...
  • Page 205 The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour). Enable Dead Peer...
  • Page 206: Configure The ProSafe VPN Client For Mode Config Operation

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 50. Add IKE Policy screen settings for a Mode Config configuration (continued) Setting Description Extended Authentication XAUTH Configuration Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify...
  • Page 207 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: Perform these tasks from a PC that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
  • Page 208 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 119. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane.
  • Page 209 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Specify the settings that are explained in the following table. Table 51. VPN client authentication settings (Mode Config) Setting Description Interface Select Any from the drop-down list. Remote Gateway Enter the remote IP address or DNS name of the wireless VPN firewall. For example, enter 192.168.15.175.
  • Page 210 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Specify the settings that are explained in the following table. Table 52. VPN client advanced authentication settings (Mode Config) Setting Description Advanced features Mode Config Select this check box to enable Mode Config.
  • Page 211 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
  • Page 212 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 53. VPN client IPSec configuration settings (Mode Config) (continued) Setting Description Subnet mask Enter 255.255.255.0 as the remote subnet mask of the wireless VPN firewall that opens the VPN tunnel. This is the LAN IP subnet mask that you specified in the Local Subnet Mask field on the Add Mode Config Record screen of the wireless VPN firewall.
  • Page 213: Test The Mode Config Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Specify the following default lifetimes in seconds to match the configuration on the wireless VPN firewall: • Authentication (IKE), Default. Enter 3600 seconds. • Encryption (IPSec), Default. Enter 3600 seconds. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the wireless VPN firewall: •...
  • Page 214: Modify Or Delete A Mode Config Record

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 126. From the client PC, ping a computer on the wireless VPN firewall LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure it is not used in an IKE policy.
  • Page 215: Configure Keep-Alives And Dead Peer Detection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure Keep-Alives and Dead Peer Detection In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for example, when client-server applications over the tunnel cannot tolerate the tunnel establishment time.
  • Page 216: Configure Dead Peer Detection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in the following table: Table 54. Keep-alive settings Setting Description General Enable Keepalive Select the Yes radio button to enable the keep-alive feature. Periodically, the wireless VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.
  • Page 217: Configure NetBIOS Bridging With IPSec VPN

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 128. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: Table 55. Dead Peer Detection settings Setting Description IKE SA Parameters Enable Dead Peer Select the Yes radio button to enable DPD.
  • Page 218: Configure The L2TP Server

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To enable NetBIOS bridging on a configured VPN tunnel: Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 112 on page 188). In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that you want to edit.
  • Page 219: View The Active L2TP Users

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N You need to enable the L2TP server on the wireless VPN firewall, specify an L2TP server address pool, and create L2TP user accounts. For information about how to create L2TP user accounts, see Configure User Accounts on page 254.
  • Page 220 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The List of L2TP Active Users table lists each active connection with the information that is described in the following table. Table 56. L2TP Active Users screen information Item Description Username The name of the L2TP user that you have defined (see...
  • Page 221: Chapter 7 Virtual Private Networking Using IPv4 SSL Connections

    Virtual Private Networking Using IPv4 SSL Connections The wireless VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the wireless VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
  • Page 222: SSL VPN Portal Options

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N SSL VPN Portal Options The wireless VPN firewall’s SSL VPN portal can provide two levels of SSL service to the remote user: • SSL VPN tunnel. The wireless VPN firewall can provide the full network connectivity of a VPN tunnel using the remote user’s browser instead of a traditional IPSec VPN client.
  • Page 223: Create The Portal Layout

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N method that is used and the portal layout that is presented, which in turn determines the network resources to which the users are granted access. Because you need to assign a portal layout when creating a domain, the domain is created after you have created the portal layout.
  • Page 224 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N users or business partners are permitted to access only a few resources, the page that you create presents only the resources that are relevant to these users. You apply portal layouts by selecting one from the available portal layouts in the configuration of a domain.
  • Page 225 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Portal URL. The URL at which the portal can be accessed. • Action. The table buttons, which allow you to edit the portal layout or set it as the default. Under the List of Layouts table, click the Add table button. The Add Portal Layout screen displays.
  • Page 226 <meta http-equiv="pragma" content="no-cache"> <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="cache-control" content="must-revalidate"> Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user’s web browser cache. ActiveX web cache...
  • Page 227: Configure Domains, Groups, And Users

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To edit a portal layout: On the Portal Layouts screen (see Figure 132 on page 224), click the Edit button in the Action column for the portal layout that you want to modify. The Edit Portal Layout screen displays.
  • Page 228 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To add a server and a port number: Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays. (The following figure shows an example.) Figure 134. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: •...
  • Page 229: Add A New Host Name

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 58. Port-forwarding applications/TCP port numbers (continued) TCP Application Port Number Citrix 1494 Terminal Services 3389 VNC (virtual network computing) 5900 or 5800 a. Users can specify the port number together with the host name or IP address.
  • Page 230: Configure The SSL VPN Client

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete a name from the List of Configured Host Names for Port Forwarding table: Select the check box to the left of the name that you want to delete. Click the Delete table button in the Action column.
  • Page 231 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 135. Complete the settings as explained in the following table: Table 59. SSL VPN Client screen settings Setting Description Client IP Address Range Enable Full Tunnel Support Select this check box to enable full-tunnel support. If you leave this check...
  • Page 232: Add Routes For VPN Tunnel Clients

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 59. SSL VPN Client screen settings (continued) Setting Description Client Address Range Begin The first IP address of the IP address range that you want to assign to the VPN tunnel clients. By default, the first IP address is 192.168.251.1.
  • Page 233: Use Network Resource Objects To Simplify Policies

    Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.
  • Page 234: Edit Network Resources To Specify Addresses

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more network resources: Select the check box to the left of each network resource that you want to delete, or click the Select All table button to select all network resources.
  • Page 235: Configure User, Group, And Global Policies

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 60. Resources screen settings to edit a resource (continued) Setting Description Service The SSL service that is assigned to the resource. You cannot modify the service after you have assigned it to the resource on the first Resources screen.
  • Page 236 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource.
  • Page 237: View Policies

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View Policies To view the existing policies: Select VPN > SSL VPN. The SSL VPN submenu tabs display, with the Policies screen in view. (The following figure shows some examples.) Figure 138.
  • Page 238 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 139. Complete the settings as explained in the following table: Table 61. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the type of SSL VPN policy: •...
  • Page 239 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 61. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy to? (continued) Network Resource Policy Name A descriptive name of the SSL VPN policy for identification and management purposes. Defined...
  • Page 240 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 61. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy to? (continued) IP Network (continued) Service From the drop-down list, select the service to which the SSL VPN policy is applied: •...
  • Page 241: Access The New SSL Portal Login Screen

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more SSL VPN policies: On the Policies screen (see Figure 138 on page 237), select the check box to the left of each SSL VPN policy that you want to delete, or click the Select All table button to select all policies.
  • Page 242 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Login. The User Portal screen displays. The format of the User Portal screen depends on the settings that you selected on the Add Portal Layout screen (see Create the Portal Layout on page 223): •...
  • Page 243: View The SSL VPN Connection Status

    Note: The first time that a user attempts to connect through the VPN tunnel, the NETGEAR SSL VPN tunnel adapter is installed; the first time that a user attempts to connect through the port-forwarding tunnel, the NETGEAR port-forwarding engine is installed.
  • Page 244: View The SSL VPN Log

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View the SSL VPN Log To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 144. Virtual Private Networking Using IPv4 SSL Connections...
  • Page 245: Chapter 8 Manage Users, Authentication, And VPN Certificates

    Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections: • The Wireless VPN Firewall’s Authentication Process and Options • Configure Authentication Domains, Groups, and Users •...
  • Page 246 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The following table summarizes the external authentication protocols and methods that the wireless VPN firewall supports.
  • Page 247: Configure Authentication Domains, Groups, And Users

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure Authentication Domains, Groups, and Users This section contains the following subsections: • Configure Domains • Configure Groups • Configure User Accounts • Set User Login Policies • Change Passwords and Other User Settings Configure Domains The domain determines the authentication method to be used for associated users.
  • Page 248 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain) to which the default SSL-VPN portal is assigned is appended by an asterisk.
  • Page 249 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 63. Add Domain screen settings (continued) Setting Description Authentication Type (continued) • Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the following fields: - Authentication Server - Authentication Secret Note: If you select any type of RADIUS •...
  • Page 250 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 63. Add Domain screen settings (continued) Setting Description LDAP Base DN The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This should be a user in the LDAP directory who has read access to all the users that you would like to import into the wireless VPN firewall.
  • Page 251: Configure Groups

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Edit Domains To edit a domain: Select Users > Domains. The Domains screen displays (see Figure 145 on page 247). In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edit.
  • Page 252: Create Groups

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Create Groups To create a VPN group: Select Users > Groups. The Groups screen displays. (The following figure shows the wireless VPN firewall’s default group—geardomain—and, as an example, several other groups in the List of Groups table.) The List of Groups table displays the VPN groups with the following fields: •...
  • Page 253 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 148. Complete the settings as explained in the following table: Table 64. Add Group screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management purposes. Domain The drop-down list shows the domains that are listed on the Domain screen.
  • Page 254: Configure User Accounts

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Edit Groups For groups that were automatically created when you created a domain, you can modify only the idle time-out settings but not the group name or associated domain. For groups that you created on the Add Groups screen, you can modify the domain and the idle time-out settings but not the group name.
  • Page 255 Guest user. A user who can only view the wireless VPN firewall configuration (that is, read-only access). • IPSec VPN user. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 194). •...
  • Page 256 • Guest User. User who can only view the wireless VPN firewall configuration (that is, read-only access). • IPSEC VPN User. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 194).
  • Page 257: Set User Login Policies

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 65. Add Users screen settings (continued) Setting Description Confirm Password This field needs to be identical to the password that you entered in the Password field. Idle Timeout The period after which an idle user is automatically logged out of the web management interface.
  • Page 258 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Make the following optional selections: • To prohibit the user from logging in to the wireless VPN firewall, select the Disable Login check box. • To prohibit the user from logging in from the WAN interface, select the Deny Login from WAN Interface check box.
  • Page 259 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
  • Page 260 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 153. In the Defined Browsers Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Browsers. Deny logging in from the browsers in the Defined Browsers table.
  • Page 261: Change Passwords And Other User Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Change Passwords and Other User Settings For any user, you can change the password, user type, and idle time-out settings. Only administrators have read/write access. All other users have read-only access. Note: The default administrator and default guest passwords for the web management interface are both password.
  • Page 262: Manage Digital Certificates For VPN Connections

    • Guest (readonly). User who can only view the wireless VPN firewall configuration (that is, read-only access). • IPSEC VPN User. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 194).
  • Page 263: VPN Certificates Screen

    The wireless VPN firewall contains a self-signed digital certificate from NETGEAR. This certificate can be downloaded from the wireless VPN firewall login screen for browser import.
  • Page 264: Manage VPN CA Certificates

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Self Certificate Requests table. Contains the self-signed certificate requests that you generated. These requests might or might not have been submitted to CAs, and CAs might or might not have issued digital certificates for these requests. Only the self-signed...
  • Page 265: Manage VPN Self-Signed Certificates

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click the Upload table button. If the verification process on the wireless VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificates) table.
  • Page 266 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the wireless VPN firewall: Select VPN > Certificates. The Certificates screen displays. The following figure shows the middle section of the screen with the Active Self Certificates section, Generate Self Certificate Request section, and Self Certificate Requests section.
  • Page 267 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 68. Generate self-signed certificate request settings (continued) Setting Description Hash Algorithm From the drop-down list, select one of the following hash algorithms: • MD5. A 128-bit (16-byte) message digest, slightly faster than SHA-1.
  • Page 268 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Copy the contents of the Data to supply to CA text field into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----.” Submit your SCR to a CA: a.
  • Page 269: Manage The VPN Certificate Revocation List

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more self-signed certificates: In the Active Self Certificates table, select the check box to the left of each self-signed certificate that you want to delete, or click the Select All table button to select all self-signed certificates.
  • Page 270: Chapter 9 Network And System Management

    Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the wireless VPN firewall. This chapter contains the following sections: • Performance Management • System Management Performance Management Performance management consists of controlling the traffic through the wireless VPN firewall so that the necessary traffic gets through when there is a bottleneck.
  • Page 271 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Content filtering • Source MAC filtering LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) You can control specific outbound traffic (from LAN to WAN and from the DMZ to WAN). The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for outbound traffic.
  • Page 272: Content Filtering

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • WAN users. You can specify which Internet locations are covered by an outbound rule, based on their IP address: Any. The rule applies to all Internet IP addresses. Single address. The rule applies to a single Internet IP address.
  • Page 273: Features That Increase Traffic

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Features That Increase Traffic The following features of the wireless VPN firewall tend to increase the traffic load on the WAN side: • LAN WAN inbound rules (also referred to as port forwarding) •...
  • Page 274: Port Triggering

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • LAN users. You can specify which computers on your network are affected by an inbound rule. There are several options: Any. The rule applies to all PCs and devices on your LAN.
  • Page 275: Use QoS And Bandwidth Assignment To Shift The Traffic Mix

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N FTP server, or email server) and provide public access to them. The eighth LAN port on the wireless VPN firewall (the rightmost LAN port) can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN.
  • Page 276: Monitoring Tools For Traffic Management

    The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.
  • Page 277 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 160. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit Users screen displays: Figure 161. You cannot modify the administrator user name, user type, or group assignment.
  • Page 278: Configure Remote Management Access

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both uppercase and lowercase), numbers, and symbols. Your password can be up to 30 characters.
  • Page 279 IP address and default password. Because a malicious WAN user can reconfigure the wireless VPN firewall and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see...
  • Page 280 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in the following table: Table 69. Remote Management screen settings Setting Description Secure HTTP Management Allow Secure HTTP To enable secure HTTP management, select the Yes radio button, which is the Management? default setting.
  • Page 281: Use A Simple Network Management Protocol Manager

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N the wireless VPN firewall’s WAN IP address is 192.168.15.175 and the port number is 443, type the following in your browser: https://192.168.15.175:443. The wireless VPN firewall’s remote login URL is: https://<IP_address>:<port_number> or https://<FullyQualifiedDomainName>:<port_number>...
  • Page 282 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To configure the SNMP settings: Select Administration > SNMP. The SNMP screen displays. (The following figure contains an example.) Figure 163. The SNMP Configuration table shows the following columns: • IP Address. The IP address of the SNMP manager.
  • Page 283 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To edit an SNMP configuration: On the SNMP screen (see the previous figure), click the Edit button in the Action column for the SNMP configuration that you want to modify. The Edit SNMP screen displays.
  • Page 284: Manage The Configuration File

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in the following table: Table 71. SNMP SysConfiguration screen settings Setting Description SysContact Enter the SNMP system contact information that is available to the SNMP manager. This setting is optional.
  • Page 285 On the Settings Backup and Firmware Upgrade screen (see the previous figure), next to Save a copy of current settings, click the Backup button to save a copy of your current settings. A screen displays, showing the file name of the backup file (FVS318N.cfg). Select Save file, and then click OK.
  • Page 286 On the Settings Backup and Firmware Upgrade screen (see the previous figure), next to Restore saved settings from file, click Browse. Locate and select the previously saved backup file (by default, FVS318N.cfg). After you have selected the file, click the Restore button. A warning message might display, and you might have to confirm that you want to restore the configuration.
  • Page 287: Update The Firmware

    To download a firmware version and upgrade the firmware: Go to the NETGEAR website at http://support.netgear.com. Navigate to the FVS318N support page, and click the Downloads tab. Click the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the wireless VPN firewall’s software.
  • Page 288: Configure Date And Time Service

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N WARNING! After you have started the firmware installation process, do not interrupt the process. Do not try to go online, turn off the wireless VPN firewall, or do anything else to the wireless VPN firewall until the wireless VPN firewall has fully rebooted.
  • Page 289 Note: If you select the Use Custom NTP Servers option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://support.ntp.org/bin/view/Servers/WebHome.
  • Page 290: Chapter 10 Monitor System Access And Performance

    Monitor System Access and Performance This chapter describes the system-monitoring features of the wireless VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more.
  • Page 291 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 168. Enter the settings as explained in the following table:
  • Page 292 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 73. Broadband Traffic Meter screen settings Setting Description Enable Traffic Meter Do you want to Select one of the following radio buttons to configure traffic metering: enable Traffic • Yes. Traffic metering is enabled, and the traffic meter records the volume of Metering on Internet traffic passing through the WAN interface.
  • Page 293: Configure Logging, Alerts, And Event Notifications

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 73. Broadband Traffic Meter screen settings (continued) Setting Description When Limit is reached Block Traffic Select one of the following radio buttons to specify which action the wireless VPN firewall performs when the traffic limit has been reached: •...
  • Page 294 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To configure and activate logs: Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays: Figure 170.
  • Page 295 Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to identify the device that sent the log messages. The default identifier is FVS318N. Routing Logs In the Accepted Packets and Dropped Packets columns, select check boxes to specify which traffic is logged: •...
  • Page 296 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 74. Firewall Logs & E-mail screen settings (continued) Setting Description Enable E-mail Logs Do you want Select the Yes radio button to enable the wireless VPN firewall to email logs to a specified logs to be email address.
  • Page 297: How To Send Syslogs Over A Vpn Tunnel Between Sites

    Click Apply to save your settings. Note: Enabling routing and other event logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. How to Send Syslogs over a VPN Tunnel between Sites...
  • Page 298 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N This section describes steps 2 through 4, using the topology that is described in the following table: Type of address Gateway 1 at Site 1 Gateway 2 at Site 2 WAN IP address 10.0.0.1...
  • Page 299 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure a gateway-to-gateway VPN tunnel using the following information: • Connection name. Any name of your choice • Pre-shared key. The same key as you configured on Gateway 1 • Remote WAN IP address. 10.0.0.1 •...
  • Page 300: View Status Screens

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View Status Screens The wireless VPN firewall provides real-time information in a variety of status screens that are described in the following sections: • View the System Status • View the VPN Connection Status and L2TP Users •...
  • Page 301 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 171. The following table explains the fields of the Router Status screen: Table 75. Router Status screen information Item Description System Info System Name The NETGEAR system name. Firmware Version The currently installed firmware version.
  • Page 302 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 75. Router Status screen information (continued) Item Description LAN IPv4/IPv6 Information MAC Address The MAC address of the wireless VPN firewall. IPv6 Address The IPv6 address that is assigned to the wireless VPN firewall. For information...
  • Page 303 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 172. The following table explains the fields of the Router Statistics screen. To change the poll interval period, enter a new value (in seconds) in the Poll Interval field, and then click Set interval. To stop polling, click Stop.
  • Page 304 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 173.
  • Page 305 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The following table explains the fields of the Detailed Status screen: Table 77. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports.
  • Page 306 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 77. Detailed Status screen information (continued) Item Description NAT (IPv4 only) The NAT state can be either Enabled or Disabled, depending on whether or not NAT is enabled (see Network Address Translation...
  • Page 307: View The Vpn Connection Status And L2Tp Users

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 77. Detailed Status screen information (continued) Item Description Wireless Configuration Wireless Status The wireless status can be Enabled or Disabled, depending on whether or not the default virtual access point is enabled. For information about enabling the default...
  • Page 308 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To disconnect an active connection, click the Disconnect table button to the right of the policy’s table entry. To view the active SSL VPN connections: Select VPN > Connection Status > SSL VPN Connection Status. The SSL VPN Connection Status screen displays: Figure 175.
  • Page 309: View The Vpn Logs

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View the VPN Logs To display the IPSec VPN log: Select Monitoring > VPN Logs > IPSec VPN Logs. The IPSec VPN Logs screen displays. Figure 177. To display the SSL VPN log: Select Monitoring >...
  • Page 310: View The Port Triggering Status

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View the Port Triggering Status To view the status of the port-triggering feature: Select Security > Port Triggering. The Port Triggering screen displays. (The following figure shows one rule in the Port Triggering Rules table as an example.) Figure 179.
  • Page 311: View The Wan Port Status

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 78. Port Triggering Status screen information (continued) Item Description Open Ports The incoming ports that are associated with this rule. Incoming traffic using one of these ports is sent to the IP address that is listed in the LAN IP Address field.
  • Page 312 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 79. Connection Status screen information for an IPv4 connection (continued) Item Description Connection Status The connection status can be either Connected or Disconnected. IP Address The addresses that were automatically detected or that you configured on the Broadband ISP Settings (IPv4) screen.
  • Page 313: View The Attached Devices And The Dhcp Log

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Table 80. Connection Status screen information for an IPv6 connection...
  • Page 314 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View the Attached Devices To view the attached devices in the LAN Groups screen: Select Network Configuration > LAN Settings > LAN Groups (IPv4). The LAN Groups (IPv4) screen displays. (The following figure shows some examples in the Known PCs and Devices table.)
  • Page 315 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N drop-down list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen. • Action. The Edit table button, which provides access to the Edit Groups and Hosts screen.
  • Page 316: Diagnostics Utilities

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Diagnostics Utilities The wireless VPN firewall provides diagnostic tools that help you analyze the status of the network and traffic conditions. Two types of tools are available: • Network diagnostic tools. These tools include a ping utility, traceroute utility, and DNS lookup utility, and the option to display the routing tables.
  • Page 317: Trace A Route

    Diagnostics screen, click Back on the browser menu bar. Look Up a DNS Address A Domain Name Server (DNS) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.
  • Page 318: Capture Packets In Real Time

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Capture Packets in Real Time Capturing packets can assist NETGEAR technical support in diagnosing packet transfer problems. You can also use a traffic analyzer to do your own problem diagnoses. To capture packets in real time: In the Router Options section of the screen, next to Capture Packets, click the Packet Trace button.
  • Page 319: Chapter 11 Troubleshooting

    Troubleshooting This chapter provides troubleshooting tips and information for the wireless VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the wireless VPN firewall on? Go to Basic Functioning on page 320.
  • Page 320: Basic Functioning

    VPN firewall and that the power supply adapter is correctly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR technical support.
  • Page 321: Lan Or Wan Port Leds Not On

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N If the error persists, you might have a hardware problem and should contact NETGEAR technical support. LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: •...
  • Page 322: When You Enter A Url Or Ip Address, A Time-Out Error Occurs

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Tip: If you do not want to revert to the factory default settings and lose your configuration settings, you can reboot the wireless VPN firewall and use a sniffer to capture packets sent during the reboot. Look at the ARP packets to locate the wireless VPN firewall’s LAN interface address.
  • Page 323: Troubleshoot The Isp Connection

    To check the WAN IP address: Launch your browser and navigate to an external site such as www.netgear.com. Access the web management interface of the wireless VPN firewall’s configuration at https://192.168.1.1. Select Network Configuration > WAN Settings. The WAN Settings screen displays.
  • Page 324: Troubleshooting The Ipv6 Connection

    A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP provides the addresses of one or two DNS servers for your use. You can configure your PC manually with DNS addresses, as explained in your operating system documentation.
  • Page 325 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Windows Server 2003, all versions; Windows Server 2003 R2, all versions; Linux and other UNIX-based systems with a correctly configured kernel; Mac OS X • Make sure that IPv6 is enabled on the computer. On a computer that runs a...
  • Page 326 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N c. Click or double-click View status of this connection. The Local Area Connection Status screen displays: Figure 187. d. Make sure that Internet access shows for the IPv6 connection. (The previous screen shows that there is no Internet access.) e.
  • Page 327: Troubleshoot A Tcp/Ip Network Using A Ping Utility

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N f. Make sure that an IPv6 address shows. The previous screen does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start with FE80.
  • Page 328: Test The Path From Your Pc To A Remote Device

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Test the Path from Your PC to a Remote Device After verifying that the LAN path works correctly, test the path from your PC to a remote device. From the Windows Run dialog box, type: ping -n 10 <IP address>...
  • Page 329 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 189. b. Click the Default button. The wireless VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible, or a status message with a counter might show the number of seconds left until the reboot process is complete.
  • Page 330: Address Problems With Date And Time

    Adjust for Daylight Savings Time check box. Access the Knowledge Base and Documentation To access NETGEAR’s knowledge base for the wireless VPN firewall: Select Support > Knowledge Base. To access NETGEAR’s documentation library for your wireless VPN firewall model: Select Support > Documentation.
  • Page 331: Appendix A Default Settings And Technical Specifications

    Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the wireless VPN firewall in the following sections: • Default Settings • Physical and Technical Specifications Default Settings You can use the factory default Reset button located on the rear panel to reset all settings to their factory defaults.
  • Page 332 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 81. Wireless VPN firewall factory default configuration settings (continued) Feature Default behavior Internet connection WAN MAC address Use default address WAN MTU size 1500 Port speed AutoSense Local area network (LAN) LAN IPv4 address 192.168.1.1...
  • Page 333: Physical And Technical Specifications

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 81. Wireless VPN firewall factory default configuration settings (continued) Feature Default behavior Wireless radio and access point Wireless radio Enabled Default virtual access point Default network name (SSID) FVS318N_1 Broadcast SSID Enabled...
  • Page 334 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 82. Wireless VPN firewall physical and technical specifications (continued) Feature Specification Dimensions and weight Dimensions (W x H x D) 19 x 12.5 x 3.5 cm (7.5 X 4.9 X 1.4 in) Weight 0.59 kg (1.3 lb)
  • Page 335 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 83. Wireless VPN firewall IPSec VPN specifications (continued) Setting Specification IPSec authentication types Local user database, RADIUS PAP, RADIUS CHAP IPSec certificates supported CA certificates, self-signed certificate The following table shows the SSL VPN specifications for the wireless VPN firewall: Table 84.
  • Page 336: Appendix B Two-Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. NETGEAR has implemented a more robust authentication system known as two-factor authentication (2FA or T-FA) to help address the fast-growing network security issues.
  • Page 337: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented 2 two-factor authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform two-factor authentication on NETGEAR SSL and VPN firewall products.
  • Page 338 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 190. A one-time passcode (something the user has) is generated. Figure 191. Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration time.
  • Page 339 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 192.
  • Page 340: Appendix C Notification Of Compliance (Wired)

    This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. FCC Declaration Of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies with Part 15 of FCC Rules.
  • Page 341: European Union

    • Consult the dealer or an experienced radio/TV technician for help. Modifications made to the product, unless expressly approved by NETGEAR, Inc., could void the user's right to operate the equipment. Canadian Department of Communications Radio Interference Regulations...
  • Page 342 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Additional Copyrights Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: 1.
  • Page 343 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function.
  • Page 344: Appendix D Notification Of Compliance (Wireless)

    EDOC in Languages of the European Community Language Statement Cesky [Czech] NETGEAR Inc. tímto prohlašuje, že tento Radiolan je ve shode se základními požadavky a dalšími príslušnými ustanoveními smernice 1999/5/ES. Dansk [Danish] Undertegnede NETGEAR Inc. erklærer herved, at følgende udstyr Radiolan overholder de væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF.
  • Page 345 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Español Por medio de la presente NETGEAR Inc. declara que el Radiolan cumple con los [Spanish] requisitos esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva 1999/5/CE. Ελληνική ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ NETGEAR Inc. ΔΗΛΩΝΕΙ ΟΤΙ Radiolan ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ...
  • Page 346: Fcc Declaration Of Conformity

    This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. FCC Declaration of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies with Part 15 Subpart B of FCC CFR47 Rules.
  • Page 347: Canadian Department Of Communications Radio Interference Regulations

    Canadian Department of Communications Radio Interference Regulations This digital apparatus (ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N) does not exceed the Class B limits for radio-noise emissions from digital apparatus as set out in the Radio Interference Regulations of the Canadian Department of Communications.
  • Page 348 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Household Appliance: Recommended Minimum Distance (in feet and meters). Cordless phone - Digital: 30 feet / 9 meters. Bluetooth devices: 20 feet / 6 meters. ZigBee: 20 feet / 6 meters.