NETGEAR ProSafe FVS318N Reference Manual

350 East Plumeria Drive
San Jose, CA 95134
USA
July, 2012
202-10836-04
v1.0
ProSafe Wireless-N 8-Port
Gigabit VPN Firewall
FVS318N
Reference Manual
Summary of Contents for NETGEAR ProSafe FVS318N

  • Page 1 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Reference Manual 350 East Plumeria Drive San Jose, CA 95134 July, 2012 202-10836-04 v1.0...
  • Page 2: Technical Support

    NETGEAR, Inc. Technical Support Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.
  • Page 3 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N (continued) • IPv6 firewall rules (see Configure LAN WAN Rules, Configure DMZ WAN Rules, Configure LAN DMZ Rules, and Examples of Firewall Rules) • IPv6 attack checks (see Attack Checks) • IPv6/MAC bindings (see...
  • Page 4: Table Of Contents

    Chapter 1 Introduction What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? . 10 Key Features and Capabilities ........11 Wireless Features.
  • Page 5 Configure Stateless IP/ICMP Translation ......49 Configure Advanced WAN Options and Other Tasks....50 Additional WAN-Related Configuration Tasks .
  • Page 6 Test the Connection and View Connection and Status Information ..218 Test the NETGEAR VPN Client Connection ....218 NETGEAR VPN Client Status and Log Information .
  • Page 7 View the Wireless VPN Firewall IPSec VPN Log ....221 Manage IPSec VPN Policies ........222 Manage IKE Policies.
  • Page 8 Configure User Accounts ........303 Set User Login Policies .
  • Page 9 What Is Two-Factor Authentication?......401 NETGEAR Two-Factor Authentication Solutions ....401...
  • Page 10: Chapter 1 Introduction

    This chapter provides an overview of the features and capabilities of the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N and explains how to log in to the device and use its web management interface. The chapter contains the following sections: •...
  • Page 11: Key Features And Capabilities

    Advanced stateful packet inspection (SPI) firewall with multi-NAT support • SNMP support with SNMPv1, SNMPv2c, and SNMPv3, and management optimized for the NETGEAR ProSafe Network Management Software (NMS200) over a LAN connection. (SNMPv1 and SNMPv2c authenticate only with a clear-text community string; prefer SNMPv3 with authentication and privacy wherever the management software supports it.) • Front panel LEDs for easy monitoring of status and activity •...
  • Page 12: Advanced Vpn Support For Both Ipsec And Ssl

    • Hidden mode. The SSID is not broadcast in beacons, so only clients configured with the correct SSID will connect. A hidden SSID still appears in probe and association frames and is easily recovered by a passive listener, so treat hidden mode as a convenience rather than an access control; rely on the wireless encryption and authentication settings for that. • Secure and economical operation. Adjustable power output allows more secure or economical operation.
  • Page 13: Security Features

    Security Features The wireless VPN firewall is equipped with several features designed to maintain security: • Computers hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Requests originating from outside the LAN are discarded, preventing users outside the LAN from finding and directly accessing the computers on the LAN. Any inbound firewall rule or DMZ setting you add deliberately reopens such a path, so NAT on its own is no substitute for reviewing those rules.
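The NAT behaviour described above, as an added example in Python. This is not NETGEAR code and not a description of the FVS318N's actual connection-tracking implementation (this manual does not document its port allocation or session timeouts); it is a minimal model with constructed, hypothetical addresses. It shows that the reply to an outbound session is translated back to the LAN host, that a packet from a different remote endpoint to the same mapped port is dropped, that an unsolicited inbound packet is dropped, and that only an explicitly added inbound rule (a port forward) reopens a path from the WAN.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

@dataclass
class StatefulNat:
    """Toy NAT with per-session state. Assumptions: one public address, sequential
    public-port allocation, no timeouts and no TCP state machine (all hypothetical)."""
    public_ip: str
    next_port: int = 1024
    # (proto, lan_ip, lan_port, remote_ip, remote_port) -> allocated public port
    sessions: Dict[Tuple[str, str, int, str, int], int] = field(default_factory=dict)
    # (proto, public_port) -> (lan_ip, lan_port, remote_ip, remote_port)
    by_public_port: Dict[Tuple[str, int], Tuple[str, int, str, int]] = field(default_factory=dict)
    # (proto, public_port) -> (lan_ip, lan_port): explicit inbound rules (port forwards)
    forwards: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)

    def add_inbound_rule(self, proto: str, public_port: int, lan_ip: str, lan_port: int) -> None:
        self.forwards[(proto, public_port)] = (lan_ip, lan_port)

    def lan_to_wan(self, pkt: Packet) -> Packet:
        """Outbound packet: create (or reuse) a session and rewrite the source."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.sessions:
            self.sessions[key] = self.next_port
            self.by_public_port[(pkt.proto, self.next_port)] = (
                pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            self.next_port += 1
        return Packet(pkt.proto, self.public_ip, self.sessions[key], pkt.dst_ip, pkt.dst_port)

    def wan_to_lan(self, pkt: Packet) -> Optional[Packet]:
        """Inbound packet: forward only if it matches a session or an explicit rule."""
        if pkt.dst_ip != self.public_ip:
            return None
        sess = self.by_public_port.get((pkt.proto, pkt.dst_port))
        if sess is not None:
            lan_ip, lan_port, remote_ip, remote_port = sess
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.proto, pkt.src_ip, pkt.src_port, lan_ip, lan_port)
            return None  # mapped port exists, but this is not the peer the LAN host talked to
        fwd = self.forwards.get((pkt.proto, pkt.dst_port))
        if fwd is not None:
            return Packet(pkt.proto, pkt.src_ip, pkt.src_port, fwd[0], fwd[1])
        return None  # unsolicited: discarded

def demo() -> dict:
    """Walk through the four cases with constructed addresses."""
    nat = StatefulNat("198.51.100.1")
    out = nat.lan_to_wan(Packet("tcp", "192.168.1.10", 40000, "203.0.113.5", 443))
    reply = nat.wan_to_lan(Packet("tcp", "203.0.113.5", 443, out.src_ip, out.src_port))
    stranger = nat.wan_to_lan(Packet("tcp", "203.0.113.9", 443, out.src_ip, out.src_port))
    unsolicited = nat.wan_to_lan(Packet("tcp", "203.0.113.9", 5555, "198.51.100.1", 8080))
    nat.add_inbound_rule("tcp", 8080, "192.168.1.20", 80)  # the deliberate hole
    forwarded = nat.wan_to_lan(Packet("tcp", "203.0.113.9", 5555, "198.51.100.1", 8080))
    return {"outbound": out, "reply": reply, "stranger": stranger,
            "unsolicited": unsolicited, "forwarded": forwarded}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:12s} -> {pkt}")
```

The `stranger` case is what distinguishes a stateful NAT from a plain port mapper: knowing a mapped port is not enough, the inbound packet must also come from the endpoint the session was opened to.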
  • Page 14: Easy Installation And Management

    Internet connection, asking you only for the information required for your type of ISP account. • IPSec VPN Wizard. The wireless VPN firewall includes the NETGEAR IPSec VPN Wizard so you can easily configure IPSec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC). This ensures that the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and clients.
  • Page 15: Maintenance And Support

    Maintenance and Support NETGEAR offers the following features to help you maximize your use of the wireless VPN firewall: • Flash memory for firmware upgrades. • Technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR website at http://support.netgear.com/app/answers/detail/a_id/212.
  • Page 16 The front panel also contains three groups of status indicator light-emitting diodes (LEDs), including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in detail in the following table. Some LED explanation is provided on the front panel.
  • Page 17 Table 1. LED descriptions (continued) Activity Description LAN Ports Left LED The LAN port has no link. On (green) The LAN port has detected a link with a connected Ethernet device. Blinking (green) Data is being transmitted or received by the LAN port.
  • Page 18: Rear Panel

    Rear Panel The rear panel of the wireless VPN firewall includes the antennas, a cable lock receptacle, a console port, a Reset button, a DC power connection, and a power switch. Antennas (1) and (7)
  • Page 19: Bottom Panel With Product Label

    Bottom Panel with Product Label The product label on the bottom of the wireless VPN firewall’s enclosure displays factory defaults settings, regulatory compliance, and other information. Figure 3. Choose a Location for the Wireless VPN Firewall The wireless VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack.
  • Page 20: Log In To The Wireless Vpn Firewall

    To connect the wireless VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Guide. A PDF of this guide is on the NETGEAR support website at http://support.netgear.com/app/products/model/a_id/19435.
  • Page 21 Figure 4. In the User Name field, type admin. Use lowercase letters. In the Password / Passcode field, type password. Here, too, use lowercase letters. These are the factory default credentials and are public knowledge; change the password at the first login (see Change Passwords and Administrator and Guest Settings). Note: The wireless VPN firewall user name and password are not the same as any user name or password you might use to log in to your Internet connection.
  • Page 22: Web Management Interface Menu Layout

    Figure 5. Web Management Interface Menu Layout The following figure shows the menu at the top of the web management interface: IP radio buttons 3rd level: Submenu tab (blue) 2nd level: Configuration menu link (gray)
  • Page 23 • 2nd level: Configuration menu links. The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.
  • Page 24: Requirements For Entering Ip Addresses

    Any of the following table buttons might display onscreen: • Select All. Select all entries in the table. • Delete. Delete the selected entry or entries from the table. • Enable. Enable the selected entry or entries in the table.
  • Page 25: Chapter 2 Ipv4 And Ipv6 Internet And Broadband Settings

    IPv4 and IPv6 Internet and Broadband Settings This chapter explains how to configure the Internet and WAN settings. The chapter contains the following sections: • Internet and WAN Configuration Tasks • Configure the IPv4 Internet Connection and WAN Settings • Configure the IPv6 Internet Connection and WAN Settings •...
  • Page 26: Tasks To Set Up An Ipv6 Internet Connection To Your Isp

    (Optional) Configure Dynamic DNS on the WAN port. If required, configure your fully qualified domain names: See Configure Dynamic DNS on page 35. (Optional) Configure the WAN options. If required, change the factory default MTU size,...
  • Page 27: Configure The Ipv4 Wan Mode

    Configure the IPv4 WAN Mode By default, IPv4 is supported and functions in NAT mode but can also function in classical routing mode. IPv4 functions the same way in IPv4-only mode that it does in IPv4 / IPv6 mode.
  • Page 28: Let The Wireless Vpn Firewall Automatically Detect And Configure An Ipv4 Internet Connection

    Figure 9. Select the NAT radio button or the Classical Routing radio button. WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings. Click Apply to save your settings.
  • Page 29 Figure 10. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
  • Page 30 Table 2. IPv4 Internet connection methods Connection Method Manual Data Input Required DHCP (Dynamic IP) No manual data input is required. PPPoE The following fields are required: • Login • Password • Account Name •...
  • Page 31: Manually Configure An Ipv4 Internet Connection

    The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection...
  • Page 32 Figure 13. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table: Table 3. PPTP and PPPoE settings Setting Description Austria (PPTP)
  • Page 33 Table 3. PPTP and PPPoE settings (continued) Setting Description Other (PPPoE) If you have installed login software, then your connection type is PPPoE. Select this radio button, and enter the following settings: Note:...
  • Page 34 Table 4. Internet IP address settings Setting Description Get Dynamically from ISP If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the wireless VPN firewall using the DHCP network protocol.
  • Page 35: Configure Dynamic Dns

    Click Apply to save your changes. Click Test to evaluate your entries. The wireless VPN firewall attempts to make a connection according to the settings that you entered. To verify the connection, click the Broadband Status option arrow in the upper right of the screen to display the Connection Status pop-up screen.
  • Page 36 After you have configured your account information on the wireless VPN firewall, when your ISP-assigned IP address changes, your wireless VPN firewall automatically contacts your DDNS service provider, logs in to your account, and registers your new IP address.
  • Page 37: Configure The Ipv6 Internet Connection And Wan Settings

    Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/). Configure the DDNS service settings as explained in the following table: Table 6. DDNS service settings...
  • Page 38: Configure The Ipv6 Routing Mode

    • Isolated IPv6 network. If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you need to make sure that the IPv6 packets can travel over the IPv4 Internet backbone;...
  • Page 39: Use A Dhcpv6 Server To Configure An Ipv6 Internet Connection

    Figure 18. Select the IPv4 / IPv6 mode radio button. By default, the IPv4 only mode radio button is selected, and IPv6 is disabled. WARNING: Changing the IP routing mode causes the wireless VPN firewall to reboot.
  • Page 40 • Stateful address autoconfiguration. The wireless VPN firewall obtains an interface address, configuration information such as DNS server information, and other parameters from a DHCPv6 server. The IP address is a dynamic address.
  • Page 41: Configure A Static Ipv6 Internet Connection

    As an optional step: If you have selected the Stateless Address Auto Configuration radio button, you can select the Prefix Delegation check box: • Prefix delegation check box is selected. A prefix is assigned by the ISP’s stateful DHCPv6 server through prefix delegation, for example, 2001:db8::/64.
  • Page 42 Figure 21. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6. In the Static IP Address section of the screen, enter the settings as explained in the following table.
  • Page 43: Configure A Pppoe Ipv6 Internet Connection

    Click Apply to save your changes. To verify the connection, click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration;...
  • Page 44 Figure 23. In the Internet Address section of the screen, from the IPv6 drop-down list, select PPPoE. In the PPPoE IPv6 section of the screen, enter the settings as explained in the following table.
  • Page 45 Table 8. Broadband ISP Settings screen settings for a PPPoE IPv6 connection (continued) Setting Description DHCPv6 Option From the DHCPv6 Option drop-down list, select one of the following DHCPv6 server options, as directed by your ISP: •...
  • Page 46: Configure 6To4 Automatic Tunneling

    Configure 6to4 Automatic Tunneling If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you need to make sure that the IPv6 packets can travel over the IPv4 Internet backbone by enabling automatic 6to4 tunneling.
  • Page 47: Configure Isatap Automatic Tunneling

    Select the Enable Automatic Tunneling check box. Click Apply to save your changes. Configure ISATAP Automatic Tunneling If your network is an IPv4 network or IPv6 network that consists of both IPv4 and IPv6...
  • Page 48 Figure 25. Click the Add table button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays: Figure 26. Specify the tunnel settings as explained in the following table.
  • Page 49: View The Tunnel Status And Ipv6 Addresses

    Modify the settings as explained in the previous table. Click Apply to save your settings. To delete one or more tunnels: On the ISATAP Tunnels screen, select the check box to the left of each tunnel that you want to delete, or click the Select All table button to select all tunnels.
  • Page 50: Configure Advanced Wan Options And Other Tasks

    For SIIT to function, the routing mode needs to be IPv4 / IPv6. NETGEAR’s implementation of SIIT lets you enter a single IPv4 address on the SIIT screen. This IPv4 address is then used in the IPv4-translated address for IPv6 devices to enable communication between IPv4-only devices on the wireless VPN firewall’s LAN and IPv6-only devices on the WAN.
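The three transition mechanisms on pages 46, 47 and 50 (6to4, ISATAP and SIIT) all work by embedding an IPv4 address inside an IPv6 address, and the point a practitioner needs to check is whether the embedded address is consistent with the IPv4 packet that carried it. The following is an added example, not NETGEAR code, showing the address derivations with Python's standard `ipaddress` module: the 6to4 prefix 2002:WWXX:YYZZ::/48 (RFC 3056), the ISATAP interface identifier ::0:5efe:w.x.y.z or ::200:5efe:w.x.y.z (RFC 5214), the IPv4-mapped form ::ffff:a.b.c.d and the IPv4-translated form ::ffff:0:a.b.c.d from the original SIIT specification (RFC 2765), plus the anti-spoofing consistency check that RFC 3964 recommends for tunnel decapsulation. All addresses below are constructed; it is an assumption that the wireless VPN firewall's "IPv4-translated address" uses the RFC 2765 form. Note also that 6to4 was formally deprecated by RFC 7526 in 2015; where an IPv6 ISP is available, prefer native connectivity.

```python
import ipaddress

RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
SIXTOFOUR = ipaddress.IPv6Network("2002::/16")          # 2002:WWXX:YYZZ::/48 per public IPv4
MAPPED = ipaddress.IPv6Network("::ffff:0:0/96")          # IPv4-mapped      ::ffff:a.b.c.d
TRANSLATED = ipaddress.IPv6Network("::ffff:0:0:0/96")    # IPv4-translated  ::ffff:0:a.b.c.d (RFC 2765 SIIT, assumed)

def _v4(ip) -> ipaddress.IPv4Address:
    return ipaddress.IPv4Address(ip)

def is_rfc1918(ip) -> bool:
    return any(_v4(ip) in n for n in RFC1918)

def sixtofour_prefix(ipv4) -> ipaddress.IPv6Network:
    """6to4 site prefix: the 32-bit IPv4 address sits in bits 16..47 of 2002::/16."""
    a = _v4(ipv4)
    if is_rfc1918(ipv4) or a.is_loopback or a.is_multicast or a.is_link_local:
        raise ValueError("6to4 requires a globally routable IPv4 address")
    return ipaddress.IPv6Network(((0x2002 << 112) | (int(a) << 80), 48))

def isatap_address(prefix, ipv4) -> ipaddress.IPv6Address:
    """ISATAP address for a /64 prefix: IID is 0000:5efe:<IPv4>, or 0200:5efe:<IPv4>
    (u bit set) when the IPv4 address is globally unique."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP interface identifiers need a /64 prefix")
    iid = ((0x00005EFE if is_rfc1918(ipv4) else 0x02005EFE) << 32) | int(_v4(ipv4))
    return ipaddress.IPv6Address(int(net.network_address) | iid)

def ipv4_mapped(ipv4) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(int(MAPPED.network_address) | int(_v4(ipv4)))

def ipv4_translated(ipv4) -> ipaddress.IPv6Address:
    return ipaddress.IPv6Address(int(TRANSLATED.network_address) | int(_v4(ipv4)))

def embedded_ipv4(ipv6):
    """Return (kind, IPv4Address) if the IPv6 address embeds an IPv4 address, else None."""
    a = ipaddress.IPv6Address(ipv6)
    n = int(a)
    if a in SIXTOFOUR:
        return "6to4", ipaddress.IPv4Address((n >> 80) & 0xFFFFFFFF)
    if a in MAPPED:
        return "ipv4-mapped", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if a in TRANSLATED:
        return "ipv4-translated", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    if ((n >> 32) & 0xFDFFFFFF) == 0x00005EFE:   # mask out the u bit: 0000:5efe or 0200:5efe
        return "isatap", ipaddress.IPv4Address(n & 0xFFFFFFFF)
    return None

def tunnel_source_consistent(outer_ipv4_src, inner_ipv6_src) -> bool:
    """RFC 3964 style check at decapsulation: for 6to4 and ISATAP the IPv4 address
    embedded in the inner IPv6 source must equal the outer IPv4 source, otherwise
    the packet is spoofing a different site and should be dropped."""
    found = embedded_ipv4(inner_ipv6_src)
    if found is None:
        return True   # nothing embedded to compare against; other policy applies
    kind, v4 = found
    if kind in ("6to4", "isatap"):
        return v4 == _v4(outer_ipv4_src)
    return True

if __name__ == "__main__":
    print("6to4 prefix for 198.51.100.1:", sixtofour_prefix("198.51.100.1"))
    print("ISATAP fe80::/64 + 192.168.1.10:", isatap_address("fe80::/64", "192.168.1.10"))
    print("SIIT translated 10.0.0.5:", ipv4_translated("10.0.0.5"))
    print("spoof check:", tunnel_source_consistent("203.0.113.7", "2002:c633:6401::1"))
```

`embedded_ipv4` is the piece worth keeping around: run it over the inner source of anything that arrives through a tunnel, and compare it with the outer IPv4 source before letting the packet reach the LAN.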
  • Page 51 Figure 29. Enter the settings as explained in the following table: Table 10. Broadband Advanced Options screen settings Setting Description MTU Size Make one of the following selections: Default Select the Default radio button for the normal maximum transmit unit (MTU) value.
  • Page 52 Table 10. Broadband Advanced Options screen settings (continued) Setting Description Speed In most cases, the wireless VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed.
  • Page 53: Additional Wan-Related Configuration Tasks

    (see Configure Remote Management Access on page 331). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator and Guest Settings on page 329). You can set up the traffic meter for the WAN interface, if you wish. See...
  • Page 54: Chapter 3 Lan Configuration

    LAN Configuration This chapter describes how to configure the LAN features of your wireless VPN firewall. The chapter contains the following sections: • Manage IPv4 Virtual LANs and DHCP Options • Configure IPv4 Multihome LAN IP Addresses on the Default VLAN •...
  • Page 55: Port-Based Vlans

    same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, depending on how the IT manager has set up the VLANs.
  • Page 56: Assign And Manage Vlan Profiles

    When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets.
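What "tagged" and "untagged" mean on the wire, as an added example that is not NETGEAR code and does not describe the FVS318N's own switch logic: a parser for 802.1Q-tagged Ethernet frames and a port ingress decision built on it. The port policy (untagged frames get the port's PVID, a single tag is accepted only for VLANs the port is a member of, stacked tags are dropped) is a common hardening choice that this example assumes; stacked tags are how double-tagging VLAN-hopping attempts look at an access port. Frames are constructed in the block.

```python
import struct

TPIDS = {0x8100: "802.1Q", 0x88A8: "802.1ad (S-tag)", 0x9100: "QinQ (legacy)"}

def build_frame(dst: str, src: str, vids, ethertype: int = 0x0800,
                payload: bytes = b"\x00" * 46) -> bytes:
    """Build an Ethernet frame with zero or more stacked 802.1Q tags (PCP 0, DEI 0)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for vid in vids:
        if not 0 <= vid <= 4094:          # 0 = priority-tagged only; 4095 is reserved
            raise ValueError("VID must be 0..4094")
        hdr += struct.pack("!HH", 0x8100, vid)
    return hdr + struct.pack("!H", ethertype) + payload

def parse_frame(frame: bytes) -> dict:
    """Walk the tag stack: TPID(2) TCI(2) repeats until a non-TPID ethertype appears.
    TCI = PCP(3 bits) | DEI(1 bit) | VID(12 bits)."""
    if len(frame) < 14:
        raise ValueError("frame too short")
    tags, off = [], 12
    while True:
        if len(frame) - off < 2:
            raise ValueError("truncated after tag")
        (etype,) = struct.unpack_from("!H", frame, off)
        off += 2
        if etype not in TPIDS:
            break
        if len(frame) - off < 2:
            raise ValueError("truncated TCI")
        (tci,) = struct.unpack_from("!H", frame, off)
        off += 2
        tags.append({"tpid": etype, "pcp": tci >> 13, "dei": (tci >> 12) & 1, "vid": tci & 0x0FFF})
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": etype, "payload": frame[off:]}

def ingress_decision(frame: bytes, pvid: int, member_vids) -> tuple:
    """Assumed port policy. Returns (verdict, vid the frame is placed in or carried)."""
    f = parse_frame(frame)
    if not f["tags"]:
        return ("accept-untagged", pvid)                 # untagged -> port's native VLAN
    if len(f["tags"]) > 1:
        return ("drop-double-tagged", f["tags"][0]["vid"])  # stacked tags: hopping attempt
    vid = f["tags"][0]["vid"]
    if vid == 0:
        return ("accept-priority-tagged", pvid)          # VID 0 carries only priority
    if vid in member_vids:
        return ("accept-tagged", vid)
    return ("drop-not-member", vid)

if __name__ == "__main__":
    bcast, host = "ff:ff:ff:ff:ff:ff", "02:00:00:00:00:01"   # constructed addresses
    for vids in ([], [10], [20], [1, 20]):
        print(vids, ingress_decision(build_frame(bcast, host, vids), pvid=1, member_vids={1, 10}))
```

The decision to drop stacked tags at a port that faces end stations is the practical defence: the double-tag trick only works when the first tag matches the native VLAN of a trunk and the switch strips it before forwarding the inner tag onward.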
  • Page 57: Vlan Dhcp Options

    Figure 30. For each VLAN profile, the following fields display in the VLAN Profiles table: • Check box. Allows you to select the VLAN profile in the table. • Status icon. Indicates the status of the VLAN profile: Green circle.
  • Page 58 DHCP Server The default VLAN (VLAN 1) has the DHCP server option enabled by default, allowing the wireless VPN firewall to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the wireless VPN firewall’s LAN. The assigned default gateway address is the LAN address of the wireless VPN firewall.
  • Page 59: Configure A Vlan Profile

    LDAP Server A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server. For each VLAN, you can specify an LDAP server and a search base that defines the location in the directory (that is, the directory tree) from which the LDAP search begins.
  • Page 60 Click the Add table button under the VLAN Profiles table. The Add VLAN Profile screen displays: Figure 32. LAN Configuration...
  • Page 61 Enter the settings as explained in the following table: Table 11. Add VLAN Profile screen settings Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile. VLAN ID Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. (802.1Q VLAN IDs range from 1 to 4094.)
  • Page 62 Table 11. Add VLAN Profile screen settings (continued) Setting Description Enable DHCP Server Select the Enable DHCP Server radio button to enable the wireless VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.
  • Page 63 • OU (for organizational unit) • O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net (In standard LDAP usage the search base is the container, for example dc=Netgear,dc=net, and the name to match belongs in the search filter; follow the layout of your own directory.) Port The port number for the LDAP server. The default setting is 0 (zero), which is not a usable port; set the port your directory server listens on (389 for plain LDAP, 636 for LDAP over TLS).
  • Page 64: Configure Vlan Mac Addresses And Lan Advanced Settings

    To edit a VLAN profile: On the LAN Setup screen for IPv4 (see Figure 31 on page 59), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays.
  • Page 65: Configure Ipv4 Multihome Lan Ip Addresses On The Default Vlan

    Figure 33. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by default for the default VLAN.)
  • Page 66 To add a secondary LAN IPv4 address: Select Network Configuration > LAN Setup > LAN Multi-homing. In the upper right of the screen, the IPv4 radio button is selected by default. The LAN Multi-homing screen displays the IPv4 settings.
  • Page 67: Manage Ipv4 Groups And Hosts (Ipv4 Lan Groups)

    To delete one or more secondary LAN IP addresses: On the LAN Multi-homing screen for IPv4 (see the previous figure), select the check box to the left of each secondary IP address that you want to delete, or click the Select All table button to select secondary IP addresses.
  • Page 68: Manage The Network Database

    • There is no need to use a fixed IP address on a computer. Because the IP address allocated by the DHCP server never changes, you do not need to assign a fixed IP address to a computer to ensure that it always has the same IP address.
  • Page 69 The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display: • Check box. Allows you to select the computer or device in the table.
  • Page 70 Table 12. Add Known PCs and Devices section settings (continued) Setting Description IP Address Enter the IP address that this computer or device is assigned to: • If the IP address type is Fixed (set on PC), the IP address needs to be outside of the address range that is allocated to the DHCP server pool to prevent the IP address from also being allocated by the DHCP server.
  • Page 71: Change Group Names In The Network Database

    Figure 36. Modify the settings as explained in Table 12 on page 69. Click Apply to save your settings in the Known PCs and Devices table. Deleting Computers or Devices from the Network Database ...
  • Page 72: Set Up Dhcp Address Reservation

    Click the Edit Group Names option arrow to the right of the LAN submenu tabs. The Network Database Group Names screen displays. (The following figure shows some examples.) Figure 37. Select the radio button next to the group name that you want to edit.
  • Page 73: Manage The Ipv6 Lan

    Note: The saved binding is also displayed on the IP/MAC Binding screen (see Figure 99 on page 186). Manage the IPv6 LAN • DHCPv6 Server Options • Configure the IPv6 LAN • Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN An IPv6 LAN typically functions with site-local and link-local unicast addresses.
  • Page 74 DHCPv6 server. For stateless DHCPv6, you need to configure the RADVD and advertisement prefixes (see Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN on page 80). Stateless DHCPv6 Server With Prefix Delegation As an option for a stateless DHCPv6 server, you can enable prefix delegation.
  • Page 75: Configure The Ipv6 Lan

    Configure the IPv6 LAN To configure the IPv6 LAN settings: Select Network Configuration > LAN Setup. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings.
  • Page 76 Enter the settings as explained in the following table. The IPv6 address pools and prefixes for prefix delegation are explained in the sections following the table. Table 13. LAN Setup screen settings for IPv6...
  • Page 77 Table 13. LAN Setup screen settings for IPv6 (continued) Setting Description DHCP Status (continued) Server Preference Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting.
  • Page 78 Figure 39. Enter the settings as explained in the following table: Table 14. LAN IPv6 Config screen settings Setting Description Start IPv6 Address Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool.
  • Page 79 IPv6 LAN Prefixes for Prefix Delegation If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation check box (both on the ISP Broadband Settings screen for IPv6 and on the LAN Setup screen for IPv6), a prefix delegation pool is automatically added to the List of Prefixes for Prefix Delegation table.
  • Page 80: Configure The Ipv6 Router Advertisement Daemon And Advertisement Prefixes For The Lan

    Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Daemon (RADVD) and advertisement prefixes.
  • Page 81 To configure the Router Advertisement Daemon for the LAN: Select Network Configuration > LAN Setup. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays...
  • Page 82: Advertisement Prefixes For The Lan

    Table 16. RADVD screen settings for the LAN (continued) Setting Description Advertise Interval Enter the advertisement interval of unsolicited multicast packets in seconds. The minimum value is 10 seconds; the maximum value is 1800 seconds.
  • Page 83 Figure 42. Enter the settings as explained in the following table: Table 17. Add Advertisement Prefix screen settings for the LAN Setting Description IPv6 Prefix Type Specify the IPv6 prefix type by making a selection from the drop-down list: •...
  • Page 84: Configure Ipv6 Multihome Lan Ip Addresses On The Default Vlan

    To delete one or more advertisement prefixes: On the RADVD screen for the LAN (see Figure 41 on page 81), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
  • Page 85: Enable And Configure The Dmz Port For Ipv4 And Ipv6 Traffic

    The Available Secondary LAN IPs table displays the secondary LAN IP addresses added to the wireless VPN firewall. In the Add Secondary LAN IP Address section of the screen, enter the following settings: •...
  • Page 86: Dmz Port For Ipv4 Traffic

    firewall can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports.
  • Page 87 Figure 44. Enter the settings as explained in the following table: Table 18. DMZ Setup screen settings for IPv4 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: •...
  • Page 88 Table 18. DMZ Setup screen settings for IPv4 (continued) Setting Description Do you want to enable DMZ Port? (continued) Subnet Mask Enter the IP subnet mask of the DMZ port. The subnet mask specifies the network number portion of an IP address. The subnet mask for the DMZ port is 255.255.255.0.
  • Page 89: Dmz Port For Ipv6 Traffic

  • Page 90 For the DMZ, there are two DHCPv6 server options: • Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCPv6 server.
  • Page 91 Enter the settings as explained in the following table: Table 19. DMZ Setup screen settings for IPv6 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: •...
  • Page 92 Table 19. DMZ Setup screen settings for IPv6 (continued) Setting Description DHCP Status (continued) DNS Server Select one of the DNS server options from the drop-down lists: • Use DNS Proxy. The wireless VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS...
  • Page 93: Configure The Ipv6 Router Advertisement Daemon And Advertisement Prefixes For The Dmz

    Enter the settings as explained in the following table: Table 20. DMZ IPv6 Config screen settings Setting Description Start IPv6 Address Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool.
  • Page 94 Hosts and routers in the LAN use NDP to determine the link-layer addresses and related information of neighbors in the LAN that can forward packets on their behalf. The wireless VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ.
  • Page 95 Figure 47. Enter the settings as explained in the following table: Table 22. RADVD screen settings for the DMZ Setting Description RADVD Status Specify the RADVD status by making a selection from the drop-down list: •...
  • Page 96: Advertisement Prefixes For The Dmz

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 22. RADVD screen settings for the DMZ (continued) Setting Description RA Flags Specify what type of information the DHCPv6 server provides in the DMZ by making a selection from the drop-down list: •...
  • Page 97 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 48. Enter the settings as explained in the following table: Table 23. Add Advertisement Prefix screen settings for the DMZ Setting Description IPv6 Prefix Type Specify the IPv6 prefix type by making a selection from the drop-down list: •...
  • Page 98: Manage Static Ipv4 Routing

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To delete one or more advertisement prefixes: On the RADVD screen for the DMZ screen (see Figure 47 on page 95), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
  • Page 99 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click the Add table button under the Static Routes table. The Add Static Route screen displays: Figure 50. Enter the settings as explained in the following table: Table 24. Add Static Route screen settings for IPv4...
  • Page 100: Configure The Routing Information Protocol

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To edit an IPv4 static route: On the Static Routing screen for IPv4 (see Figure 49 on page 98), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays.
  • Page 101 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 51. Enter the settings as explained in the following table: Table 25. RIP Configuration screen settings Setting Description RIP Direction From the RIP Direction drop-down list, select the direction in which the wireless VPN firewall sends and receives RIP packets: •...
  • Page 102 Table 25. RIP Configuration screen settings (continued) Setting Description RIP Version By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version: • RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version, but it carries no authentication, so any host on the segment can inject routes into your routing table; if you need dynamic routing, prefer RIP-2, which can authenticate its updates, and enable RIP only on interfaces you trust.
  • Page 103: Ipv4 Static Route Example

    RIP is activated. Manage Static IPv6 Routing At this time, NETGEAR’s implementation of IPv6 does not support RIP next generation (RIPng) to exchange routing information, and dynamic changes to IPv6 routes are not possible. To enable routers to exchange information over a static IPv6 route, you need to manually configure the static route information on each router.
  • Page 104 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 52. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing screen displays: Figure 53. Enter the settings as explained in the following table: Table 26. Add IPv6 Static Routing screen settings...
  • Page 105 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 26. Add IPv6 Static Routing screen settings (continued) Setting Description Interface From the drop-down list, select the physical or virtual network interface (WAN1, sit0 Tunnel, LAN, or DMZ interface) through which the route is accessible.
  • Page 106: Chapter 4 Wireless Configuration And Security

    Wireless Configuration and Security This chapter describes how to configure the wireless features of your ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N. This chapter includes the following sections: • Overview of the Wireless Features • Configure the Basic Radio Settings •...
  • Page 107: Wireless Equipment Placement And Range Guidelines

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N (NIC) through an antenna. Typically, an individual in-building wireless access point provides a maximum connectivity area of about a 300-foot radius. The wireless VPN firewall can support a small group of wireless users—typically 10 to 32 users.
  • Page 108: Configure The Basic Radio Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the Basic Radio Settings The radio settings apply to all wireless profiles on the wireless VPN firewall. The default wireless mode is 802.11ng. You can change the wireless mode, country, and many other...
  • Page 109 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 27. Radio Settings screen settings (continued) Setting Descriptions Mode Specify the wireless mode in the 2.4-GHz band by making a selection from the drop-down list: • g and b. In addition to 802.11b- and 802.11g-compliant devices, 802.11n-compliant devices can connect to the wireless access point because...
  • Page 110: Operating Frequency (Channel) Guidelines

    If more than one wireless access point can be used, the one with the strongest signal is used. This can happen only when the wireless access points use the same SSID. The FVS318N wireless VPN firewall functions in infrastructure mode by default.
  • Page 111: Wireless Data Security Options

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Wireless Data Security Options Indoors, computers can connect over 802.11n wireless networks at a maximum range of 300 feet. Typically, a wireless VPN firewall inside a building works best with devices within a 100 foot radius.
  • Page 112: Wireless Security Profiles

    For more information about how to configure WPA+WPA2 mixed mode, see Configure and Enable Wireless Profiles on page 115. Note: TKIP provides only legacy (slower) rates of operation, because the 802.11n standard does not permit high-throughput rates with TKIP. TKIP is also deprecated (it still relies on RC4) and should be enabled only for legacy clients that cannot use CCMP. NETGEAR recommends WPA2 with CCMP (AES) to make use of 802.11n rates and speed. Wireless Security Profiles •...
  • Page 113 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Each wireless profile provides the following features: • Capability to turn off the wireless profile during scheduled vacations and office shutdowns, on evenings, or on weekends. This a green feature that allows you to save energy.
  • Page 114: Before You Change The Ssid, Wep, And Wpa Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Before You Change the SSID, WEP , and WPA Settings For a new wireless network, print or copy the following form and fill in the settings. For an existing wireless network, the network administrator can provide this information. Be sure to set the Country/Region correctly as the first step.
  • Page 115: Configure And Enable Wireless Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure and Enable Wireless Profiles  To add a wireless profile: Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. (The following figure shows some examples.) Figure 56.
  • Page 116 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 57. Specify the settings as explained in the following table: Table 29. Add Wireless Profiles screen settings Setting Description Wireless Profile Configuration Profile Name The name for the default wireless profile is default1. You cannot change this name.
  • Page 117 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 29. Add Wireless Profiles screen settings (continued) Setting Description SSID The wireless network name (SSID) for the wireless profile. The default SSID name is FVS318N_1. You can change this name by entering up to 32 alphanumeric characters.
  • Page 118 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 29. Add Wireless Profiles screen settings (continued) Setting Description Encryption The encryption that you can select depends on the type of WPA security that you have selected: Note: WPA, WPA2, and • WPA. You can select the following encryption from the drop-down list: WPA+WPA2 only.
  • Page 119 Table 29. Add Wireless Profiles screen settings (continued) Setting Description WEP Index and Keys Authentication Specify the authentication by making a selection from the drop-down list: • Open System. Select this option to use WEP encryption without authentication. Note that WEP itself is cryptographically broken: its keys can be recovered from captured traffic in minutes, so choose WEP only for legacy devices that cannot use WPA2, and treat a WEP network as untrusted.
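The WPA/WPA2 passphrase configured in a wireless profile is never used directly; the access point and client both derive a 256-bit pairwise master key (PMK) from it with PBKDF2-HMAC-SHA1, salted with the SSID, over 4096 iterations, and the four-way handshake proves possession of that PMK. The following Python example, added here and not part of the NETGEAR manual, derives the PMK exactly as IEEE 802.11i specifies and then runs the offline dictionary check an attacker performs after capturing a handshake. The SSID FVS318N_1 is the manual's default; the candidate passphrases and the demo values are constructed for the example.

```python
import hashlib
import hmac
from typing import Iterable, Optional


def wpa2_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK from a WPA/WPA2-Personal passphrase as IEEE 802.11i specifies:
    PBKDF2-HMAC-SHA1 with the SSID as salt and 4096 iterations. The PMK is what the
    four-way handshake proves possession of, so it is exactly what an offline attacker guesses."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA/WPA2 passphrases are 8 to 63 ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32)


def recover_passphrase(pmk_hex: str, ssid: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check against a known PMK: each guess costs one PBKDF2 run and nothing
    is sent to the access point, which is why a short or common passphrase falls quickly."""
    target = bytes.fromhex(pmk_hex)
    for guess in candidates:
        if hmac.compare_digest(wpa2_pmk(guess, ssid), target):
            return guess
    return None


if __name__ == "__main__":
    # Constructed demo: the manual's default SSID with a weak passphrase.
    weak = wpa2_pmk("password", "FVS318N_1")
    print("PMK for default SSID:", weak.hex())
    print("recovered:", recover_passphrase(weak.hex(), "FVS318N_1", ["letmein1", "password", "12345678"]))
```

Because the SSID is the salt, a network that keeps the factory SSID can be attacked with precomputed tables for that SSID; change the SSID and use a long random passphrase so that each guess costs the attacker a full PBKDF2 computation with no shortcut.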
  • Page 120: Restrict Wireless Access By Mac Address

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To edit a wireless profile: On the Wireless Profiles screen (see Figure 56 on page 115), click the Edit button in the Action column for the wireless profile that you want to modify. The Edit Profiles screen displays.
  • Page 121  To allow or restrict access based on MAC addresses: On the Wireless Profiles screen (see Figure 56 on page 115), click the ACL button in the ACL column for the wireless profile for which you want to set up access control. The MAC Address Filtering screen displays. Keep in mind that a MAC ACL is a convenience control, not authentication: client MAC addresses are transmitted in the clear and can be cloned by anyone within radio range, so the ACL complements WPA2 encryption rather than replacing it.
  • Page 122: View The Status Of A Wireless Profile

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N WARNING: When you configure the wireless VPN firewall from a wireless computer whose MAC address is not in the access control list and when the ACL policy status is set to deny access, you will lose your wireless connection when you click Apply.
  • Page 123: Configure Wi-Fi Protected Setup

    To use WPS, make sure that your wireless devices are Wi-Fi certified and support WPS. NETGEAR products that use WPS call it Push 'N' Connect. You can use a WPS button or the wireless router interface method to add wireless computers and devices to your wireless network. Leave WPS enabled only while you are enrolling a device: the WPS PIN method validates its 8-digit PIN in two halves, which makes the PIN brute-forceable on implementations that do not lock out after repeated failures, so prefer the push-button method and disable WPS when you are finished.
  • Page 124 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To enable WPS and initiate the WPS process on the wireless VPN firewall: Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays (see Figure 56 on page 115).
  • Page 125: Configure Advanced Radio Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Push button configuration (PBC) method: a. Click the PBC button. b. Within 2 minutes, press the WPS button on your wireless device to enable the device to connect to the wireless VPN firewall, or follow the WPS instructions that came with the device.
  • Page 126 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Specify the settings as explained in the following table: Table 31. Advanced Wireless screen settings Setting Description Beacon Interval Enter an interval between 40 ms and 3500 ms for each beacon transmission, which allows the wireless VPN firewall to synchronize the wireless network. The default setting is 100.
  • Page 127: Test Basic Wireless Connectivity

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Test Basic Wireless Connectivity After you have configured the wireless VPN firewall as explained in the previous sections, test your wireless clients for wireless connectivity before you place the wireless VPN firewall at its permanent position.
  • Page 128: Chapter 5 Firewall Protection

    Firewall Protection This chapter describes how to use the firewall features of the wireless VPN firewall to protect your network. The chapter contains the following sections: • About Firewall Protection • Overview of Rules to Block or Allow Specific Kinds of Traffic •...
  • Page 129: Administrator Tips

    incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT. IPv6 does not in itself make a network more secure: IPsec is part of the IPv6 protocol suite, but its use is optional, and IPv6 traffic is normally routed without NAT, so a LAN or DMZ host's global address is directly reachable from the Internet unless the firewall blocks it. For IPv6, therefore, the firewall rules are what control the exchange of traffic between the Internet, DMZ, and LAN.
  • Page 130: Outbound Rules (Service Blocking)

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the wireless VPN firewall are: • Inbound. Block all access from outside except responses to requests from the LAN side.
  • Page 131 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 65 on page 141, Figure 71 page 148, and Figure 77 on page 155).
  • Page 132 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 33. Outbound rules overview (continued) Setting Description Outbound Rules WAN Users The settings that determine which Internet locations are covered LAN WAN rules by the rule, based on their IP address. The options are: DMZ WAN rules •...
  • Page 133: Inbound Rules (Port Forwarding)

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 33. Outbound rules overview (continued) Setting Description Outbound Rules The setting that determines whether packets covered by this rule All rules are logged. The options are: • Always. Always log traffic that matches this rule. This is useful when you are debugging your rules.
  • Page 134 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN Groups screen to keep the computer’s IP address constant (see Set Up DHCP Address Reservation on page 72). • Local computers need to access the local server using the computers’ local LAN address.
  • Page 135 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 34. Inbound rules overview Setting Description Inbound Rules Service The service or application to be covered by this rule. If the All rules service or application does not display in the list, you need to...
  • Page 136 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 34. Inbound rules overview (continued) Setting Description Inbound Rules LAN Users These settings apply to a LAN WAN inbound rule when the WAN LAN WAN rules mode is classical routing, and determine which computers on LAN DMZ rules your network are affected by this rule.
  • Page 137: Order Of Precedence For Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location.
  • Page 138: Configure Lan Wan Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure LAN WAN Rules • Create LAN WAN Outbound Service Rules • Create LAN WAN Inbound Service Rules The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound).
  • Page 139 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, one of the following screens displays: Edit LAN WAN Outbound Service screen for IPv4 (identical to...
  • Page 140: Create Lan Wan Outbound Service Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To enable, disable, or delete one or more IPv4 or IPv6 rules: Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules.
  • Page 141 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 65. Enter the settings as explained in Table 33 on page 131. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 142 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 LAN WAN Outbound Rules  To create a new IPv6 LAN WAN outbound rule: In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 64 on page 139).
  • Page 143: Create Lan Wan Inbound Service Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Create LAN WAN Inbound Service Rules The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked.
  • Page 144 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 67. IPv6 LAN WAN Inbound Rules  To create a new IPv6 LAN WAN inbound rule: In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen...
  • Page 145: Configure Dmz Wan Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 68. Enter the settings as explained in Table 34 on page 135. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 146 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: Inbound rules on the LAN WAN Rules screen take precedence over inbound rules on the DMZ WAN Rules screen. When an inbound packet matches an inbound rule on the LAN WAN Rules screen, the packet is not matched against the inbound rules on the DMZ WAN Rules screen.
  • Page 147 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To access the DMZ WAN Rules screen for IPv6 or to change existing IPv6 rules: Select Security > Firewall > DMZ WAN Rules. The Firewall submenu tabs display with the DMZ WAN Rules screen for IPv4 in view.
  • Page 148: Create Dmz Wan Outbound Service Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Disable. Disables the rule or rules. The ! status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled. • Delete. Deletes the selected rule or rules.
  • Page 149 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in Table 33 on page 131. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 150: Create Dmz Wan Inbound Service Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in Table 33 on page 131. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 151 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 73. Enter the settings as explained in Table 34 on page 135. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 152 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 DMZ WAN Inbound Service Rules  To create a new IPv6 DMZ WAN inbound rule: In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen...
  • Page 153: Configure Lan Dmz Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure LAN DMZ Rules • Create LAN DMZ Outbound Service Rules • Create LAN DMZ Inbound Service Rules The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ.
  • Page 154 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, one of the following screens displays: Edit LAN DMZ Outbound Service screen for IPv4 (identical to...
  • Page 155: Create Lan Dmz Outbound Service Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click one of the following table buttons: • Enable. Enables the rule or rules. The ! status icon changes from a gray circle to a green circle, indicating that the selected rule or rules are enabled. (By default, when a rule is added to the table, it is automatically enabled.)
  • Page 156 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in Table 33 on page 131. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 157: Create Lan Dmz Inbound Service Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list: • Select Schedule Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
  • Page 158 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list: • Select Schedule Click Apply to save your changes. The new rule is now added to the Inbound Services table.
  • Page 159: Examples Of Firewall Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Examples of Firewall Rules • Examples of Inbound Firewall Rules • Examples of Outbound Firewall Rules Examples of Inbound Firewall Rules IPv4 LAN WAN Inbound Rule: Host a Local Public Web Server If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.
  • Page 160 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see the following figure).
  • Page 161 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the wireless VPN firewall to host an additional public IP address and associate this address with a web server on the LAN.
  • Page 162 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 83. From the Service drop-down list, select HTTP for a web server. From the Action drop-down list, select ALLOW Always. In the Send to LAN Server field, enter the local IP address of your web server computer (192.168.1.2 in this example).
  • Page 163 IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an Exposed Host Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. Every unsolicited inbound packet that no other inbound rule matches is forwarded to that host, so harden and patch it as if it were connected directly to the Internet, and do not use a host that also holds LAN credentials or data.
  • Page 164: Examples Of Outbound Firewall Rules

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a Single LAN User If you want to restrict incoming RTelnet sessions from a single IPv6 WAN user to a single IPv6 LAN user, specify the initiating IPv6 WAN address and the receiving IPv6 LAN address.
  • Page 165 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 86. IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ User to Access an FTP Site on the Internet If you want to allow a group of DMZ users to access a particular FTP site on the Internet during working hours, you can create an outbound rule to allow such traffic by specifying the IPv6 DMZ start and finish addresses and the IPv6 WAN address.
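The rule semantics the manual describes across these sections (default inbound policy BLOCK, default outbound policy ALLOW, first matching rule in a table wins, and LAN WAN inbound rules consulted before DMZ WAN inbound rules) can be modelled in a few dozen lines. The following Python example is added here and is not code from the NETGEAR manual or the device: it evaluates constructed packets against rule tables that reproduce the manual's worked examples (the public web server at 192.168.1.2 and a videoconference allowed only from a branch office). The H323 service entry, the branch-office block 203.0.113.0/24, the DMZ FTP server 172.16.2.10, the WAN address 192.0.2.1 and the blocked host 198.51.100.66 are assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Service definitions in the spirit of the device's Services screen: name -> (protocol, first port, last port).
# The H323 entry for the videoconference example is an assumption; the rest are standard well-known ports.
SERVICES = {
    "ANY":  ("any", 1, 65535),
    "HTTP": ("tcp", 80, 80),
    "SSH":  ("tcp", 22, 22),
    "FTP":  ("tcp", 21, 21),
    "H323": ("tcp", 1720, 1720),
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    service: str
    action: str                    # "ALLOW" or "BLOCK"; schedules are not modelled
    wan_users: str = "ANY"         # "ANY", one address, "first-last" range, or a CIDR block
    send_to: Optional[str] = None  # inbound rules only: the LAN or DMZ server the packet is forwarded to
    enabled: bool = True


def service_matches(name: str, pkt: Packet) -> bool:
    proto, lo, hi = SERVICES[name]
    return (proto == "any" or proto == pkt.proto) and lo <= pkt.dport <= hi


def wan_user_matches(spec: str, addr_str: str) -> bool:
    """Match the rule's WAN Users field against one address (source for inbound, destination for outbound)."""
    if spec.upper() == "ANY":
        return True
    addr = ip_address(addr_str)
    if "-" in spec:
        first, last = (ip_address(p.strip()) for p in spec.split("-", 1))
        return first <= addr <= last
    if "/" in spec:
        return addr in ip_network(spec, strict=False)
    return addr == ip_address(spec)


def first_match(rules: List[Rule], pkt: Packet, wan_addr: str) -> Optional[Rule]:
    """Rules are consulted top to bottom; the first enabled rule that matches decides."""
    for rule in rules:
        if rule.enabled and service_matches(rule.service, pkt) and wan_user_matches(rule.wan_users, wan_addr):
            return rule
    return None


def evaluate_inbound(lan_wan: List[Rule], dmz_wan: List[Rule], pkt: Packet) -> Tuple[str, Optional[str]]:
    """WAN -> LAN/DMZ. LAN WAN rules are checked before DMZ WAN rules; a packet matched by a LAN WAN rule
    is never compared against the DMZ WAN table. Nothing matched means the default inbound policy: BLOCK."""
    for table in (lan_wan, dmz_wan):
        rule = first_match(table, pkt, wan_addr=pkt.src)
        if rule is not None:
            return (rule.action, rule.send_to if rule.action == "ALLOW" else None)
    return ("BLOCK", None)


def evaluate_outbound(rules: List[Rule], pkt: Packet) -> str:
    """LAN/DMZ -> WAN. First matching rule decides; nothing matched means the default outbound policy: ALLOW."""
    rule = first_match(rules, pkt, wan_addr=pkt.dst)
    return rule.action if rule is not None else "ALLOW"


# Constructed rule tables. 192.168.1.2 is the manual's example web server; every other address is an assumption.
LAN_WAN_INBOUND = [
    Rule("ANY", "BLOCK", wan_users="198.51.100.66"),                           # one misbehaving WAN host
    Rule("HTTP", "ALLOW", send_to="192.168.1.2"),                               # public web server on the LAN
    Rule("H323", "ALLOW", wan_users="203.0.113.0/24", send_to="192.168.1.20"),  # videoconference, branch office only
]
DMZ_WAN_INBOUND = [
    Rule("FTP", "ALLOW", send_to="172.16.2.10"),                                # FTP server in the DMZ
]
LAN_WAN_OUTBOUND = [
    Rule("FTP", "BLOCK"),                                                       # no outbound FTP from the LAN
]
WAN_IP = "192.0.2.1"

if __name__ == "__main__":
    for pkt in (Packet("198.51.100.7", WAN_IP, "tcp", 80),
                Packet("198.51.100.7", WAN_IP, "tcp", 22),
                Packet("203.0.113.5", WAN_IP, "tcp", 1720),
                Packet("198.51.100.7", WAN_IP, "tcp", 21),
                Packet("198.51.100.66", WAN_IP, "tcp", 21)):
        print(pkt, "->", evaluate_inbound(LAN_WAN_INBOUND, DMZ_WAN_INBOUND, pkt))
```

The last packet in the demo shows the precedence note from the DMZ WAN Rules section in action: the FTP request from 198.51.100.66 matches the BLOCK rule in the LAN WAN table, so the DMZ WAN ALLOW rule for FTP is never consulted. Placing a broad block above a narrow allow, or the reverse, changes the outcome, which is why the order of rules in each table must be reviewed as carefully as the rules themselves.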
  • Page 166: Configure Other Firewall Features

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 87. Configure Other Firewall Features • Attack Checks • Set Limits for IPv4 Sessions • Manage the Application Level Gateway for SIP Sessions You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions.
  • Page 167 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv4 Attack Checks  To enable IPv4 attack checks for your network environment: Select Security > Firewall > Attack Checks. In the upper right of the screen, the IPv4 radio button is selected by default. The Attack Checks screen displays the IPv4 settings: Figure 88.
  • Page 168 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 35. Attack Checks screen settings for IPv4 (continued) Setting Description LAN Security Checks Block UDP flood Select the Block UDP flood check box (which is the default setting) to prevent the wireless VPN firewall from accepting more than 20 simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN.
  • Page 169 Table 35. Attack Checks screen settings for IPv4 (continued) Setting Description Jumbo Frames Enable Jumbo Frame Jumbo frames are Ethernet frames that carry more than the standard 1500-byte payload (commonly up to 9000 bytes). Sending the same data in fewer, larger frames reduces per-frame overhead and can increase data transfer performance, but every device on the path must support the larger size or the frames are dropped.
  • Page 170: Set Limits For Ipv4 Sessions

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Set Limits for IPv4 Sessions The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IPv4 connection across the wireless VPN firewall. The session limits feature is disabled by default.
  • Page 171: Manage The Application Level Gateway For Sip Sessions

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 36. Session Limit screen settings (continued) Setting Description User Limit Enter a number to indicate the user limit. Note the following: • If the User Limit Parameter is set to Percentage of Max Sessions, the number...
  • Page 172: Services, Bandwidth Profiles, And Qos Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Services, Bandwidth Profiles, and QoS Profiles • Add Customized Services • Create Bandwidth Profiles • Preconfigured Quality of Service Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: •...
  • Page 173 To define a new service, you need to determine first which port number or range of numbers is used by the application. You can usually find this information in the vendor's documentation or in the IANA service name and port number registry; when in doubt, confirm it by observing the application's traffic rather than opening a wider range than necessary. When you have the port number information, you can enter it on the Services screen.
  • Page 174 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 37. Services screen settings (continued) Setting Description Start Port The first TCP or UDP port of a range that the service uses. Note: This field is enabled only when you select TCP or UDP from the Type drop-down list.
  • Page 175: Create Bandwidth Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Create Bandwidth Profiles Bandwidth profiles determine the way in which data is communicated with the hosts. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN link.
  • Page 176 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays: Figure 95. Enter the settings as explained in the following table: Table 38. Add Bandwidth Profile screen settings...
  • Page 177: Preconfigured Quality Of Service Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 38. Add Bandwidth Profile screen settings (continued) Setting Description Type From the Type drop-down list, select the type for the bandwidth profile: • Group. The profile applies to all users, that is, all users share the available bandwidth.
  • Page 178: Configure Content Filtering

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N These are the default QoS profiles that are preconfigured and that cannot be edited: • Normal-Service. Used when no special priority is given to the traffic. IP packets are marked with a ToS value of 0.
  • Page 179 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX applets from being downloaded.
  • Page 180 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 96. In the Content Filtering section of the screen, select the Yes radio button. Firewall Protection...
  • Page 181 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected): •...
  • Page 182: Set A Schedule To Block Or Allow Specific Traffic

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Set a Schedule to Block or Allow Specific Traffic Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules.
  • Page 183: Enable Source Mac Filtering

    Enable Source MAC Filtering The Source MAC Filter screen enables you to permit or block traffic coming from certain known computers or devices. By default, the source MAC address filter is disabled. All the traffic received from computers with any MAC address is allowed. Keep in mind that a MAC address is not a credential: it is sent in the clear and can be changed on most operating systems with a single command, so a MAC filter deters casual misuse but does not stop an attacker who can observe a permitted address.
  • Page 184: Set Up Ip/Mac Bindings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the same section, from the Policy for MAC Addresses listed below drop-down list, select one of the following options: • Block and Permit the rest. Traffic coming from all addresses in the MAC Addresses table is blocked.
  • Page 185 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: You can bind IP addresses to MAC addresses for DHCP assignment on the LAN Groups submenu. See Manage the Network Database on page 68. As an example, assume that three computers on the LAN are set up as follows, and that their IPv4 and MAC addresses are added to the IP/MAC Bindings table: •...
  • Page 186 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 99. In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons: •...
  • Page 187 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To edit an IP/MAC binding: In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
  • Page 188 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 101. In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons: •...
  • Page 189 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To edit an IP/MAC binding: In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
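The two features above, Source MAC Filtering and IP/MAC Bindings, make decisions from the source MAC address and the source IP/MAC pair of each packet. The following Python example is added here and is not code from the NETGEAR manual or the device: it implements both checks over constructed frames and produces the kind of violation log line that the email notification setting would send. The bindings table stands in for the three LAN computers of the manual's example; the MAC and IP addresses, the unbound host 192.168.1.50 and the behaviour that packets from unbound addresses are forwarded unchanged are assumptions of this model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed bindings, standing in for the three LAN computers the manual's example adds
# to the IP/MAC Bindings table (the addresses here are assumptions, not the manual's).
BINDINGS: Dict[str, str] = {
    "192.168.1.10": "00:11:22:33:44:01",
    "192.168.1.11": "00:11:22:33:44:02",
    "192.168.1.12": "00:11:22:33:44:03",
}


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


def normalize_mac(mac: str) -> str:
    """Accept 00-11-22-33-44-55, 00:11:22:33:44:55 or 001122334455; return lowercase colon form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"bad MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def binding_violation(frame: Frame, bindings: Dict[str, str] = BINDINGS) -> Optional[str]:
    """Return a reason when the frame's IP/MAC pair contradicts a binding, else None. Both directions
    are checked: a bound IP sent from a foreign MAC, and a bound MAC claiming a foreign IP."""
    mac = normalize_mac(frame.src_mac)
    mac_to_ip = {normalize_mac(m): ip for ip, m in bindings.items()}
    bound_mac = bindings.get(frame.src_ip)
    if bound_mac is not None and normalize_mac(bound_mac) != mac:
        return f"IP {frame.src_ip} is bound to {normalize_mac(bound_mac)} but was sent from {mac}"
    bound_ip = mac_to_ip.get(mac)
    if bound_ip is not None and bound_ip != frame.src_ip:
        return f"MAC {mac} is bound to {bound_ip} but claimed {frame.src_ip}"
    return None  # assumption of this model: pairs that no binding covers pass through


def source_mac_filter(policy: str, listed: List[str], mac: str) -> bool:
    """Source MAC Filter semantics from the manual. policy "block": listed MACs are blocked and the rest
    permitted; policy "permit": listed MACs are permitted and the rest blocked. True means allowed."""
    in_list = normalize_mac(mac) in {normalize_mac(m) for m in listed}
    return (not in_list) if policy == "block" else in_list


def filter_frames(frames: List[Frame], bindings: Dict[str, str] = BINDINGS) -> Tuple[List[Frame], List[str]]:
    """Drop frames that violate a binding; return (forwarded frames, log lines for the violations)."""
    forwarded, log = [], []
    for frame in frames:
        reason = binding_violation(frame, bindings)
        if reason is None:
            forwarded.append(frame)
        else:
            log.append(f"IP/MAC binding violation: {reason}; packet dropped")
    return forwarded, log


# Constructed traffic: the three legitimate hosts, two spoofing attempts and one host no binding covers.
SAMPLE_FRAMES = [
    Frame("00:11:22:33:44:01", "192.168.1.10"),
    Frame("00:11:22:33:44:02", "192.168.1.11"),
    Frame("00:11:22:33:44:03", "192.168.1.12"),
    Frame("00:11:22:33:44:01", "192.168.1.11"),  # bound MAC borrowing a neighbour's bound IP
    Frame("aa:bb:cc:dd:ee:ff", "192.168.1.10"),  # unknown MAC using a bound IP
    Frame("aa:bb:cc:dd:ee:ff", "192.168.1.50"),  # unknown MAC, unbound IP: not covered by any binding
]

if __name__ == "__main__":
    forwarded, log = filter_frames(SAMPLE_FRAMES)
    print(f"forwarded {len(forwarded)} of {len(SAMPLE_FRAMES)} frames")
    print("\n".join(log))
```

The last sample frame illustrates the limit of the feature: bindings only constrain the pairs you have entered, so a host that is not in the table is unaffected, and an attacker who clones both the MAC and the IP of a bound host passes the check. Bindings raise the bar against simple ARP and IP spoofing on the LAN; they are not a substitute for per-port controls on the switch.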
  • Page 190: Configure Port Triggering

    Configure Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Unlike a static inbound rule, a triggered opening is created only after a LAN host sends traffic to the trigger port, applies to that host, and closes again after the idle timeout, which keeps the exposure window short.
  • Page 191 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 103. In the Add Port Triggering Rule section, enter the settings as explained in the following table: Table 41. Port Triggering screen settings Setting Description Name A descriptive name of the rule for identification and management purposes.
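The mechanism behind a port triggering rule is a small piece of per-host state: outbound traffic to the trigger port opens the rule's incoming port range toward the host that sent it, and the opening expires when it is idle. The following Python example is added here and is not code from the NETGEAR manual or the device; it models that state machine so that the difference from a permanent inbound rule is visible. The rule, its ports and host addresses are constructed, the 600-second idle timeout is an assumption of this model rather than the device's setting, and the model assumes the rule's protocol applies to both port ranges.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    proto: str                  # "tcp" or "udp"; assumed to apply to both port ranges
    outgoing: Tuple[int, int]   # outbound destination ports that trigger the rule
    incoming: Tuple[int, int]   # inbound ports opened toward the triggering host


class PortTriggerTable:
    """Dynamic inbound openings created by outbound traffic, per LAN host, with an idle timeout.
    The timeout value is an assumption for this model, not the device's setting."""

    def __init__(self, rules: List[TriggerRule], timeout_s: float = 600.0):
        self.rules = rules
        self.timeout_s = timeout_s
        # (lan_ip, proto, first, last) -> time at which the opening expires
        self._open: Dict[Tuple[str, str, int, int], float] = {}

    def on_outbound(self, lan_ip: str, proto: str, dport: int, now: float) -> List[str]:
        """A LAN host sent traffic to a trigger port: open the rule's incoming range toward that host only."""
        opened = []
        for rule in self.rules:
            if rule.proto == proto and rule.outgoing[0] <= dport <= rule.outgoing[1]:
                key = (lan_ip, rule.proto, rule.incoming[0], rule.incoming[1])
                self._open[key] = now + self.timeout_s   # further outbound traffic refreshes the timer
                opened.append(rule.name)
        return opened

    def inbound_target(self, proto: str, dport: int, now: float) -> Optional[str]:
        """Unsolicited inbound packet: return the LAN host it is forwarded to, or None if it is blocked."""
        for key, expiry in list(self._open.items()):
            lan_ip, p, first, last = key
            if now >= expiry:
                del self._open[key]              # idle timeout passed: the opening closes again
                continue
            if p == proto and first <= dport <= last:
                return lan_ip
        return None

    def open_count(self) -> int:
        return len(self._open)


# Constructed rule: an assumed application that dials out to UDP 27000 and then expects
# replies on UDP 27100-27200 (not a protocol taken from the manual).
RULES = [TriggerRule("voice-chat", "udp", (27000, 27000), (27100, 27200))]

if __name__ == "__main__":
    table = PortTriggerTable(RULES)
    print("before trigger:", table.inbound_target("udp", 27150, now=0))
    table.on_outbound("192.168.1.25", "udp", 27000, now=100)
    print("after trigger:", table.inbound_target("udp", 27150, now=200))
    print("after timeout:", table.inbound_target("udp", 27150, now=800))
```

Two properties worth noting when you compare this with a static inbound rule: the incoming range is reachable only while a LAN host has recently used the trigger port, and it is forwarded to that host rather than to a fixed server address, so a second host that triggers the same rule takes over the opening.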
  • Page 192: Configure Universal Plug and Play
    To remove one or more port triggering rules from the table: Select the check box to the left of each port triggering rule that you want to delete, or click the Select All table button to select all rules.
  • Page 193 The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the wireless VPN firewall and that it has automatically detected: •... Because any LAN host can request a port mapping through UPnP without authenticating, review this table regularly and leave UPnP disabled unless an application requires it.
  • Page 194: Chapter 6 Virtual Private Networking Using IPSec and L2TP Connections
    Configurations You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following sections provide wizard and NETGEAR ProSafe VPN Client software configuration procedures: • Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard on page 195 •...
  • Page 195: Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard
    Configuring a VPN tunnel requires that you specify all settings on both sides of the tunnel so that they match or mirror each other precisely, which can be a daunting task. The VPN Wizard guides you through the setup procedure with a series of questions that determine the IPSec keys and VPN policies it creates.
  • Page 196 Figure 107. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
  • Page 197 Figure 108. Complete the settings as explained in the following table: Table 42. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel. About VPN Wizard. This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port's IP address or Internet name displays in the End Point Information section of the screen.
  • Page 198 Table 42. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel (continued). Secure Connection Remote Accessibility. What is the remote LAN IP address?: Enter the LAN IPv4 address of the remote gateway.
  • Page 199: Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard
    Figure 110. b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active. Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address.
  • Page 200 Figure 112. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
  • Page 201 Figure 113. Complete the settings as explained in the following table: Table 43. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel. About VPN Wizard. This VPN tunnel will connect to the following peers: Select the Gateway radio button. The local WAN port's IP address or Internet name displays in the End Point Information section of the screen.
  • Page 202 Table 43. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel (continued). Secure Connection Remote Accessibility. What is the remote LAN IP address?: Enter the LAN IPv6 address of the remote gateway.
  • Page 203: Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard
    Use the VPN Wizard to Configure the Gateway for a Client Tunnel on page 204. • Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 206 or Manually Create a Secure Connection Using the NETGEAR VPN Client on page 211.
  • Page 204 Use the VPN Wizard to Configure the Gateway for a Client Tunnel. To set up a client-to-gateway VPN tunnel using the VPN Wizard: Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio button is selected by default.
  • Page 205 Complete the settings as explained in the following table: Table 44. IPSec VPN Wizard settings for a client-to-gateway tunnel. About VPN Wizard. This VPN tunnel will connect to the following peers: Select the VPN Client radio button. The default remote FQDN (remote.com) and the default local FQDN (local.com) display in the End Point Information...
  • Page 206 Router's LAN network IPv4 address: 192.168.1.0. Router's WAN IPv4 address: 192.168.15.175. Use the NETGEAR VPN Client Wizard to Create a Secure Connection. The VPN client lets you set up the VPN connection manually (see Manually Create a Secure Connection Using the NETGEAR VPN Client on page 211) or with the integrated Configuration Wizard, which is the easier and preferred method.
  • Page 207 Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. The VPN Client supports IPv4 only; an upcoming release of the VPN Client will support IPv6. To use the Configuration Wizard to set up a VPN connection between the VPN client...
  • Page 208 Figure 120. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays: Figure 121. Specify the following VPN tunnel parameters: •...
  • Page 209 Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays: Figure 122. This screen summarizes the new VPN configuration. Click Finish. Specify the local and remote IDs: a.
  • Page 210 c. Specify the settings that are explained in the following table. Table 46. VPN client advanced authentication settings. Advanced features. Aggressive Mode: Select this check box to enable aggressive mode as the mode of negotiation with the wireless VPN firewall. Note that in IKE aggressive mode with a pre-shared key, the identities and the authentication hash travel unencrypted, so an eavesdropper can run an offline dictionary attack against the pre-shared key; use main mode where the client's addressing allows it, and choose a long random key if you must use aggressive mode.
  • Page 211 Instead of using the wizard on the VPN client, you can also configure the VPN client manually, as explained in the following section. Manually Create a Secure Connection Using the NETGEAR VPN Client. Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed.
  • Page 212 Configure the Authentication Settings (Phase 1 Settings). To create new authentication settings: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays: Figure 125.
  • Page 213 Note: This is the name for the authentication phase that is used only by the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. The name needs to be unique.
  • Page 214 Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Click the Advanced tab in the Authentication pane. The Advanced pane displays: Figure 128. Specify the settings that are explained in the following table.
  • Page 215 Table 48. VPN client advanced authentication settings (continued). Remote ID: As the type of ID, select DNS from the Remote ID drop-down list, because you specified an FQDN in the wireless VPN firewall configuration.
  • Page 216 Figure 129. Specify the settings that are explained in the following table. Table 49. VPN client IPSec configuration settings. VPN Client address: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the wireless VPN firewall's LAN;...
  • Page 217 Table 49. VPN client IPSec configuration settings (continued). PFS and Group: Select the PFS check box, and then select the DH2 (1024) key group from the drop-down list. Note: On the wireless VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit). A 1024-bit MODP group is considered weak by today's standards; if both endpoints offer a larger group, select it on both sides.
  • Page 218: Test the Connection and View Connection and Status Information
    • View the Wireless VPN Firewall IPSec VPN Log. Both the NETGEAR ProSafe VPN Client and the wireless VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and for troubleshooting problems with a connection.
  • Page 219 • Use the Connection Panel screen. On the main menu of the Configuration Panel screen, select Tools > Connection Panel to open the Connection Panel screen. Perform one of the following tasks: Double-click Gateway-Tunnel.
  • Page 220: NETGEAR VPN Client Status and Log Information
    To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays: Figure 136.
  • Page 221: View the Wireless VPN Firewall IPSec VPN Log
    The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 10 seconds. To change the poll interval, enter a new value in the Poll Interval field, and then click the Set Interval button.
  • Page 222: Manage IPSec VPN Policies
    • Manage IKE Policies • Manage VPN Policies. After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy.
  • Page 223 IKE Policies Screen. To access the IKE Policies screen: Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view. In the upper right of the screen, the IPv4 radio button is selected by default.
  • Page 224 To delete one or more IKE policies: Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all IKE policies.
  • Page 225 Figure 140. Virtual Private Networking Using IPSec and L2TP Connections
  • Page 226 Complete the settings as explained in the following table: Table 52. Add IKE Policy screen settings. Mode Config Record. Do you want to use...: Specify whether the IKE policy uses a Mode Config record. For information about...
  • Page 227 Table 52. Add IKE Policy screen settings (continued). Local Identifier: From the drop-down list, select one of the following ISAKMP identifiers to be used by the wireless VPN firewall, and then specify the identifier in the Identifier field: •...
  • Page 228 Table 52. Add IKE Policy screen settings (continued). Authentication Method: Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the wireless VPN firewall and the remote endpoint.
  • Page 229 Table 52. Add IKE Policy screen settings (continued). Extended Authentication. XAUTH Configuration: Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify...
  • Page 230: Manage VPN Policies
    Modify the settings that you wish to change (see the previous table). Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table. Manage VPN Policies. You can create two types of VPN policies.
  • Page 231 Figure 141. Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 54 on page 235. Table 53. VPN Policies screen information for IPv4 and IPv6...
  • Page 232 To delete one or more VPN policies: Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all VPN policies.
  • Page 233 Figure 142. Add New VPN Policy screen for IPv4
  • Page 234 Figure 143. Add New VPN Policy screen for IPv6
  • Page 235 Complete the settings as explained in the following table. The only differences between the IPv4 and IPv6 settings are the subnet mask (IPv4) and the prefix length (IPv6). Table 54. Add New VPN Policy screen settings for IPv4 and IPv6...
  • Page 236 Table 54. Add New VPN Policy screen settings for IPv4 and IPv6 (continued). Traffic Selection. Local IP: From the drop-down list, select the address or addresses that are part of the VPN tunnel on the wireless VPN firewall: •...
  • Page 237 Table 54. Add New VPN Policy screen settings for IPv4 and IPv6 (continued). Key-Out: The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: •...
  • Page 238: Configure Extended Authentication (XAUTH)
    Table 54. Add New VPN Policy screen settings for IPv4 and IPv6 (continued). Integrity Algorithm: From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: •...
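A pre-flight check for the "both sides must mirror each other" requirement of the gateway-to-gateway and policy pages above, as an added example (not NETGEAR code). Each dict stands for what one firewall holds in its IKE and VPN policy for the tunnel; the field names are this example's own, not the screen labels. Endpoint and traffic-selector fields must be swapped between the two sides, negotiation parameters and the pre-shared key must be identical, and with manual keying one side's Key-Out is the other side's Key-In with a length fixed by the algorithm (the standard 8/24/16/24/32 bytes for DES/3DES/AES-128/192/256). The sample addresses and keys are made up.

```python
"""Mirror check for a gateway-to-gateway IPSec policy pair (added example)."""
from typing import Dict, List

# Standard key sizes in bytes; used only when manual keys are configured.
ENC_KEY_LEN = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}


def mirror_mismatches(a: Dict, b: Dict) -> List[str]:
    """Return the list of mismatches between policy A and policy B; empty means they mirror."""
    problems = []
    # Endpoints and traffic selectors are swapped between the two sides.
    for mine, theirs in (("remote_gateway", "local_gateway"), ("remote_lan", "local_lan")):
        if a[mine] != b[theirs]:
            problems.append(f"A.{mine}={a[mine]} but B.{theirs}={b[theirs]}")
        if b[mine] != a[theirs]:
            problems.append(f"B.{mine}={b[mine]} but A.{theirs}={a[theirs]}")
    # Negotiation parameters and the pre-shared key must be identical.
    for k in ("encryption", "integrity", "dh_group", "psk", "sa_lifetime", "pfs"):
        if a[k] != b[k]:
            detail = "" if k == "psk" else f": A={a[k]!r} B={b[k]!r}"   # never log the secret
            problems.append(f"{k} differs{detail}")
    # Manual keys: what A sends (key_out) is what B expects (key_in), and vice versa.
    if "key_out" in a or "key_in" in b:
        if a.get("key_out") != b.get("key_in"):
            problems.append("A.key_out != B.key_in")
        if a.get("key_in") != b.get("key_out"):
            problems.append("A.key_in != B.key_out")
        for side, policy in (("A", a), ("B", b)):
            want = ENC_KEY_LEN[policy["encryption"]]
            for name in ("key_in", "key_out"):
                if name in policy and len(policy[name]) != want:
                    problems.append(f"{side}.{name} is {len(policy[name])} bytes, "
                                    f"{policy['encryption']} needs {want}")
    return problems


# Constructed example: site A as configured on its own firewall.
SITE_A = {
    "local_gateway": "203.0.113.10", "remote_gateway": "198.51.100.20",
    "local_lan": "192.168.1.0/24", "remote_lan": "192.168.2.0/24",
    "encryption": "AES-128", "integrity": "SHA-1", "dh_group": 2,
    "psk": "example-psk-not-for-production", "sa_lifetime": 3600, "pfs": True,
    "key_in": "0123456789abcdef", "key_out": "fedcba9876543210",
}


def mirrored(site: Dict) -> Dict:
    """Derive the policy the peer must hold for `site` to connect to it."""
    peer = dict(site)
    peer["local_gateway"], peer["remote_gateway"] = site["remote_gateway"], site["local_gateway"]
    peer["local_lan"], peer["remote_lan"] = site["remote_lan"], site["local_lan"]
    peer["key_in"], peer["key_out"] = site["key_out"], site["key_in"]
    return peer


SITE_B = mirrored(SITE_A)
```

Running `mirror_mismatches(SITE_A, SITE_B)` yields no problems; change one side's algorithm or shorten a manual key and every resulting inconsistency is listed, which is quicker than reading a failed negotiation out of the IPSec VPN log.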
  • Page 239: Configure XAUTH for VPN Clients
    authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user. A local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network.
  • Page 240: User Database Configuration
    In the Extended Authentication section on the screen, complete the settings as explained in the following table: Table 55. Extended authentication settings for IPv4 and IPv6. Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: •...
  • Page 241 information such as a user name and password or some encrypted response using his or her user name and password information. The gateway then attempts to verify this information first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.
  • Page 242 Table 56. RADIUS Client screen settings (continued). Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the primary RADIUS server. The same secret phrase needs to be configured on both the client and the server.
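What the Secret Phrase actually protects when the firewall relays XAUTH credentials to a RADIUS server with PAP, as an added example (not NETGEAR code): the RFC 2865 Access-Request packet with the User-Password attribute hidden by the MD5-and-XOR transform keyed on the shared secret and the Request Authenticator, plus the server-side reversal. The user name, password, secret and NAS address are made up.

```python
"""RADIUS Access-Request with PAP password hiding, RFC 2865 (added example)."""
import hashlib
import os
import socket
import struct
from typing import Dict, Optional

ACCESS_REQUEST = 1
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16, then XOR each chunk with
    MD5(secret + previous chunk), seeded with the Request Authenticator."""
    if not 1 <= len(password) <= 128:
        raise ValueError("PAP password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        chunk = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        hidden += chunk
        prev = chunk
    return hidden


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side of the same transform. With the wrong secret the result is
    noise, which is why both ends must hold the identical Secret Phrase."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        clear += bytes(c ^ m for c, m in zip(hidden[i:i + 16], mask))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")   # strip padding; a password ending in NUL is not representable


def attribute(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute: type, total length, value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request(identifier: int, username: str, password: str, secret: bytes,
                   nas_ip: str, authenticator: Optional[bytes] = None) -> bytes:
    """Build the UDP payload the NAS (here the firewall) sends to the server."""
    auth = authenticator or os.urandom(16)   # Request Authenticator: 16 random octets
    attrs = (attribute(USER_NAME, username.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, auth))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + auth + attrs


def parse_attributes(packet: bytes) -> Dict[int, bytes]:
    """Walk the attribute TLVs that follow the 20-byte header."""
    attrs, i = {}, 20
    while i < len(packet):
        attr_type, length = packet[i], packet[i + 1]
        if length < 2 or i + length > len(packet):
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[i + 2:i + length]
        i += length
    return attrs
```

Two consequences for the deployment: the hiding is an MD5 stream keyed on the secret, not authenticated encryption, so a weak Secret Phrase can be recovered offline from a captured request, and the rest of the packet is in the clear; keep the firewall-to-RADIUS path on a trusted management segment and use a long random secret.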
  • Page 243: Assign IPv4 Addresses to Remote Users (Mode Config)
    • Mode Config Operation • Configure Mode Config Operation on the Wireless VPN Firewall • Configure the ProSafe VPN Client for Mode Config Operation •...
  • Page 244: Configure Mode Config Operation on the Wireless VPN Firewall
    To configure Mode Config on the wireless VPN firewall, first create a Mode Config record, and then select the Mode Config record for an IKE policy.
  • Page 245 Figure 146. Complete the settings as explained in the following table: Table 57. Add Mode Config Record screen settings. Client Pool. Record Name: A descriptive name of the Mode Config record for identification and management purposes.
  • Page 246 Table 57. Add Mode Config Record screen settings (continued). WINS Server: If there is a WINS server on the local network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.
  • Page 247 Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies...
  • Page 248 Figure 147. On the Add IKE Policy screen, complete the settings as explained in the following table.
  • Page 249 Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 52 on page 226 explains the general IKE policy settings. Table 58. Add IKE Policy screen settings for a Mode Config configuration...
  • Page 250 The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour). Enable Dead Peer...
  • Page 251: Configure the ProSafe VPN Client for Mode Config Operation
    Table 58. Add IKE Policy screen settings for a Mode Config configuration (continued). Extended Authentication. XAUTH Configuration: Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify...
  • Page 252 Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
  • Page 253 Figure 149. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane.
  • Page 254 Specify the settings that are explained in the following table. Table 59. VPN client authentication settings (Mode Config). Interface: Select Any from the drop-down list. Remote Gateway: Enter the remote IP address or DNS name of the wireless VPN firewall. For example, enter 192.168.15.175.
  • Page 255 Specify the settings that are explained in the following table. Table 60. VPN client advanced authentication settings (Mode Config). Advanced features. Mode Config: Select this check box to enable Mode Config.
  • Page 256 Note: This is the name for the IPSec configuration that is used only by the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. The name needs to be unique.
  • Page 257 Table 61. VPN client IPSec configuration settings (Mode Config) (continued). Subnet mask: Enter 255.255.255.0 as the remote subnet mask of the wireless VPN firewall that opens the VPN tunnel. This is the LAN IP subnet mask that you specified in the Local Subnet Mask field on the Add Mode Config Record screen of the wireless VPN firewall.
  • Page 258: Test the Mode Config Connection
    Specify the following default lifetimes in seconds to match the configuration on the wireless VPN firewall: • Authentication (IKE), Default. Enter 3600 seconds. Note: The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
  • Page 259: Modify or Delete a Mode Config Record
    Verify that the wireless VPN firewall issued an IP address to the VPN client. This IP address displays in the VPN Client address field on the IPSec pane of the VPN client. (The following figure shows the upper part of the IPSec pane only.) Figure 156.
  • Page 260: Configure Keep-Alives
    establishment time. If you require a VPN tunnel to remain connected, you can use the keep-alive and Dead Peer Detection (DPD) features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconnects for any reason.
  • Page 261: Configure Dead Peer Detection
    Enter the settings as explained in the following table: Table 62. Keep-alive settings. General. Enable Keepalive: Select the Yes radio button to enable the keep-alive feature. Periodically, the wireless VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.
  • Page 262: Configure NetBIOS Bridging with IPSec VPN
    Figure 158. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: Table 63. Dead Peer Detection settings. IKE SA Parameters. Enable Dead Peer Detection: Select the Yes radio button to enable DPD.
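The logic shared by the keep-alive and Dead Peer Detection settings on these two pages, as an added example (not NETGEAR code): a probe (a keep-alive ping or a DPD R-U-THERE) goes out once the peer has been silent for one period, and after a configured number of consecutive unanswered probes the tunnel is torn down and re-established. The period and count values below are made-up inputs, not the firewall's defaults, and the exact scheduling is this model's assumption.

```python
"""Tunnel liveness monitor covering keep-alive and DPD behaviour (added example)."""
from typing import List


class LivenessMonitor:
    def __init__(self, period: float, reconnect_after: int):
        self.period = period                    # seconds of silence before a probe
        self.reconnect_after = reconnect_after  # unanswered probes that trigger reconnect
        self.failures = 0
        self.last_heard = 0.0
        self.probe_outstanding = False

    def on_peer_traffic(self, now: float) -> None:
        """Any packet from the peer (data, ping reply, R-U-THERE-ACK) proves it is alive."""
        self.last_heard = now
        self.failures = 0
        self.probe_outstanding = False

    def poll(self, now: float) -> str:
        """Called every `period` seconds. Returns 'idle', 'probe' or 'reconnect'."""
        if now - self.last_heard < self.period:
            return "idle"
        if self.probe_outstanding:              # the previous probe was never answered
            self.failures += 1
            if self.failures >= self.reconnect_after:
                self.failures = 0
                self.probe_outstanding = False
                self.last_heard = now           # the new tunnel starts with a clean slate
                return "reconnect"
        self.probe_outstanding = True
        return "probe"


def simulate(period: float, reconnect_after: int, replies_at: List[float], until: float) -> List[str]:
    """Drive the monitor on a constructed timeline where the peer answers only at `replies_at`."""
    monitor = LivenessMonitor(period, reconnect_after)
    actions = []
    t = period
    while t <= until:
        for reply in replies_at:
            if t - period < reply <= t:
                monitor.on_peer_traffic(reply)
        actions.append(f"{t:g}:{monitor.poll(t)}")
        t += period
    return actions
```

With a 10-second period and a failure count of 3, a dead peer is noticed after 30 seconds of probing and the reconnect fires at 40; a single reply in between resets the count, so a peer that answers intermittently is never declared dead. Detection time is roughly period multiplied by the reconnect count, which is the knob to tune against the IKE SA lifetime discussed on page 250.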
  • Page 263: Configure the L2TP Server
    To enable NetBIOS bridging on a configured VPN tunnel: Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 141 on page 231). Specify the IP version for which you want to edit a VPN policy: •...
  • Page 264 is established, the L2TP user can connect to an L2TP client that is located behind the wireless VPN firewall. Note: IPSec VPN provides stronger authentication and encryption than L2TP. Packets that traverse the L2TP tunnel are not encapsulated by IPSec, and L2TP itself encrypts nothing, so an L2TP tunnel on its own gives you tunneling and user authentication but no confidentiality for the tunneled traffic.
  • Page 265: View the Active L2TP Users
    To view the active L2TP tunnel users, select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays: Figure 161. The List of L2TP Active Users table lists each active connection with the information that is described in the following table.
  • Page 266: Chapter 7 Virtual Private Networking Using SSL Connections
    The wireless VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, without requiring a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the wireless VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
  • Page 267: Overview of the SSL Configuration Process
    The SSL VPN client provides a Point-to-Point Protocol (PPP) connection between the client and the wireless VPN firewall, and a virtual network interface is created on the user's computer. The wireless VPN firewall assigns the computer an IP address and DNS server...
  • Page 268: Create the Portal Layout
    Because you need to assign a group when creating an SSL VPN user account, the user account is created after you have created the group. For port forwarding, define the servers and services (see...
  • Page 269 You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add additional portal layouts. You can also make any portal the default portal for the wireless VPN firewall by clicking the Default button in the Action column of the List of Layouts table, to the right of the desired portal layout.
  • Page 270 The List of Layouts table displays the following fields: • Layout Name. The descriptive name of the portal. • Description. The banner message that is displayed at the top of the portal (see Figure 175 on page 290).
  • Page 271 <meta http-equiv="cache-control" content="no-cache"> <meta http-equiv="cache-control" content="must-revalidate"> Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data from being stored in a user's web browser cache. Keep in mind that meta http-equiv directives are honored by the browser only and are ignored by intermediate caches; the Cache-Control response header is the reliable control, so treat the meta tags as a supplement, not a substitute.
  • Page 272: Configure Domains, Groups, and Users
    Table 66. Add Portal Layout screen settings (continued). ActiveX web cache cleaner: Select this check box to enable the ActiveX cache control to be loaded when users log in to the SSL VPN portal. The web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window.
  • Page 273: Configure Applications for Port Forwarding
    access policies. When you create a group, you need to specify a domain. Therefore, create any domains first, then groups, and then user accounts. For information about how to configure domains, groups, and users, see...
  • Page 274: Add a New Host Name
    In the Add New Application for Port Forwarding section of the screen, specify information in the following fields: • IP Address. The IP address of an internal server or host computer that a remote user has access to.
  • Page 275: Configure the SSL VPN Client
    To add servers and host names for client name resolution: Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see Figure 165 on page 273). In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields: •...
  • Page 276: Configure the Client IP Address Range
    A split tunnel sends only traffic that is destined for the local network, based on the specified client routes, through the VPN; all other traffic goes directly to the Internet. A split tunnel lets you manage bandwidth by reserving the VPN tunnel for local traffic only. The trade-off is that a split-tunnel client keeps a direct Internet path, outside the firewall's policies, while it is connected to the corporate network; where that matters, leave split tunneling disabled so that all client traffic is sent through the tunnel.
  • Page 277 • IPv6. Select the IPv6 radio button. The SSL VPN Client screen displays the IPv6 settings (the following screen shows some examples). Figure 167. SSL VPN Client screen for IPv6. Complete the settings as explained in the following table: Table 68.
  • Page 278: Add Routes for VPN Tunnel Clients
    Table 68. SSL VPN Client screen settings for IPv4 and IPv6 (continued). Secondary DNS Server: The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This setting is optional.
  • Page 279: Use Network Resource Objects to Simplify Policies
    Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.
  • Page 280: Edit Network Resources to Specify Addresses
    Figure 168. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service drop-down list, select the type of service to which the resource applies: VPN Tunnel.
  • Page 281 Specify the IP version for which you want to add a portal layout: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step •...
  • Page 282: Configure User, Group, and Global Policies
    Table 69. Resources screen settings to edit a resource (continued). Object Type: From the drop-down list, select one of the following options: • IP Address. The object is an IPv4 or IPv6 address. You need to enter the IP address or the FQDN in the IP Address / Name field.
  • Page 283: View Policies
    For example, a policy that is configured for a single IP address takes precedence over a policy that is configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy that is applied to all IP addresses.
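The precedence rule just described, carried through to a decision, as an added example (not NETGEAR code). The ordering by destination specificity (single IP over IP network over all addresses) is from the text; the user-over-group-over-global tie-break for equally specific policies, the permit-by-default result when no policy matches, and the sample policies and addresses are assumptions of this model.

```python
"""SSL VPN policy resolution by destination specificity (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple

SCOPE_RANK = {"user": 3, "group": 2, "global": 1}   # assumed tie-break between equal specificity


@dataclass
class SslVpnPolicy:
    scope: str              # "user", "group" or "global"
    subject: str            # user or group name; "" for global
    apply_to: str           # "ip", "network" or "all"
    target: str             # address or CIDR network; unused for "all"
    ports: Tuple[int, int]  # inclusive port range; (0, 65535) for any port
    service: str            # "VPN Tunnel", "Port Forwarding" or "All"
    permission: str         # "PERMIT" or "DENY"

    def specificity(self) -> int:
        return {"ip": 3, "network": 2, "all": 1}[self.apply_to]

    def applies_to(self, user: str, groups: List[str]) -> bool:
        return (self.scope == "global"
                or (self.scope == "group" and self.subject in groups)
                or (self.scope == "user" and self.subject == user))

    def matches(self, dst_ip: str, dst_port: int, service: str) -> bool:
        if self.service not in ("All", service):
            return False
        if not self.ports[0] <= dst_port <= self.ports[1]:
            return False
        if self.apply_to == "ip":
            return ip_address(dst_ip) == ip_address(self.target)
        if self.apply_to == "network":   # mixed IPv4/IPv6 simply does not match
            return ip_address(dst_ip) in ip_network(self.target, strict=False)
        return True


def evaluate(policies: List[SslVpnPolicy], user: str, groups: List[str],
             dst_ip: str, dst_port: int, service: str, default: str = "PERMIT") -> str:
    """Most specific destination wins; among equals, user beats group beats global."""
    hits = [p for p in policies
            if p.applies_to(user, groups) and p.matches(dst_ip, dst_port, service)]
    if not hits:
        return default   # assumed behaviour when nothing matches
    best = max(hits, key=lambda p: (p.specificity(), SCOPE_RANK[p.scope]))
    return best.permission


# Constructed policy set: deny everything globally, open one subnet to staff over the
# tunnel, carve one host out again for bob, and let contractors port-forward SSH to it.
POLICIES = [
    SslVpnPolicy("global", "", "all", "", (0, 65535), "All", "DENY"),
    SslVpnPolicy("group", "staff", "network", "10.0.0.0/24", (0, 65535), "VPN Tunnel", "PERMIT"),
    SslVpnPolicy("user", "bob", "ip", "10.0.0.5", (0, 65535), "All", "DENY"),
    SslVpnPolicy("group", "contractors", "ip", "10.0.0.5", (22, 22), "Port Forwarding", "PERMIT"),
]
```

Note that the global DENY never beats a more specific PERMIT, regardless of how the policies are ordered in the table; if you want a hard exclusion, it has to be at least as specific as the permit it is meant to override.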
  • Page 284: Add An Ipv4 Or Ipv6 Ssl Vpn Policy

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 170. Make your selection from the following Query options: • To view all global policies, select the Global radio button. • To view group policies, select the Group radio button, and then select the relevant group’s name from the drop-down list.
  • Page 285 Figure 171. Add SSL VPN Policy screen for IPv4 • IPv6. Select the IPv6 radio button. The Add SSL VPN Policy screen displays the IPv6 settings: Figure 172. Add SSL VPN Policy screen for IPv6...
  • Page 286 Complete the settings as explained in the following table: Table 70. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the type of SSL VPN policy: •...
  • Page 287 Table 70. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy to? (continued) IP Address Permission From the drop-down list, select Permit or Deny to specify whether the policy permits or denies access.
  • Page 288: Access The New Ssl Portal Login Screen

    Note: If you have configured SSL VPN user policies, make sure that secure HTTP remote management is enabled (see Configure Remote Management Access on page 331). If secure HTTP remote management is not enabled, all SSL VPN user connections are disabled.
  • Page 289 Specify the IP version for which you want to open the SSL portal login screen: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step Figure 173.
  • Page 290 Figure 175. Enter a user name and password that are associated with a domain, that, in turn, is associated with the portal. For information about creating login credentials to access a portal, see Configure Domains, Groups, and Users on page 272.
  • Page 291 Figure 176. Figure 177. The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity.
  • Page 292: View The Ssl Vpn Connection Status And Ssl Vpn Log

    Note: The first time that a user attempts to connect through the VPN tunnel, the NETGEAR SSL VPN tunnel adapter is installed; the first time that a user attempts to connect through the port forwarding tunnel, the NETGEAR port forwarding engine is installed.
  • Page 293 Figure 179.
  • Page 294: Chapter 8 Manage Users, Authentication, And Vpn Certificates

    Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. The chapter contains the following sections: • The Wireless VPN Firewall’s Authentication Process and Options • Configure Authentication Domains, Groups, and Users •...
  • Page 295 Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The following table summarizes the external authentication protocols and methods that the wireless VPN firewall supports.
  • Page 296: Configure Authentication Domains, Groups, And Users

    Configure Authentication Domains, Groups, and Users • Configure Domains • Configure Groups • Configure User Accounts • Set User Login Policies • Change Passwords and Other User Settings Configure Domains The domain determines the authentication method to be used for associated users. For SSL connections, the domain also determines the portal layout that is presented, which in turn determines the network resources to which the associated users have access.
  • Page 297 The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain), to which the default SSL-VPN portal is assigned, has an asterisk appended.
  • Page 298 Table 72. Add Domain screen settings (continued) Setting Description Authentication Type (continued) • Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the following fields: - Authentication Server - Authentication Secret Note: If you select any type of RADIUS •...
  • Page 299 Table 72. Add Domain screen settings (continued) Setting Description LDAP Base DN The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This should be a user in the LDAP directory who has read access to all the users that you would like to import into the wireless VPN firewall. (In LDAP terminology an identity used to authenticate to the directory is a bind DN, while a base DN is the subtree at which searches start; the description here is of a bind identity. Use a dedicated read-only directory account for it rather than an administrator's, because its credentials are stored on the firewall.)
  • Page 300: Configure Groups

    Edit Domains  To edit a domain: Select Users > Domains. The Domains screen displays (see Figure 180 on page 296). In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edit.
  • Page 301 Create Groups  To create a VPN group: Select Users > Groups. The Groups screen displays. (The following figure shows the wireless VPN firewall’s default group—geardomain—and, as an example, several other groups in the List of Groups table.) Figure 182.
  • Page 302 Figure 183. Complete the settings as explained in the following table: Table 73. Add Group screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management purposes. Domain The drop-down list shows the domains that are listed on the Domain screen.
  • Page 303: Configure User Accounts

    Edit Groups For groups that were automatically created when you created a domain, you can modify only the idle time-out settings but not the group name or associated domain. For groups that you created on the Add Groups screen, you can modify the domain and the idle time-out settings but not the group name.
  • Page 304 • IPSec VPN user. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 238).
  • Page 305 • Guest User. A user who can only view the wireless VPN firewall configuration (that is, read-only access). • IPSEC VPN User. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 238).
  • Page 306: Set User Login Policies

     To delete one or more user accounts: In the List of Users table, select the check box to the left of each user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete a default user account.
  • Page 307 Make the following optional selections: • To prohibit the user from logging in to the wireless VPN firewall, select the Disable Login check box. • To prohibit the user from logging in from the WAN interface, select the Deny Login from WAN Interface check box.
  • Page 308 In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
  • Page 309 Figure 188. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
  • Page 310 Repeat Step 7 and Step 8 for any other addresses that you want to add to the Defined Addresses table.  To delete one or more IPv6 addresses: In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses.
  • Page 311: Change Passwords And Other User Settings

    Click Apply to save your settings. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list: •...
  • Page 312  To modify user settings, including passwords: Select Users > Users. The Users screen displays (see Figure 184 on page 304). In the Action column of the List of Users table, click the Edit table button for the user for which you want to modify the settings.
  • Page 313: Manage Digital Certificates For Vpn Connections

    Table 77. Edit User screen settings (continued) Setting Description Check to Edit Password Select this check box to make the password fields accessible to modify the password. Enter Your Password Enter the password with which you have logged in.
  • Page 314: Vpn Certificates Screen

    The wireless VPN firewall contains a self-signed digital certificate from NETGEAR. This certificate can be downloaded from the wireless VPN firewall login screen for browser import. Because the certificate is self-signed, a browser cannot validate it against a trusted CA; importing it tells the browser to trust that one certificate. Confirm its fingerprint over a path you already trust (for example, a management session from the LAN side) before importing it, since a certificate offered on a login page reachable from the WAN could just as well be presented by an attacker in the path.
  • Page 315: Manage Vpn Ca Certificates

    • Self Certificate Requests table. Contains the self certificate requests that you generated, that is, the certificate signing requests for the wireless VPN firewall's own certificate (a request is not itself a signed certificate). These requests might or might not have been submitted to CAs, and CAs might or might not have issued digital certificates for these requests. Only the self-signed...
  • Page 316: Manage Vpn Self-Signed Certificates

    Click the Upload table button. If the verification process on the wireless VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificates) table.
  • Page 317 Generate a CSR and Obtain a Self-Signed Certificate from a CA In this manual's terminology a self certificate is the wireless VPN firewall's own identity certificate; when a CA issues it, the result is CA-signed rather than self-signed, which is what allows VPN peers to validate it against that CA. To use such a certificate, you first need to request the digital certificate from a CA, and then download and activate the digital certificate on the wireless VPN firewall. To request the certificate from a CA, you need to generate a certificate signing request (CSR) for and on the wireless VPN firewall; the CSR carries only the public key, and the matching private key stays on the firewall.
  • Page 318 In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table: Table 78. Generate self-signed certificate request settings Setting Description Name A descriptive name of the domain for identification and management purposes.
  • Page 319 Figure 194. Copy the contents of the Data to supply to CA text field into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----.” Submit your SCR (the self certificate request, that is, the CSR) to a CA: a.
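  A CSR copied out of a browser text field by hand is easy to truncate, and a CA will either reject the damaged request or, worse, return an error that looks like a policy problem. The following is an added check for that copy step, not code from the NETGEAR manual: it relies on the fact that a PEM CSR is base64 of one DER SEQUENCE whose header states the length of everything that follows, so a copy that lost a line fails the length check even when the base64 still decodes. The sample block it builds is a constructed DER placeholder of the right shape, not a real CSR, and the function names are the example's own.

```python
"""Integrity check for a CSR copied out of the "Data to supply to CA" field.

Added illustration, not NETGEAR code. A PEM CSR is base64 of a single DER
SEQUENCE whose header states the length of everything that follows, so a
copy that lost a line fails that length check even though the base64 still
decodes. The sample block below is a constructed DER placeholder of the
right shape, not a real CSR.
"""
import base64
import re

BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"


def extract_csr_base64(text: str) -> str:
    """Return the base64 body between the BEGIN and END lines (whitespace removed)."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if m is None:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return "".join(m.group(1).split())


def der_sequence_length_ok(der: bytes) -> bool:
    """True when der is one SEQUENCE (tag 0x30) whose declared length matches the data."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                          # short form: length in one byte
        length, header = first, 2
    else:                                     # long form: 0x8N then N length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def csr_copy_is_intact(text: str) -> bool:
    """False for a missing block, malformed base64, or a DER length mismatch."""
    try:
        der = base64.b64decode(extract_csr_base64(text), validate=True)
    except ValueError:                        # binascii.Error is a ValueError subclass
        return False
    return der_sequence_length_ok(der)


def make_sample_pem(payload_len: int = 256) -> str:
    """Constructed placeholder: SEQUENCE { INTEGER 0, OCTET STRING of payload_len zero bytes }."""
    content = b"\x02\x01\x00" + b"\x04\x82" + payload_len.to_bytes(2, "big") + b"\x00" * payload_len
    der = b"\x30\x82" + len(content).to_bytes(2, "big") + content
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "\n".join([BEGIN, *lines, END])


if __name__ == "__main__":
    good = make_sample_pem()
    truncated = "\n".join(good.splitlines()[:-2] + [END])   # lost the last base64 line
    print("intact copy:", csr_copy_is_intact(good))
    print("truncated copy:", csr_copy_is_intact(truncated))
```

  This checks structure only; it does not verify the request's self-signature or inspect the subject. If OpenSSL is available, `openssl req -in request.csr -noout -text -verify` does both and is the better pre-submission check.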
  • Page 320: Manage The Vpn Certificate Revocation List

     To delete one or more SCRs: In the Self Certificate Requests table, select the check box to the left of each SCR that you want to delete, or click the Select All table button to select all SCRs.
  • Page 321 Figure 195. Certificates, screen 3 of 3 The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates: • CA Identity. The official name of the CA that issued the CRL.
  • Page 322: Chapter 9 Network And System Management

    Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the wireless VPN firewall. The chapter contains the following sections: • Performance Management • System Management Performance Management •...
  • Page 323: Features That Reduce Traffic

    Features That Reduce Traffic You can adjust the following features of the wireless VPN firewall in such a way that the traffic load on the WAN side decreases: • LAN WAN outbound rules (also referred to as service blocking) •...
  • Page 324: Content Filtering

    Single address. The rule applies to the address of a particular computer. Address range. The rule applies to a range of addresses. Groups. The rule applies to a group of computers. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs and...
  • Page 325: Features That Increase Traffic

    Source MAC Filtering If you want to reduce outgoing traffic by preventing Internet access by certain computers on the LAN, you can use the source MAC filtering feature to drop the traffic received from the computers with the specified MAC addresses. Treat this as a traffic-management control rather than a security boundary: a MAC address is chosen by the client and is trivially changed, so a user who wants Internet access can simply adopt an address that is not on the list.
  • Page 326 rules, see Configure LAN WAN Rules on page 138 and Configure DMZ WAN Rules on page 145. When you define inbound firewall rules, you can further refine their application according to the following criteria: •...
  • Page 327: Port Triggering

    Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application. Without port triggering, the response from the external application would be treated as a new connection request rather than a response to a request from the LAN network.
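    The behaviour described above is a small state machine: an outbound connection to a known "trigger" port arms a rule, the rule opens a set of inbound ports toward the LAN host that sent the trigger, and the opening closes again after a period of inactivity. The following is an added illustration of that logic, not code from the NETGEAR manual or firmware; the rule shape (one outgoing port, a range of incoming ports, an inactivity timeout) and the 30-second default are assumptions, and the port numbers and LAN address in the walk-through are constructed.

```python
"""Port-triggering state machine.

Added illustration, not NETGEAR code. Assumptions: a rule names one
outgoing (trigger) port and a range of incoming ports; an outbound
connection from a LAN host to the trigger port opens the incoming
ports toward that host; the opening is refreshed by use and closes
after an inactivity timeout (the 30 s default is an assumed value).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class TriggerRule:
    name: str
    outgoing_port: int      # LAN -> WAN destination port that arms the rule
    incoming_ports: range   # WAN -> LAN ports opened once armed
    timeout: int = 30       # seconds of inactivity before the opening closes


@dataclass
class PortTriggerTable:
    rules: List[TriggerRule]
    # inbound port -> (LAN host to forward to, expiry time, inactivity timeout)
    openings: Dict[int, Tuple[str, int, int]] = field(default_factory=dict)

    def outbound(self, lan_ip: str, dst_port: int, now: int) -> Optional[str]:
        """LAN host sends to dst_port. Arms a matching rule and returns its name."""
        for rule in self.rules:
            if rule.outgoing_port == dst_port:
                for port in rule.incoming_ports:
                    self.openings[port] = (lan_ip, now + rule.timeout, rule.timeout)
                return rule.name
        return None     # ordinary outbound traffic, no trigger

    def inbound(self, dst_port: int, now: int) -> Optional[str]:
        """WAN host initiates to dst_port. Returns the LAN host to forward to,
        or None when the firewall treats it as an unsolicited new connection."""
        entry = self.openings.get(dst_port)
        if entry is None:
            return None
        lan_ip, expiry, timeout = entry
        if now > expiry:
            del self.openings[dst_port]     # idle too long: close the opening
            return None
        self.openings[dst_port] = (lan_ip, now + timeout, timeout)  # refresh on use
        return lan_ip


def demo() -> List[Optional[str]]:
    """Walk through the sequence the text describes and return each decision."""
    table = PortTriggerTable([TriggerRule("app-x", 27000, range(27001, 27004), timeout=60)])
    return [
        table.inbound(27001, now=0),               # not armed: dropped (None)
        table.outbound("192.168.1.10", 27000, 5),  # LAN host triggers -> "app-x"
        table.inbound(27002, now=10),              # forwarded to 192.168.1.10
        table.inbound(27002, now=200),             # idle > 60 s: closed again (None)
        table.outbound("192.168.1.10", 80, 5),     # plain web traffic: no trigger (None)
    ]


if __name__ == "__main__":
    print(demo())
```

    Two properties worth noticing from a security standpoint: while a rule is armed, the incoming ports are reachable from any WAN host, not only the one the LAN host contacted, and a second LAN host that sends the same trigger takes over the opening. Keep the incoming range as narrow as the application allows and the timeout short.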
  • Page 328: Use Qos And Bandwidth Assignment To Shift The Traffic Mix

    Use QoS and Bandwidth Assignment to Shift the Traffic Mix By setting the QoS priority and assigning bandwidth profiles to firewall rules, you can shift the traffic mix to aim for optimum performance of the wireless VPN firewall.
  • Page 329: System Management

    The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account. Do this before the firewall is connected to the WAN and before remote management is enabled: a default credential on a management interface is the first thing an attacker tries.
  • Page 330 In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit Users screen displays: Figure 197. You cannot modify the administrator user name, user type, or group assignment.
  • Page 331: Configure Remote Management Access

    IP address and default password. Because a malicious WAN user can reconfigure the wireless VPN firewall and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see...
  • Page 332  To configure the wireless VPN firewall for remote management: Select Administration > Remote Management. The Remote Management screen displays the IPv4 settings (see the next figure). Specify the IP version for which you want to configure remote management: •...
  • Page 333 Figure 199. Remote Management screen for IPv6 Enter the settings as explained in the following table: Table 79. Remote Management screen settings for IPv4 and IPv6 Setting Description Secure HTTP Management Allow Secure HTTP...
  • Page 334 Table 79. Remote Management screen settings for IPv4 and IPv6 (continued) Setting Description Allow Secure HTTP Management? Port Number Enter the port number through which access is allowed. The default port number is 443. Moving the interface to another port only hides it from casual scanning; it is not an access control. Restrict which addresses may log in (see Set User Login Policies) and keep the admin password strong.
  • Page 335: Use The Command-Line Interface

    Simple Network Management Protocol (SNMP) forms part of the Internet Protocol Suite as defined by the Internet Engineering Task Force (IETF). SNMP is used in network management systems such as the NETGEAR ProSafe Network Management Software (NMS200) to monitor network-attached devices for conditions that warrant administrative attention.
  • Page 336 SNMP lets you monitor and manage your wireless VPN firewall from an SNMP manager. It provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. The wireless VPN firewall supports SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 and SNMPv2c authenticate with a community string sent in the clear, so anyone who can observe the traffic (or guess a common default such as public) can read, and with a write community change, the device's state; prefer SNMPv3 with authentication and privacy, and do not expose SNMP on the WAN.
  • Page 337 To specify a new SNMP configuration, in the Create New SNMP Configuration Entry section of the screen, enter the settings as explained in the following table: Table 80. SNMP screen settings Setting Description IP Address Enter the IP address of the new SNMP manager.
  • Page 338  To delete one or more SNMP configurations: On the SNMP screen (see Figure 200 on page 336), select the check box to the left of each SNMP configuration that you want to delete, or click the Select All table button to select all SNMP configurations.
  • Page 339 Table 81. Edit User screen settings for SNMPv3 users (continued) Setting Description Authentication Algorithm From the drop-down list, select the protocol for authenticating an SNMPv3 user: • MD5. Message Digest 5. This is a hash algorithm that produces a 128-bit digest. (MD5 is not recommended for new deployments; if the list offers a SHA option, choose it. In either case use a long, random authentication passphrase, because the SNMPv3 key is derived directly from it and an attacker who captures authenticated traffic can test passphrase guesses offline.) •...
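  The passphrase entered for an SNMPv3 user is not used as-is: the User-based Security Model (RFC 3414) stretches it to 1 MiB, hashes it with the chosen algorithm to get the user key Ku, then "localizes" that key with the agent's engine ID to get the key Kul that the agent actually stores and uses. The following is an added illustration of that derivation, not code from the NETGEAR manual or firmware; it uses the test vectors published in RFC 3414 Appendix A.3, and the second engine ID in the demo is a constructed value.

```python
"""SNMPv3 USM key derivation (RFC 3414, Appendix A.2).

Added illustration, not NETGEAR code. It shows how the authentication
passphrase entered for an SNMPv3 user becomes the key the agent actually
uses: the passphrase is stretched to 1 MiB and hashed (Ku), then
localized with the agent's engine ID (Kul). The test vectors are those
published in RFC 3414 Appendix A.3.
"""
import hashlib

ONE_MIB = 1048576


def expand_password(password: bytes, hashname: str = "md5") -> bytes:
    """Ku: hash of the passphrase repeated (and truncated) to exactly 1 MiB."""
    if not password:
        raise ValueError("empty passphrase")
    reps, rem = divmod(ONE_MIB, len(password))
    h = hashlib.new(hashname)
    h.update(password * reps + password[:rem])
    return h.digest()


def localize(ku: bytes, engine_id: bytes, hashname: str = "md5") -> bytes:
    """Kul = H(Ku || snmpEngineID || Ku): ties the key to one agent."""
    return hashlib.new(hashname, ku + engine_id + ku).digest()


def derive_key(password: bytes, engine_id: bytes, hashname: str = "md5") -> bytes:
    """Full passphrase -> localized key path, as an agent or manager performs it."""
    return localize(expand_password(password, hashname), engine_id, hashname)


# Engine ID used by the RFC 3414 test vectors.
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")
# Constructed second engine ID, to show localization differs per agent.
OTHER_ENGINE_ID = bytes.fromhex("80001f8880") + b"\x01" * 5

if __name__ == "__main__":
    for name in ("md5", "sha1"):
        print(name, "Kul for RFC engine:", derive_key(b"maplesyrup", RFC_ENGINE_ID, name).hex())
    # Same passphrase, different engine: a key recovered from one firewall does
    # not work against another, but a recovered passphrase works everywhere.
    print("md5 Kul for other engine:", derive_key(b"maplesyrup", OTHER_ENGINE_ID, "md5").hex())
```

  Note what localization does and does not buy you: a Kul captured from one device is useless against another device, but the expansion step is a single hash over 1 MiB, which is cheap to repeat, so a short or dictionary passphrase can be recovered offline from captured authenticated messages regardless of whether MD5 or SHA is selected.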
  • Page 340: Manage The Configuration File

    Table 82. SNMP SysConfiguration screen settings (continued) Setting Description SysName Enter the name of the wireless VPN firewall for SNMP identification purposes. The default name is FVS318N. Click Apply to save your changes.
  • Page 341 On the Settings Backup and Firmware Upgrade screen (see the previous figure), next to Save a copy of current settings, click the Backup button to save a copy of your current settings. A screen displays, showing the file name of the backup file (FVS318N.cfg). Select Save file, and then click OK. Treat the backup file as sensitive: it holds the complete configuration, including account passwords and VPN pre-shared keys, so store it encrypted and with restricted access.
  • Page 342 WARNING: Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the wireless VPN firewall, shut down the computer, or do anything else to the wireless VPN firewall until the settings have been fully restored.
  • Page 343: Update The Firmware

    To download a firmware version and upgrade the firmware: Go to the NETGEAR website at http://support.netgear.com. Navigate to the FVS318N support page, and click the Downloads tab. Click the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the wireless VPN firewall’s software.
  • Page 344: Configure Date And Time Service

    Configure Date and Time Service Configure date, time, and NTP server designations on the System Date & Time screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers.
  • Page 345 Note: If you select the Use Custom NTP Servers option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://support.ntp.org/bin/view/Servers/WebHome.
  • Page 346: Chapter 10 Monitor System Access And Performance

    Monitor System Access and Performance This chapter describes the system-monitoring features of the wireless VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more.
  • Page 347 Figure 206. Enter the settings as explained in the following table:
  • Page 348 Table 84. Broadband Traffic Meter screen settings Setting Description Enable Traffic Meter Do you want to enable Traffic Metering (on the WAN interface)? Select one of the following radio buttons to configure traffic metering: • Yes. Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN interface.
  • Page 349: Configure Logging, Alerts, And Event Notifications

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 84. Broadband Traffic Meter screen settings (continued) Setting Description When Limit is reached Block Traffic Select one of the following radio buttons to specify which action the wireless VPN firewall performs when the traffic limit has been reached: •...
  • Page 350 Figure 208.
  • Page 351 Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to identify the device that sent the log messages. The default identifier is FVS318N. Routing Logs In the Accepted Packets and Dropped Packets columns, select check boxes to specify which traffic is logged: •...
  • Page 352 Table 85. Firewall Logs & E-mail screen settings (continued) Setting Description Enable E-mail Logs Do you want logs to be emailed? Select the Yes radio button to enable the wireless VPN firewall to email logs to a specified email address.
  • Page 353: How To Send Syslogs Over A Vpn Tunnel Between Sites

    Click Apply to save your settings. Note: Enabling routing and other event logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. If you need those logs for detection or incident response, the practical alternative to leaving them off is to forward them to an external syslog server, so that the volume does not burden the firewall itself and the records are kept off the device. How to Send Syslogs over a VPN Tunnel between Sites ...
  • Page 354 The following sections describe steps 2 through 4, using the topology that is described in the following table: Type of Address Gateway 1 at Site 1 Gateway 2 at Site 2 WAN IP address 10.0.0.1...
  • Page 355 Configure Gateway 2 at Site 2  To create a gateway-to-gateway VPN tunnel to Gateway 1, using the IPSec VPN wizard: Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays.
  • Page 356: View Status Screens

    View Status Screens • View the System Status • View the VPN Connection Status and L2TP Users • View the VPN Logs • View the Port Triggering Status • View the WAN Port Status •...
  • Page 357 Figure 209. The following table explains the fields of the Router Status screen: Table 86. Router Status screen information Item Description System Info System Name The NETGEAR system name. Firmware Version The installed firmware version.
  • Page 358 Table 86. Router Status screen information (continued) Item Description LAN IPv4/IPv6 Information MAC Address The MAC address of the wireless VPN firewall. IPv6 Address The IPv6 address that is assigned to the wireless VPN firewall. For information...
  • Page 359 Figure 210. The following table explains the fields of the Router Statistics screen. To change the poll interval period, enter a new value (in seconds) in the Poll Interval field, and then click Set interval. To stop polling, click Stop.
  • Page 360 Figure 211.
  • Page 361 The following table explains the fields of the Detailed Status screen: Table 88. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports.
  • Page 362 Table 88. Detailed Status screen information (continued) Item Description NAT (IPv4 only) The NAT state can be either Enabled or Disabled, depending on whether NAT is enabled (see Network Address Translation on page 27) or classical routing is enabled...
  • Page 363 Table 88. Detailed Status screen information (continued) Item Description Wireless Profile Information SSID The SSID of the wireless profile. Security Settings The security settings of the wireless profile. Encryption The encryption that is configured on the...
  • Page 364: View The Vpn Connection Status And L2Tp Users

    View the VPN Connection Status and L2TP Users The Connection Status screens display a list of IPSec VPN connections, SSL VPN connections, and L2TP users who are currently logged in to the wireless VPN firewall.
  • Page 365: View The Vpn Logs

    To disconnect an active user, click the Disconnect table button to the right of the user’s table entry.  To view the active L2TP tunnel users: Select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays: Figure 215.
  • Page 366: View The Port Triggering Status

     To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 217. View the Port Triggering Status  To view the status of the port triggering feature: Select Security >...
  • Page 367: View The Wan Port Status

    Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status pop-up screen displays. Figure 219. The Port Triggering Status screen displays the information that is described in the following table: Table 89.
  • Page 368 Figure 220. The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Table 90. Connection Status screen information for an IPv4 connection...
  • Page 369 IPv6 WAN Port Status  To view the IPv6 status of the WAN port: Select Network Configuration > WAN Settings > Broadband ISP Settings (IPv6). The Broadband ISP Settings (IPv6) screen displays (see Figure 19 on page 40).
  • Page 370: View The Attached Devices And The Dhcp Log

    View the Attached Devices and the DHCP Log The LAN Groups screen shows the network database, which is the Known PCs and Devices table, which contains all IP devices that the wireless VPN firewall has discovered on the local network.
  • Page 371 assigned a static IP address, you need to update this entry manually after the IP address on the computer or device has changed. • MAC Address. The MAC address of the computer’s or device’s network interface.
  • Page 372: View The Status Of A Wireless Profile

    View the Status of a Wireless Profile  To view the status of a specific wireless profile: Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. Click the Status button in the Status column for the wireless profile for which you want to display the status information.
  • Page 373: Diagnostics Utilities

    Table 92. Wireless Profile Status screen fields (continued) Item Description Connected Clients MAC Address The MAC address of the client. Radio The radio to which the client is connected. By default, the radio is always 1, indicating the 2.4 GHz radio.
  • Page 374 Figure 225. • IPv6. Select the IPv6 radio button. The Diagnostics screen displays the IPv6 settings: Figure 226. The various tasks that you can perform on the Diagnostics screen are explained in the following sections.
  • Page 375: Send A Ping Packet

    Diagnostics screen, click Back on the browser menu bar. Look Up a DNS Address A Domain Name System (DNS) server converts an Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.
  • Page 376: Display The Routing Tables

    Display the Routing Tables Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems.  To display the routing table: On the Diagnostics screen for IPv4, in the Router Options section of the screen, click the Display button next to Display the IPv4 Routing Table.
  • Page 377: Reboot The Wireless Vpn Firewall Remotely

    Reboot the Wireless VPN Firewall Remotely You can perform a remote reboot, for example, when the wireless VPN firewall seems to have become unstable or is not operating normally. Rebooting breaks any existing connections either to the wireless VPN firewall (such as your management session) or through the wireless VPN firewall (for example, LAN users accessing the Internet).
  • Page 378: Chapter 11 Troubleshooting

    Troubleshooting This chapter provides troubleshooting tips and information for the wireless VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the wireless VPN firewall on? Go to Basic Functioning on page 379.
  • Page 379: Basic Functioning

    VPN firewall and that the power supply adapter is correctly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR technical support.
  • Page 380: Lan Or Wan Port Leds Not On

    VPN firewall’s IP address to 192.168.1.1. This procedure is explained in Restore the Default Configuration and Password on page 388. If the error persists, you might have a hardware problem and should contact NETGEAR technical support. LAN or WAN Port LEDs Not On ...
  • Page 381: When You Enter A Url Or Ip Address, A Time-Out Error Occurs

    • Make sure that you are using the SSL https://address login rather than the http://address login. • Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded.
  • Page 382: Troubleshoot The Isp Connection

     To check the WAN IP address: Launch your browser and navigate to an external site such as www.netgear.com. Access the web management interface of the wireless VPN firewall’s configuration at https://192.168.1.1. Select Network Configuration > WAN Settings > Broadband ISP Settings. The Broadband ISP Settings screen for IPv4 displays.
  • Page 383: Troubleshooting The Ipv6 Connection

    A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP provides the addresses of one or two DNS servers for your use. You can configure your computer manually with DNS addresses, as explained in your operating system documentation.
  • Page 384 Check the computer: • Make sure that the operating system supports IPv6. Normally, the following operating systems support IPv6: Windows 7, all 32- and 64-bit versions Windows Vista, all 32- and 64-bit versions...
  • Page 385 c. Make sure that Internet Protocol Version 6 (TCP/IPv6) displays, as is shown in the previous figure. • Make sure that the computer has an IPv6 address. If the computer has a link-local address only, it cannot reach the wireless VPN firewall or the Internet.
  • Page 386: Troubleshoot A Tcp/Ip Network Using A Ping Utility

    Figure 230. f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80.
  • Page 387: Test The Path From Your Computer To A Remote Device

    Click OK. A message similar to the following should display: Pinging <IP address> with 32 bytes of data If the path is working, you see this message: Reply from <IP address>: bytes=32 time=NN ms TTL=xxx...
  • Page 388: Restore The Default Configuration And Password

    information. For more information, see Manually Configure an IPv4 Internet Connection on page 31. • Your ISP could be rejecting the Ethernet MAC addresses of all but one of your computers. Many broadband ISPs restrict access by allowing traffic only from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single computer connected to that modem.
  • Page 389: Address Problems With Date And Time

    Access the Knowledge Base and Documentation. To access NETGEAR’s knowledge base for the wireless VPN firewall: Select Web Support > Knowledgebase. To access NETGEAR’s documentation library for your wireless VPN firewall model: Select Web Support > Documentation.
  • Page 390: Appendix A Default Settings And Technical Specifications

    Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the wireless VPN firewall in the following sections: • Factory Default Settings • Physical and Technical Specifications Factory Default Settings You can use the factory default Reset button located on the rear panel to reset all settings to their factory defaults.
  • Page 391 Table 93. Wireless VPN firewall factory default configuration settings (continued). Feature: Default behavior. Stateless IP/ICMP Translation (SIIT): Disabled; WAN MAC address: Use default MAC address of the wireless VPN firewall; WAN MTU size: ...
  • Page 392 Table 93. Wireless VPN firewall factory default configuration settings (continued). Feature: Default behavior. DMZ port for IPv6: Disabled; DMZ IPv6 address (Port 8): 176::1; DMZ IPv6 prefix length (Port 8); DMZ DHCPv6 server: ...
  • Page 393 Table 93. Wireless VPN firewall factory default configuration settings (continued). Feature: Default behavior. UPnP: Disabled; Bandwidth profiles: None; QoS profiles: Normal-Service, Minimize-Cost, Maximize-Reliability, Maximize-Throughput, Minimize-Delay; Content filtering: Disabled; Proxy server blocking: Disabled; Java applets blocking: ...
  • Page 394 Table 93. Wireless VPN firewall factory default configuration settings (continued). Feature: Default behavior. Encryption: None; Authentication: None; Transmission rate: Best; Default transmit power: Full; 802.11 wireless mode: 802.11ng (for most countries); 802.11b/g/n radio frequency channel: Auto; 802.11n channel spacing: ...
  • Page 395 Table 93. Wireless VPN firewall factory default configuration settings (continued). Feature: Default behavior. Key group: DH-Group 2 (1024 bit); NetBIOS: Enabled. VPN IPsec Wizard, IKE policy settings for IPv4 gateway-to-client tunnels: Exchange mode: ...
  • Page 396: Physical And Technical Specifications

    Table 93. Wireless VPN firewall factory default configuration settings (continued). Feature: Default behavior. Default users, default passwords: admin, password; guest, password. Administrative and monitoring settings: Secure HTTP management: Enabled; Telnet management: Disabled; Traffic meter: ...
  • Page 397 Table 94. Wireless VPN firewall physical and technical specifications (continued). Feature: Specification. Power plug (localized to the country of sale): North America: 120V, 60 Hz, input; United Kingdom, Australia: 240V, 50 Hz, input; ...
  • Page 398 The following table shows the IPSec VPN specifications for the wireless VPN firewall: Table 95. Wireless VPN firewall IPSec VPN specifications. Setting: Specification. Network Management: Web-based configuration and status monitoring; Number of concurrent users supported: ...
  • Page 399 The following table shows the wireless specifications for the wireless VPN firewall: Table 97. Wireless VPN firewall wireless specifications. Setting: Specification. 802.11bg data rates: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps, and auto-rate capable; 802.11ng/n data rates: ...
  • Page 400: Appendix B Two-Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. NETGEAR has implemented a more robust authentication system known as two-factor authentication (2FA or T-FA) to help address the fast-growing network security issues.
  • Page 401: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented 2 two-factor authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform two-factor authentication on NETGEAR SSL and VPN firewall products.
  • Page 402 Figure 232. A one-time passcode (something the user has) is generated. Figure 233. Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration time.
  • Page 403 Figure 234.
  • Page 404: Appendix C Notification Of Compliance (Wired)

    FCC Declaration Of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies with Part 15 of FCC Rules.
  • Page 405 • Consult the dealer or an experienced radio/TV technician for help. Modifications made to the product, unless expressly approved by NETGEAR, Inc., could void the user's right to operate the equipment. Canadian Department of Communications Radio Interference Regulations...
  • Page 406 Additional Copyrights Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: 1.
  • Page 407 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function.
  • Page 408: Appendix D Notification Of Compliance (Wireless)

    EDOC in Languages of the European Community. Language: Statement. Cesky [Czech]: NETGEAR Inc. hereby declares that this Radiolan is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk [Danish]: The undersigned NETGEAR Inc. hereby declares that the following equipment, Radiolan, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC.
  • Page 409 Español [Spanish]: NETGEAR Inc. hereby declares that the Radiolan complies with the essential requirements and any other applicable or mandatory provisions of Directive 1999/5/EC. Ελληνική [Greek]: NETGEAR Inc. HEREBY DECLARES THAT Radiolan COMPLIES WITH...
  • Page 410 This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. FCC Declaration of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies with Part 15 Subpart B of FCC CFR47 Rules.
  • Page 411 Canadian Department of Communications Radio Interference Regulations This digital apparatus (ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N) does not exceed the Class B limits for radio-noise emissions from digital apparatus as set out in the Radio Interference Regulations of the Canadian Department of Communications.
  • Page 412: Index

    Index Numerics administrator default name and password 10BASE-T, 100BASE-T, and 1000BASE-T speeds receiving logs by email 2.4-GHz wireless mode settings (admin) user account 20- and 40-MHz channel spacing – advertisement prefixes, IPv6 3322.org DMZ, configuring for 64-bit and 128-bit WEP LAN, configuring for 6to4 tunnels advertisement, UPnP information...
  • Page 413 Auto Uplink, autosensing Ethernet connections certificates commercial CAs autodetecting IPv4 Internet settings autoinitiating VPN tunnels autosensing port speed overview – self-signed signature key length – trusted b mode, wireless – certification authority (CA)
  • Page 414 crossover cable radio remote management CSMA (Carrier Sense Multiple Access) router lifetime CSR (certificate signing request) DMZ RADVD CTS (Clear to Send) packets and self-protection LAN RADVD custom services, firewall secure HTTP access...
  • Page 415 dipole antenna ESS (extended service set) direction, bandwidth profiles Ethernet ports DMZ (demilitarized zone) event logs – configuring – examples of firewall rules increasing traffic exchange mode, IKE policies port exposed hosts DNS (Domain Name Server)
  • Page 416 LAN-to-WAN rules IPv6 g mode, wireless DMZ-to-WAN rules gateway, ISP LAN-to-DMZ rules IPv4 address LAN-to-WAN rules IPv6 address order of precedence generating keys, WEP overview global addresses, IPv6 scheduling – settings global IPv6 tunnels...
  • Page 417 ISATAP tunnel address unique global address – LAN, secondary VPN tunnels MAC bindings IPv6 connection, troubleshooting port forwarding, SSL VPN – IPv6 DMZ, configuring requirements IPv6 gateway reserved IPv6 Internet connection secondary LAN...
  • Page 418 key generation, WEP location of wireless VPN firewall keyword blocking lock, security knowledge base login attempts login default settings – login policies, user login time-out L2TP (Layer 2 Tunneling Protocol) server changing L2TP Access Concentrator (LAC)
  • Page 419 monitoring default settings online games, DMZ port MTU (maximum transmission unit) open system (no wireless security) default operating frequency, radio IPv6 DMZ packets option arrows (web management interface) IPv6 LAN packets – Oray.net...
  • Page 420 PFS (Perfect Forward Secrecy) portals, SSL VPN accessing physical specifications – configuring PIN method, WPS options for pinging ports checking connections console responding on Internet ports LAN and WAN and their LEDs responding on LAN ports...
  • Page 421 – VLANs remote management access – wireless security remote users, assigning addresses (Mode Config) – protection from common attacks Request to Send (RTS) threshold protocols reserved IPv4 addresses, configuring compatibilities – resources, SSL VPN, configuring...
  • Page 422 security lock receptacle SSIDs (service set identifiers) assigning a name and broadcasting Security Parameters Index (SPI) broadcasting and security security profiles, wireless – SSL VPN creating and configuring ActiveX web cache cleaner –...
  • Page 423 – status, viewing IPv6 connection updating firmware ISP connection – LEDs testing your setup time-out error table buttons (web management interface) web management interface tabs, submenu (web management interface) – trusted certificates TCP (Transmission Control Protocol)
  • Page 424 manually generated – IPSec VPN user account vendor class identifier (VCI) keep-alives version, SNMP NetBIOS pass-through (IPSec, PPTP, L2TP) videoconferencing pre-shared key DMZ port from restricted address (rule example) client-to-gateway tunnel – gateway-to-gateway tunnel...
  • Page 425 testing wireless equipment, placement and range wireless mode wireless network name (SSID) broadcasting broadcasting and security wireless radio advanced settings, configuring basic settings, configuring – wireless security wireless separation wireless specifications wireless status, viewing...