NETGEAR ProSafe FVS318N Reference Manual

Wireless-n 8-port gigabit vpn firewall

350 East Plumeria Drive
San Jose, CA 95134
USA
March 16, 2012
202-10836-02
v1.0
ProSafe Wireless-N 8-Port
Gigabit VPN Firewall
FVS318N
Reference Manual


Summary of Contents for NETGEAR ProSafe FVS318N

  • Page 1 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Reference Manual 350 East Plumeria Drive San Jose, CA 95134 March 16, 2012 202-10836-02 v1.0...
  • Page 2: Technical Support

    NETGEAR, Inc. Technical Support Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or for more information about the topics covered in this manual, visit the Support website at http://support.netgear.com.
  • Page 3 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N (continued) • User login restrictions based on IPv6 addresses (see Configure Login Restrictions Based on IPv6 Addresses) • IPv6 remote management access (see Configure Remote Management Access) • IPv6 time zone (see Configure Date and Time Service) •...
  • Page 4: Table Of Contents

    Contents Chapter 1 Introduction What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? . 10 Key Features and Capabilities ........11 Wireless Features.
  • Page 5 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Additional WAN-Related Configuration Tasks ....50 Verify the Connection ........50 What to Do Next .
  • Page 6 Test the Connection and View Connection and Status Information ..213 Test the NETGEAR VPN Client Connection ....213 NETGEAR VPN Client Status and Log Information .
  • Page 7 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Manage VPN Policies ........225 Configure Extended Authentication (XAUTH) .
  • Page 8 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Manage Digital Certificates for VPN Connections ....306 VPN Certificates Screen........307 Manage VPN CA Certificates .
  • Page 9 What Is Two-Factor Authentication?......390 NETGEAR Two-Factor Authentication Solutions ....390...
  • Page 10: Chapter 1 Introduction

    Log In to the Wireless VPN Firewall Note: For more information about the topics covered in this manual, visit the FVS318N support website at http://support.netgear.com. What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? The ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N, hereafter referred to as the...
  • Page 11: Key Features And Capabilities

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Key Features and Capabilities The wireless VPN firewall provides the following key features and capabilities: • A single 10/100/1000 Mbps Gigabit Ethernet WAN port • Built-in eight-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources •...
  • Page 12: A Powerful, True Firewall

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • SSL VPN provides remote access for mobile users to selected corporate resources without requiring a preinstalled VPN client on their computers. Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
  • Page 13: Autosensing Ethernet Connections With Auto Uplink

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Autosensing Ethernet Connections with Auto Uplink With its internal eight-port 10/100/1000 Mbps switch and 10/100/1000 WAN port, the wireless VPN firewall can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network.
  • Page 14: Easy Installation And Management

    Visual monitoring. The wireless VPN firewall’s front panel LEDs provide an easy way to monitor its status and activity. Maintenance and Support NETGEAR offers the following features to help you maximize your use of the wireless VPN firewall: • Flash memory for firmware upgrades.
  • Page 15: Package Contents

    30-day trial license for the ProSafe VPN Client software (VPN01L) If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep the carton, including the original packing materials, in case you need to return the product for repair.
  • Page 16 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 1. Front panel LED callouts: Power LED (green), left WAN LED, right WAN LED, left LAN LEDs (green, one for each port), right LAN LEDs (one for each port), Wireless LED, Active WAN LED, Test LED, DMZ LED. The following table describes the function of each LED.
  • Page 17 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 1. LED descriptions (continued) Activity Description LAN Ports Left LED The LAN port has no link. On (green) The LAN port has detected a link with a connected Ethernet device. Blinking (green) Data is being transmitted or received by the LAN port.
  • Page 18: Rear Panel

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Rear Panel The rear panel of the wireless VPN firewall includes the antennas, a cable lock receptacle, a console port, a Reset button, a DC power connection, and a power switch. Rear panel callouts: antennas (1) and (7), security lock (2), power switch (6)...
  • Page 19: Bottom Panel With Product Label

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Bottom Panel with Product Label The product label on the bottom of the wireless VPN firewall’s enclosure displays factory defaults settings, regulatory compliance, and other information. Figure 3. Choose a Location for the Wireless VPN Firewall The wireless VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack.
  • Page 20: Log In To The Wireless Vpn Firewall

    Installation Guide. See the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR support website at http://support.netgear.com/app/products/model/a_id/19435.
  • Page 21 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 4. In the User Name field, type admin. Use lowercase letters. In the Password / Passcode field, type password. Here, too, use lowercase letters. Note: The wireless VPN firewall user name and password are not the same as any user name or password you might use to log in to your Internet connection.
  • Page 22: Web Management Interface Menu Layout

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 5. Web Management Interface Menu Layout The following figure shows the menu at the top of the web management interface: 1st level: Main navigation menu link (orange); 2nd level: Configuration menu link (gray); 3rd level: Submenu tab (blue); IP radio buttons; Option arrows: Additional screen for submenu item. Figure 6.
  • Page 23 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • 2nd level: Configuration menu links. The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.
  • Page 24: Requirements For Entering Ip Addresses

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Any of the following table buttons might display onscreen: • Select All. Select all entries in the table. • Delete. Delete the selected entry or entries from the table. • Enable. Enable the selected entry or entries in the table. •...
  • Page 25: Chapter 2 Internet And Broadband Settings

    Internet and Broadband Settings This chapter explains how to configure the Internet and WAN settings. This chapter contains the following sections: • Internet and WAN Configuration Tasks • Configure the IPv4 Internet Connection and WAN Settings • Configure the IPv6 Internet Connection and WAN Settings •...
  • Page 26: Tasks To Set Up An Ipv6 Internet Connection To Your Isp

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the WAN options (optional). If required, change the factory default MTU size, port speed, and MAC address of the wireless VPN firewall: see Configure Advanced WAN Options and Other Tasks on page 47. These are advanced features, and you usually do not need to change them.
  • Page 27: Network Address Translation

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Network Address Translation Network Address Translation (NAT) allows all computers on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the wireless VPN firewall) and a single IP address.
  • Page 28: Let The Wireless Vpn Firewall Automatically Detect And Configure An Ipv4 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 9. Select the NAT radio button or the Classical Routing radio button. WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings. Click Apply to save your settings. Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection ...
  • Page 29 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 10. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support.
  • Page 30 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 2. IPv4 Internet connection methods Connection Method Manual Data Input Required DHCP (Dynamic IP) No manual data input is required. PPPoE The following fields are required: • Login • Password • Account Name •...
  • Page 31: Manually Configure An Ipv4 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection on page 31, or see Troubleshoot the ISP Connection...
  • Page 32 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 13. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table: Table 3. PPTP and PPPoE settings Setting Description Austria (PPTP) If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button, and enter the following settings: Account Name...
  • Page 33 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 3. PPTP and PPPoE settings (continued) Setting Description Other (PPPoE) If you have installed login software, then your connection type is PPPoE. Select this radio button, and enter the following settings: Note: For login Account Name The valid account name for the PPPoE connection.
  • Page 34 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 4. Internet IP address settings Setting Description Get Dynamically from ISP If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the wireless VPN firewall using the DHCP network protocol.
  • Page 35: Configure The Ipv6 Internet Connection And Wan Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Test to evaluate your entries. The wireless VPN firewall attempts to make a connection according to the settings that you entered. Click Apply to save your changes. To verify the connection, click the Broadband Status option arrow in the upper right of the screen to display the Connection Status pop-up screen.
  • Page 36: Configure The Ipv6 Routing Mode

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N travel over the IPv4 intranet; you do this by enabling and configuring ISATAP tunneling (see Configure ISATAP Automatic Tunnelling on page 42). Note: A network can be both an isolated IPv6 network and a mixed network with IPv4 and IPv6 devices.
  • Page 37: Use A Dhcpv6 Server To Configure An Ipv6 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 16. Select the IPv4 / IPv6 mode radio button. By default, the IPv4 only mode radio button is selected, and IPv6 is disabled. WARNING: Changing the IP routing mode causes the wireless VPN firewall to reboot.
  • Page 38 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To automatically configure the WAN port for an IPv6 connection to the Internet: Select Network Configuration > WAN Settings > Broadband ISP Settings. In the upper right of the screen, select the IPv6 radio button. The ISP Broadband Settings screen displays the IPv6 settings: Figure 17.
  • Page 39: Configure A Static Ipv6 Internet Connection

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To verify the connection, click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a dynamic IP address configuration.) Figure 18. The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet.
  • Page 40 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 19. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6. In the Static IP Address section of the screen, enter the settings as explained in the following table.
  • Page 41: Configure 6To4 Automatic Tunneling

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To verify the connection, click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration; the IP addresses are not related to any other examples in this manual.) Figure 20.
  • Page 42: Configure Isatap Automatic Tunnelling

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N With 6to4 tunnels, IPv6 packets are embedded within the IPv4 packet and then transported over the IPv4 network. You do not need to specify remote tunnel endpoints, which are automatically determined by relay routers on the Internet. You cannot use 6to4 tunnels for traffic between IPv4-only devices and IPv6-only devices.
  • Page 43 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N enabling and configuring Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling. ISATAP is a LAN tunnel mechanism in which the IPv4 network functions as a virtual IPv6 local link. Each IPv4 address is mapped to a link-local IPv6 address, that is, the IPv4 address is used in the interface portion of the IPv6 address.
  • Page 44 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click the Add table button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays: Figure 23. Specify the tunnel settings as explained in the following table. Table 7. Add ISATAP Tunnel screen settings Setting Description ISATAP Subnet Prefix...
  • Page 45: View The Tunnel Status And Ipv6 Addresses

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View the Tunnel Status and IPv6 Addresses The IPv6 Tunnel Status screen displays the status of all active 6to4 and ISATAP tunnels and their IPv6 addresses. To view the status of the tunnels and IPv6 addresses: Select Monitoring >...
  • Page 46 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the DDNS service does not work because private addresses are not routed on the Internet.  To configure DDNS: Select Network Configuration >...
  • Page 47: Configure Advanced Wan Options And Other Tasks

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the DDNS service settings as explained in the following table: Table 8. DDNS service settings Setting Description Change DNS to (DynDNS, TZO, ...) Select the Yes radio button to enable the DDNS service. The fields that display on the screen depend on the DDNS service provider that you have selected.
  • Page 48 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 27. Enter the settings as explained in the following table: Table 9. Broadband Advanced Options screen settings Setting Description MTU Size Make one of the following selections: Default Select the Default radio button for the normal maximum transmit unit (MTU) value.
  • Page 49 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 9. Broadband Advanced Options screen settings (continued) Setting Description Speed In most cases, the wireless VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed.
  • Page 50: Additional Wan-Related Configuration Tasks

    If you want the ability to manage the wireless VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 322). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator and Guest Settings on page 320).
  • Page 51: Chapter 3 Lan Configuration

    LAN Configuration This chapter describes how to configure the advanced LAN features of your wireless VPN firewall. This chapter contains the following sections: • Manage IPv4 Virtual LANs and DHCP Options • Configure IPv4 Multihome LAN IP Addresses on the Default VLAN •...
  • Page 52: Port-Based Vlans

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N VLANs have a number of advantages: • It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group’s traffic is contained largely within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network.
  • Page 53: Assign And Manage Vlan Profiles

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one of which is connected to the wireless VPN firewall, the other one to another device: Packets coming from the IP phone to the wireless VPN firewall LAN port are tagged.
  • Page 54: Vlan Dhcp Options

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N For each VLAN profile, the following fields display in the VLAN Profiles table: • Check box. Allows you to select the VLAN profile in the table. • Status icon. Indicates the status of the VLAN profile: Green circle.
  • Page 55 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • WINS server (if you entered a WINS server address in the DHCP Setup screen) • Lease time (the date obtained and the duration of the lease) DHCP Relay DHCP relay options allow you to make the wireless VPN firewall a DHCP relay agent for a VLAN.
  • Page 56: Configure A Vlan Profile

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure a VLAN Profile For each VLAN on the wireless VPN firewall, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing capability. To add a VLAN profile: Select Network Configuration >...
  • Page 57 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 30. LAN Configuration...
  • Page 58 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in the following table: Table 10. Add VLAN Profile screen settings Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile. VLAN ID Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number.
  • Page 59 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 10. Add VLAN Profile screen settings (continued) Setting Description Enable DHCP Server Select the Enable DHCP Server radio button to enable the wireless VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN.
  • Page 60 • OU (for organizational unit) • O (for organization) • C (for country) • DC (for domain) For example, to search the Netgear.net domain for all last names of Johnson, you would enter: cn=Johnson,dc=Netgear,dc=net Port The port number for the LDAP server. The default setting is 0 (zero).
  • Page 61: Configure Vlan Mac Addresses And Lan Advanced Settings

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To edit a VLAN profile: On the LAN Setup screen for IPv4 (see Figure 29 on page 56), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays.
  • Page 62: Configure Ipv4 Multihome Lan Ip Addresses On The Default Vlan

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 31. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by default for the default VLAN.) Click Apply to save your settings.
  • Page 63 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0 • Secondary LAN IP address. 192.168.20.1 with subnet 255.255.255.0 To add a secondary LAN IPv4 address: Select Network Configuration > LAN Setup > LAN Multi-homing. In the upper right of the screen, the IPv4 radio button is selected by default.
  • Page 64: Manage Ipv4 Groups And Hosts (Ipv4 Lan Groups)

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click Apply to save your settings. To delete one or more secondary LAN IP addresses: On the LAN Multi-homing screen for IPv4 (see the previous figure), select the check box to the left of each secondary IP address that you want to delete, or click the Select All table button to select all secondary IP addresses.
  • Page 65: Manage The Network Database

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • There is no need to use a fixed IP address on a computer. Because the IP address allocated by the DHCP server never changes, you do not need to assign a fixed IP address to a computer to ensure that it always has the same IP address.
  • Page 66 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display: • Check box. Allows you to select the computer or device in the table. •...
  • Page 67 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 11. Add Known PCs and Devices section settings (continued) Setting Description IP Address Enter the IP address that this computer or device is assigned to: • If the IP address type is Fixed (set on PC), the IP address needs to be outside of the address range that is allocated to the DHCP server pool to prevent the IP address from also being allocated by the DHCP server.
  • Page 68: Change Group Names In The Network Database

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 34. Modify the settings as explained in Table 11 on page 66. Click Apply to save your settings in the Known PCs and Devices table. Deleting Computers or Devices from the Network Database ...
  • Page 69: Set Up Dhcp Address Reservation

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Click the Edit Group Names option arrow to the right of the LAN submenu tabs. The Network Database Group Names screen displays. (The following figure shows some examples.) Figure 35. Select the radio button next to the group name that you want to edit. Type a new name in the field.
  • Page 70: Manage The Ipv6 Lan

    LAN use. Note: Site-local addresses, that is, addresses that start with FEC0, have been deprecated. However, NETGEAR has implemented a site-local address as a temporary default IPv6 LAN address that you can replace with another LAN address. The firewall restricts external communication of this default site-local address.
  • Page 71 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Stateless DHCPv6 Server With Prefix Delegation As an option for a stateless DHCPv6 server, you can enable prefix delegation. The ISP’s stateful DHCPv6 server assigns a prefix that is used by the wireless VPN firewall’s stateless DHCPv6 server to assign to its IPv6 LAN clients.
  • Page 72: Configure The Ipv6 Lan

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the IPv6 LAN To configure the IPv6 LAN settings: Select Network Configuration > LAN Setup. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings.
  • Page 73 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in the following table. The IPv6 address pools and prefixes for prefix delegation are explained in the sections following the table. Table 12. LAN Setup screen settings for IPv6 Setting Description IPv6 LAN Setup...
  • Page 74 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 12. LAN Setup screen settings for IPv6 (continued) Setting Description DHCP Status (continued) Server Preference Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting. This is an optional setting that specifies the server’s preference value in a server advertise message.
  • Page 75 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 37. Enter the settings as explained in the following table: Table 13. LAN IPv6 Config screen settings Setting Description Start IPv6 Address Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool.
  • Page 76 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 LAN Prefixes for Prefix Delegation If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation check box (both on the ISP Broadband Settings screen for IPv6 and on the LAN Setup screen for IPv6), a prefix delegation pool is automatically added to the List of Prefixes for Prefix Delegation table.
  • Page 77: Configure The Ipv6 Router Advertisement Daemon And Advertisement Prefixes For The Lan

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Daemon (RADVD) and advertisement prefixes.
  • Page 78 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings (see Figure 36 on page 72.) To the right of the LAN Setup tab, click the RADVD option arrow. The RADVD screen for the LAN displays.
  • Page 79: Advertisement Prefixes For The Lan

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 15. RADVD screen settings for the LAN (continued) Setting Description Advertise Interval Enter the advertisement interval of unsolicited multicast packets in seconds. The minimum value is 10 seconds; the maximum value is 1800 seconds. RA Flags Specify what type of information the DHCPv6 server provides in the LAN by making a selection from the drop-down list:...
  • Page 80 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 40. Enter the settings as explained in the following table: Table 16. Add Advertisement Prefix screen settings for the LAN Setting Description IPv6 Prefix Type Specify the IPv6 prefix type by making a selection from the drop-down list: •...
  • Page 81: Configure Ipv6 Multihome Lan Ip Addresses On The Default Vlan

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N  To delete one or more advertisement prefixes: On the RADVD screen for the LAN (see Figure 39 on page 78), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
  • Page 82: Enable And Configure The Dmz Port For Ipv4 And Ipv6 Traffic

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the Add Secondary LAN IP Address section of the screen, enter the following settings: • IPv6 Address. Enter the secondary address that you want to assign to the LAN ports. • Prefix Length. Enter the prefix length for the secondary IP address. Click the Add table button in the rightmost column to add the secondary IP address to the Available Secondary LAN IPs table.
  • Page 83: Dmz Port For Ipv4 Traffic

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT. The wireless VPN firewall is programmed to recognize some of these applications and to work correctly with them, but there are other applications that might not function well.
  • Page 84 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 42. Enter the settings as explained in the following table: Table 17. DMZ Setup screen settings for IPv4 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: •...
  • Page 85 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 17. DMZ Setup screen settings for IPv4 (continued) Setting Description Do you want to enable DMZ Port? (continued) Subnet Mask Enter the IP subnet mask of the DMZ port. The subnet mask specifies the network number portion of an IP address. The subnet mask for the DMZ port is 255.255.255.0.
  • Page 86: Dmz Port For Ipv6 Traffic

  • Page 87 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N For the DMZ, there are two DHCPv6 server options: • Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCPv6 server.
  • Page 88 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enter the settings as explained in the following table: Table 18. DMZ Setup screen settings for IPv6 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: •...
  • Page 89 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 18. DMZ Setup screen settings for IPv6 (continued) Setting Description DHCP Status (continued) DNS Server Select one of the DNS server options from the drop-down lists: • Use DNS Proxy. The wireless VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers that you configured on the Broadband ISP Settings (IPv6) screen (see...
  • Page 90: Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the DMZ

    Enter the settings as explained in the following table: Table 19. DMZ IPv6 Config screen settings Setting Description Start IPv6 Address Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool.
  • Page 91 Hosts and routers in the LAN use NDP to determine the link-layer addresses and related information of neighbors in the LAN that can forward packets on their behalf. The wireless VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ.
  • Page 92 Figure 45. Enter the settings as explained in the following table: Table 21. RADVD screen settings for the DMZ Setting Description RADVD Status Specify the RADVD status by making a selection from the drop-down list: •...
  • Page 93: Advertisement Prefixes for the DMZ

    Table 21. RADVD screen settings for the DMZ (continued) Setting Description RA Flags Specify what type of information the DHCPv6 server provides in the DMZ by making a selection from the drop-down list: •...
  • Page 94 Figure 46. Enter the settings as explained in the following table: Table 22. Add Advertisement Prefix screen settings for the DMZ Setting Description IPv6 Prefix Type Specify the IPv6 prefix type by making a selection from the drop-down list: •...
  • Page 95: Manage Static IPv4 Routing

    To delete one or more advertisement prefixes: On the RADVD screen for the DMZ (see Figure 45 on page 92), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
  • Page 96 Figure 48. Enter the settings as explained in the following table: Table 23. Add Static Route screen settings for IPv4 Setting Description Route Name The route name for the static route (for purposes of identification and management).
  • Page 97: Configure the Routing Information Protocol

    To edit an IPv4 static route: On the Static Routing screen for IPv4 (see Figure 47 on page 95), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays.
  • Page 98 Figure 49. Enter the settings as explained in the following table: Table 24. RIP Configuration screen settings Setting Description RIP Direction From the RIP Direction drop-down list, select the direction in which the wireless VPN firewall sends and receives RIP packets: •...
  • Page 99 Table 24. RIP Configuration screen settings (continued) Setting Description RIP Version By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version: • RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version.
  • Page 100: IPv4 Static Route Example

    RIP is activated. Manage Static IPv6 Routing At this time, NETGEAR’s implementation of IPv6 does not support RIP next generation (RIPng) to exchange routing information, and dynamic changes to IPv6 routes are not possible. To enable routers to exchange information over a static IPv6 route, you need to manually configure the static route information on each router.
  • Page 101 Figure 50. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing screen displays: Figure 51. Enter the settings as explained in the following table: Table 25. Add IPv6 Static Routing screen settings Setting Description Route Name...
  • Page 102 Table 25. Add IPv6 Static Routing screen settings (continued) Setting Description Interface From the drop-down list, select the physical or virtual network interface (WAN1, sit0 Tunnel, or LAN) through which the route is accessible. IPv6 Gateway The gateway IPv6 address through which the destination host or network can be reached.
  • Page 103: Chapter 4 Wireless Configuration and Security

    Wireless Configuration and Security This chapter describes how to configure the wireless features of your ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N. This chapter includes the following sections: • Overview of the Wireless Features • Configure the Basic Radio Settings •...
  • Page 104: Wireless Equipment Placement and Range Guidelines

    Failure to follow these guidelines can result in significant performance degradation or inability to wirelessly connect to the wireless VPN firewall. For complete performance specifications, see the Data Sheet at http://www.netgear.com/images/FVS318N_DS_23Aug1118-36060.pdf. For best results, place your wireless VPN firewall according to the following general guidelines: •...
  • Page 105: Configure the Basic Radio Settings

    Configure the Basic Radio Settings The radio settings apply to all wireless profiles on the wireless VPN firewall. The default wireless mode is 802.11ng. You can change the wireless mode, country, and many other radio settings on the Radio Settings screen (described in this section) and on the Advanced Wireless screen (see Configure Advanced Radio Settings...
  • Page 106 Table 26. Radio Settings screen settings (continued) Setting Description Mode Specify the wireless mode in the 2.4-GHz band by making a selection from the drop-down list: • g and b. In addition to 802.11b- and 802.11g-compliant devices, 802.11n-compliant devices can connect to the wireless access point because they are backward compatible.
  • Page 107: Operating Frequency (Channel) Guidelines

    Table 26. Radio Settings screen settings (continued) Setting Description Transmit Power This is a nonconfigurable field that shows the actual transmit power in dBm. Transmission rate Specify the transmission data rate by making a selection from the drop-down list. The default setting is Best (Automatic).
  • Page 108 security features that are covered in detail in this chapter. Deploy the security features appropriate to your needs. Figure 53. There are several ways you can enhance the security of your wireless network: •...
  • Page 109: Wireless Security Profiles

    Configure and Enable Wireless Profiles on page 112. Note: TKIP provides only legacy (slower) rates of operation. NETGEAR recommends WPA2 with CCMP to make use of 802.11n rates and speed. Wireless Security Profiles This section consists of the following subsections: •...
  • Page 110: Before You Change the SSID, WEP, and WPA Settings

    To set up a wireless profile, specify a name for the profile and the SSID, type of security with authentication and data encryption, and whether or not the SSID is broadcast. • Network authentication The wireless VPN firewall is set by default as an open system with no authentication.
  • Page 111 Store this information in a safe place: • SSID The service set identifier (SSID) identifies the wireless local area network. You can customize it by using up to 32 alphanumeric characters. Write your SSID on the line. SSID: ___________________________________ The SSID in the wireless access point is the SSID you configure on the wireless adapter card.
  • Page 112: Configure and Enable Wireless Profiles

    Configure and Enable Wireless Profiles To add a wireless profile: Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. (The following figure shows some examples.) Figure 54. The following table explains the fields of the Wireless Profiles screen: Table 27.
  • Page 113 Figure 55. Specify the settings as explained in the following table: Table 28. Add Wireless Profiles screen settings Setting Description Wireless Profile Configuration Profile Name The name for the default wireless profile is default1. You cannot change this name.
  • Page 114 Table 28. Add Wireless Profiles screen settings (continued) Setting Description SSID The wireless network name (SSID) for the wireless profile. The default SSID name is FVS318N_1. You can change this name by entering up to 32 alphanumeric characters.
  • Page 115 Table 28. Add Wireless Profiles screen settings (continued) Setting Description Encryption (Note: WPA, WPA2, and WPA+WPA2 only.) The encryption that you can select depends on the type of WPA security that you have selected: • WPA. You can select the following encryption from the drop-down list:
  • Page 116 Table 28. Add Wireless Profiles screen settings (continued) Setting Description WEP Index and Keys Authentication Specify the authentication by making a selection from the drop-down list: • Open System. Select this option to use WEP encryption without authentication.
  • Page 117: Restrict Wireless Access by MAC Address

    To edit a wireless profile: On the Wireless Profiles screen (see Figure 54 on page 112), click the Edit button in the Action column for the wireless profile that you want to modify. The Edit Profiles screen displays.
  • Page 118 Note: For wireless adapters, you can usually find the MAC address printed on the wireless adapter. To allow or restrict access based on MAC addresses: On the Wireless Profiles screen (see Figure 54 on page 112), click the ACL button in the ACL column for the wireless profile for which you want to set up access control.
  • Page 119: View the Status of a Wireless Profile

    WARNING: When configuring the wireless VPN firewall from a wireless computer whose MAC address is not in the access control list and when the ACL policy status is set to deny access, you will lose your wireless connection when you click Apply.
  • Page 120: Configure Wi-Fi Protected Setup

    To use WPS, make sure that your wireless devices are Wi-Fi certified and support WPS. NETGEAR products that use WPS call it Push 'N' Connect. You can use a WPS button or the wireless router interface method to add wireless computers and devices to your wireless network.
  • Page 121 Note: For a list of other Wi-Fi-certified products available from NETGEAR, go to http://www.wi-fi.org. To enable WPS and initiate the WPS process on the wireless VPN firewall: Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless...
  • Page 122: Configure Advanced Radio Settings

    In the WPS Setup Method section of the screen, use one of the following methods to initiate the WPS process for a wireless device: • PIN method: a. Collect the PIN of the wireless device. b.
  • Page 123 Specify the settings as explained in the following table: Table 30. Advanced Wireless screen settings Setting Description Beacon Interval Enter an interval between 40 ms and 3500 ms for each beacon transmission, which allows the wireless VPN firewall to synchronize the wireless network. The default setting is 100.
  • Page 124: Test Basic Wireless Connectivity

    Test Basic Wireless Connectivity After you have configured the wireless VPN firewall as explained in the previous sections, test your wireless clients for wireless connectivity before you place the wireless VPN firewall at its permanent position. ...
  • Page 125: Chapter 5 Firewall Protection

    Firewall Protection This chapter describes how to use the firewall features of the wireless VPN firewall to protect your network. This chapter contains the following sections: • About Firewall Protection • Overview of Rules to Block or Allow Specific Kinds of Traffic •...
  • Page 126: Administrator Tips

    the incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT. For IPv6, which in itself provides stronger security than IPv4, a firewall in particular controls the exchange of traffic between the Internet, DMZ, and LAN.
  • Page 127: Outbound Rules (Service Blocking)

    A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the wireless VPN firewall are: • Inbound. Block all access from outside except responses to requests from the LAN side. •...
  • Page 128 The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 63 on page 138, Figure 69 on page 145, and Figure 75 on page 152).
  • Page 129 Table 32. Outbound rules overview (continued) Setting Description Outbound Rules WAN Users (LAN WAN rules, DMZ WAN rules) The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are: •...
  • Page 130: Inbound Rules (Port Forwarding)

    Table 32. Outbound rules overview (continued) Setting Description Outbound Rules (All rules) The setting that determines whether packets covered by this rule are logged. The options are: • Always. Always log traffic that matches this rule. This is useful when you are debugging your rules.
  • Page 131 LAN Groups screen to keep the computer’s IP address constant (see Set Up DHCP Address Reservation on page 69). • Local computers need to access the local server using the computers’ local LAN address. Attempts by local computers to access the server using the external WAN IP address will fail.
  • Page 132 Table 33. Inbound rules overview Setting Description Inbound Rules Service (All rules) The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services screen (see Add Customized Services...
  • Page 133 Table 33. Inbound rules overview (continued) Setting Description Inbound Rules LAN Users (LAN WAN rules, LAN DMZ rules) These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing, and determine which computers on your network are affected by this rule.
  • Page 134: Order of Precedence for Rules

    Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location.
  • Page 135: Configure LAN WAN Rules

    Configure LAN WAN Rules The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound).
  • Page 136 • Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, one of the following screens displays: Edit LAN WAN Outbound Service screen for IPv4 (identical to Figure 63 on page 138) Edit LAN WAN Inbound Service screen for IPv4 (identical to...
  • Page 137: Create LAN WAN Outbound Service Rules

    To enable, disable, or delete one or more IPv4 or IPv6 rules: Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules. Click one of the following table buttons: •...
  • Page 138 Figure 63. Enter the settings as explained in Table 32 on page 128. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 139: Create LAN WAN Inbound Service Rules

    IPv6 LAN WAN Outbound Rules To create a new IPv6 LAN WAN outbound rule: In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 62 on page 136).
  • Page 140 blocked. Remember that allowing inbound services opens potential security holes in your firewall. Enable only those ports that are necessary for your network. WARNING: Make sure that you understand the consequences of a LAN WAN inbound rule before you apply the rule.
  • Page 141 Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 142: Configure DMZ WAN Rules

    Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 143 Figure 67. To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. •...
  • Page 144 Figure 68. To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. •...
  • Page 145: Create DMZ WAN Outbound Service Rules

    Create DMZ WAN Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 146 Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists: • Select Schedule • QoS Priority • NAT IP (This drop-down list is available only when the WAN mode is NAT. If you select Single Address, the IP address specified should fall under the WAN subnet.) Click Apply.
  • Page 147: Create DMZ WAN Inbound Service Rules

    Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists: • Select Schedule • QoS Priority Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
  • Page 148 Figure 71. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: WAN Destination IP Address •...
  • Page 149 IPv6 DMZ WAN Inbound Service Rules To create a new IPv6 DMZ WAN inbound rule: In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 68 on page 144).
  • Page 150: Configure LAN DMZ Rules

    Configure LAN DMZ Rules The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to block all traffic between the local LAN and DMZ network.
  • Page 151 To access the LAN DMZ Rules screen for IPv6 or to make changes to existing IPv6 rules: Select Security > Firewall > LAN DMZ Rules. The Firewall submenu tabs display with the LAN DMZ Rules screen for IPv4 in view. In the upper right of the screen, select the IPv6 radio button.
  • Page 152: Create LAN DMZ Outbound Service Rules

    Create LAN DMZ Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day.
  • Page 153: Create LAN DMZ Inbound Service Rules

    IPv6 LAN DMZ Outbound Service Rules To create a new IPv6 LAN DMZ outbound rule: In the upper right of the LAN DMZ Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 74 on page 151).
  • Page 154 IPv4 LAN DMZ Inbound Service Rules To create a new IPv4 LAN DMZ inbound rule: In the upper right of the LAN DMZ Rules screen, select the IPv4 radio button. The screen displays the IPv4 settings (see Figure 73 on page 150).
  • Page 155: Examples of Firewall Rules

    Click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen for IPv6 displays: Figure 78. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: •...
  • Page 156 Figure 79. IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see the following figure).
  • Page 157 LAN. The following addressing scheme is used to illustrate this procedure: • NETGEAR wireless VPN firewall: WAN IP address. 10.1.0.118 LAN IP address subnet. 192.168.1.1 with subnet 255.255.255.0 DMZ IP address subnet. 192.168.10.1 with subnet 255.255.255.0 •...
  • Page 158 Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN computers through NAT.
  • Page 159 In the Send to LAN Server field, enter the local IP address of your web server computer (192.168.1.2 in this example). In the WAN Destination IP Address fields, enter 10.1.0.52. Click Apply to save your settings. The rule is now added to the Inbound Services table of the LAN WAN Rules screen.
  • Page 160: Examples of Outbound Firewall Rules

    WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet.
  • Page 161 You can also enable the wireless VPN firewall to log any attempt to use Instant Messenger during the blocked period. See an example in the following figure. Figure 84. IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet If you want to allow a group of DMZ users to access a particular FTP site on the Internet during working hours, you can create an outbound rule to allow such traffic by specifying the...
  • Page 162: Configure Other Firewall Features

    Figure 85. Configure Other Firewall Features You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions. Attack Checks The Attack Checks screen allows you to specify whether or not the wireless VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.
  • Page 163 IPv4 Attack Checks To enable IPv4 attack checks for your network environment: Select Security > Firewall > Attack Checks. In the upper right of the screen, the IPv4 radio button is selected by default. The Attack Checks screen displays the IPv4 settings: Figure 86.
  • Page 164 Table 34. Attack Checks screen settings for IPv4 (continued) Setting Description LAN Security Checks Block UDP flood Select the Block UDP flood check box (which is the default setting) to prevent the wireless VPN firewall from accepting more than 20 simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN.
  • Page 165 Table 34. Attack Checks screen settings for IPv4 (continued) Setting Description Jumbo Frames Enable Jumbo Frame Jumbo frames allow multiple smaller packets to be combined into a single larger packet, reducing network overhead and increasing data transfer performance. Jumbo frames are supported on ports 1, 2, 3, and 4 only.
  • Page 166: Set Limits for IPv4 Sessions

    Set Limits for IPv4 Sessions The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IPv4 connection across the wireless VPN firewall. The session limits feature is disabled by default.
  • Page 167: Manage the Application Level Gateway for SIP Sessions

    Table 35. Session Limit screen settings (continued) Setting Description Total Number of Packets Dropped due to Session Limit This is a nonconfigurable counter that displays the total number of dropped packets when the session limit is reached. Session Timeout TCP Timeout...
  • Page 168: Services, Bandwidth Profiles, and QoS Profiles

    Services, Bandwidth Profiles, and QoS Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: •...
  • Page 169 To add a customized service: Select Security > Services. The Services screen displays. The Custom Services table shows the user-defined services. (The following figure shows some examples.) Figure 90. In the Add Customer Service section of the screen, enter the settings as explained in the following table: Table 36.
  • Page 170 Table 36. Services screen settings (continued) Setting Description Finish Port The last TCP or UDP port of a range that the service uses. If the service uses only a single port number, enter the same number in the Start Port and Finish Port fields. Note: This field is enabled only when you select TCP or UDP from the Type drop-down list.
  • Page 171: Create Bandwidth Profiles

    Create Bandwidth Profiles Bandwidth profiles determine the way in which data is communicated with the hosts. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN link.
  • Page 172 Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays: Figure 93. Enter the settings as explained in the following table: Table 37. Add Bandwidth Profile screen settings Setting Description Profile Name...
  • Page 173: Preconfigured Quality of Service Profiles

    Table 37. Add Bandwidth Profile screen settings (continued) Setting Description Outbound Maximum Bandwidth The outbound maximum allowed bandwidth in Kbps. The maximum allowable bandwidth is 100000 Kbps, and you cannot configure less than 100 Kbps. There is no default setting.
  • Page 174: Configure Content Filtering

    If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message. Note: Content filtering is supported for IPv4 users and groups only.
  • Page 175 ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX applets from being downloaded.
  • Page 176 Figure 94. In the Content Filtering section of the screen, select the Yes radio button.
  • Page 177 In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected): •...
  • Page 178: Set a Schedule to Block or Allow Specific Traffic

    Set a Schedule to Block or Allow Specific Traffic Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules.
  • Page 179: Enable Source MAC Filtering

    Enable Source MAC Filtering The Source MAC Filter screen enables you to permit or block traffic coming from certain known computers or devices. By default, the source MAC address filter is disabled. All the traffic received from computers with any MAC address is allowed.
  • Page 180: Set Up IP/MAC Bindings

    Click Apply to save your settings. The MAC Address field in the Add Source MAC Address section of the screen now becomes available. Build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field.
  • Page 181 • Host 3. MAC address (00:01:02:03:04:07) and IP address (192.168.10.12) There are three possible scenarios in relation to the addresses in the IP/MAC Bindings table: • Host 1 has not changed its IP and MAC addresses. A packet coming from Host 1 has IP and MAC addresses that match those in the IP/MAC Bindings table.
  • Page 182 In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons: •...
  • Page 183 Figure 98. Click the Stop button. Wait until the Poll Interval field becomes available. Enter the new poll interval in seconds. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.
  • Page 184 In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons: •...
  • Page 185: Configure Port Triggering

    Figure 100. Click the Stop button. Wait until the Poll Interval field becomes available. Enter the new poll interval in seconds. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.
  • Page 186 Note these restrictions on port triggering: • Only one computer can use a port-triggering application at any time. • After a computer has finished using a port-triggering application, there is a short time-out period before the application can be used by another computer.
  • Page 187: Configure Universal Plug and Play

    Table 40. Port Triggering screen settings (continued) Setting Description Outgoing (Trigger) Port Range Start Port The start port (1–65535) of the range for triggering. End Port The end port (1–65535) of the range for triggering. Incoming (Response) Start Port The start port (1–65535) of the range for responding.
  • Page 188 To configure UPnP: Select Security > UPnP. The UPnP screen displays: Figure 103. The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the wireless VPN firewall and that have been automatically detected by the wireless VPN firewall: •...
  • Page 189: Chapter 6 Virtual Private Networking Using Ipsec And L2Tp Connections

    Configurations You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel policies. The following sections provide wizard and NETGEAR ProSafe VPN Client software configuration procedures: • Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard on page 190 •...
  • Page 190: Create An Ipv4 Gateway-To-Gateway Vpn Tunnel With The Wizard

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configuring a VPN tunnel connection requires that you specify all settings on both sides of the VPN tunnel to match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the IPSec keys and VPN policies it sets up.
  • Page 191 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 105. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6. Virtual Private Networking Using IPSec and L2TP Connections...
  • Page 192 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 106. Complete the settings as explained in the following table: Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect Select the Gateway radio button. The local WAN port’s IP address or to the following peers Internet name displays in the End Point Information section of the screen.
  • Page 193 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel (continued) Setting Description Secure Connection Remote Accessibility What is the remote LAN IP Enter the LAN IPv4 address of the remote gateway. Address? Note: The remote LAN IPv4 address needs to be in a different subnet from...
  • Page 194: Create An Ipv6 Gateway-To-Gateway Vpn Tunnel With The Wizard

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 108. b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active. Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address.
  • Page 195 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 110. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6. Virtual Private Networking Using IPSec and L2TP Connections...
  • Page 196 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 111. Complete the settings as explained in the following table: Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect Select the Gateway radio button. The local WAN port’s IP address or to the following peers Internet name displays in the End Point Information section of the screen.
  • Page 197 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel (continued) Setting Description Secure Connection Remote Accessibility What is the remote LAN IP Enter the LAN IPv6 address of the remote gateway. Address? Note: The remote LAN IPv6 address needs to be different from the local...
  • Page 198: Create An Ipv4 Client-To-Gateway Vpn Tunnel With The Wizard

    Use the VPN Wizard to Configure the Gateway for a Client Tunnel on page 199. • Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 201 or Manually Create a Secure Connection Using the NETGEAR VPN Client on page 206.
  • Page 199 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Use the VPN Wizard to Configure the Gateway for a Client Tunnel  To set up a client-to-gateway VPN tunnel using the VPN Wizard: Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio button is selected by default.
  • Page 200 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Complete the settings as explained in the following table: Table 43. IPSec VPN Wizard settings for a client-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect Select the VPN Client radio button. The default remote FQDN (remote.com) to the following peers and the default local FQDN (local.com) display in the End Point Information section of the screen.
  • Page 201 Router’s LAN network IPv4 address 192.168.1.0 Router’s WAN IPv4 address 192.168.15.175 Use the NETGEAR VPN Client Wizard to Create a Secure Connection The VPN client lets you set up the VPN connection manually (see Manually Create a Secure Connection Using the NETGEAR VPN Client on page 206) or with the integrated Configuration Wizard, which is the easier and preferred method.
  • Page 202 Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. The VPN Client supports IPv4 only; an upcoming release of the VPN Client will support IPv6. To use the Configuration Wizard to set up a VPN connection between the VPN client...
  • Page 203 Figure 118. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays: Figure 119. Specify the following VPN tunnel parameters: •...
  • Page 204 Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays: Figure 120. This screen is a summary screen of the new VPN configuration. Click Finish. Specify the local and remote IDs: a.
  • Page 205 c. Specify the settings that are explained in the following table. Table 45. VPN client advanced authentication settings Setting Description Advanced features Aggressive Mode Select this check box to enable aggressive mode as the mode of negotiation with the wireless VPN firewall.
  • Page 206 Instead of using the wizard on the VPN client, you can also manually configure the VPN client, which is explained in the following section. Manually Create a Secure Connection Using the NETGEAR VPN Client Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed.
  • Page 207 Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays: Figure 123. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1.
  • Page 208 Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be unique. The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
  • Page 209 Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Click the Advanced tab in the Authentication pane. The Advanced pane displays: Figure 126. Specify the settings that are explained in the following table. Table 47.
  • Page 210 Table 47. VPN client advanced authentication settings (continued) Setting Description Remote ID As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the wireless VPN firewall configuration. As the value of the ID, enter local.com as the remote ID for the wireless VPN firewall.
  • Page 211 Figure 127. Specify the settings that are explained in the following table. Table 48. VPN client IPSec configuration settings Setting Description VPN Client address Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the wireless VPN firewall’s LAN;...
  • Page 212 Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Global Parameters To specify the global parameters: Click Global Parameters in the left column of the Configuration Panel screen.
  • Page 213: Test the Connection and View Connection and Status Information

    Test the Connection and View Connection and Status Information Both the NETGEAR ProSafe VPN Client and the wireless VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
  • Page 214 • Use the system-tray icon. Right-click the system tray icon, and select Open tunnel ‘Tunnel’. Figure 131. Whichever way you choose to open the tunnel, when the tunnel opens successfully, the Tunnel opened message displays above the system tray: Figure 132.
  • Page 215: NETGEAR VPN Client Status and Log Information

    NETGEAR VPN Client Status and Log Information To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays: Figure 134.
  • Page 216: View the Wireless VPN Firewall IPSec VPN Log

    The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 10 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click the Set Interval button.
  • Page 217: Manage IPSec VPN Policies

    Manage IPSec VPN Policies After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy.
  • Page 218 IKE Policies Screen To access the IKE Policies screen: Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view. In the upper right of the screen, the IPv4 radio button is selected by default. The IKE Policies screen displays the IPv4 settings.
  • Page 219 To delete one or more IKE policies: Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all IKE policies. Click the Delete table button.
  • Page 220 Figure 138.
  • Page 221 Complete the settings as explained in the following table: Table 51. Add IKE Policy screen settings Setting Description Mode Config Record Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation...
  • Page 222 Table 51. Add IKE Policy screen settings (continued) Setting Description Local Identifier From the drop-down list, select one of the following ISAKMP identifiers to be used by the wireless VPN firewall, and then specify the identifier in the Identifier field: •...
  • Page 223 Table 51. Add IKE Policy screen settings (continued) Setting Description Authentication Method Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the wireless VPN firewall and the remote endpoint.
  • Page 224 Table 51. Add IKE Policy screen settings (continued) Setting Description Extended Authentication XAUTH Configuration Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: Note: For more...
  • Page 225: Manage VPN Policies

    Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table. Manage VPN Policies You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.
  • Page 226 Figure 139. Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 53 on page 230. Table 52. VPN Policies screen information for IPv4 and IPv6 Item Description ! (Status)
  • Page 227 To enable or disable one or more VPN policies: Select the check box to the left of each policy that you want to enable or disable, or click the Select All table button to select all VPN policies. Click the Enable or Disable table button.
  • Page 228 Figure 140. Add New VPN Policy screen for IPv4
  • Page 229 Figure 141. Add New VPN Policy screen for IPv6
  • Page 230 Complete the settings as explained in the following table. The only differences between IPv4 and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6). Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 Setting Description General...
  • Page 231 Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Traffic Selection Local IP From the drop-down list, select the address or addresses that are part of the VPN tunnel on the wireless VPN firewall: •...
  • Page 232 Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Key-Out The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: •...
  • Page 233: Configure Extended Authentication (XAUTH)

    Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: •...
  • Page 234: Configure XAUTH for VPN Clients

    You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available: • Edge Device. The wireless VPN firewall is used as a VPN concentrator on which one or...
  • Page 235: User Database Configuration

    Table 54. Extended authentication settings for IPv4 and IPv6 Setting Description Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: •...
  • Page 236 first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. Note: Even though you can configure RADIUS servers with IPv4 addresses only, the servers can be used for authentication, authorization, and accounting of both IPv4 and IPv6 users.
  • Page 237: Assign IPv4 Addresses to Remote Users (Mode Config)

    Table 55. RADIUS Client screen settings (continued) Setting Description Primary Server NAS Identifier The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request. Note: The wireless VPN firewall functions as an NAS, allowing network access to external users after verification of their authentication information.
  • Page 238: Mode Config Operation

    You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients. Mode Config Operation After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask, WINS server, and DNS address from the wireless VPN firewall.
  • Page 239 As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales: • For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and a second pool (172.16.200.1 through 172.16.200.99) are shown. •...
  • Page 240 Complete the settings as explained in the following table: Table 56. Add Mode Config Record screen settings Setting Description Client Pool Record Name A descriptive name of the Mode Config record for identification and management purposes.
  • Page 241 Table 56. Add Mode Config Record screen settings (continued) Setting Description Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: •...
  • Page 242 Figure 145. On the Add IKE Policy screen, complete the settings as explained in the following table.
  • Page 243 Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 51 on page 221 explains the general IKE policy settings. Table 57. Add IKE Policy screen settings for a Mode Config configuration Setting Description Mode Config Record...
  • Page 244 The period in seconds for which the IKE SA is valid. When the period times out, the next rekeying occurs. The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour). Enable Dead Peer...
  • Page 245: Configure the ProSafe VPN Client for Mode Config Operation

    Table 57. Add IKE Policy screen settings for a Mode Config configuration (continued) Setting Description Extended Authentication XAUTH Configuration Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: Note: For more...
  • Page 246 Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
  • Page 247 Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane. Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation.
  • Page 248 Table 58. VPN client authentication settings (Mode Config) (continued) Setting Description Encryption Select the 3DES encryption algorithm from the drop-down list. Authentication Select the SHA1 authentication algorithm from the drop-down list. Key Group Select the DH2 (1024) key group from the drop-down list.
  • Page 249 Table 59. VPN client advanced authentication settings (Mode Config) (continued) Setting Description NAT-T Select Automatic from the drop-down list to enable the VPN client and wireless VPN firewall to negotiate NAT-T. Local and Remote ID Local ID As the type of ID, select DNS from the Local ID drop-down list because you specified an FQDN in the wireless VPN firewall configuration.
  • Page 250 Figure 150. Specify the settings that are explained in the following table. Table 60. VPN client IPSec configuration settings (Mode Config) Setting Description VPN Client address This field is masked out because Mode Config is selected. After an IPSec connection is established, the IP address that is issued by the wireless VPN firewall displays in this field (see...
  • Page 251 Table 60. VPN client IPSec configuration settings (Mode Config) (continued) Setting Description Encryption Select 3DES as the encryption algorithm from the drop-down list. Authentication Select SHA-1 as the authentication algorithm from the drop-down list. Mode Select Tunnel as the encapsulation mode from the drop-down list.
  • Page 252: Test the Mode Config Connection

    Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the wireless VPN firewall: • Check Interval. Enter 30 seconds. • Max. number of entries. Enter 3 retries. •...
  • Page 253: Modify or Delete a Mode Config Record

    Figure 154. From the client computer, ping a computer on the wireless VPN firewall LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure it is not used in an IKE policy.
  • Page 254: Configure Keep-Alives

    Configure Keep-Alives The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keep-alive feature on a configured VPN policy: Select VPN >...
  • Page 255: Configure Dead Peer Detection

    Enter the settings as explained in the following table: Table 61. Keep-alive settings Setting Description General Enable Keepalive Select the Yes radio button to enable the keep-alive feature. Periodically, the wireless VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.
  • Page 256: Configure NetBIOS Bridging with IPSec VPN

    Figure 156. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: Table 62. Dead Peer Detection settings Setting Description IKE SA Parameters Enable Dead Peer Select the Yes radio button to enable DPD.
  • Page 257: Configure the L2TP Server

    To enable NetBIOS bridging on a configured VPN tunnel: Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 139 on page 226). Specify the IP version for which you want to edit a VPN policy: •...
  • Page 258 is established, the L2TP user can connect to an L2TP client that is located behind the wireless VPN firewall. Note: IPSec VPN provides stronger authentication and encryption than L2TP. (Packets that traverse the L2TP tunnel are not encapsulated by IPSec.) You need to enable the L2TP server on the wireless VPN firewall, specify an L2TP server address pool, and create L2TP user accounts.
  • Page 259: View the Active L2TP Users

    View the Active L2TP Users To view the active L2TP tunnel users, select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays: Figure 159. The List of L2TP Active Users table lists each active connection with the information that is described in the following table.
  • Page 260: Chapter 7 Virtual Private Networking Using SSL Connections

    Virtual Private Networking Using SSL Connections The wireless VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the wireless VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
  • Page 261: Overview Of The Ssl Configuration Process

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N computer. The wireless VPN firewall assigns the computer an IP address and DNS server IP addresses, allowing the remote computer to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure.
  • Page 262: Create The Portal Layout

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N For port forwarding, define the servers and services (see Configure Applications for Port Forwarding on page 267). Create a list of servers and services that can be made available through user, group, or global policies.
  • Page 263 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add additional portal layouts. You can also make any portal the default portal for the wireless VPN firewall by clicking the Default button in the Action column of the List of Layouts table, to the right of the desired portal layout.
  • Page 264 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The List of Layouts table displays the following fields: • Layout Name. The descriptive name of the portal. • Description. The banner message that is displayed at the top of the portal (see Figure 171 on page 283).
  • Page 265 <meta http-equiv=”cache-control” content=”no-cache”> <meta http-equiv=”cache-control” content=”must-revalidate”> Note: NETGEAR strongly recommends enabling HTTP meta tags for security reasons and to prevent out-of-date web pages, themes, and data being stored in a user’s web browser cache. Virtual Private Networking Using SSL Connections...
  • Page 266: Configure Domains, Groups, And Users

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 65. Add Portal Layout screen settings (continued) Setting Description ActiveX web cache Select this check box to enable ActiveX cache control to be loaded when users cleaner log in to the SSL VPN portal. The web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window.
  • Page 267: Configure Applications For Port Forwarding

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N access policies. When you create a group, you need to specify a domain. Therefore, you should create any domains first, then groups, and then user accounts. For information about how to configure domains, groups, and users, see Configure Authentication Domains, Groups, and Users on page 289.
  • Page 268: Add A New Host Name

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers. Table 66. Port-forwarding applications/TCP port numbers TCP Application Port Number FTP data (usually not needed)
  • Page 269: Configure The Ssl Vpn Client

    ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields: • Local Server IP Address. The IP address of an internal server or host computer that you want to name.
  • Page 270 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel. Configure the Client IP Address Range First determine the address range to be assigned to VPN tunnel clients, and then define the address range.
  • Page 271 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 165. SSL VPN Client screen for IPv6 Complete the settings as explained in the following table: Table 67. SSL VPN Client screen settings for IPv4 and IPv6 Setting Description Client IP Address Range Enable Full Tunnel Support Select this check box to enable full-tunnel support.
  • Page 272: Add Routes For Vpn Tunnel Clients

    Table 67. SSL VPN Client screen settings for IPv4 and IPv6 (continued) Setting Description Client Address Range Begin The first IP address of the IPv4 address range that you want to assign to the VPN tunnel clients. By default, the first IPv4 address is 192.168.251.1.
  • Page 273: Use Network Resource Objects To Simplify Policies

    Defining network resources is optional; smaller organizations can choose to create access policies using individual IP addresses or IP networks rather than predefined network resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updating all of the user and group policies.
  • Page 274: Edit Network Resources To Specify Addresses

    Figure 166. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service drop-down list, select the type of service to which the resource applies: VPN Tunnel.
  • Page 275 Specify the IP version for which you want to add a portal layout: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step •...
  • Page 276: Configure User, Group, And Global Policies

    Table 68. Resources screen settings to edit a resource (continued) Setting Description Object Type From the drop-down list, select one of the following options: • IP Address. The object is an IPv4 or IPv6 address. You need to enter the IP address or the FQDN in the IP Address / Name field.
  • Page 277: View Policies

    IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource.
  • Page 278: Add An Ipv4 Or Ipv6 Ssl Vpn Policy

    Figure 168. Make your selection from the following Query options: • To view all global policies, select the Global radio button. • To view group policies, select the Group radio button, and then select the relevant group’s name from the drop-down list.
  • Page 279 Figure 169. Add SSL VPN Policy screen for IPv4 • IPv6. Select the IPv6 radio button. The Add SSL VPN Policy screen displays the IPv6 settings: Figure 170. Add SSL VPN Policy screen for IPv6 Virtual Private Networking Using SSL Connections...
  • Page 280 Complete the settings as explained in the following table: Table 69. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the type of SSL VPN policy: •...
  • Page 281 Table 69. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy to? (continued) IP Address (continued) Permission From the drop-down list, select Permit or Deny to specify whether the policy permits or denies access. IP Network Policy Name...
  • Page 282: Access The New Ssl Portal Login Screen

    Note: If you have configured SSL VPN user policies, make sure that secure HTTP remote management is enabled (see Configure Remote Management Access on page 322). If secure HTTP remote management is not enabled, all SSL VPN user connections are disabled.
  • Page 283 Figure 171. Enter the user name and password that you just created with the help of the SSL VPN Wizard. Click Login. The User Portal screen displays. The format of the User Portal screen depends on the settings that you selected on the Add Portal Layout screen (see Create the Portal Layout...
  • Page 284 Figure 172. Figure 173. The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity. •...
  • Page 285: View The Ssl Vpn Connection Status

    Note: The first time that a user attempts to connect through the VPN tunnel, the NETGEAR SSL VPN tunnel adapter is installed; the first time that a user attempts to connect through the port-forwarding tunnel, the NETGEAR port-forwarding engine is installed.
  • Page 286 Figure 175.
  • Page 287: Chapter 8 Manage Users, Authentication, And Vpn Certificates

    Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections: • The Wireless VPN Firewall’s Authentication Process and Options • Configure Authentication Domains, Groups, and Users •...
  • Page 288 Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The following table summarizes the external authentication protocols and methods that the wireless VPN firewall supports.
  • Page 289: Configure Authentication Domains, Groups, And Users

    Configure Authentication Domains, Groups, and Users This section contains the following subsections: • Configure Domains • Configure Groups • Configure User Accounts • Set User Login Policies • Change Passwords and Other User Settings Configure Domains The domain determines the authentication method to be used for associated users.
  • Page 290 The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain) to which the default SSL-VPN portal is assigned is appended by an asterisk.
  • Page 291 Table 71. Add Domain screen settings (continued) Setting Description Authentication Type (continued) • Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the following fields: - Authentication Server - Authentication Secret Note: If you select any type of RADIUS •...
  • Page 292 Table 71. Add Domain screen settings (continued) Setting Description LDAP Base DN The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This should be a user in the LDAP directory who has read access to all the users that you would like to import into the wireless VPN firewall.
  • Page 293: Configure Groups

    Edit Domains To edit a domain: Select Users > Domains. The Domains screen displays (see Figure 176 on page 289). In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edit.
  • Page 294 Create Groups To create a VPN group: Select Users > Groups. The Groups screen displays. (The following figure shows the wireless VPN firewall’s default group—geardomain—and, as an example, several other groups in the List of Groups table.) Figure 178.
  • Page 295 Figure 179. Complete the settings as explained in the following table: Table 72. Add Group screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management purposes. Domain The drop-down list shows the domains that are listed on the Domain screen.
  • Page 296: Configure User Accounts

    Guest user. A user who can only view the wireless VPN firewall configuration (that is, read-only access). • IPSec VPN user. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 233). •...
  • Page 297 To create a user account: Select Users > Users. The Users screen displays. (The following figure shows the wireless VPN firewall’s default users—admin and guest—and, as an example, several other users in the List of Users table.) Figure 180.
  • Page 298 • Guest User. User who can only view the wireless VPN firewall configuration (that is, read-only access). • IPSEC VPN User. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 233).
  • Page 299: Set User Login Policies

    To delete one or more user accounts: In the List of Users table, select the check box to the left of each user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete a default user account.
  • Page 300 • To prohibit the user from logging in from the WAN interface, select the Deny Login from WAN Interface check box. In this case, the user can log in only from the LAN interface.
  • Page 301 In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table. •...
  • Page 302 Figure 184. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
  • Page 303 Repeat Step 7 and Step 8 for any other addresses that you want to add to the Defined Addresses table. To delete one or more IPv6 addresses: In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses.
  • Page 304: Change Passwords And Other User Settings

    All other users have read-only access. Note: The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.
  • Page 305 To modify user settings, including passwords: Select Users > Users. The Users screen displays (see Figure 180 on page 297). In the Action column of the List of Users table, click the Edit table button for the user for which you want to modify the settings.
  • Page 306: Manage Digital Certificates For Vpn Connections

    Table 76. Edit User screen settings (continued) Setting Description Check to Edit Password Select this check box to make the password fields accessible to modify the password. Enter Your Password Enter the password with which you have logged in. New Password Enter the new password.
  • Page 307: Vpn Certificates Screen

    The wireless VPN firewall contains a self-signed digital certificate from NETGEAR. This certificate can be downloaded from the wireless VPN firewall login screen for browser import.
  • Page 308: Manage Vpn Ca Certificates

    certificates in the Active Self Certificates table are active on the wireless VPN firewall (see Manage VPN Self-Signed Certificates on page 309). • Certificate Revocation Lists (CRL) table. Contains the lists with digital certificates that have been revoked and are no longer valid, that were issued by CAs, and that you uploaded.
  • Page 309: Manage Vpn Self-Signed Certificates

    To delete one or more digital certificates: In the Trusted Certificates (CA Certificate) table, select the check box to the left of each digital certificate that you want to delete, or click the Select All table button to select all digital certificates.
  • Page 310 To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the wireless VPN firewall: Select VPN > Certificates. The Certificates screen displays. The following figure shows the middle section of the screen with the Active Self Certificates section, Generate Self Certificate Request section, and Self Certificate Requests section.
  • Page 311 Table 77. Generate self-signed certificate request settings (continued) Setting Description Hash Algorithm From the drop-down list, select one of the following hash algorithms: • MD5. A 128-bit (16-byte) message digest, slightly faster than SHA-1. •...
  • Page 312 Copy the contents of the Data to supply to CA text field into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----.” Submit your CSR to a CA: a.
  • Page 313: Manage The Vpn Certificate Revocation List

    Click the Delete table button. Manage the VPN Certificate Revocation List A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up-to-date.
  • Page 314: Chapter 9 Network And System Management

    Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the wireless VPN firewall. This chapter contains the following sections: • Performance Management • System Management Performance Management Performance management consists of controlling the traffic through the wireless VPN firewall so that the necessary traffic gets through when there is a bottleneck.
  • Page 315 • Content filtering • Source MAC filtering LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) You can control specific outbound traffic (from LAN to WAN and from the DMZ to WAN). The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for outbound traffic.
  • Page 316: Content Filtering

    • WAN users. You can specify which Internet locations are covered by an outbound rule, based on their IP address: Any. The rule applies to all Internet IP addresses. Single address. The rule applies to a single Internet IP address. Address range.
  • Page 317: Features That Increase Traffic

    Features That Increase Traffic The following features of the wireless VPN firewall tend to increase the traffic load on the WAN side: • LAN WAN inbound rules (also referred to as port forwarding) •...
  • Page 318: Port Triggering

    • LAN users. You can specify which computers on your network are affected by an inbound rule. There are several options: Any. The rule applies to all computers and devices on your LAN. Single address.
  • Page 319: Use Qos And Bandwidth Assignment To Shift The Traffic Mix

    safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports.
  • Page 320: Monitoring Tools For Traffic Management

    The default administrator and default guest passwords for the web management interface are both password. NETGEAR recommends that you change the password for the administrator account to a more secure password, and that you configure a separate secure password for the guest account.
  • Page 321 To modify the administrator and guest passwords and idle time-out settings: Select Users > Users. The Users screen displays. (The following figure shows the wireless VPN firewall’s default users—admin and guest—and, as an example, several other users in the List of Users table.) Figure 192.
  • Page 322: Configure Remote Management Access

    Note: The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both uppercase and lowercase), numbers, and symbols. Your password can be up to 32 characters. As an option, you can change the idle time-out for an administrator login session.
  • Page 323 IP address and default password. Because a malicious WAN user can reconfigure the wireless VPN firewall and misuse it in many ways, NETGEAR highly recommends that you change the admin and guest default passwords before continuing (see...
  • Page 324 • IPv6. Select the IPv6 radio button. The Remote Management screen displays the IPv6 settings: Figure 195. Remote Management screen for IPv6 Network and System Management...
  • Page 325 Enter the settings as explained in the following table: Table 78. Remote Management screen settings for IPv4 and IPv6 Setting Description Secure HTTP Management Allow Secure HTTP Management? To enable secure HTTP management, select the Yes radio button, which is the default setting.
  • Page 326: Use A Simple Network Management Protocol Manager

    About Remote Access When remote management is enabled, you need to use an SSL connection to access the wireless VPN firewall from the Internet. You need to enter https:// (not http://) and type the wireless VPN firewall’s WAN IP address and port number in your browser.
  • Page 327 To configure the SNMP settings: Select Administration > SNMP. The SNMP screen displays. (The following figure contains an example.) Figure 196. The SNMP Configuration table shows the following columns: • IP Address. The IP address of the SNMP manager. •...
  • Page 328 To edit an SNMP configuration: On the SNMP screen (see the previous figure), click the Edit button in the Action column for the SNMP configuration that you want to modify. The Edit SNMP screen displays: Figure 197.
  • Page 329: Manage The Configuration File

    Enter the settings as explained in the following table: Table 80. SNMP SysConfiguration screen settings Setting Description SysContact Enter the SNMP system contact information that is available to the SNMP manager. This setting is optional. SysLocation Enter the physical location of the wireless VPN firewall.
  • Page 330 Figure 199. Back Up Settings The backup feature saves all wireless VPN firewall settings to a file. Back up your settings periodically, and store the backup file in a safe place. Tip: You can use a backup file to export all settings to another wireless VPN firewall that has the same language and management software versions.
  • Page 331 Restore Settings WARNING: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the wireless VPN firewall system software.
  • Page 332: Update The Firmware

    To download a firmware version and upgrade the firmware: Go to the NETGEAR website at http://support.netgear.com. Navigate to the FVS318N support page, and click the Downloads tab. Click the desired firmware version to reach the download page. Be sure to read the release notes on the download page before upgrading the wireless VPN firewall’s software.
  • Page 333: Configure Date And Time Service

    VPN firewall after upgrading it. See the firmware release notes that NETGEAR makes available. Configure Date and Time Service Configure date, time, and NTP server designations on the System Date & Time screen.
  • Page 334 Note: If you select the Use Custom NTP Servers option but leave either the Server 1 or Server 2 field blank, both fields are set to the default NETGEAR NTP servers. Note: A list of public NTP servers is available at http://support.ntp.org/bin/view/Servers/WebHome.
  • Page 335: Chapter 10 Monitor System Access And Performance

    Monitor System Access and Performance This chapter describes the system-monitoring features of the wireless VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more.
  • Page 336 Figure 201. Enter the settings as explained in the following table: Monitor System Access and Performance...
  • Page 337 Table 82. Broadband Traffic Meter screen settings Setting Description Enable Traffic Meter Do you want to enable Traffic Metering on …? Select one of the following radio buttons to configure traffic metering: • Yes. Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN interface.
  • Page 338: Configure Logging, Alerts, And Event Notifications

    Table 82. Broadband Traffic Meter screen settings (continued) Setting Description When Limit is reached Block Traffic Select one of the following radio buttons to specify which action the wireless VPN firewall performs when the traffic limit has been reached: •...
  • Page 339 To configure and activate logs: Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays: Figure 203.
  • Page 340 Enter the settings as explained in the following table: Table 83. Firewall Logs & E-mail screen settings Setting Description Log Options Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to identify the device that sent the log messages.
  • Page 341 Table 83. Firewall Logs & E-mail screen settings (continued) Setting Description Enable E-mail Logs Do you want logs to be emailed? Select the Yes radio button to enable the wireless VPN firewall to email logs to a specified email address.
  • Page 342: How To Send Syslogs Over A Vpn Tunnel Between Sites

    Click Apply to save your settings. Note: Enabling routing and other event logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. How to Send Syslogs over a VPN Tunnel between Sites ...
  • Page 343 This section describes steps 2 through 4, using the topology that is described in the following table: Type of Address Gateway 1 at Site 1 Gateway 2 at Site 2 WAN IP address 10.0.0.1 10.0.0.2 LAN IP address...
  • Page 344 • Remote WAN IP address. 10.0.0.1 • Local WAN IP address. 10.0.0.2 • Remote LAN IP Address. 192.168.10.0 • Remote LAN subnet mask. 255.255.255.0 Click Apply to save the settings. To change the local IP address in the VPN policy: Select VPN >...
  • Page 345: View Status Screens

    View Status Screens The wireless VPN firewall provides real-time information in a variety of status screens that are described in the following sections: • View the System Status • View the VPN Connection Status and L2TP Users •...
  • Page 346 Figure 204. The following table explains the fields of the Router Status screen: Table 84. Router Status screen information Item Description System Info System Name The NETGEAR system name. Firmware Version The currently installed firmware version.
  • Page 347 Table 84. Router Status screen information (continued) Item Description LAN (VLAN) Information For each of the LAN ports, the screen shows the IP address and subnet mask. For more detailed information, see Table 86 on page 350.
  • Page 348 Figure 205. The following table explains the fields of the Router Statistics screen. To change the poll interval period, enter a new value (in seconds) in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Table 85.
  • Page 349 Figure 206.
  • Page 350 The following table explains the fields of the Detailed Status screen: Table 86. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile The name of the VLAN profile that you assigned to this port on the LAN Setup screen (see...
  • Page 351 Table 86. Detailed Status screen information (continued) Item Description IPv6 Address The IPv6 address of the WAN port. For information about configuring the IPv6 address of the WAN port, see Configure the IPv6 Internet Connection and WAN Settings on page 35.
  • Page 352 Table 86. Detailed Status screen information (continued) Item Description Wireless Configuration Wireless Status The wireless status can be Enabled or Disabled, depending on whether or not the default wireless profile is enabled. For information about enabling the default wireless profile, see Configure and Enable Wireless Profiles on page 112.
  • Page 353: View The Vpn Connection Status And L2Tp Users

    The IPv6 Tunnel Status table shows the following fields: • Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for simple Internet transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in which x is an integer.
  • Page 354: View The Vpn Logs

    To view the active L2TP tunnel users: Select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays: Figure 209. The active user name, client’s IP address on the remote LAC, and IP address that is assigned by the L2TP server on the wireless VPN firewall are listed in the table.
  • Page 355: View The Port Triggering Status

    To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 211. View the Port Triggering Status To view the status of the port-triggering feature: Select Security >...
  • Page 356: View The Wan Port Status

    Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen displays in a pop-up screen. Figure 213. The Port Triggering Status screen displays the information that is described in the following table: Table 87.
  • Page 357 Figure 214. The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Table 88. Connection Status screen information for an IPv4 connection Item Description Connection Time...
  • Page 358 IPv6 WAN Port Status To view the IPv6 status of the WAN port: Select Network Configuration > WAN Settings > Broadband ISP Settings (IPv6). The Broadband ISP Settings (IPv6) screen displays (see Figure 17 on page 38).
  • Page 359: View The Attached Devices And The Dhcp Log

    View the Attached Devices and the DHCP Log The LAN Groups screen shows the network database, which is the Known PCs and Devices table, which contains all IP devices that the wireless VPN firewall has discovered on the local network.
  • Page 360 • MAC Address. The MAC address of the computer’s or device’s network interface. • Group. Each computer or device can be assigned to a single LAN group. By default, a computer or device is assigned to Group 1. You can select a different LAN group from the Group drop-down list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen.
  • Page 361: View The Status Of A Wireless Profile

    View the Status of a Wireless Profile To view the status of a specific wireless profile: Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. Click the Status button in the Status column for the wireless profile for which you want to display the status information.
  • Page 362: Diagnostics Utilities

    Table 90. Access Point screen fields (continued) Item Description Dropped The number of received (rx) and transmitted (tx) dropped packets on the access point. Multicast The number of received (rx) and transmitted (tx) multicast packets on the access point. Collisions The number of signal collisions that have occurred on the access point.
  • Page 363 Specify the IP version for which you want to display the Diagnostics screen: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Figure 219. •...
  • Page 364: Send A Ping Packet

    Diagnostics screen, click Back on the browser menu bar. Look Up a DNS Address A Domain Name Server (DNS) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address.
  • Page 365: Display The Routing Tables

    Display the Routing Tables Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems. To display the routing table: On the Diagnostics screen for IPv4, in the Router Options section of the screen, click the Display button next to Display the IPv4 Routing Table.
  • Page 366: Reboot The Wireless Vpn Firewall Remotely

    Reboot the Wireless VPN Firewall Remotely You can perform a remote reboot, for example, when the wireless VPN firewall seems to have become unstable or is not operating normally. Rebooting breaks any existing connections either to the wireless VPN firewall (such as your management session) or through the wireless VPN firewall (for example, LAN users accessing the Internet).
  • Page 367: Chapter 11 Troubleshooting

    Troubleshooting This chapter provides troubleshooting tips and information for the wireless VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the wireless VPN firewall on? Go to Basic Functioning on page 368.
  • Page 368: Basic Functioning

    VPN firewall and that the power supply adapter is correctly connected to a functioning power outlet. If the error persists, you have a hardware problem and should contact NETGEAR technical support.
  • Page 369: Lan Or Wan Port Leds Not On

    LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the wireless VPN firewall and at the hub, router, or workstation.
  • Page 370: When You Enter A Url Or Ip Address, A Time-Out Error Occurs

    • Make sure that you are using the correct login information. The factory default login name is admin, and the password is password. Make sure that Caps Lock is off when entering this information. Note: To be able to configure the wireless VPN firewall, your computer’s IP address does not need to be on the same subnet as the wireless...
  • Page 371 To check the WAN IP address: Launch your browser and navigate to an external site such as www.netgear.com. Access the web management interface of the wireless VPN firewall’s configuration at https://192.168.1.1. Select Network Configuration > WAN Settings > Broadband ISP Settings. The Broadband ISP Settings screen for IPv4 displays.
  • Page 372: Troubleshooting The Ipv6 Connection

    A DNS server is a host on the Internet that translates Internet names (such as www.netgear.com) to numeric IP addresses. Typically your ISP provides the addresses of one or two DNS servers for your use. You can configure your computer manually with DNS addresses, as explained in your operating system documentation.
  • Page 373 • Make sure that IPv6 is enabled on the computer. On a computer that runs a Windows-based operating system, do the following (note that the steps might differ on the various Windows operating systems): a.
  • Page 374 c. Click or double-click View status of this connection. The Local Area Connection Status screen displays: Figure 223. d. Make sure that Internet access shows for the IPv6 connection. (The previous screen shows that there is no Internet access.) e.
  • Page 375: Troubleshoot A Tcp/Ip Network Using A Ping Utility

    f. Make sure that an IPv6 address shows. The previous screen does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80. Troubleshoot a TCP/IP Network Using a Ping Utility Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device.
  • Page 376: Test The Path From Your Computer To A Remote Device

    Test the Path from Your Computer to a Remote Device After verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows Run dialog box, type: ping -n 10 <IP address>...
  • Page 377: Address Problems With Date And Time

    Figure 225. b. Click the Default button. The wireless VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible, or a status message with a counter might show the number of seconds left until the reboot process is complete.
  • Page 378: Access The Knowledge Base And Documentation

    Adjust for Daylight Savings Time check box. Access the Knowledge Base and Documentation To access NETGEAR’s knowledge base for the wireless VPN firewall: Select Support > Knowledge Base. To access NETGEAR’s documentation library for your wireless VPN firewall model: Select Support > Documentation.
  • Page 379: Appendix A Default Settings And Technical Specifications

    Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the wireless VPN firewall in the following sections: • Factory Default Settings • Physical and Technical Specifications Factory Default Settings You can use the factory default Reset button located on the rear panel to reset all settings to their factory defaults.
  • Page 380 Table 91. Wireless VPN firewall factory default configuration settings (continued). WAN MAC address: Use default MAC address of the wireless VPN firewall; WAN MTU size: 1500 bytes (1492 bytes for PPPoE connections); Port speed: AutoSense. IPv4 LAN, DMZ, and routing settings...
  • Page 381 Table 91. Wireless VPN firewall factory default configuration settings (continued). Firewall and security settings: Inbound LAN WAN rules (communications coming in from the Internet): All traffic is blocked, except for traffic in response to requests from the LAN.
  • Page 382 Table 91. Wireless VPN firewall factory default configuration settings (continued). Proxy server blocking: Disabled; Java applets blocking: Disabled; ActiveX controls blocking: Disabled; Cookies blocking: Disabled; Blocked keywords: None; Trusted domains: (not shown). Wireless radio and access point settings: Wireless radio: Enabled...
  • Page 383 Table 91. Wireless VPN firewall factory default configuration settings (continued). Beacon interval: 100 ms; DTIM interval: (not shown); RTS threshold: 2346 bytes; Fragmentation threshold: 2346 bytes; Preamble mode: Long; Protection mode: None; Power save: Disabled. VPN IPsec Wizard: IKE policy settings for IPv4 and IPv6 gateway-to-gateway tunnels...
  • Page 384 Table 91. Wireless VPN firewall factory default configuration settings (continued). Authentication algorithm: SHA-1; Authentication method: Pre-shared Key; Key group: DH-Group 2 (1024 bit); Life time: 8 hours. VPN IPsec Wizard: VPN policy settings for IPv4 gateway-to-client tunnels: Encryption algorithm: 3DES; Authentication algorithm...
  • Page 385: Physical And Technical Specifications

    Table 91. Wireless VPN firewall factory default configuration settings (continued). Administrative and monitoring settings: Secure HTTP management: Enabled; Telnet management: Disabled; Traffic meter: Disabled; SNMP: Disabled; Time zone: (not shown); Time zone adjusted for daylight saving time: Disabled; Routing logs: Disabled...
  • Page 386 Table 92. Wireless VPN firewall physical and technical specifications (continued). Dimensions and weight: Dimensions (W x H x D): 19 x 12.5 x 3.5 cm (7.5 x 4.9 x 1.4 in); Weight: 0.59 kg (1.3 lb). Environmental specifications...
  • Page 387 Table 93. Wireless VPN firewall IPSec VPN specifications (continued). IPSec encryption algorithm: DES, 3DES, AES-128, AES-192, AES-256; IPSec key exchange: IKE, manual key, pre-shared key, X.509 certificate; IPSec authentication types: Local user database, RADIUS PAP, RADIUS CHAP; IPSec certificates supported: CA certificates, self-signed certificate. The following table shows the SSL VPN specifications for the wireless VPN firewall:...
  • Page 388 Table 95. Wireless VPN firewall wireless specifications (continued). 802.11 b/bg/ng/n data encryption: 64-bit and 128-bit WEP, TKIP, CCMP encryption; Network management: Web-based configuration and status monitoring.
  • Page 389: Appendix B Two-Factor Authentication

    NETGEAR has also recognized the need to provide more than just a firewall to protect the networks. NETGEAR has implemented a more robust authentication system known as two-factor authentication (2FA or T-FA) to help address the fast-growing network security issues.
  • Page 390: What Is Two-Factor Authentication

    NETGEAR Two-Factor Authentication Solutions NETGEAR has implemented 2 two-factor authentication solutions from WiKID. WiKID is the software-based token solution. So instead of using only Windows Active Directory or LDAP as the authentication server, administrators now have the option to use WiKID to perform two-factor authentication on NETGEAR SSL and VPN firewall products.
  • Page 391 Figure 226. A one-time passcode (something the user has) is generated. Figure 227. Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration time.
  • Page 392 Figure 228.
  • Page 393: Appendix C Notification Of Compliance (Wired)

    FCC Declaration Of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies with Part 15 of FCC Rules.
  • Page 394 • Consult the dealer or an experienced radio/TV technician for help. Modifications made to the product, unless expressly approved by NETGEAR, Inc., could void the user's right to operate the equipment. Canadian Department of Communications Radio Interference Regulations...
  • Page 395 Additional Copyrights Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions: 1.
  • Page 396 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function.
  • Page 397: Appendix D Notification Of Compliance (Wireless)

    EDOC in Languages of the European Community Language Statement Česky [Czech] NETGEAR Inc. hereby declares that this Radiolan is in compliance with the essential requirements and other relevant provisions of Directive 1999/5/EC. Dansk [Danish] The undersigned NETGEAR Inc. hereby declares that the following equipment, Radiolan, complies with the essential requirements and other relevant requirements of Directive 1999/5/EC.
  • Page 398 Español [Spanish] NETGEAR Inc. hereby declares that the Radiolan complies with the essential requirements and any other applicable or required provisions of Directive 1999/5/EC. Ελληνική [Greek] NETGEAR Inc. HEREBY DECLARES THAT Radiolan COMPLIES WITH...
  • Page 399 This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter. FCC Declaration of Conformity We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies with Part 15 Subpart B of FCC CFR47 Rules.
  • Page 400 For GNU General Public License (GPL) related information, please visit http://support.netgear.com/app/answers/detail/a_id/2649. Interference Reduction Table The following table shows the Recommended Minimum Distance between NETGEAR equipment and household appliances to reduce interference (in feet and meters). Household Appliance Recommended Minimum Distance (in feet and meters)
  • Page 401 Household Appliance / Recommended Minimum Distance (in feet and meters): Cordless phone - Digital: 30 feet / 9 meters; Bluetooth devices: 20 feet / 6 meters; ZigBee: 20 feet / 6 meters.
  • Page 402: Index

    Index Numerics administrative default settings administrator 10BASE-T, 100BASE-T, and 1000BASE-T speeds default name and password 2.4-GHz wireless mode receiving logs by email 20- and 40-MHz channel spacing settings (admin) – user account 3322.org advertisement prefixes, IPv6 64-bit and 128-bit WEP DMZ, configuring for 6to4 tunnels LAN, configuring for...
  • Page 403 – autodetecting IPv4 Internet settings self-signed signature key length autoinitiating VPN tunnels – trusted autosensing port speed – certification authority (CA) channel spacing, wireless channels and frequencies, selecting b mode, wireless CHAP (Challenge Handshake Authentication Protocol) backing up configuration file See also bandwidth capacity...
  • Page 404 DMZ (demilitarized zone) – configuring Data Encryption Standard. See DES. increasing traffic data rates, 802.11b/bg/ng/n port database, local users DNS (Domain Name Server) automatic configuration of computers date and daylight saving time – dynamic settings looking up an address...
  • Page 405 event logs gateway, ISP IPv4 address – examples of firewall rules IPv6 address exchange mode, IKE policies generating keys, WEP exposed hosts global addresses, IPv6 increasing traffic specifying (rule example) global IPv6 tunnels DMZ, configuring for extended authentication (XAUTH) –...
  • Page 406 – IPv6 LAN, secondary MAC bindings DMZ-to-WAN rules port forwarding, SSL VPN LAN-to-DMZ rules reserved LAN-to-WAN rules secondary LAN order of precedence SSL VPN overview clients, configuring scheduling – policies, configuring settings resources, configuring inbound traffic, bandwidth static or permanent increasing traffic...
  • Page 407 IPv6 Internet connection manually configuring L2TP (Layer 2 Tunneling Protocol) server setting up L2TP Access Concentrator (LAC) IPv6 mode, configuring L2TP users IPv6 prefix length DMZ address LAC (L2TP Access Concentrator) DMZ advertisements DMZ DHCPv6 address pools address pools (IPv6) IPSec VPN policies...
  • Page 408 – login policies, user multicast pass-through login time-out multihome LAN addresses – changing IPv4, configuring – default IPv6, configuring logs, configuring long preamble looking up DNS address n and ng modes, wireless losing wireless connection names, changing DDNS host and domain ISP login...
  • Page 409 order of precedence, firewall rules troubleshooting TCP/IP using the ping utility – OTP (one-time passcode) placement of wireless VPN firewall outbound rules default plug and play (UPnP), configuring – examples Point-to-Point Tunneling Protocol (PPTP) settings IPv4 policies DMZ-to-WAN rules...
  • Page 410 power plug receptacle and Power On/Off switch Push ’N’ Connect power specifications Push button configuration (PBC) method, WPS PPP connection PVID (Port VLAN Identifier) PPPoE (PPP over Ethernet) description settings QoS (Quality of Service) PPTP (Point-to-Point Tunneling Protocol) settings profiles preamble type...
  • Page 411 RFC 2865 Session Initiation Protocol (SIP) – RIP (Routing Information Protocol), configuring session limits configuring roaming logging dropped packets Router Advertisement Daemon (RADVD) severities, syslog DMZ, configuring for LAN, configuring for SHA-1 IKE policies router advertisements (RAs) and router lifetime (IPv6) Mode Config operation DMZ, configuring for...
  • Page 412 policies Telnet management managing temperatures, operating and storage settings Temporal Key Integrity Protocol (TKIP) port forwarding Test LED – configuring testing description Internet connectivity portals wireless connectivity accessing time settings – configuring configuring options troubleshooting –...
  • Page 413 WiKID-PAP and WiKID-CHAP configuring manually Mode Config tunnel, opening Type of Service (ToS), QoS profile Mode Config, configuring – TZO.com tunnel, opening VPN IPSec Wizard. See IPSec VPN Wizard. VPN tunnels – active users UDP (User Datagram Protocol) autoinitiating UDP flood, blocking...
  • Page 414 DHCPv6 client, prefix delegation WAN LEDs XAUTH (extended authentication) WAN ports – configuring WAN traffic meter (or counter) IKE policies web component blocking web management interface description troubleshooting weight WEP (wired equivalent privacy) –...