NETGEAR FVS318N-100NAS manual


A good user manual

The rules should oblige the seller to give the purchaser an operating instruction of NETGEAR FVS318N-100NAS along with the item. The lack of an instruction, or false information given to the customer, constitutes grounds for a complaint because of nonconformity of the goods with the contract. In accordance with the law, a customer can receive an instruction in non-paper form; lately, graphic and electronic forms of manuals, as well as instructional videos, have been widely used. A necessary precondition for this is that the instruction is unmistakable and legible.

What is an instruction?

The term originates from the Latin word "instructio", which means organizing. Therefore, in an instruction of NETGEAR FVS318N-100NAS one can find a process description. An instruction's purpose is to teach and to ease the start-up and use of an item or the performance of certain activities. An instruction is a compilation of information about an item or a service; it is a clue.

Unfortunately, only a few customers devote their time to reading an instruction of NETGEAR FVS318N-100NAS. A good user manual introduces us to a number of additional functionalities of the purchased item, and also helps us to avoid most defects.

What should a perfect user manual contain?

First and foremost, a user manual of NETGEAR FVS318N-100NAS should contain:
- information concerning technical data of NETGEAR FVS318N-100NAS
- name of the manufacturer and a year of construction of the NETGEAR FVS318N-100NAS item
- rules of operation, control and maintenance of the NETGEAR FVS318N-100NAS item
- safety signs and mark certificates which confirm compatibility with appropriate standards

Why don't we read the manuals?

Usually it results from a lack of time and from certainty about the functionalities of purchased items. Unfortunately, networking and start-up of NETGEAR FVS318N-100NAS alone are not enough. An instruction contains a number of clues concerning respective functionalities, safety rules, maintenance methods (what means should be used), possible defects of NETGEAR FVS318N-100NAS, and methods of problem resolution. Finally, when one still can't find the answer to his problems, he will be directed to the NETGEAR service. Lately, animated manuals and instructional videos have become quite popular among customers. These kinds of user manuals are effective; they ensure that a customer will familiarize himself with the whole material and won't skip complicated, technical information of NETGEAR FVS318N-100NAS.

Why should one read the manuals?

It is mostly in the manuals that we find the details concerning the construction and capabilities of the NETGEAR FVS318N-100NAS item and its use with respective accessories, as well as information concerning all the functions and facilities.

After a successful purchase of an item, one should find a moment to get to know every part of an instruction. Currently the manuals are carefully prepared and translated, so that they can be fully understood by their users. The manuals will serve as an informational aid.

Table of contents for the manual

  • Page 1

    350 East Plumeria Drive San Jose, CA 95134 USA March 16, 2012 202-10836-02 v1.0 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Reference Manual[...]

  • Page 2

    2 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N © 2011–2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc. Technical Supp[...]

  • Page 3

    3 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N (continued) • User login restrictions based on IPv6 addresses (see Configure Login Restrictions Based on IPv6 Addresses) • IPv6 remote management access (see Configure Remote Management Access) • IPv6 time zone (see Configure Date and Time Service) • IPv6 diagnostics (see Diagno[...]

  • Page 4

    4 Contents
    Chapter 1 Introduction
    What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? 10
    Key Features and Capabilities 11
    Wireless Features 11
    Advanced VPN Support for Both IPSe[...]

  • Page 5

    5 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
    Additional WAN-Related Configuration Tasks 50
    Verify the Connection 50
    What to Do Next[...]

  • Page 6

    6 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
    Chapter 5 Firewall Protection
    About Firewall Protection 125
    Administrator Tips 126
    Overview of Rules to Block or Allow Specific Kinds of T[...]

  • Page 7

    7 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
    Manage VPN Policies 225
    Configure Extended Authentication (XAUTH) 233
    Configure XAUTH for VPN Clients 234
    User Databas[...]

  • Page 8

    8 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
    Manage Digital Certificates for VPN Connections 306
    VPN Certificates Screen 307
    Manage VPN CA Certificates 308
    Manage VP[...]

  • Page 9

    9 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
    When You Enter a URL or IP Address, a Time-Out Error Occurs 370
    Troubleshoot the ISP Connection 370
    Troubleshooting the IPv6 Connection 372
    Troubleshoot a TCP/IP Ne[...]

  • Page 10

    10 1 1. Introduction This chapter provides an overview of the features and capabilities of the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N and explains how to log in to the device and use its web management interface. This chapter contains the following sections: • What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS3[...]

  • Page 11

    Introduction 11 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Key Features and Capabilities The wireless VPN firewall provides the following key features and capabilities: • A single 10/100/1000 Mbps Gigabit Ethernet WAN port • Built-in eight-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer bet[...]

  • Page 12

    Introduction 12 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • SSL VPN provides remote access for mobile users to selected corporate resources without requiring a preinstalled VPN client on their computers. - Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free ac[...]

  • Page 13

    Introduction 13 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Autosensing Ethernet Connections with Auto Uplink With its internal eight-port 10/100/1000 Mbps switch and 10/100/1000 WAN port, the wireless VPN firewall can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Et[...]

  • Page 14

    Introduction 14 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Easy Installation and Management You can install, configure, and operate the wireless VPN firewall within minutes after connecting it to the network. The following features simplify installation and management tasks: • Browser-based management. Browser-based configurat[...]

  • Page 15

    Introduction 15 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Package Contents The wireless VPN firewall product package contains the following items: • ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • One 12V 1A power supply unit for your region • Rubber feet • Ethernet cable • ProSafe Wireless-N 8-Port Gigabit [...]

  • Page 16

    Introduction 16 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 1. The following table describes the function of each LED. Table 1. LED descriptions LED Activity Description Power LED On (green) Power is supplied to the wireless VPN firewall. Off Power is not supplied to the wireless VPN firewall. Test LED On (amber) during startu[...]

  • Page 17

    Introduction 17 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN Ports Left LED Off The LAN port has no link. On (green) The LAN port has detected a link with a connected Ethernet device. Blinking (green) Data is being transmitted or received by the LAN port. Right LED Off The LAN port is operating at 10 Mbps. On (amber) The LAN port[...]

  • Page 18

    Introduction 18 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Rear Panel The rear panel of the wireless VPN firewall includes the antennas, a cable lock receptacle, a console port, a Reset button, a DC power connection, and a power switch. Figure 2. Viewed from left to right, the rear panel contains the following components: 1. D[...]

  • Page 19

    Introduction 19 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Bottom Panel with Product Label The product label on the bottom of the wireless VPN firewall’s enclosure displays factory defaults settings, regulatory compliance, and other information. Figure 3. Choose a Location for the Wireless VPN Firewall The wireless VPN firewall is[...]

  • Page 20

    Introduction 20 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Log In to the Wireless VPN Firewall Note: To connect the wireless VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the Installation Guide. See the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Inst[...]

  • Page 21

    Introduction 21 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 4. 3. In the User Name field, type admin. Use lowercase letters. 4. In the Password / Passcode field, type password. Here, too, use lowercase letters. Note: The wireless VPN firewall user name and password are not the same as any user name or password you might use[...]

  • Page 22

    Introduction 22 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 5. Web Management Interface Menu Layout The following figure shows the menu at the top the web management interface: Figure 6. The web management interface menu consists of the following components: • 1st level: Main navigation menu links. The main navigation men[...]

  • Page 23

    Introduction 23 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • 2nd level: Configuration menu links. The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in [...]

  • Page 24

    Introduction 24 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Any of the following table buttons might display onscreen: • Select All. Select all entries in the table. • Delete. Delete the selected entry or entries from the table. • Enable. Enable the selected entry or entries in the table. • Disable. Disable the selected [...]

  • Page 25

    25 2 2. Internet and Broadband Settings This chapter explains how to configure the Internet and WAN settings. This chapter contains the following sections: • Internet and WAN Configuration Tasks • Configure the IPv4 Internet Connection and WAN Settings • Configure the IPv6 Internet Connection and WAN Settings • Configure Dyn[...]

  • Page 26

    Internet and Broadband Settings 26 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Configure the WAN options (optional). If required, change the factory default MTU size, port speed, and MAC address of the wireless VPN firewall: see Configure Advanced WAN Options and Other Tasks on page 47. These are advanced features, and you usual[...]

  • Page 27

    Internet and Broadband Settings 27 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Network Address Translation Network Address Translation (NAT) allows all computers on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the wireless VPN firewall) and a single IP address. Computers[...]

  • Page 28

    Internet and Broadband Settings 28 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 9. 2. Select the NAT radio button or the Classical Routing radio button. WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings. 3. Click Apply to save your settings. Let the Wireless VPN Firewall[...]

  • Page 29

    Internet and Broadband Settings 29 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 10. 2. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of the followi[...]

  • Page 30

    Internet and Broadband Settings 30 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • If the autodetect process does not find a connection, you are prompted either to check the physical connection between your wireless VPN firewall and the cable, DSL line, or satellite or wireless Internet dish, or to check your wireless VPN firewall’s [...]

  • Page 31

    Internet and Broadband Settings 31 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection on page 31, or see Troubleshoot the [...]

  • Page 32

    Internet and Broadband Settings 32 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 13. 5. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table: Table 3. PPTP and PPPoE settings Setting Description Austria (PPTP) Note: For login and password information, see [...]

  • Page 33

    Internet and Broadband Settings 33 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 6. In the Internet (IP) Address section of the screen (see the following figure), configure the IP address settings as explained in the following table. Click the Current IP Address link to see the currently assigned IP address. Other (PPPoE) Note: For login[...]

  • Page 34

    Internet and Broadband Settings 34 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 7. In the Domain Name Server (DNS) Servers section of the screen (see the following figure), specify the DNS settings as explained in the following table. Figure 14. Table 4. Internet IP address settings Setting Description Get Dynamically from ISP If your [...]

  • Page 35

    Internet and Broadband Settings 35 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 8. Click Test to evaluate your entries. The wireless VPN firewall attempts to make a connection according to the settings that you entered. 9. Click Apply to save your changes. 10. To verify the connection, click the Broadband Status option arrow in the[...]

  • Page 36

    Internet and Broadband Settings 36 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N travel over the IPv4 intranet; you do this by enabling and configuring ISATAP tunneling (see Configure ISATAP Automatic Tunnelling on page 42). Note: A network can be both an isolated IPv6 network and a mixed network with IPv4 and IPv6 devices. After [...]

  • Page 37

    Internet and Broadband Settings 37 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 16. 2. Select the IPv4 / IPv6 mode radio button. By default, the IPv4 only mode radio button is selected, and IPv6 is disabled. WARNING: Changing the IP routing mode causes the wireless VPN firewall to reboot. 3. Click Apply to save your changes. Use[...]

  • Page 38

    Internet and Broadband Settings 38 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To automatically configure the WAN port for an IPv6 connection to the Internet: 1. Select Network Configuration > WAN Settings > Broadband ISP Settings. 2. In the upper right of the screen, select the IPv6 radio button. The ISP Broadband Setting[...]

  • Page 39

    Internet and Broadband Settings 39 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 7. To verify the connection, click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a dynamic IP address configuration.) Figure 18. The Connection Status screen should [...]

  • Page 40

    Internet and Broadband Settings 40 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 19. 3. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6. 4. In the Static IP Address section of the screen, enter the settings as explained in the following table. You should have received static IPv6[...]

  • Page 41

    Internet and Broadband Settings 41 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 6. To verify the connection, click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration; the IP addresses are not related to any other ex[...]

  • Page 42

    Internet and Broadband Settings 42 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N With 6to4 tunnels, IPv6 packets are embedded within the IPv4 packet and then transported over the IPv4 network. You do not need to specify remote tunnel endpoints, which are automatically determined by relay routers on the Internet. You cannot use 6to4[...]

  • Page 43

    Internet and Broadband Settings 43 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N enabling and configuring Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling. ISATAP is a LAN tunnel mechanism in which the IPv4 network functions as a virtual IPv6 local link. Each IPv4 address is mapped to a link-local IPv6 address, th[...]

  • Page 44

    Internet and Broadband Settings 44 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. Click the Add table button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays: Figure 23. 3. Specify the tunnel settings as explained in the following table. 4. Click Apply to save your changes. To edit an I[...]

  • Page 45

    Internet and Broadband Settings 45 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View the Tunnel Status and IPv6 Addresses The IPv6 Tunnel Status screen displays the status of all active 6to4 and ISATAP tunnels and their IPv6 addresses. To view the status of the tunnels and IPv6 addresses: Select Monitoring > Router S[...]

  • Page 46

    Internet and Broadband Settings 46 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the DDNS service does not work because private addresses are not routed on the Internet. To configure DDNS: 1. Select Network Configuration > Dynamic DNS. The Dynam[...]

  • Page 47

    Internet and Broadband Settings 47 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Configure the DDNS service settings as explained in the following table: 6. Click Apply to save your configuration. Configure Advanced WAN Options and Other Tasks The advanced options include configuring the maximum transmission unit (MTU) size, port [...]

  • Page 48

    Internet and Broadband Settings 48 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 27. 3. Enter the settings as explained in the following table: Table 9. Broadband Advanced Options screen settings Setting Description MTU Size Make one of the following selections: Default Select the Default radio button for the normal maximum transmi[...]

  • Page 49

    Internet and Broadband Settings 49 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your changes. Speed In most cases, the wireless VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an Int[...]

  • Page 50

    Internet and Broadband Settings 50 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Additional WAN-Related Configuration Tasks • If you want the ability to manage the wireless VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 322). If you enable remote management, NETGEAR strongly recommen[...]

  • Page 51

    51 3 3. LAN Configuration This chapter describes how to configure the advanced LAN features of your wireless VPN firewall. This chapter contains the following sections: • Manage IPv4 Virtual LANs and DHCP Options • Configure IPv4 Multihome LAN IP Addresses on the Default VLAN • Manage IPv4 Groups and Hosts (IPv4 LAN Groups) • Ma[...]

  • Page 52

    LAN Configuration 52 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N VLANs have a number of advantages: • It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group’s traffic is contained largely within the VLAN, redu[...]

  • Page 53

    LAN Configuration 53 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one of which is connected to the wireless VPN firewall, the other one to another device: Packets coming from the IP phone to the wireless VPN firewall LAN port are tagged. Packets[...]

  • Page 54

    LAN Configuration 54 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N For each VLAN profile, the following fields display in the VLAN Profiles table: • Check box. Allows you to select the VLAN profile in the table. • Status icon. Indicates the status of the VLAN profile: - Green circle. The VLAN profile is enabled. - Gray circle. Th[...]

  • Page 55

    LAN Configuration 55 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • WINS server (if you entered a WINS server address in the DHCP Setup screen) • Lease time (the date obtained and the duration of the lease) DHCP Relay DHCP relay options allow you to make the wireless VPN firewall a DHCP relay agent for a VLAN. The DHCP relay agent [...]

  • Page 56

    LAN Configuration 56 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure a VLAN Profile For each VLAN on the wireless VPN firewall, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing capability. To add a VLAN profile: 1. Select Network Configuration > L[...]

  • Page 57

    LAN Configuration 57 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 30.[...]

  • Page 58

    LAN Configuration 58 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Enter the settings as explained in the following table: Table 10. Add VLAN Profile screen settings Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile. VLAN ID Enter a unique ID number for the VLAN profile. No two VLANs can have the s[...]

  • Page 59

    LAN Configuration 59 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enable DHCP Server Select the Enable DHCP Server radio button to enable the wireless VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. (For the default VLAN[...]

  • Page 60

    LAN Configuration 60 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your settings. Note: Once you have completed the LAN setup, all outbound traffic is allowed and all inbound traffic is discarded except responses to requests from the LAN side. For information about how to change these default traffic rules, see [...]

  • Page 61

    LAN Configuration 61 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To edit a VLAN profile: 1. On the LAN Setup screen for IPv4 (see Figure 29 on page 56), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays. This screen is identical to the Add VLAN Profil[...]

  • Page 62

    LAN Configuration 62 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 31. 3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.) 4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled b[...]

  • Page 63

    LAN Configuration 63 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0 • Secondary LAN IP address. 192.168.20.1 with subnet 255.255.255.0 To add a secondary LAN IPv4 address: 1. Select Network Configuration > LAN Setup > LAN Multi-homing. In the upper right of t[...]

  • Page 64

    LAN Configuration 64 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Click Apply to save your settings. To delete one or more secondary LAN IP addresses: 1. On the LAN Multi-homing screen for IPv4 (see the previous figure), select the check box to the left of each secondary IP address that you want to delete, or click the Select Al[...]

  • Page 65

    LAN Configuration 65 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • There is no need to use a fixed IP address on a computer. Because the IP address allocated by the DHCP server never changes, you do not need to assign a fixed IP address to a computer to ensure that it always has the same IP address. • A computer is identified b[...]

  • Page 66

    LAN Configuration 66 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display: • Check box. Allows you to select the computer or device in the table. • Name. The name of the computer or device. For computers [...]

  • Page 67

    LAN Configuration 67 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. Click the Add table button to add the computer or device to the Known PCs and Devices table. 3. As an optional step: To save the binding between the IP address and MAC address for the entry that you just added to the Known PCs and Devices table, select the check bo[...]

  • Page 68

    LAN Configuration 68 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 34. 2. Modify the settings as explained in Table 11 on page 66. 3. Click Apply to save your settings in the Known PCs and Devices table. Deleting Computers or Devices from the Network Database To delete one or more computers or devices from the network data[...]

  • Page 69

    LAN Configuration 69 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. Click the Edit Group Names option arrow to the right of the LAN submenu tabs. The Network Database Group Names screen displays. (The following figure shows some examples.) Figure 35. 3. Select the radio button next to the group name that you want to edit. 4. Type a new[...]

  • Page 70

    LAN Configuration 70 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: The saved binding is also displayed on the IP/MAC Binding screen (see Figure 97 on page 181). Manage the IPv6 LAN An IPv6 LAN typically functions with site-local and link-local unicast addresses. Each physical interface requires an IPv6 link-local address that is a[...]

  • Page 71

    LAN Configuration 71 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Stateless DHCPv6 Server With Prefix Delegation As an option for a stateless DHCPv6 server, you can enable prefix delegation. The ISP’s stateful DHCPv6 server assigns a prefix that is used by the wireless VPN firewall’s stateless DHCPv6 server to assign to its IPv6 LA[...]

  • Page 72

    LAN Configuration 72 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the IPv6 LAN To configure the IPv6 LAN settings: 1. Select Network Configuration > LAN Setup. 2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings. (The following figure contains some examples[...]

  • Page 73

    LAN Configuration 73 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Enter the settings as explained in the following table. The IPv6 address pools and prefixes for prefix delegation are explained in the sections following the table. Table 12. LAN Setup screen settings for IPv6 Setting Description IPv6 LAN Setup IPv6 Address Enter the[...]

  • Page 74

    LAN Configuration 74 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your changes. IPv6 LAN Address Pools If you configure a stateful DHCPv6 server for the LAN, you need to add local DHCP IPv6 address pools so the DHCPv6 server can control the allocation of IPv6 addresses in the LAN. To add an IPv6 LAN address[...]

  • Page 75

    LAN Configuration 75 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 37. 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of IPv6 Address Pools table on the LAN Setup screen for IPv6. To edit an IPv6 LAN address pool: 1. On the LAN [...]

  • Page 76

    LAN Configuration 76 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 LAN Prefixes for Prefix Delegation If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation check box (both on the ISP Broadband Settings screen for IPv6 and on the LAN Setup screen for IPv6), a prefix delegation pool is automatically[...]

  • Page 77

    LAN Configuration 77 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Daemon (RADVD) and advertisement prefixes. The RADVD [...]

  • Page 78

    LAN Configuration 78 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings (see Figure 36 on page 72.) 3. To the right of the LAN Setup tab, click the RADVD option arrow. The RADVD screen for the LAN displays. (The following fi[...]

  • Page 79

    LAN Configuration 79 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to save your changes. Advertisement Prefixes for the LAN You need to configure the prefixes that are advertised in the LAN RAs. For a 6to4 address, you need to specify only the site level aggregation identifier (SLA ID) and the prefix lifetime. For a gl[...]

  • Page 80

    LAN Configuration 80 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 40. 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of Prefixes to Advertise table on the RADVD screen for the LAN. To edit an advertisement prefix: 1. On the RAD[...]

  • Page 81

    LAN Configuration 81 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more advertisement prefixes: 1. On the RADVD screen for the LAN (see Figure 39 on page 78), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement pr[...]

  • Page 82

    LAN Configuration 82 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. In the Add Secondary LAN IP Address section of the screen, enter the following settings: • IPv6 Address. Enter the secondary address that you want to assign to the LAN ports. • Prefix Length. Enter the prefix length for the secondary IP address. 4. Click the Add[...]

  • Page 83

    LAN Configuration 83 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT. The wireless VPN firewall is programmed to recognize some of these applications and to work correctly with them, but there are other applications tha[...]

  • Page 84

    LAN Configuration 84 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 42. 2. Enter the settings as explained in the following table: Table 17. DMZ Setup screen settings for IPv4 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port[...]

  • Page 85

    LAN Configuration 85 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Do you want to enable DMZ Port? (continued) Subnet Mask Enter the IP subnet mask of the DMZ port. The subnet mask specifies the network number portion of an IP address. The subnet mask for the DMZ port is 255.255.255.0. DHCP for DMZ Connected Computers Disable DHCP Server [...]

  • Page 86

    LAN Configuration 86 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Click Apply to save your settings. DMZ Port for IPv6 Traffic The DMZ Setup (IPv6) screen lets you set up the DMZ port for IPv6 traffic. You can enable or disable the hardware DMZ port (LAN port 8; see Front Panel on page 15) for IPv6 traffic and configure an IPv[...]

  • Page 87

    LAN Configuration 87 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N For the DMZ, there are two DHCPv6 server options: • Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCP[...]

  • Page 88

    LAN Configuration 88 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Enter the settings as explained in the following table: Table 18. DMZ Setup screen settings for IPv6 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port settings. [...]

  • Page 89

    LAN Configuration 89 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your settings. IPv6 DMZ Address Pools If you configure a stateful DHCPv6 server for the DMZ, you need to add local DHCP IPv6 address pools so the DHCPv6 server can control the allocation of IPv6 addresses in the DMZ. To add an IPv6 DMZ addre[...]

  • Page 90

    LAN Configuration 90 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of IPv6 Address Pools table on the DMZ Setup (IPv6) screen. To edit an IPv6 DMZ address pool: 1. On the DMZ Setup screen for[...]

  • Page 91

    LAN Configuration 91 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Hosts and routers in the LAN use NDP to determine the link-layer addresses and related information of neighbors in the LAN that can forward packets on their behalf. The wireless VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to pr[...]

  • Page 92

    LAN Configuration 92 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 45. 4. Enter the settings as explained in the following table: Table 21. RADVD screen settings for the DMZ Setting Description RADVD Status Specify the RADVD status by making a selection from the drop-down list: • Enable. The RADVD is enabled, and the RADVD[...]

  • Page 93

    LAN Configuration 93 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to save your changes. Advertisement Prefixes for the DMZ You need to configure the prefixes that are advertised in the DMZ RAs. For a 6to4 address, you need to specify only the site level aggregation identifier (SLA ID) and the prefix lifetime. For a gl[...]

  • Page 94

    LAN Configuration 94 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 46. 2. Enter the settings as explained in the following table: 3. Click Apply to save your changes and add the new IPv6 address pool to the List of Prefixes to Advertise table on the RADVD screen for the DMZ. To edit an advertisement prefix: 1. On the RADV[...]

  • Page 95

    LAN Configuration 95 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more advertisement prefixes: 1. On the RADVD screen for the DMZ screen (see Figure 45 on page 92), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertiseme[...]

  • Page 96

    LAN Configuration 96 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 48. 3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. The new static route is added to the Static Routes table. Table 23. Add Static Route screen settings for IPv4 Setting Description Route Name The route name for th[...]

  • Page 97

    LAN Configuration 97 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To edit an IPv4 static route: 1. On the Static Routing screen for IPv4 (see Figure 47 on page 95), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays. This screen is identical to the Add Stat[...]

  • Page 98

    LAN Configuration 98 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 49. 3. Enter the settings as explained in the following table: Table 24. RIP Configuration screen settings Setting Description RIP RIP Direction From the RIP Direction drop-down list, select the direction in which the wireless VPN firewall sends and receives RIP p[...]

  • Page 99

    LAN Configuration 99 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your settings. RIP Version By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version: • RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version. [...]

  • Page 100

    LAN Configuration 100 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv4 Static Route Example In this example, we assume the following: • The wireless VPN firewall’s primary Internet access is through a cable modem to an ISP. • The wireless VPN firewall is on a local LAN with IP address 192.168.1.100. • The wireless VPN fir[...]

  • Page 101

    LAN Configuration 101 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 50. 3. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing screen displays: Figure 51. 4. Enter the settings as explained in the following table: Table 25. Add IPv6 Static Routing screen settings Setting Description Route N[...]

  • Page 102

    LAN Configuration 102 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to save your settings. The new static route is added to the List of IPv6 Static Routes table. To edit an IPv6 static route: 1. On the Static Routing screen for IPv6 (see Figure 50 on page 101), click the Edit button in the Action column for the ro[...]

  • Page 103

    103 4 4. Wireless Configuration and Security This chapter describes how to configure the wireless features of your ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N. This chapter includes the following sections: • Overview of the Wireless Features • Configure the Basic Radio Settings • Wireless Data Security Options ?[...]

  • Page 104

    Wireless Configuration and Security 104 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N (NIC) through an antenna. Typically, an individual in-building wireless access point provides a maximum connectivity area of about a 300-foot radius. The wireless VPN firewall can support a small group of wireless users—typically 10 to 32 users. Confi[...]

  • Page 105

    Wireless Configuration and Security 105 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the Basic Radio Settings The radio settings apply to all wireless profiles on the wireless VPN firewall. The default wireless mode is 802.11ng. You can change the wireless mode, country, and many other radio settings on the Radio Settings[...]

  • Page 106

    Wireless Configuration and Security 106 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Mode Specify the wireless mode in the 2.4-GHz band by making a selection from the drop-down list: • g and b. In addition to 802.11b- and 802.11g-compliant devices, 802.11n-compliant devices can connect to the wireless access point because they [...]

  • Page 107

    Wireless Configuration and Security 107 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N WARNING: When you have changed the country settings, the wireless VPN firewall will reboot when you click Apply. 3. Click Apply to save your settings. Operating Frequency (Channel) Guidelines You should not need to change the operating frequency (ch[...]

  • Page 108

    Wireless Configuration and Security 108 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N security features that are covered in detail in this chapter. Deploy the security features appropriate to your needs. Figure 53. There are several ways you can enhance the security of your wireless network: • Restrict access based by MAC address. Y[...]

  • Page 109

    Wireless Configuration and Security 109 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N provides the most reliable security. Use WPA2 only if all clients in your network support WPA2. The wireless VPN firewall supports WPA2 with PSK, RADIUS, or a combination of PSK and RADIUS. For more information about how to configure WPA2, see Conf[...]

  • Page 110

    Wireless Configuration and Security 110 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To set up a wireless profile, specify a name for the profile and the SSID, type of security with authentication and data encryption, and whether or not the SSID is broadcast. • Network authentication The wireless VPN firewall is set by default as a[...]

  • Page 111

    Wireless Configuration and Security 111 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N ______________________ __________________________ _________________________ Store this information in a safe place: • SSID The service set identifier (SSID) identifies the wireless local area network. You can customize it by using up to 32 alphanumer[...]

  • Page 112

    Wireless Configuration and Security 112 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure and Enable Wireless Profiles To add a wireless profile: 1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. (The following figure shows some examples.) Figure 54. The [...]

  • Page 113

    Wireless Configuration and Security 113 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 55. 3. Specify the settings as explained in the following table: Table 28. Add Wireless Profiles screen settings Setting Description Wireless Profile Configuration Profile Name The name for the default wireless profile is default1. You cannot [...]

  • Page 114

    Wireless Configuration and Security 114 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N SSID The wireless network name (SSID) for the wireless profile. The default SSID name is FVS318N_1. You can change this name by entering up to 32 alphanumeric characters. Make sure that additional SSIDs have unique names. Broadcast SSID Select the[...]

  • Page 115

    Wireless Configuration and Security 115 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Encryption Note: WPA, WPA2, and WPA+WPA2 only. The encryption that you can select depends on the type of WPA security that you have selected: • WPA. You can select the following encryption from the drop-down list: - TKIP - TKIP+CCMP • WPA2. Y[...]

  • Page 116

    Wireless Configuration and Security 116 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your settings. The new profile is added to the List of Available Wireless Profiles table on the Wireless Profiles screen. WARNING: If you use a wireless computer to configure wireless security settings, you will be disconnected [...]

  • Page 117

    Wireless Configuration and Security 117 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To edit a wireless profile: 1. On the Wireless Profiles screen (see Figure 54 on page 112), click the Edit button in the Action column for the wireless profile that you want to modify. The Edit Profiles screen displays. This screen is identical t[...]

  • Page 118

    Wireless Configuration and Security 118 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: For wireless adapters, you can usually find the MAC address printed on the wireless adapter. To allow or restrict access based on MAC addresses: 1. On the Wireless Profiles screen (see Figure 54 on page 112), click the ACL button in the AC[...]

  • Page 119

    Wireless Configuration and Security 119 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N WARNING: When configuring the wireless VPN firewall from a wireless computer whose MAC address is not in the access control list and when the ACL policy status is set to deny access, you will lose your wireless connection when you click Apply. You [...]

  • Page 120

    Wireless Configuration and Security 120 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The following table explains the fields of the Access Point Status screen. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Configure Wi-Fi Prot[...]

  • Page 121

    Wireless Configuration and Security 121 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: For a list of other Wi-Fi-certified products available from NETGEAR, go to http://www.wi-fi.org. To enable WPS and initiate the WPS process on the wireless VPN firewall: 1. Select Network Configuration > Wireless Settings > Wireless [...]

  • Page 122

    Wireless Configuration and Security 122 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 6. In the WPS Setup Method section of the screen, use one of the following methods to initiate the WPS process for a wireless device: • PIN method: a. Collect the pin of the wireless device. b. In the Station PIN field, enter the pin. c. Click the [...]

  • Page 123

    Wireless Configuration and Security 123 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Specify the settings as explained in the following table: 4. Click Apply to save your settings. Table 30. Advanced Wireless screen settings Setting Description Beacon Interval Enter an interval between 40 ms and 3500 ms for each beacon transmissio[...]

  • Page 124

    Wireless Configuration and Security 124 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Test Basic Wireless Connectivity After you have configured the wireless VPN firewall as explained in the previous sections, test your wireless clients for wireless connectivity before you place the wireless VPN firewall at its permanent position. ?[...]

  • Page 125

    125 5 5. Firewall Protection This chapter describes how to use the firewall features of the wireless VPN firewall to protect your network. This chapter contains the following sections: • About Firewall Protection • Overview of Rules to Block or Allow Specific Kinds of Traffic • Configure LAN WAN Rules • Configure DMZ WAN Ru[...]

  • Page 126

    Firewall Protection 126 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N the incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT. For IPv6, which in itself provides stronger security than IPv4, a firewall in particular controls the exchange of traffic between the Internet, DM[...]

  • Page 127

    Firewall Protection 127 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the wireless VPN firewall are: • Inbound. Block all access from outside except responses to requests from the LAN side. • Outbound. Allow all access from the L[...]

  • Page 128

    Firewall Protection 128 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 63 on page 138, Figure 69 on page 145, and Figure 75 on page 152). The steps to configure outbound rules are descri[...]

  • Page 129

    Firewall Protection 129 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N WAN Users The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are: • Any. All Internet IP addresses are covered by this rule. • Single address. Enter the required address in the Start field. • A[...]

  • Page 130

    Firewall Protection 130 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Inbound Rules (Port Forwarding) If you have enabled Network Address Translation (NAT), your network presents one IP address only to the Internet, and outside users cannot directly access any of your local computers (LAN users). (For information about configuring N[...]

  • Page 131

    Firewall Protection 131 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN Groups screen to keep the computer’s IP address constant (see Set Up DHCP Address Reservation on page 69). • Local computers need to access the local server using the computers’ local LAN address. Attempts by local computers to access the server using the[...]

  • Page 132

    Firewall Protection 132 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 33. Inbound rules overview Setting Description Inbound Rules Service The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services screen (see Add Customized Services on [...]

  • Page 133

    Firewall Protection 133 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN Users These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing, and determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN. • Single address. Enter the r[...]

  • Page 134

    Firewall Protection 134 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location[...]

  • Page 135

    Firewall Protection 135 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure LAN WAN Rules The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). This feature is also referr[...]

  • Page 136

    Firewall Protection 136 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, one of the following screens displays: - Edit LAN WAN Outbound Service screen for IPv4 (identical to Figure 63 on page 138) - Edit LAN WAN Inbound Servi[...]

  • Page 137

    Firewall Protection 137 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To enable, disable, or delete one or more IPv4 or IPv6 rules: 1. Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules. 2. Click one of the following table buttons: • [...]

  • Page 138

    Firewall Protection 138 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 63. 3. Enter the settings as explained in Table 32 on page 128. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • LAN Users • WAN Users Unless your selec[...]

  • Page 139

    Firewall Protection 139 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 LAN WAN Outbound Rules To create a new IPv6 LAN WAN outbound rule: 1. In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 62 on page 136). 2. Click the Add table button under t[...]

  • Page 140

    Firewall Protection 140 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N blocked. Remember that allowing inbound services opens potential security holes in your firewall. Enable only those ports that are necessary for your network. WARNING: Make sure that you understand the consequences of a LAN WAN inbound rule before you apply the rul[...]

  • Page 141

    Firewall Protection 141 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • WAN Destination IP Address • LAN Users (This drop-down list[...]

  • Page 142

    Firewall Protection 142 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • LAN Users • WAN Users Unless your selection fro[...]

  • Page 143

    Firewall Protection 143 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 67. To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one posit[...]

  • Page 144

    Firewall Protection 144 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 68. To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one posit[...]

  • Page 145

    Firewall Protection 145 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Create DMZ WAN Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination[...]

  • Page 146

    Firewall Protection 146 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists: • Select Schedule • QoS Priority • NAT IP (This drop-down list is available only when the WAN [...]

  • Page 147

    Firewall Protection 147 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists: • Select Schedule • QoS Priority 4. Click Apply. The new rule is now added to the Outbound Services table[...]

  • Page 148

    Firewall Protection 148 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 71. 3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • WAN Destination IP Address • DMZ Users (This dr[...]

  • Page 149

    Firewall Protection 149 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 DMZ WAN Inbound Service Rules To create a new IPv6 DMZ WAN inbound rule: 1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 68 on page 144). 2. Click the Add table button un[...]

  • Page 150

    Firewall Protection 150 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure LAN DMZ Rules The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to block all traffic between the local LAN and DMZ network. You can then apply [...]

  • Page 151

    Firewall Protection 151 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To access the LAN DMZ Rules screen for IPv6 or to make changes to existing IPv6 rules: 1. Select Security > Firewall > LAN DMZ Rules. The Firewall submenu tabs display with the LAN DMZ Rules screen for IPv4 in view. 2. In the upper right of the screen, sele[...]

  • Page 152

    Firewall Protection 152 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Create LAN DMZ Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination I[...]

  • Page 153

    Firewall Protection 153 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 LAN DMZ Outbound Service Rules To create a new IPv6 LAN DMZ outbound rule: 1. In the upper right of the LAN DMZ Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 74 on page 151). 2. Click the Add table button und[...]

  • Page 154

    Firewall Protection 154 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv4 LAN DMZ Inbound Service Rules To create a new IPv4 LAN DMZ inbound rule: 1. In the upper right of the LAN DMZ Rules screen, select the IPv4 radio button. The screen displays the IPv4 settings (see Figure 73 on page 150). 2. Click the Add table button under th[...]

  • Page 155

    Firewall Protection 155 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. Click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen for IPv6 displays: Figure 78. 3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lis[...]

  • Page 156

    Firewall Protection 156 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 79. IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule ([...]

  • Page 157

    Firewall Protection 157 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 80. IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the wireless VPN firewall to host an additional [...]

  • Page 158

    Firewall Protection 158 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides I[...]

  • Page 159

    Firewall Protection 159 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 6. In the Send to LAN Server field, enter the local IP address of your web server computer (192.168.1.2 in this example). 7. In the WAN Destination IP Address fields, enter 10.1.0.52. 8. Click Apply to save your settings. The rule is now added to the Inbound Service[...]

  • Page 160

    Firewall Protection 160 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the comp[...]

  • Page 161

    Firewall Protection 161 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N You can also enable the wireless VPN firewall to log any attempt to use Instant Messenger during the blocked period. See an example in the following figure. Figure 84. IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ User to Access an FTP Site on the Internet If you [...]

  • Page 162

    Firewall Protection 162 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 85. Configure Other Firewall Features You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions. Attack Checks The Attack Checks screen allows you to specify whether or not the wireless VPN firewall sh[...]

  • Page 163

    Firewall Protection 163 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv4 Attack Checks To enable IPv4 attack checks for your network environment: 1. Select Security > Firewall > Attack Checks. In the upper right of the screen, the IPv4 radio button is selected by default. The Attack Checks screen displays the IPv4 sett[...]

  • Page 164

    Firewall Protection 164 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN Security Checks Block UDP flood Select the Block UDP flood check box (which is the default setting) to prevent the wireless VPN firewall from accepting more than 20 simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN. A UDP[...]

  • Page 165

    Firewall Protection 165 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Click Apply to save your settings. IPv6 Attack Checks To enable IPv6 attack checks for your network environment: 1. Select Security > Firewall > Attack Checks. 2. In the upper right of the screen, select the IPv6 radio button. The Attack Checks screen [...]

  • Page 166

    Firewall Protection 166 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Set Limits for IPv4 Sessions The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IPv4 connection across the wireless VPN firewall. The session limits feature is disabled by default. To enable and co[...]

  • Page 167

    Firewall Protection 167 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your settings. Manage the Application Level Gateway for SIP Sessions The application level gateway (ALG) facilitates multimedia sessions such as voice over IP (VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and [...]

  • Page 168

    Firewall Protection 168 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Services, Bandwidth Profiles, and QoS Profiles When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules: • Services. A service narrows down [...]

  • Page 169

    Firewall Protection 169 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To add a customized service: 1. Select Security > Services. The Services screen displays. The Custom Services table shows the user-defined services. (The following figure shows some examples.) Figure 90. 2. In the Add Customer Service section of the screen, ent[...]

  • Page 170

    Firewall Protection 170 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Click Apply to save your settings. The new custom service is added to the Custom Services table. To edit a service: 1. In the Custom Services table, click the Edit table button to the right of the service that you want to edit. The Edit Service screen displays[...]

  • Page 171

    Firewall Protection 171 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Create Bandwidth Profiles Bandwidth profiles determine the way in which data is communicated with the hosts. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while pr[...]

  • Page 172

    Firewall Protection 172 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays: Figure 93. 3. Enter the settings as explained in the following table: Table 37. Add Bandwidth Profile screen settings Setting Description Profile Name A[...]

  • Page 173

    Firewall Protection 173 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your settings. The new bandwidth profile is added to the List of Bandwidth Profiles table. To edit a bandwidth profile: 1. In the List of Bandwidth Profiles table, click the Edit table button to the right of the bandwidth profile that you[...]

  • Page 174

    Firewall Protection 174 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N These are the default QoS profiles that are preconfigured and that cannot be edited: • Normal-Service. Used when no special priority is given to the traffic. IP packets are marked with a ToS value of 0. • Minimize-Cost. Used when data needs to be transferred [...]

  • Page 175

    Firewall Protection 175 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N - ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX applets from being downloaded. - Coo[...]

  • Page 176

    Firewall Protection 176 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 94. 2. In the Content Filtering section of the screen, select the Yes radio button.[...]

  • Page 177

    Firewall Protection 177 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected): • Proxy. Blocks proxy servers. • Java. Blocks Java applets from bein[...]

  • Page 178

    Firewall Protection 178 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Set a Schedule to Block or Allow Specific Traffic Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules. [...]

  • Page 179

    Firewall Protection 179 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Enable Source MAC Filtering The Source MAC Filter screen enables you to permit or block traffic coming from certain known computers or devices. By default, the source MAC address filter is disabled. All the traffic received from computers with any MAC address is al[...]

  • Page 180

    Firewall Protection 180 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your settings. The MAC Address field in the Add Source MAC Address section of the screen now becomes available. 5. Build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field. A MAC [...]

  • Page 181

    Firewall Protection 181 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Host 3. MAC address (00:01:02:03:04:07) and IP address (192.168.10.12) There are three possible scenarios in relation to the addresses in the IP/MAC Bindings table: • Host 1 has not changed its IP and MAC addresses. A packet coming from Host 1 has IP and MAC [...]

  • Page 182

    Firewall Protection 182 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons: • Yes. IP/MAC binding violations are emailed. Click the Firew[...]

  • Page 183

    Firewall Protection 183 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 98. 2. Click the Stop button. Wait until the Poll Interval field becomes available. 3. Enter new poll interval in seconds. 4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window. IPv6/MAC Bin[...]

  • Page 184

    Firewall Protection 184 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons: • Yes. IP/MAC binding violations are emailed. Click the Firew[...]

  • Page 185

    Firewall Protection 185 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 100. 2. Click the Stop button. Wait until the Poll Interval field becomes available. 3. Enter new poll interval in seconds. 4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window. Configure P[...]

  • Page 186

    Firewall Protection 186 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note these restrictions on port triggering: • Only one computer can use a port-triggering application at any time. • After a computer has finished using a port-triggering application, there is a short time-out period before the application can be used by a[...]

  • Page 187

    Firewall Protection 187 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Click the Add table button. The new port-triggering rule is added to the Port Triggering Rules table. To edit a port-triggering rule: 1. In the Port Triggering Rules table, click the Edit table button to the right of the port-triggering rule that you want[...]

  • Page 188

    Firewall Protection 188 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To configure UPnP: 1. Select Security > UPnP. The UPnP screen displays: Figure 103. The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the wireless VPN firewall and that have b[...]

  • Page 189

    189 6 6. Virtual Private Networking Using IPSec and L2TP Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the wireless VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. This chapter contain [...]

  • Page 190

    Virtual Private Networking Using IPSec and L2TP Connections 190 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configuring a VPN tunnel connection requires that you specify all settings on both sides of the VPN tunnel to match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the[...]

  • Page 191

    Virtual Private Networking Using IPSec and L2TP Connections 191 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 105. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The def[...]

  • Page 192

    Virtual Private Networking Using IPSec and L2TP Connections 192 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 106. 2. Complete the settings as explained in the following table: Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect to the fo[...]

  • Page 193

    Virtual Private Networking Using IPSec and L2TP Connections 193 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keep-alives, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel ali[...]

  • Page 194

    Virtual Private Networking Using IPSec and L2TP Connections 194 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 108. b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active. Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN ad[...]

  • Page 195

    Virtual Private Networking Using IPSec and L2TP Connections 195 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 110. To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The de[...]

  • Page 196

    Virtual Private Networking Using IPSec and L2TP Connections 196 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 111. 3. Complete the settings as explained in the following table: Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel Setting Description About VPN Wizard This VPN tunnel will connect to the f[...]

  • Page 197

    Virtual Private Networking Using IPSec and L2TP Connections 197 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Tip: To ensure that tunnels stay active, after completing the wizard, manually edit the VPN policy to enable keep-alives, which periodically sends ping packets to the host on the peer side of the network to keep the tunnel ali[...]

  • Page 198

    Virtual Private Networking Using IPSec and L2TP Connections 198 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 113. b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active. Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN ad[...]

  • Page 199

    Virtual Private Networking Using IPSec and L2TP Connections 199 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Use the VPN Wizard to Configure the Gateway for a Client Tunnel To set up a client-to-gateway VPN tunnel using the VPN Wizard: 1. Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio b[...]

  • Page 200

    Virtual Private Networking Using IPSec and L2TP Connections 200 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. Complete the settings as explained in the following table: 3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN Policies table on the VPN Policies screen for IPv4. By default, the VPN polic[...]

  • Page 201

    Virtual Private Networking Using IPSec and L2TP Connections 201 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 116. Note: When you are using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you hav[...]

  • Page 202

    Virtual Private Networking Using IPSec and L2TP Connections 202 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. The VPN Client supports IPv4 only; an upcoming release of the VPN Client will support IPv6. To use the Configuration Wizard to set[...]

  • Page 203

    Virtual Private Networking Using IPSec and L2TP Connections 203 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 118. 3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays: Figure 119. 4. Specify the following VPN tunnel parameters: • IP or DNS p[...]

  • Page 204

    Virtual Private Networking Using IPSec and L2TP Connections 204 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays: Figure 120. 6. This screen is a summary screen of the new VPN configuration. Click Finish. 7. Specify the local and remote IDs: a. In the tree[...]

  • Page 205

    Virtual Private Networking Using IPSec and L2TP Connections 205 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N c. Specify the settings that are explained in the following table. 8. Configure the global parameters: a. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in[...]

  • Page 206

    Virtual Private Networking Using IPSec and L2TP Connections 206 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 122. b. Specify the default lifetimes in seconds: • Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the wireless VPN fir[...]

  • Page 207

    Virtual Private Networking Using IPSec and L2TP Connections 207 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the Authentication Settings (Phase 1 Settings) To create new authentication settings: 1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel scree[...]

  • Page 208

    Virtual Private Networking Using IPSec and L2TP Connections 208 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name. The Authenticatio[...]

  • Page 209

    Virtual Private Networking Using IPSec and L2TP Connections 209 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication pane. The Advanced pane displays: Figure 126. 7. Specify the settings [...]

  • Page 210

    Virtual Private Networking Using IPSec and L2TP Connections 210 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Create the IPSec Configuration (Phase 2 Settings) Note: On the wireless VPN firewall, the IPSec configuration (phase 2 se[...]

  • Page 211

    Virtual Private Networking Using IPSec and L2TP Connections 211 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 127. 3. Specify the settings that are explained in the following table. Table 48. VPN client IPSec configuration settings Setting Description VPN Client address Either enter 0.0.0.0 as the IP address, or enter a virt[...]

  • Page 212

    Virtual Private Networking Using IPSec and L2TP Connections 212 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Global Parameters To specify the global parameters: 1. Click Global Parameters in the left column of [...]

  • Page 213

    Virtual Private Networking Using IPSec and L2TP Connections 213 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Test the Connection and View Connection and Status Information Both the NETGEAR ProSafe VPN Client and the wireless VPN firewall provide VPN connection and status information. This information is useful for verifying the sta[...]

  • Page 214

    Virtual Private Networking Using IPSec and L2TP Connections 214 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Use the system-tray icon. Right-click the system tray icon, and select Open tunnel ‘Tunnel’. Figure 131. Whichever way you choose to open the tunnel, when the tunnel opens successfully, the Tunnel opened message d[...]

  • Page 215

    Virtual Private Networking Using IPSec and L2TP Connections 215 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N NETGEAR VPN Client Status and Log Information To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Ac[...]

  • Page 216

    Virtual Private Networking Using IPSec and L2TP Connections 216 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 10 seconds. To change the poll interval period, enter a new value in the P[...]

  • Page 217

    Virtual Private Networking Using IPSec and L2TP Connections 217 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Manage IPSec VPN Policies After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during[...]

  • Page 218

    Virtual Private Networking Using IPSec and L2TP Connections 218 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IKE Policies Screen To access the IKE Policies screen: Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view. In the upper right of the screen, the IPv4 radio button is selec[...]

  • Page 219

    Virtual Private Networking Using IPSec and L2TP Connections 219 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more IKE policies: 1. Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all IKE policies. 2. Click the Delete table button. For info[...]

  • Page 220

    Virtual Private Networking Using IPSec and L2TP Connections 220 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 138.[...]

  • Page 221

    Virtual Private Networking Using IPSec and L2TP Connections 221 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Complete the settings as explained in the following table: Table 51. Add IKE Policy screen settings Setting Description Mode Config Record Do you want to use Mode Config Record? Specify whether or not the IKE policy uses a [...]

  • Page 222

    Virtual Private Networking Using IPSec and L2TP Connections 222 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Local Identifier From the drop-down list, select one of the following ISAKMP identifiers to be used by the wireless VPN firewall, and then specify the identifier in the Identifier field: • Local Wan IP. The WAN IP address [...]

  • Page 223

    Virtual Private Networking Using IPSec and L2TP Connections 223 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Authentication Method Select one of the following radio buttons to specify the authentication method: • Pre-shared key. A secret that is shared between the wireless VPN firewall and the remote endpoint. • RSA-Signature [...]

  • Page 224

    Virtual Private Networking Using IPSec and L2TP Connections 224 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. To edit an IKE policy: 1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 [...]

  • Page 225

    Virtual Private Networking Using IPSec and L2TP Connections 225 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table. Manage VPN Policies You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only[...]

  • Page 226

    Virtual Private Networking Using IPSec and L2TP Connections 226 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 139. Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 53 on page 230. To delete one or more VPN policies: 1. Select the check box to [...]

  • Page 227

    Virtual Private Networking Using IPSec and L2TP Connections 227 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To enable or disable one or more VPN policies: 1. Select the check box to the left of each policy that you want to enable or disable, or click the Select All table button to select all VPN Policies. 2. Click the Enable or D[...]

  • Page 228

    Virtual Private Networking Using IPSec and L2TP Connections 228 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 140. Add New VPN Policy screen for IPv4[...]

  • Page 229

    Virtual Private Networking Using IPSec and L2TP Connections 229 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 141. Add New VPN Policy screen for IPv6[...]

  • Page 230

    Virtual Private Networking Using IPSec and L2TP Connections 230 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Complete the settings as explained in the following table. The only differences between IPv4 and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6). Table 53. Add New VPN Policy screen settings for IPv4 and IPv6[...]

  • Page 231

    Virtual Private Networking Using IPSec and L2TP Connections 231 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Traffic Selection Local IP From the drop-down list, select the address or addresses that are part of the VPN tunnel on the wireless VPN firewall: • Any. All computers and devices on the network. Note that you cannot select[...]

  • Page 232

    Virtual Private Networking Using IPSec and L2TP Connections 232 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Key-Out The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: • 3DES. Enter 24 characters. • None. Key is not applicable. • DES. Enter 8 characters. • AES-1[...]

  • Page 233

    Virtual Private Networking Using IPSec and L2TP Connections 233 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table. To edit a VPN policy: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings (see F[...]

  • Page 234

    Virtual Private Networking Using IPSec and L2TP Connections 234 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available: • Edge Device. The wireless VPN firewall is used as a VPN concentrator on which one or more gateway tunnels terminate. You[...]

  • Page 235

    Virtual Private Networking Using IPSec and L2TP Connections 235 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to save your settings. User Database Configuration When XAUTH is enabled in an Edge Device configuration, users need to be authenticated either by a local user database account or by an external RADIUS server. Wh[...]

  • Page 236

    Virtual Private Networking Using IPSec and L2TP Connections 236 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. Note: Even though you can configure RADIUS servers with IPv4 addr[...]

  • Page 237

    Virtual Private Networking Using IPSec and L2TP Connections 237 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Click Apply to save your settings. Note: You can select the RADIUS authentication protocol (PAP or CHAP) on the Edit IKE Policy screen or Add IKE Policy screen (see Configure XAUTH for VPN Clients on page 234). Assign IPv4[...]

  • Page 238

    Virtual Private Networking Using IPSec and L2TP Connections 238 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients. Mode Config Operation After the IKE Phase 1 negotiation is comple[...]

  • Page 239

    Virtual Private Networking Using IPSec and L2TP Connections 239 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales: • For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and second pool (172.16.200.1 through 172.16.200.99) are s[...]

  • Page 240

    Virtual Private Networking Using IPSec and L2TP Connections 240 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Complete the settings as explained in the following table: Table 56. Add Mode Config Record screen settings Setting Description Client Pool Record Name A descriptive name of the Mode Config record for identification and manag[...]

  • Page 241

    Virtual Private Networking Using IPSec and L2TP Connections 241 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy. 5. Select VPN > IPSec VPN.[...]

  • Page 242

    Virtual Private Networking Using IPSec and L2TP Connections 242 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 145. 8. On the Add IKE Policy screen, complete the settings as explained in the following table.[...]

  • Page 243

    Virtual Private Networking Using IPSec and L2TP Connections 243 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 51 on page 221 explains the general IKE policy settings. Table 57. Add IKE Policy screen s[...]

  • Page 244

    Virtual Private Networking Using IPSec and L2TP Connections 244 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IKE SA Parameters Note: Generally, the default settings work well for a Mode Config configuration. Encryption Algorithm To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm. Authentic[...]

  • Page 245

    Virtual Private Networking Using IPSec and L2TP Connections 245 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table. Configure the ProSafe VPN Client for Mode Config Operation When the Mode Config feature is enabled, the following information is ne[...]

  • Page 246

    Virtual Private Networking Using IPSec and L2TP Connections 246 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSe[...]

  • Page 247

    Virtual Private Networking Using IPSec and L2TP Connections 247 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane. Note: This is [...]

  • Page 248

    Virtual Private Networking Using IPSec and L2TP Connections 248 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. 6. Click the Advanced tab in the Authentication pane. The Advanced pane displays: Figure 149. 7. Specify the [...]

  • Page 249

    Virtual Private Networking Using IPSec and L2TP Connections 249 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 8. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Create the Mode Config IPSec Configuration (Phase 2 Settings) Note: On the wireless VPN firewall, the IPSec configuration ([...]

  • Page 250

    Virtual Private Networking Using IPSec and L2TP Connections 250 ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 150. 3. Specify the settings that are explained in the following table. Table 60. VPN client IPSec configuration settings (Mode Config) Setting Description VPN Client address This field is masked out because Mode Conf[...]

  • Page 251

    4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use. Configure the Mode Config Global Parameters To specify the global parameters: 1. Click Global Parameters in the left[...]

  • Page 252

    3. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the wireless VPN firewall: • Check Interval. Enter 30 seconds. • Max. number of entries. Enter 3 [...]

  • Page 253

    Figure 154. 3. From the client computer, ping a computer on the wireless VPN firewall LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure it is not used in an IKE policy.[...]

  • Page 254

    Configure Keep-Alives The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keep-alive feature on a configured VPN policy:[...]

  • Page 255

    4. Enter the settings as explained in the following table: 5. Click Apply to save your settings. Configure Dead Peer Detection The Dead Peer Detection (DPD) feature lets the wireless VPN firewall maintain the IKE SA by exchan[...]

  • Page 256

    Figure 156. 4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: 5. Click Apply to save your settings. Configure NetBIOS Bridging with IPSec VPN W[...]

  • Page 257

    To enable NetBIOS bridging on a configured VPN tunnel: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 139 on page 226). 2. Specify the IP version for which you want to edit a [...]

  • Page 258

    is established, the L2TP user can connect to an L2TP client that is located behind the wireless VPN firewall. Note: IPSec VPN provides stronger authentication and encryption than L2TP. (Packets that traverse the L2TP tunnel ar[...]

  • Page 259

    View the Active L2TP Users To view the active L2TP tunnel users, select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays: Figure 159. The List of L2TP Active Users table lists each act[...]

  • Page 260

    7. Virtual Private Networking Using SSL Connections The wireless VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Socke[...]

  • Page 261

    computer. The wireless VPN firewall assigns the computer an IP address and DNS server IP addresses, allowing the remote computer to access network resources in the same manner as if it were connected directly to the corporate network, subje[...]

  • Page 262

    3. For port forwarding, define the servers and services (see Configure Applications for Port Forwarding on page 267). Create a list of servers and services that can be made available through user, group, or global policies. You can al[...]

  • Page 263

    You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add [...]

  • Page 264

    The List of Layouts table displays the following fields: • Layout Name. The descriptive name of the portal. • Description. The banner message that is displayed at the top of the portal (see Figure 171 on page 283). • Use Count[...]

  • Page 265

    4. Complete the settings as explained in the following table: Table 65. Add Portal Layout screen settings Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part[...]

  • Page 266

    5. Click Apply to save your settings. The new portal layout is added to the List of Layouts table. For information about how to display the new portal layout, see Access the New SSL Portal Login Screen on page 282. To edit a portal [...]

  • Page 267

    access policies. When you create a group, you need to specify a domain. Therefore, you should create any domains first, then groups, and then user accounts. For information about how to configure domains, groups, and users, see Configure A[...]

  • Page 268

    • TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers. 3. Click the Add table button. The new application entry[...]

  • Page 269

    2. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields: • Local Server IP Address. The IP address of an internal server or host computer that you want to name. • Fully Qua[...]

  • Page 270

    route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel. Configure the Client IP Address Range First determine the address range to be assigned to VPN tunnel clients, and then define the address range. ?[...]

  • Page 271

    Figure 165. SSL VPN Client screen for IPv6 3. Complete the settings as explained in the following table: Table 67. SSL VPN Client screen settings for IPv4 and IPv6 Setting Description Client IP Address Range Enable Full Tunnel Support Se[...]

  • Page 272

    4. Click Apply to save your settings. VPN tunnel clients are now able to connect to the wireless VPN firewall and receive a virtual IP address in the client address range. Add Routes for VPN Tunnel Clients The VPN tunnel clients assume th[...]

  • Page 273

    3. In the Add Routes for VPN Tunnel Clients section of the screen, specify information in the following fields: • Destination Network. The destination network IPv4 or IPv6 address of a local network or subnet. For example, for an IPv4 [...]

  • Page 274

    Figure 166. 2. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service [...]

  • Page 275

    3. Specify the IP version for which you want to add a portal layout: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 4. • IPv6. Select the IPv6 radio button. The screen th [...]

  • Page 276

    5. Click Apply to save your settings. The new configuration is added to the Defined Resource Addresses table. To delete a configuration from the Defined Resource Addresses table, click the Delete table button to the right of the conf[...]

  • Page 277

    IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization[...]

  • Page 278

    Figure 168. 2. Make your selection from the following Query options: • To view all global policies, select the Global radio button. • To view group policies, select the Group radio button, and then select the relevant group’s name[...]

  • Page 279

    Figure 169. Add SSL VPN Policy screen for IPv4 • IPv6. Select the IPv6 radio button. The Add SSL VPN Policy screen displays the IPv6 settings: Figure 170. Add SSL VPN Policy screen for IPv6[...]

  • Page 280

    4. Complete the settings as explained in the following table: Table 69. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the type of SSL VPN policy: • Global. The n[...]

  • Page 281

    5. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect immediately. Apply Policy to? (continued) IP Address (continued) Permission From the drop[...]

  • Page 282

    Note: If you have configured SSL VPN user policies, make sure that secure HTTP remote management is enabled (see Configure Remote Management Access on page 322). If secure HTTP remote management is not enabled, all SSL VPN user connecti[...]

  • Page 283

    Figure 171. 3. Enter the user name and password that you just created with the help of the SSL VPN Wizard. 4. Click Login. The User Portal screen displays. The format of the User Portal screen depends on the settings that you selected on t[...]

  • Page 284

    Figure 172. Figure 173. The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity. • Port [...]

  • Page 285

    • Change Password. Allows the user to change his or her password. • Support. Provides access to the NETGEAR website. Note: The first time that a user attempts to connect through the VPN tunnel, the NETGEAR SSL VPN tunnel adapter is i[...]

  • Page 286

    Figure 175.[...]

  • Page 287

    8. Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. This chapter contains the following sections: • The Wireless VPN Firewall’s Authentication Process and Options • Configure Authentication Domains, Groups, an[...]

  • Page 288

    Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The following table summarizes the external authentication protocols and method[...]

  • Page 289

    Configure Authentication Domains, Groups, and Users This section contains the following subsections: • Configure Domains • Configure Groups • Configure User Accounts • Set User Login Policies • Change Passwords and Other User[...]

  • Page 290

    The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain) to which the [...]

  • Page 291

    Authentication Type (continued) Note: If you select any type of RADIUS authentication, make sure that one or more RADIUS servers are configured (see RADIUS Client and Server Configuration on page 235). • Radius-CHAP. RADIUS Challen[...]

  • Page 292

    4. Click Apply to save your settings. The domain is added to the List of Domains table. 5. If you use local authentication, make sure that it is not disabled: in the Local Authentication section of the Domain screen (see Figure 176 on page [...]

  • Page 293

    Edit Domains To edit a domain: 1. Select Users > Domains. The Domains screen displays (see Figure 176 on page 289). 2. In the Action column of the List of Domains table, click the Edit table button for the domain that you want[...]

  • Page 294

    Create Groups To create a VPN group: 1. Select Users > Groups. The Groups screen displays. (The following figure shows the wireless VPN firewall’s default group—geardomain—and, as an example, several other groups in the[...]

  • Page 295

    Figure 179. 3. Complete the settings as explained in the following table: 4. Click Apply to save your changes. The new group is added to the List of Groups table. To delete one or more groups: 1. In the List of Groups table, sele[...]

  • Page 296

    To edit a VPN group: 1. Select Users > Groups. The Groups screen displays (see Figure 178 on page 294). 2. In the Action column of the List of Groups table, click the Edit table button for the group that you want to edit. The E[...]

  • Page 297

    To create a user account: 1. Select Users > Users. The Users screen displays. (The following figure shows the wireless VPN firewall’s default users—admin and guest—and, as an example, several other users in the List of Us[...]

  • Page 298

    Figure 181. 3. Enter the settings as explained in the following table: 4. Click Apply to save your settings. The user is added to the List of Users table. Table 73. Add Users screen settings Setting Description User Name A descriptive (al[...]

  • Page 299

    To delete one or more user accounts: 1. In the List of Users table, select the check box to the left of each user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete a [...]

  • Page 300

    • To prohibit the user from logging in from the WAN interface, select the Deny Login from WAN Interface check box. In this case, the user can log in only from the LAN interface. Note: For security reasons, the Deny Login from WAN In[...]

  • Page 301

    4. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table. • Allow Login only [...]

  • Page 302

    Figure 184. 5. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table. • Allow Lo[...]

  • Page 303

    9. Repeat Step 7 and Step 8 for any other addresses that you want to add to the Defined Addresses table. To delete one or more IPv6 addresses: 1. In the Defined Addresses table, select the check box to the left of each address t[...]

  • Page 304

    6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list: • Internet Explorer. • Opera. • Netscape Navigator. • Firefox[...]

  • Page 305

    To modify user settings, including passwords: 1. Select Users > Users. The Users screen displays (see Figure 180 on page 297). 2. In the Action column of the List of Users table, click the Edit table button for the user for [...]

  • Page 306

    4. Click Apply to save your settings. Manage Digital Certificates for VPN Connections The wireless VPN firewall uses digital certificates (also known as X509 certificates) during the Internet Key Exchange (IKE) authentication phase to au[...]

  • Page 307

    The wireless VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that c[...]

  • Page 308

    certificates in the Active Self Certificates table are active on the wireless VPN firewall (see Manage VPN Self-Signed Certificates on page 309). • Certificate Revocation Lists (CRL) table. Contains the lists with digital certif[...]

  • Page 309

    To delete one or more digital certificates: 1. In the Trusted Certificates (CA Certificate) table, select the check box to the left of each digital certificate that you want to delete, or click the Select All table button to sel[...]

  • Page 310

    To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the wireless VPN firewall: 1. Select VPN > Certificates. The Certificates screen displays. The following figure shows the middle section of the[...]

  • Page 311

    3. Click the Generate table button. A new SCR is created and added to the Self Certificate Requests table. 4. In the Self Certificate Requests table, click the View table button in the Action column to view the new SCR. The Certificate [...]

  • Page 312

    5. Copy the contents of the Data to supply to CA text field into a text file, including all of the data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----.” 6. Submit your SCR to a CA: a[...]

  • Page 313

    2. Click the Delete table button. Manage the VPN Certificate Revocation List A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is impo [...]

  • Page 314

    9. Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the wireless VPN firewall. This chapter contains the following sections: • Performance Management • System Management Performance Management Performance management [...]

  • Page 315

    • Content filtering • Source MAC filtering LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) You can control specific outbound traffic (from LAN to WAN and from the DMZ to WAN). The LAN WAN Rules screen and the DMZ WAN Rules scre[...]

  • Page 316

    • WAN users. You can specify which Internet locations are covered by an outbound rule, based on their IP address: - Any. The rule applies to all Internet IP addresses. - Single address. The rule applies to a single Internet IP address. - Address range. [...]

  • Page 317

    Features That Increase Traffic The following features of the wireless VPN firewall tend to increase the traffic load on the WAN side: • LAN WAN inbound rules (also referred to as port forwarding) • DMZ WAN inbound rules (also referred to as port f[...]

  • Page 318

    • LAN users. You can specify which computers on your network are affected by an inbound rule. There are several options: - Any. The rule applies to all computers and devices on your LAN. - Single address. The rule applies to the address of a particul[...]

  • Page 319

    safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic thr[...]

  • Page 320

    Assign Bandwidth Profiles When you set the QoS priority, the WAN bandwidth does not change. You change the WAN bandwidth that is assigned to a service or application by applying a bandwidth profile to a LAN WAN inbound or outbound rule. The purpose of [...]

  • Page 321

    To modify the administrator and guest passwords and idle time-out settings: 1. Select Users > Users. The Users screen displays. (The following figure shows the wireless VPN firewall’s default users—admin and guest—and, as an example, several [...]

  • Page 322

    Note: The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both uppercase and lowercase), numbers, and symbols. Your password can be up to 32 characters. 5. As an option, you can change the idle time-ou[...]

  • Page 323

    Note: When remote management is enabled and administrative access through a WAN interface is granted (see Configure Login Policies on page 299), the wireless VPN firewall’s web management interface is accessible to anyone who knows its IP address and de[...]

  • Page 324

    • IPv6. Select the IPv6 radio button. The Remote Management screen displays the IPv6 settings: Figure 195. Remote Management screen for IPv6[...]

  • Page 325

    3. Enter the settings as explained in the following table: WARNING: If you are remotely connected to the wireless VPN firewall and you select the No radio button to disable secure HTTP management, you and all other SSL VPN users are disconnected when you cl[...]

  • Page 326

    About Remote Access When remote management is enabled, you need to use an SSL connection to access the wireless VPN firewall from the Internet. You need to enter https:// (not http://) and type the wireless VPN firewall’s WAN IP address and port number[...]

  • Page 327

    To configure the SNMP settings: 1. Select Administration > SNMP. The SNMP screen displays. (The following figure contains an example.) Figure 196. The SNMP Configuration table shows the following columns: • IP Address. The IP address of the SNMP [...]

  • Page 328

    To edit an SNMP configuration: 1. On the SNMP screen (see the previous figure), click the Edit button in the Action column for the SNMP configuration that you want to modify. The Edit SNMP screen displays: Figure 197. 2. Modify the settings as explained[...]

  • Page 329

    2. Enter the settings as explained in the following table: 3. Click Apply to save your changes. Manage the Configuration File The configuration settings of the wireless VPN firewall are stored in a configuration file on the wireless VPN firewall. This file c[...]

  • Page 330

    Figure 199. Back Up Settings The backup feature saves all wireless VPN firewall settings to a file. Back up your settings periodically, and store the backup file in a safe place. Tip: You can use a backup file to export all settings to another wireless VP[...]

  • Page 331

    Restore Settings WARNING: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the wireless VPN firewall system software. To restore settings f[...]

  • Page 332

    process is complete. The reboot process takes about 165 seconds. (If you can see the unit: The reboot process is complete when the Test LED on the front panel goes off.) WARNING: When you press the hardware factory default Reset button or click the soft[...]

  • Page 333

    WARNING: After you have started the firmware installation process, do not interrupt the process. Do not try to go online, turn off the wireless VPN firewall, or do anything else to the wireless VPN firewall until the wireless VPN firewall has fully rebo[...]

  • Page 334

    The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current Time: Tue Mar 6 22:48:17 GMT -0800 2012). 2. Enter the settings as explained in the following table: 3. Click Apply to save[...]

  • Page 335

    10. Monitor System Access and Performance This chapter describes the system-monitoring features of the wireless VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN u[...]

  • Page 336

    Figure 201. 2. Enter the settings as explained in the following table:[...]

  • Page 337

    Table 82. Broadband Traffic Meter screen settings Setting Description Enable Traffic Meter Do you want to enable Traffic Metering on Broadband? Select one of the following radio buttons to configure traffic metering: • Yes. Traffic m[...]

  • Page 338

    3. Click Apply to save your settings. To display a report of the Internet traffic by type, click the Traffic by Protocol option arrow in the upper right of the Broadband Traffic Meter screen. The Traffic by Protocol screen displays in a pop-up s[...]

  • Page 339

    To configure and activate logs: 1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays: Figure 203.[...]

  • Page 340

    2. Enter the settings as explained in the following table: Table 83. Firewall Logs & E-mail screen settings Setting Description Log Options Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to identif[...]

  • Page 341

    Enable E-mail Logs Do you want logs to be emailed to you? Select the Yes radio button to enable the wireless VPN firewall to email logs to a specified email address. Complete the fields that are shown on the right side of the screen. Select the No [...]

  • Page 342

    3. Click Apply to save your settings. Note: Enabling routing and other event logs might generate a significant volume of log messages. NETGEAR recommends that you enable firewall logs for debugging purposes only. How to Send Syslogs over a VPN Tun[...]

  • Page 343

    This section describes steps 2 through 4, using the topology that is described in the following table: Configure Gateway 1 at Site 1 To create a gateway-to-gateway VPN tunnel to Gateway 2, using the IPSec VPN wizard: 1. Select VPN > IPSec VP[...]

  • Page 344

    • Remote WAN IP address. 10.0.0.1 • Local WAN IP address. 10.0.0.2 • Remote LAN IP Address. 192.168.10.0 • Remote LAN subnet mask. 255.255.255.0 3. Click Apply to save the settings. To change the local IP address in the VPN policy: 1. S[...]

  • Page 345

    View Status Screens The wireless VPN firewall provides real-time information in a variety of status screens that are described in the following sections: • View the System Status • View the VPN Connection Status and L2TP Users • View the[...]

  • Page 346

    Figure 204. The following table explains the fields of the Router Status screen: Table 84. Router Status screen information Item Description System Info System Name The NETGEAR system name. Firmware Version The currently installed firmware versi[...]

  • Page 347

    Router Statistics Screen To view the Router Statistics screen: 1. Select Monitoring > Router Status. The Router Status screen displays (see the previous figure). 2. Click the Show Statistics option arrow in the upper right of the Router S[...]

  • Page 348

    Figure 205. The following table explains the fields of the Router Statistics screen. To change the poll interval period, enter a new value (in seconds) in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Det[...]

  • Page 349

    Figure 206.[...]

  • Page 350

    The following table explains the fields of the Detailed Status screen: Table 86. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile The name of the V[...]

  • Page 351

    IPv6 Address The IPv6 address of the WAN port. For information about configuring the IPv4 address of the WAN port, see Configure the IPv6 Internet Connection and WAN Settings on page 35. WAN State The WAN state can be either UP or DOWN, depend[...]

  • Page 352

    Tunnel Status Screen The IPv6 Tunnel Status screen displays the status of all active 6to4 and ISATAP tunnels and their IPv6 addresses. To view the status of the tunnels and IPv6 addresses: Select Monitoring > Router Status > Tunne[...]

  • Page 353

    The IPv6 Tunnel Status table shows the following fields: • Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for simple Internet transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in which x is [...]

  • Page 354

    To view the active L2TP tunnel users: Select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays: Figure 209. The active user name, client’s IP address on the remote LAC, and IP address that is assigned b[...]

  • Page 355

    To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 211. View the Port Triggering Status To view the status of the port-triggering feature: 1. Select Security > Port[...]

  • Page 356

    2. Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen displays in a pop-up screen. Figure 213. The Port Triggering Status screen displays the information that is described in the [...]

  • Page 357

    Figure 214. The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Click Disconnect to disconnect the connection. Tabl[...]

  • Page 358

    IPv6 WAN Port Status To view the IPv6 status of the WAN port: 1. Select Network Configuration > WAN Settings > Broadband ISP Settings (IPv6). The Broadband ISP Settings (IPv6) screen displays (see Figure 17 on page 38). 2. Click the S[...]

  • Page 359

    View the Attached Devices and the DHCP Log The LAN Groups screen shows the network database, which is the Known PCs and Devices table, which contains all IP devices that the wireless VPN firewall has discovered on the local network. The LAN Setup screen [...]

  • Page 360

    • MAC Address. The MAC address of the computer’s or device’s network interface. • Group. Each computer or device can be assigned to a single LAN group. By default, a computer or device is assigned to Group 1. You can select a different[...]

  • Page 361

    View the Status of a Wireless Profile To view the status of a specific wireless profile: 1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. 2. Click the Status button in the S[...]

  • Page 362

    Diagnostics Utilities The wireless VPN firewall provides diagnostic tools that help you analyze the status of the network and traffic conditions. Two types of tools are available: • Network diagnostic tools. These tools include a ping utility, [...]

  • Page 363

    2. Specify the IP version for which you want to display the Diagnostics screen: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Figure 219. • IPv6. Select the IPv6 radio button. The Diagnostics scr[...]

  • Page 364

    Send a Ping Packet Use the ping utility to send a ping packet request in order to check the connection between the wireless VPN firewall and a specific IP address or FQDN. If the request times out (no reply is received), it usually means that the d[...]

  • Page 365

    Display the Routing Tables Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems. To display the routing table: On the Diagnostics screen for IPv4, in the Router Options section of the scr[...]

  • Page 366

    Reboot the Wireless VPN Firewall Remotely You can perform a remote reboot, for example, when the wireless VPN firewall seems to have become unstable or is not operating normally. Rebooting breaks any existing connections either to the wireless VPN[...]

  • Page 367

    11. Troubleshooting This chapter provides troubleshooting tips and information for the wireless VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the wireless VPN firewall on? Go to Basic Functioning [...]

  • Page 368

    Note: The wireless VPN firewall’s diagnostic tools are explained in Diagnostics Utilities on page 362. Basic Functioning After you turn on power to the wireless VPN firewall, verify that the following sequence of events occurs: 1. When power is first applied, ve[...]

  • Page 369

    LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the wireless VPN firewall and at the hub, router, or workstation.[...]

  • Page 370

    • Make sure that you are using the correct login information. The factory default login name is admin, and the password is password. Make sure that Caps Lock is off when entering this information. Note: To be able to configure the wireless VPN firewall, your computer [...]

  • Page 371

    To check the WAN IP address: 1. Launch your browser and navigate to an external site such as www.netgear.com. 2. Access the web management interface of the wireless VPN firewall’s configuration at https://192.168.1.1. 3. Select Network Configuration > WAN [...]

  • Page 372

    - Configure your wireless VPN firewall to spoof your computer’s MAC address. You can do this in the Router’s MAC Address section on the Broadband Advanced Options screen. For more information, see Configure Advanced WAN Options and Other Tasks on page 47. If yo[...]

  • Page 373

    • Make sure that IPv6 is enabled on the computer. On a computer that runs a Windows-based operating system, do the following (note that the steps might differ on the various Windows operating systems): a. Open the Network Connections screen or the Network and Sharing[...]

  • Page 374

    c. Click or double-click View status of this connection. The Local Area Connection Status screen displays: Figure 223. d. Make sure that Internet access shows for the IPv6 connection. (The previous screen shows that there is no Internet access.) e. Click Details. T[...]

  • Page 375

    f. Make sure that an IPv6 address shows. The previous screen does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80. Troubleshoot a TCP/IP Network Using a Ping Ut[...]

  • Page 376

    Test the Path from Your Computer to a Remote Device After verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows Run dialog box, type: ping -n 10 <IP address> in which <IP address> is the IP addre[...]

  • Page 377

    Figure 225. b. Click the Default button. The wireless VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible, or a status message with a counter might show the number of seconds left until the reboot proces[...]

  • Page 378

    Problems with the date and time function can include: • Date shown is January 1, 2000. Cause: The wireless VPN firewall has not yet successfully reached a network time server. Check that your Internet access settings are configured correctly. If you have just complet[...]

  • Page 379

    A. Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the wireless VPN firewall in the following sections: • Factory Default Settings • Physical and Technical Specifications Factory Default Settings You can use the factory default Reset [...]

  • Page 380

    WAN MAC address Use default MAC address of the wireless VPN firewall WAN MTU size 1500 bytes 1492 bytes for PPPoE connections Port speed AutoSense IPv4 LAN, DMZ, and routing settings LAN IPv4 address for the default VLAN 192.168.1.1 LAN IPv[...]

  • Page 381

    Firewall and security settings Inbound LAN WAN rules (communications coming in from the Internet) All traffic is blocked, except for traffic in response to requests from the LAN. Outbound LAN WAN rules (communications from the LAN to the [...]

  • Page 382

    Proxy server blocking Disabled Java applets blocking Disabled ActiveX controls blocking Disabled Cookies blocking Disabled Blocked keywords None Trusted domains All Wireless radio and access point settings Wireless radio Enabled Region Nonco[...]

  • Page 383

    Beacon interval 100 ms DTIM interval 2 RTS threshold 2346 bytes Fragmentation threshold 2346 bytes Preamble mode Long Protection mode None Power save Disabled VPN IPsec Wizard: IKE policy settings for IPv4 and IPv6 gateway-to-gateway tunne[...]

  • Page 384

    Authentication algorithm SHA-1 Authentication method Pre-shared Key Key group DH-Group 2 (1024 bit) Life time 8 hours VPN IPsec Wizard: VPN policy settings for IPv4 gateway-to-client tunnels Encryption algorithm 3DES Authentication algorithm S[...]

  • Page 385

    Physical and Technical Specifications The following table shows the physical and technical specifications for the wireless VPN firewall: Administrative and monitoring settings Secure HTTP management Enabled Telnet management Disabled Tr[...]

  • Page 386

    The following table shows the IPSec VPN specifications for the wireless VPN firewall: Dimensions and weight Dimensions (W x H x D) 19 x 12.5 x 3.5 cm (7.5 X 4.9 X 1.4 in) Weight 0.59 kg (1.3 lb) Environmental specifications Operating tempera[...]

  • Page 387

    The following table shows the SSL VPN specifications for the wireless VPN firewall: The following table shows the wireless specifications for the wireless VPN firewall: IPSec encryption algorithm DES, 3DES, AES-128, AES-192, AES-256 IPSec [...]

  • Page 388

    802.11b/bg/ng/n encryption 64-bits and 128-bits WEP, TKIP, CCMP data encryption Network management Web-based configuration and status monitoring Table 95. Wireless VPN firewall wireless specifications (continued) Setting Specification[...]

  • Page 389

    B. Two-Factor Authentication This appendix provides an overview of two-factor authentication, and an example of how to implement the WiKID solution. This appendix contains the following sections: • Why Do I Need Two-Factor Authentication? • NETGEAR Two-Factor Authentication Solutions Why Do I Need Two-Factor Authentication[...]

  • Page 390

    What Is Two-Factor Authentication? Two-factor authentication is a security solution that enhances and strengthens security by implementing multiple factors of the authentication process that challenge and confirm the users’ identities before they can gain[...]

  • Page 391

    Figure 226. 2. A one-time passcode (something the user has) is generated. Figure 227. Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration time. If a user[...]

  • Page 392

    Figure 228.[...]

  • Page 393

    C. Notification of Compliance (Wired) NETGEAR Wired Products Regulatory Compliance Information This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements ma[...]

  • Page 394

    FCC Radio Frequency Interference Warnings & Instructions This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protecti[...]

  • Page 395

    Additional Copyrights AES Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved. TERMS Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following cond[...]

  • Page 396

    MD5 Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or refer[...]

  • Page 397

    D. Notification of Compliance (Wireless) NETGEAR Wireless Routers, Gateways, APs Regulatory Compliance Information Note: This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with [...]

  • Page 398

    Español [Spanish] NETGEAR Inc. hereby declares that the Radiolan complies with the essential requirements and any other applicable or enforceable provisions of Directive 1999/5/EC. Ελληνική [Greek] ΜΕ ΤΗΝ ΠΑΡ[...]

  • Page 399

    This device is a 2.4 GHz wideband transmission system (transceiver), intended for use in all EU member states and EFTA countries, except in France and Italy where restrictive use applies. In Italy the end-user should apply for a license at the natio[...]

  • Page 400

    • For product available in the USA market, only channel 1~11 can be operated. Selection of other channels is not possible. • This device and its antenna(s) must not be co-located or operation in conjunction with any other antenna or transmitte[...]

  • Page 401

    Cordless phone - Digital 30 feet / 9 meters Bluetooth devices 20 feet / 6 meters ZigBee 20 feet / 6 meters Household Appliance Recommended Minimum Distance (in feet and meters)[...]

  • Page 402

    Index Numerics 10BASE-T, 100BASE-T, and 1000BASE-T speeds 49 2.4-GHz wireless mode 106 20- and 40-MHz channel spacing 106 3322.org 45–47 64-bit and 128-bit WEP 116 6to4 tunnels configuring globally 41 DMZ, configuring for 94 LAN, configuring for 80 802.11b/bg/ng/n data rates and frequencies 387 802.11b/bg/ng/n modes 106 A AAA (authe[...]

  • Page 403

    autodetecting IPv4 Internet settings 29 autoinitiating VPN tunnels 230 autosensing port speed 49 B b mode, wireless 106 backing up configuration file 330 bandwidth capacity 314 bandwidth limits, logging dropped packets 340 bandwidth profiles creating 171–173 shifting traffic mix 320 b[...]

  • Page 404

    D Data Encryption Standard. See DES. data rates, 802.11b/bg/ng/n 387 database, local users 290 date and daylight saving time settings 334 troubleshooting settings 378 DC power plug receptacle 18 DDNS (Dynamic DNS), configuring 45–47 Dead Peer Detection (DPD) 223, 255 defaults con[...]

  • Page 405

    event logs 340 examples of firewall rules 155–162 exchange mode, IKE policies 218, 221 exposed hosts increasing traffic 319 specifying (rule example) 159 extended authentication (XAUTH) configuring 233–235 IKE policies 224 extended service set (ESS) 110 F factory default settin[...]

  • Page 406

    IPv6 DMZ-to-WAN rules 149 LAN-to-DMZ rules 154 LAN-to-WAN rules 141 order of precedence 134 overview 130 scheduling 178 settings 132–133 inbound traffic, bandwidth 172 increasing traffic overview 317–319 port forwarding 131 infrastructure mode 107 installation, verifying 50 instant[...]

  • Page 407

    IPv6 Internet connection manually configuring 39 setting up 26 IPv6 mode, configuring 36 IPv6 prefix length DMZ address 88 DMZ advertisements 94 DMZ DHCPv6 address pools 90 IPSec VPN policies 231 ISP address 40 LAN address 73 LAN advertisements 80 LAN DHCPv6 address pools 75 LAN prefix del[...]

  • Page 408

    login policies, user 299–304 login time-out changing 304, 320 default 21 logs, configuring 340 long preamble 123 looking up DNS address 364 losing wireless connection 119 M MAC addresses blocked, adding 179 configuring 35, 41, 49 format 49, 180 IP bindings 180–184 restrictin[...]

  • Page 409

    order of precedence, firewall rules 134 OTP (one-time passcode) 389–391 outbound rules default 127 examples 160–162 IPv4 DMZ-to-WAN rules 145 LAN-to-DMZ rules 152 LAN-to-WAN rules 137 IPv6 DMZ-to-WAN rules 146 LAN-to-DMZ rules 153 LAN-to-WAN rules 139 order of precedence 134 overvie[...]

  • Page 410

    power plug receptacle and Power On/Off switch 18 power specifications 385 PPP connection 260 PPPoE (PPP over Ethernet) description 13 settings 30, 33 PPTP (Point-to-Point Tunneling Protocol) settings 30, 32 preamble type 123 preference, router (IPv6) DMZ, configuring for 93 LAN, configur[...]

  • Page 411

    RFC 2865 235 RIP (Routing Information Protocol), configuring 97–99 roaming 110 Router Advertisement Daemon (RADVD) DMZ, configuring for 90 LAN, configuring for 77 router advertisements (RAs) and router lifetime (IPv6) DMZ, configuring for 92 LAN, configuring for 78 Routing Informa[...]

  • Page 412

    policies managing 276 settings 280 port forwarding configuring 267–269 description 261 portals accessing 282 configuring 262–266 options 260 resources, configuring 273–276 specifications 387 tunnel description 260 user account 296–298 user portal 283 stateful packet inspe[...]

  • Page 413

    WiKID-PAP and WiKID-CHAP 291 Type of Service (ToS), QoS profile 129 TZO.com 45–47 U UDP (User Datagram Protocol) 186 UDP flood, blocking 164 UDP time-out 167 unicast packets, IPv6 DMZ, configuring for 92 LAN, configuring for 78 Universal Plug and Play (UPnP), configuring 18[...]

  • Page 414

    DHCPv6 client, prefix delegation 38 WAN LEDs 17, 369 WAN ports 15 WAN traffic meter (or counter) 335 web component blocking 174 web management interface description 22 troubleshooting 369 weight 386 WEP (wired equivalent privacy) configuring 114–116 types of encryption 108 Wi-Fi[...]