ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual © 2008 by NETGEAR, Inc. All rights reserved. Trademarks NETGEAR and the NETGEAR logo are registered trademarks and ProSafe is a trademark of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
EU Regulatory Compliance Statement The ProSafe Wireless-N VPN Firewall is compliant with the following EU Council Directives: 89/336/EEC and LVD 73/23/EEC. Compliance is verified by testing to the following standards: EN55022 Class B, EN55024 and EN60950-1. Certification of the Manufacturer/Importer It is hereby certified that the ProSafe Wireless-N VPN Firewall has been suppressed in accordance with the conditions set out in BMPT-AmtsblVfg 243/1991 and Vfg 46/1992. The proper operation of some equipment (e.g.
OpenSSL Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met: 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 2.
PPP Copyright (c) 1989 Carnegie Mellon University. All rights reserved. Redistribution and use in source and binary forms are permitted provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that the software was developed by Carnegie Mellon University.
About This Manual The NETGEAR® ProSafe™ Wireless-N VPN Firewall Reference Manual describes how to configure and troubleshoot a ProSafe Wireless-N VPN Firewall. The information in this manual is intended for readers with intermediate computer and networking skills. Conventions, Formats, and Scope The conventions, formats, and scope of this manual are described in the following paragraphs: • Typographical Conventions.
Danger: This is a safety warning. Failure to take heed of this notice may result in personal injury or death. • Scope. This manual is written for the router according to these specifications: Product Version: ProSafe Wireless-N VPN Firewall. Manual Publication Date: July 2008. For more information about network, Internet, firewall, and VPN technologies, see the links to the NETGEAR website in Appendix B, “Related Documents.”
• Printing from PDF. Your computer must have the free Adobe Acrobat reader installed in order to view and print PDF files. The Acrobat reader is available on the Adobe Web site at http://www.adobe.com. – Printing a PDF Chapter. Use the PDF of This Chapter link at the top left of any page. • Click the PDF of This Chapter link at the top left of any page in the chapter you want to print.
Chapter 1 Introduction The SRXN3205 ProSafe Wireless-N VPN Firewall connects your wired local area network (LAN) and your wireless LAN clients to the Internet (Wide Area Network) through an external broadband access device such as a cable modem or DSL modem.
• “Front Panel Features”
• “Rear Panel Features”
• “Default IP Address, Login Name, and Password Location”
• “Qualified Web Browsers”
Key Firewall Features The VPN firewall portion provides the following key features: • A single 10/100/1000 Mbps Gigabit Ethernet WAN port for your Internet connection.
• Logs security events such as blocked incoming traffic, port scans, attacks, and administrator logins. You can configure the firewall to email the log to you at specified intervals. You can also configure the firewall to send immediate alert messages to your email address or email pager whenever a significant event occurs.
Advanced VPN Support for Both IPsec and SSL The VPN firewall supports IPsec and SSL virtual private network (VPN) connections. • IPsec VPN delivers full network access between a central office and branch offices, or between a central office and telecommuters. Remote access by telecommuters requires the installation of VPN client software on the remote computer.
The choice of band is reflected in the protocol standard supported, as well as in the administration screens displayed to you. For example, if you choose to enable the 2.4 GHz band, only 802.11b/g/n protocols are supported. In addition, in the administration screens, the configuration options for 802.11a/n protocols are greyed out. On the other hand, if you enable the 5 GHz band, the 802.11a/n protocols are supported and the 802.
• Configuration Backup. Configuration settings can be backed up to a file and restored. • Secure and Economical Operation. Adjustable power output allows more secure or economical operation. • Power over Ethernet. Power can be supplied to the SRXN3205 over the Ethernet port from any 802.3af compliant mid-span or end-span source. Please refer to the Appendix for a list of compliant Netgear PoE switches.
• VPN Wizard. The VPN firewall includes the NETGEAR VPN Wizard to easily configure IPsec VPN tunnels according to the recommendations of the Virtual Private Network Consortium (VPNC) to ensure the IPsec VPN tunnels are interoperable with other VPNC-compliant VPN firewalls and clients. • SNMP. The VPN firewall supports the Simple Network Management Protocol (SNMP) to let you monitor and manage log resources from an SNMP-compliant system manager.
• FSM7352PS - ProSafe 48 Port 10/100 L3 Managed Stackable Switch with 4 Gigabit Ports and 48 Port PoE
• GS724TP - ProSafe 24-Port GE PoE Smart Switch
• GS748TP - ProSafe 48-Port GE PoE Smart Switch
• WNDA3100 - RangeMax Dual Band Wireless-N USB 2.0 Adapter
• WN121T RangeMax NEXT Wireless-N USB 2.
• ProSafe Wireless-N VPN Firewall
• Rubber feet (4) with adhesive backing
• One AC-DC power adapter (12V, 1.5A) with cord (approximately 6 ft, or 183 cm)
• Three dual-band antennas (SMA connectors): 2 dipole (long); 1 patch (square)
• One straight-through Category 5 (Cat5) Ethernet cable.
• Installation Guide, SRXN3205 ProSafe Wireless-N VPN Firewall.
• Resource CD, including: – Application Notes and other helpful information.
1. Factory Defaults button. (5) Using a sharp object, press and hold this button for about ten seconds until the front panel TEST light flashes to reset the VPN firewall to factory default settings. All configuration settings will be lost and the default password will be restored. 2. LAN Ethernet ports. (6) Four switched N-way automatic speed negotiating, Auto MDI/MDIX, Gigabit Ethernet ports with RJ-45 connectors. 3. WAN Ethernet port.
Rear Panel Features The rear panel of the ProSafe Wireless-N VPN Firewall includes three SMA dual-band antenna connectors (2 dipole (long); 1 patch (square)) and an AC-DC power adapter jack. Figure 1-2. The SRXN3205 rear panel functions are described below: 1. Left, Middle, and Right Detachable (SMA) Antennas (1) The SRXN3205 provides three SMA connectors for the detachable antennas (two dipole and one patch).
Default IP Address, Login Name, and Password Location Check the label on the bottom of the SRXN3205’s enclosure if you need a reminder of the following factory default information: IP Address, User Name, Password. Figure 1-3. Qualified Web Browsers To configure the ProSafe Wireless-N VPN Firewall, an administrator must use Internet Explorer 5.1 or higher, Apple Safari 1.2 or higher, or Mozilla Firefox l.
Chapter 2 Connecting to the Internet (WAN) The initial Internet configuration of the SRXN3205 ProSafe Wireless-N VPN Firewall is described in this chapter.
5. Configure the WAN options (optional). Optionally, you can enable the WAN port to respond to a ping, and you can change the factory default MTU size and port speed. However, these are advanced features and changing them is not usually required. See “Configuring the Advanced WAN Options (Optional)” on page 2-14. Each of these tasks is detailed separately in this chapter.
The Web Configuration Manager appears, displaying the Router Status menu as the default. Figure 2-2. Navigating the Menus The Web Configuration Manager menus are organized in a layered structure of main categories and submenus: • Main menu. The horizontal orange bar near the top of the page is the main menu, containing the primary configuration categories. Clicking on a primary category changes the contents of the submenu bar.
• Submenu. The horizontal grey bar immediately below the main menu is the submenu, containing subcategories of the currently selected primary category. • Tab. Immediately below the submenu bar, at the top of the menu active window, are one or more tabs, further subdividing the currently selected subcategory if necessary. • Option arrow. To the right of the tabs on some menus are one or more blue dots with an arrow in the center.
Figure 2-3. 2. Click Auto Detect at the bottom of the menu. Auto Detect will probe the WAN port for a range of connection methods and suggest one that your ISP appears to support. a. If Auto Detect is successful, a status bar at the top of the menu will display the results. Figure 2-4.
b. If Auto Detect senses a connection method that requires input from you, it will prompt you for the information. All methods with the required settings are detailed in the following table. Table 2-1. Internet connection methods (Connection Method: Data Required):
• DHCP (Dynamic IP): No data is required.
• PPPoE: Login (Username, Password); Account Name, Domain Name (sometimes required).
The WAN Status window should show a valid IP address and gateway. If the configuration was not successful, skip ahead to “Manually Configuring the Internet Connection” following this section, or see “Troubleshooting the ISP Connection” on page 12-4. Note: If the configuration process was successful, you are connected to the Internet through the WAN port. 4.
3. If you clicked Yes, enter the ISP-provided Login and Password information. 4. In the ISP Type options, select the type of ISP connection you use from the three listed options. (By default, “Other (PPPoE)” is selected, as shown below.) Figure 2-7. (If your connection is PPPoE, PPTP or BigPond Cable, your ISP will require an initial login.) 5.
6. If your ISP is Austria Telecom or any other ISP that uses PPTP as a login protocol: a. Select Austria (PPTP). b. Configure the following fields: • Account Name (also known as Host Name or System Name). Enter the valid account name for the PPTP connection (usually your e-mail name as assigned by your ISP). Some ISPs require entering your full email address here. • Domain Name.
• IP Address. Enter the static IP address assigned to you, which identifies the firewall to your ISP. • Subnet Mask. Enter the mask provided by the ISP or your network administrator. • Gateway IP Address. Enter the IP address of the ISP’s gateway, provided by the ISP or your network administrator. 10. If your ISP has not assigned a static IP address, click Get dynamically from ISP. The text fields will be inactivated.
Configuring the WAN Mode To access the WAN Mode, click on Network Configuration > WAN Settings and select the WAN Mode tab. The WAN Mode page allows you to configure how your firewall uses the external Internet connection. This screen gives you two choices for accessing the external Internet connection. • Network Address Translation (NAT).
Configuring Dynamic DNS (Optional) Dynamic DNS (DDNS) is an Internet service that allows routers with varying public IP addresses to be located using Internet domain names. To use DDNS, you must set up an account with a DDNS provider such as DynDNS.org, TZO.com or Iego.net. Links to DynDNS, TZO and Iego are provided for your convenience as tabbed menus on the Dynamic DNS configuration screen.
To configure Dynamic DNS: 1. Select Network Configuration > Dynamic DNS from the main/submenu. The Dynamic DNS screen displays. Figure 2-11. The Current WAN Mode section reports the currently configured WAN mode. Only those options that match the configured WAN Mode will be accessible. 2. Select the Dynamic DNS Service you will use.
3. Access the Web site of one of the DDNS service providers and set up an account. Links to three DDNS providers are in the tab header. Figure 2-12. 4. After registering for your account, return to the Dynamic DNS menu and fill in the required fields for the DDNS service you selected: a. In the Host and Domain Name field, enter the entire FQDN name that your dynamic DNS service provider gave you (for example:
2. Click the Advanced link to the right of the tabs. The WAN Advanced Options tab is displayed. Figure 2-13. 3. Edit the default information you want to change. a. MTU Size. The normal MTU (Maximum Transmit Unit) value for most Ethernet networks is 1500 Bytes, or 1492 Bytes for PPPoE connections. For some ISPs, you may need to reduce the MTU.
The format for the MAC address is 01:23:45:67:89:AB (numbers 0-9 and either uppercase or lowercase letters A-F). If you select Use This MAC Address and then type in a MAC address, your entry will be overwritten. 4. Click Apply to save your changes. Additional WAN Related Configuration • If you want the ability to manage the firewall remotely, enable remote management at this time (see “Enabling Remote Management Access” on page 9-10).
Chapter 3 LAN Configuration This chapter describes how to configure the advanced LAN features of your ProSafe Wireless-N VPN Firewall.
and 192.168.1.100, although you may wish to save part of the range for devices with fixed addresses. The VPN Firewall will deliver the following parameters to any LAN device that requests DHCP: • An IP Address from the range you have defined. • Subnet Mask. • Gateway IP Address (the VPN Firewall’s LAN IP address). • Primary DNS Server (the VPN Firewall’s LAN IP address or a user-specified DNS server IP address in the LAN Setup menu).
Figure 3-1. 2. In the LAN TCP/IP Setup section, configure the following settings: • IP Address. The LAN address of your VPN Firewall (factory default: 192.168.1.1). Note: If you change the LAN IP address of the firewall while connected through the browser, you will be disconnected. You must then open a new connection to the new IP address and log in again. For example, if you change the default IP address 192.168.1.1 to 10.0.0.
• If another device on your network will be the DHCP server, or if you will manually configure all devices, click Disable DHCP Server. If the DHCP server is enabled, enter the following parameters: • Domain Name. (Optional) The DHCP server will assign the entered domain to its DHCP clients. • Starting IP Address. Specifies the first of the contiguous addresses in the IP address pool.
Managing Groups and Hosts (LAN Groups) The Known PCs and Devices table in the LAN Groups menu contains a list of all known PCs and network devices that are assigned dynamic IP addresses by the VPN Firewall, or have been discovered by other means. Collectively, these entries make up the LAN Groups Database. The LAN Groups Database is updated by these methods: • DHCP Client Requests.
• A computer is identified by its MAC address—not its IP address. Hence, changing a computer’s IP address does not affect any restrictions applied to that PC. Viewing the LAN Groups Database To view the LAN Groups Database, follow these steps: 1. Select Network Configuration > LAN Settings from the main/sub-menu. The LAN Setup tab displays. 2. Click the LAN Groups tab. The LAN Groups tab displays.
• Group. Each PC or device can be assigned to a single group. By default, a computer is assigned to Group 1, unless a different group is chosen from the Group pull-down menu. • Action. Allows modification of the selected entry by clicking Edit. Adding Devices to the LAN Groups Database To add devices manually to the LAN Groups Database, follow these steps: 1. In the Add Known PCs and Devices section, make the following entries: • Name.
Changing Group Names in the LAN Groups Database By default, the LAN Groups are named Group1 through Group8. You can rename these groups to be more descriptive, such as Engineering or Marketing. To edit the names of any of the eight available groups: 1. From the LAN Groups tab, click the Edit Group Names link to the right of the tabs. The Network Database Group Names tab appears. Figure 3-3. 2.
Configuring DHCP Address Reservation If you specify a reserved IP address for a computer (or device) on the LAN, based on the MAC address of the device, that computer (or device) will receive the same IP address each time it accesses the VPN Firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access points that require permanent IP address settings.
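As an added illustration (not the manual's or NETGEAR's own code), the following Python models the LAN DHCP settings described in this chapter: the MAC address format given in the WAN options section, the 192.168.1.x dynamic pool, and per-MAC reservations keyed the way the LAN Groups Database keys devices, with the checks an administrator would want before committing a reservation. The DhcpConfig class, its method names and the sample values are assumptions made for this example.

```python
import ipaddress
import re

# The manual gives the MAC format as 01:23:45:67:89:AB (digits 0-9 and
# letters A-F in upper or lower case): six colon-separated hex pairs.
MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Validate a MAC address in the manual's format and return it upper-cased,
    so that the same device is always keyed the same way in the database."""
    if not MAC_RE.match(mac):
        raise ValueError(f"invalid MAC address format: {mac!r}")
    return mac.upper()


class DhcpConfig:
    """LAN DHCP settings: firewall LAN address and mask, the dynamic pool and
    per-MAC reservations (hypothetical helper, not the firewall's own code)."""

    def __init__(self, lan_ip, subnet_mask, pool_start, pool_end):
        self.network = ipaddress.ip_network(f"{lan_ip}/{subnet_mask}", strict=False)
        self.lan_ip = ipaddress.ip_address(lan_ip)
        self.pool_start = ipaddress.ip_address(pool_start)
        self.pool_end = ipaddress.ip_address(pool_end)
        if self.pool_start not in self.network or self.pool_end not in self.network:
            raise ValueError("DHCP pool must lie inside the LAN subnet")
        if self.pool_start > self.pool_end:
            raise ValueError("pool start must not be above pool end")
        self.reservations = {}  # normalized MAC -> IPv4Address

    def reserve(self, mac, ip):
        """Reserve a fixed address for a device, keyed by its MAC as the LAN
        Groups Database does. Returns the normalized MAC. Rejects addresses
        outside the subnet, the firewall's own address, the network and
        broadcast addresses, and addresses already reserved for another MAC."""
        mac = normalize_mac(mac)
        addr = ipaddress.ip_address(ip)
        if addr not in self.network:
            raise ValueError(f"{ip} is not in LAN subnet {self.network}")
        if addr == self.lan_ip:
            raise ValueError(f"{ip} is the firewall's own LAN address")
        if addr in (self.network.network_address, self.network.broadcast_address):
            raise ValueError(f"{ip} is the network or broadcast address")
        for other_mac, other_addr in self.reservations.items():
            if other_addr == addr and other_mac != mac:
                raise ValueError(f"{ip} is already reserved for {other_mac}")
        self.reservations[mac] = addr
        return mac

    def lease_for(self, mac):
        """Address a requesting client would get: its reservation if one exists,
        otherwise the first pool address not held by a reservation."""
        mac = normalize_mac(mac)
        if mac in self.reservations:
            return str(self.reservations[mac])
        reserved = set(self.reservations.values())
        addr = self.pool_start
        while addr <= self.pool_end:
            if addr not in reserved:
                return str(addr)
            addr += 1
        raise RuntimeError("DHCP pool exhausted")


def reservation_error(cfg, mac, ip):
    """Return the validation message for a rejected reservation, or None."""
    try:
        cfg.reserve(mac, ip)
    except ValueError as exc:
        return str(exc)
    return None


if __name__ == "__main__":
    # Constructed sample: factory LAN address 192.168.1.1/24 with a pool of
    # 192.168.1.2-192.168.1.100 (the range the LAN setup section describes).
    cfg = DhcpConfig("192.168.1.1", "255.255.255.0", "192.168.1.2", "192.168.1.100")
    print(cfg.reserve("01:23:45:67:89:ab", "192.168.1.50"))
    print(cfg.lease_for("01:23:45:67:89:AB"))
    print(reservation_error(cfg, "AA:BB:CC:DD:EE:FF", "192.168.1.50"))
```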
Configuring Multi Home LAN IP Addresses If you have computers on your LAN using different IP address ranges (for example, 172.16.2.0 or 10.0.0.0), you can add “aliases” to the LAN port, giving computers on those networks access to the Internet through the VPN Firewall. This allows the VPN Firewall to act as a gateway to additional logical subnets on your LAN. You can assign the VPN Firewall an IP address on each additional logical subnet.
4. Click Add. The new Secondary LAN IP address will appear in the Available Secondary LAN IPs table. Note: IP addresses on these secondary subnets cannot be configured in the DHCP server. The hosts on the secondary subnets must be manually configured with IP addresses, gateway IP addresses, and DNS server IP addresses.
2. Click Add and the Add Static Route tab is displayed. Figure 3-6. 3. Enter a route name for this static route in the Route Name field (for identification and management). 4. Select Active to make this route effective. 5. Select Private if you want to limit access to the LAN only. The static route will not be advertised in RIP. 6. Enter the Destination IP Address to the host or network where the route leads. 7.
Configuring Routing Information Protocol (RIP) RIP (Routing Information Protocol, RFC 2453) is an Interior Gateway Protocol (IGP) that is commonly used in internal networks (LANs). It allows a router to exchange its routing information automatically with other routers, and allows it to dynamically adjust its routing tables and adapt to changes in the network. RIP is disabled by default. To configure RIP parameters: 1.
• In Only. The VPN Firewall accepts RIP information from other routers, but does not broadcast its routing table. • Out Only. The VPN Firewall broadcasts its routing table periodically but does not accept RIP information from other routers. • Both. The VPN Firewall broadcasts its routing table and also processes RIP information received from other routers. 4.
Chapter 4 Wireless Configuration This chapter describes how to set up your ProSafe Wireless-N VPN Firewall SRXN3205 for wireless connectivity to your LAN. This basic configuration will enable computers with 802.11b/g/n or 802.11a/n wireless adapters to do such things as connect to the Internet, or access printers and files on your LAN. Note: Indoors, computers can connect over 802.11b/g/n or 802.
Wireless Equipment Placement and Range Guidelines The operating distance or range of your wireless connection can vary significantly based on the physical placement of the VPN Firewall. The latency, data throughput performance, and notebook power consumption of wireless adapters also vary depending on your configuration choices.
Figure 4-1. There are several ways you can enhance the security of your wireless network: • Restrict Access Based on MAC address. You can restrict access to only trusted PCs so that unknown PCs cannot wirelessly connect to the SRXN3205. MAC address filtering adds an obstacle against unwanted access to your network, but the data broadcast over the wireless link is fully exposed.
Basic Wireless Setup (No Security) Configuring Basic Wireless Setup (No Security) To configure the SRXN3205 for basic wireless access, follow these simple steps: 1. Connect to the SRXN3205 by opening your browser and entering http://192.168.1.1 in the address field. The SRXN3205 login screen will appear. 2. Enter admin for the user name and password for the password, both in lower case letters as shown in Figure 4-2. Figure 4-2. 3. Click Login.
• You will automatically be logged out of the VPN Firewall after 5 minutes of no activity. Figure 4-3. 4. Select Network Configuration from the main menu (orange menu bar). Figure 4-4. 5. Select Wireless Settings in the submenu (gray menu bar below the orange menu bar).
The default Wireless Settings screen displays as shown in Figure 4-6. Use this screen to set up your wireless connectivity requirements. Figure 4-5. 6. Click Enable Wireless Access Point on the right side of the screen. 7. If you want your SSID (network name) broadcast, leave the default setting as is. If you disable Allow Broadcast of Name (SSID), only devices that have the correct SSID can connect.
8. Type your network name in the Name (SSID) field on the upper left side of the screen. 9. From the Region pull-down menu, select the region where the SRXN3205 will be used (the default Region is North America). Note: If your country or region is not listed, please check with Netgear Support. 10. Select your wireless Mode setting from the pull-down menu or accept the default (11ng) setting. The selections are 802.
Completing Wireless Setup (No Security) The purpose of configuring your wireless settings in stages, without the security settings, is to eliminate any possible errors in your basic wireless settings before adding the more complicated security settings. This method will greatly aid you in discovering where the errors in your security settings are by removing doubts about your wireless settings. Configuring 802.
– b only – All 802.11b wireless stations can be used. (The 802.11g wireless stations can still be used if they can operate in 802.11b mode.) Note: If you select this option and if other settings on this screen are disabled, then you must select the Turn Radio On radio button to enable available options on this screen. – g only – All 802.11g wireless stations can be used. – 11ng – All 11b, 11g, and 11ng wireless stations can be used.
• 40 MHz - This is the static, high-throughput mode. Legacy clients will not be able to connect in this mode. 3. Click Apply to save your 802.11b/g/n wireless settings. Configuring 802.11a/n Wireless Settings To configure the 802.11a/n wireless settings of your VPN Firewall: 1. From the main menu, select Network Configuration and then Wireless Settings. The Wireless Settings screen of your VPN Firewall will display, as shown in Figure 4-7 below.
The Auto option intelligently picks a channel and frequency with the least interference. The wireless channel in use will be between 1 and 11 for the US and Canada, and between 1 and 13 for Europe and Australia. If you select Auto for channel and frequency, then the only available Channel Width is Dynamic 20/40MHz. It is not necessary to change the wireless channel unless you experience interference (shown by lost connections and/or slow data transfers).
2. Use the default user name of admin and default password of password, or use a new LAN address and password if you have set them up. 3. Select Network Configuration > Wireless Settings from the main/submenu. 4. In the Wireless Settings, ensure that Auto (the default) is set for the Channel feature. This feature selects a channel that has the least interference.
Wireless Security Types and Settings Configure the Wireless Security Types based on the level of security you need using one of the following methods, and print out the form provided to aid you in making your selections: • Print out the “SSID and WEP/WPA Settings Setup Form” on page 4-14. • To configure WEP encryption for Open Systems or Shared Key, see “Configuring WEP” on page 4-16. • To configure WPA-PSK, see “Configuring WPA-PSK” on page 4-18.
SSID and WEP/WPA Settings Setup Form 802.11b/g/n Configuration For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set it up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step.
802.11a/n Configuration For a new wireless network, print or copy this form and fill in the configuration parameters. For an existing wireless network, the person who set it up or is responsible for the network will be able to provide this information. Be sure to set the Regulatory Domain correctly as the first step. • SSID: The Service Set Identification (SSID) is the identity or name of the wireless local area network.
Configuring WEP To configure WEP data encryption in the Wireless Settings menu: 1. Click the WEP radio button on the left to enable WEP data encryption. When you select WEP data encryption, only the feature selections for WEP are made active on screen, while the other options and features remain grayed out. 2. In the Authentication drop-down menu, choose Automatic, Open System, or Shared Key authentication. 3.
Figure 4-8. 6. Note: If you use a wireless computer to configure WEP settings, you will be disconnected when you click Apply. Reconfigure your wireless adapter to match the new settings or access the VPN Firewall from a wired computer to make any further changes.
Configuring WPA-PSK

Not all wireless adapters support WPA. Furthermore, WPA client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 or later include client software that supports WPA. Nevertheless, the wireless adapter hardware and driver must also support WPA. Consult the product documentation for your wireless adapter and WPA client software for instructions on configuring WPA settings.
Configuring WPA2-PSK

Not all wireless adapters support WPA2. Furthermore, WPA2 client software is required on the client. Ensure that your client card supports WPA2. Consult the product documentation for your wireless adapter and WPA2 client software for instructions on configuring WPA2 settings.
Figure 4-10
To configure WPA2-PSK in the Wireless Settings menu:
1. Click the WPA2 radio button on the left to enable WPA2 data encryption.
Configuring WPA-PSK and WPA2-PSK

Not all wireless adapters support WPA and WPA2. Client software is required on the client:
• Windows XP and Windows 2000 with Service Pack 3 or later include client software that supports WPA. The wireless adapter hardware and driver must also support WPA.
• Service Pack 3 does not include client software that supports WPA2. Make sure your client card supports WPA2.
4. In the PSK Settings section, enter a Passphrase (Network Key) of 8 to 63 characters in the text box.
5. Enter a value for Key Lifetime in minutes.
6. Click Apply to save your settings.

Configuring WPA with RADIUS

Not all wireless adapters support WPA. Furthermore, WPA client software is required on the client. Windows XP and Windows 2000 with Service Pack 3 or later include client software that supports WPA.
Configuring WPA2 with RADIUS

Not all wireless adapters support WPA2. Furthermore, WPA2 client software is required on the client. Make sure your client card supports WPA2. Consult the product documentation for your wireless adapter and WPA2 client software for instructions on configuring WPA2 settings.
Figure 4-12
To configure WPA2 with RADIUS in the Wireless Settings menu:
1. Click the WPA2 radio button on the left to enable WPA2 data encryption.
5. Click Apply to save your settings.

Configuring WPA and WPA2 with RADIUS

Not all wireless adapters support WPA and WPA2. Client software is required on the client:
• Windows XP and Windows 2000 with Service Pack 3 or later include client software that supports WPA. The wireless adapter hardware and driver must also support WPA.
• Service Pack 3 does not include client software that supports WPA2.
• The Server Name, IP Address, RADIUS Port (number), and Shared Key are required for communication with the RADIUS Server.
  – Server Name. The
  – IP Address. The IP address of the RADIUS Server. The default is 0.0.0.0.
  – RADIUS Port. The port number of the RADIUS Server. The default is 1812.
  – Shared Key. This key is shared between the VPN firewall and the RADIUS Server while authenticating the supplicant (wireless client).
5.
Verifying Wireless Connectivity (Security)

Using a client PC with an 802.11b/g/n or 802.11a/n wireless adapter that has the correct wireless and security settings for connecting to the SRXN3205 (SSID, WEP/WPA, MAC ACL, etc.), verify connectivity by using a browser such as Mozilla Firefox, Netscape, or Internet Explorer to browse the Internet, or check for file and printer access on your network.
4. Connect Ethernet cable(s) from the LAN ports on your VPN Firewall to a LAN port on your router, switch, or hub.
Note: By default, the SRXN3205 is set with the DHCP client enabled. If your network uses dynamic IP addresses, you must change this setting. To connect to the SRXN3205 after the DHCP server on your network assigns it a new IP address, enter the VPN Firewall name into your Web browser.
Advanced Wireless Settings

Configuring Advanced Wireless Settings

The Advanced screen of the Wireless Settings menu is used to configure and enable various wireless LAN parameters for all of the 802.11a/n and 802.11b/g/n modes. The default wireless LAN parameters usually work well. However, you can use these settings to fine-tune the overall performance of your wireless settings for your environment.
4. Enter the appropriate information in the fields described below:
• RTS Threshold (256 - 2346): Request to Send Threshold. The packet size used to determine whether the CSMA/CD (Carrier Sense Multiple Access with Collision Detection) mechanism or the CSMA/CA mechanism is used for packet transmission.
2. Click Setup Access List to the right of the screen. The Access Control List tab and Available Wireless Stations tab appear on screen, with the Access Control List tab selected.
Figure 4-16
3. Click the Yes radio button in the ACL Enable section to turn on the Access Control List feature. The Trusted Wireless Stations table will show any wireless stations you enter.
6. Click the Add button to the right when you have finished typing. Now only devices on this list will be allowed to connect wirelessly to the SRXN3205.
7. Repeat these steps for each additional device you want to add to the list.
8. To delete an existing entry, click the check box to the left of the entry and then click the Delete button.
9. To view the clients currently connected, click the Available Wireless Stations tab.
Chapter 5
Firewall Security and Content Filtering

This chapter describes how to set up your firewall and use the content filtering features of the SRXN3205 VPN firewall to protect your network.
A firewall incorporates the functions of a NAT (Network Address Translation) router, while adding features for dealing with a hacker intrusion or attack and for controlling the types of traffic that can flow between the two networks. Unlike simple Internet-sharing NAT routers, a firewall uses a process called stateful packet inspection to protect your network from attacks and intrusions.
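To make the stateful packet inspection mentioned above concrete, here is a minimal connection tracker. It is an added example written for this page, not NETGEAR's firmware or any code from the manual: outbound flows from the LAN are recorded, an inbound packet is admitted only when it matches a recorded flow with the addresses reversed, and any other packet arriving from the WAN side is dropped. The Packet structure, the addresses and the traffic sequence are all constructed for the demo; a production tracker would also age entries out and follow the TCP handshake more closely.

```python
"""Minimal stateful packet inspection (added example, not NETGEAR code)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    direction: str    # "out" = LAN -> WAN, "in" = WAN -> LAN
    syn: bool = False  # TCP SYN flag; ignored for UDP


class StatefulFirewall:
    """Tracks flows initiated from the LAN and admits inbound traffic only
    when it belongs to one of them."""

    def __init__(self):
        # key: (proto, lan_ip, lan_port, wan_ip, wan_port)
        self.table = set()

    def filter(self, pkt):
        if pkt.direction == "out":
            key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            # UDP has no handshake, so the first datagram opens the flow;
            # a TCP flow is opened by its SYN, after which later segments match.
            if pkt.proto == "udp" or pkt.syn or key in self.table:
                self.table.add(key)
                return "ALLOW"
            return "DROP"   # TCP segment without a tracked connection
        # inbound: look for the same flow with the endpoints swapped
        key = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return "ALLOW" if key in self.table else "DROP"


def run_demo():
    """Constructed traffic: a LAN web client, a DNS lookup, and two
    unsolicited inbound packets that a plain NAT router would not refuse."""
    fw = StatefulFirewall()
    lan, web, dns = "192.168.1.20", "203.0.113.10", "203.0.113.53"
    return [
        fw.filter(Packet("tcp", lan, 51000, web, 80, "out", syn=True)),   # ALLOW
        fw.filter(Packet("tcp", web, 80, lan, 51000, "in")),             # ALLOW (reply)
        fw.filter(Packet("tcp", web, 80, lan, 51001, "in")),             # DROP (wrong port)
        fw.filter(Packet("udp", lan, 53000, dns, 53, "out")),            # ALLOW
        fw.filter(Packet("udp", dns, 53, lan, 53000, "in")),             # ALLOW (reply)
        fw.filter(Packet("tcp", "198.51.100.7", 4444, lan, 22, "in")),   # DROP (unsolicited)
    ]


if __name__ == "__main__":
    print(run_demo())
```

The difference from a pure NAT device is the last three entries: without a flow table, an inbound packet addressed to a forwarded port is simply delivered, whereas here only replies to LAN-initiated traffic get through.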
• Quality of Service (QoS) priorities. Each service has its own native priority, which affects its quality of performance and tolerance for jitter or delays. You can change this QoS priority if desired to change the traffic mix through the system (see “Setting Quality of Service (QoS) Priorities” on page 5-19).

Outbound Rules (Service Blocking)

The SRXN3205 allows you to block the use of certain Internet services by PCs on your network.
Table 5-1. Outbound Rules (continued)
Item: LAN users
Description: These settings determine which computers on your network are affected by this rule. Select the desired option:
• Any – All PCs and devices on your LAN.
• Single address – Enter the required address, and the rule will be applied to that particular PC.
• Address range – If this option is selected, you must enter the start and finish fields.
• If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP address may change periodically as the DHCP lease expires. Consider using Dynamic DNS (under Network Configuration) so that external users can always find your network (see “Configuring Dynamic DNS (Optional)” on page 2-11).
• If the IP address of the local server PC is assigned by DHCP, it may change when the PC is rebooted.
Table 5-2. Inbound Rules (continued)
Item: WAN Users
Description: These settings determine which Internet locations are covered by the rule, based on their IP addresses. Select the desired option:
• Any – All Internet IP addresses are covered by this rule.
• Single address – Enter the required address in the start field.
• Address range – If this option is selected, you must enter the start and end fields.
Figure 5-1

Order of Precedence for Rules

As you define new rules, they are added to the tables in the Rules menu as the last item in the list, as shown in Figure 5-1. For any traffic attempting to pass through the firewall, the packet information is subjected to the rules in the order shown in the Rules Table, beginning at the top and proceeding to the bottom, before the default rule is applied.
To change the Default Outbound Policy, follow these steps:
1. Click the LAN WAN Rules tab, shown in Figure 5-1.
2. Change the Default Outbound Policy by choosing Block Always from the drop-down menu.
3. Click Apply.

Creating a LAN WAN Outbound Services Rule

An outbound rule will block or allow the selected application from an internal LAN IP address to an external WAN IP address according to the schedule created in the Schedule menu.
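The rule-table fields from Tables 5-1 and 5-2 (service, LAN users, WAN users, action), the top-to-bottom order of precedence and the Default Outbound Policy fit together as a small first-match evaluator. The following is an added example written for this page, not the firewall's own rule engine: a rule table is walked from the top, the first rule whose selectors all match decides, and only when nothing matches does the default policy (Block Always or Allow Always) apply. The rule names, addresses and port ranges are constructed; the address selector syntax ("any", a single IP, or "start-end") is an assumption made for the example.

```python
"""First-match rule evaluation with a default policy (added example, not NETGEAR code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    name: str
    action: str          # "ALLOW" or "BLOCK"
    proto: str           # "tcp", "udp", or "any"
    ports: tuple         # (first, last) destination port range of the service
    lan_users: str       # "any", a single IP, or "start-end" (example syntax)
    wan_users: str = "any"


def _addr_matches(selector, ip):
    """Match an address against the Any / Single address / Address range selector."""
    if selector == "any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in selector:
        lo, hi = (ipaddress.ip_address(p) for p in selector.split("-"))
        return lo <= addr <= hi
    return addr == ipaddress.ip_address(selector)


def _rule_matches(rule, proto, lan_ip, wan_ip, dst_port):
    return ((rule.proto == "any" or rule.proto == proto)
            and rule.ports[0] <= dst_port <= rule.ports[1]
            and _addr_matches(rule.lan_users, lan_ip)
            and _addr_matches(rule.wan_users, wan_ip))


def evaluate(rules, default_policy, proto, lan_ip, wan_ip, dst_port):
    """Walk the table top to bottom; the first matching rule decides,
    otherwise the default policy applies. Returns (action, rule name)."""
    for rule in rules:
        if _rule_matches(rule, proto, lan_ip, wan_ip, dst_port):
            return rule.action, rule.name
    return default_policy, "default"


# Constructed outbound table. Order matters: the IRC block sits above the
# finance allow rule so finance hosts cannot reach IRC either.
OUTBOUND_RULES = [
    Rule("block-irc-all", "BLOCK", "tcp", (6660, 6669), "any"),
    Rule("allow-web-finance", "ALLOW", "tcp", (80, 80), "192.168.1.50-192.168.1.59"),
    Rule("allow-dns", "ALLOW", "udp", (53, 53), "any"),
]


def decide(lan_ip, wan_ip, proto, dst_port, default_policy="BLOCK"):
    """Outbound verdict for one packet under OUTBOUND_RULES."""
    return evaluate(OUTBOUND_RULES, default_policy, proto, lan_ip, wan_ip, dst_port)


def precedence_demo():
    """The same two rules in opposite order give opposite verdicts for the
    same IRC connection from a finance host."""
    allow_finance = Rule("allow-finance-any-tcp", "ALLOW", "tcp", (1, 65535), "192.168.1.50-192.168.1.59")
    block_irc = Rule("block-irc-all", "BLOCK", "tcp", (6660, 6669), "any")
    args = ("tcp", "192.168.1.55", "203.0.113.9", 6667)
    first, _ = evaluate([allow_finance, block_irc], "BLOCK", *args)
    second, _ = evaluate([block_irc, allow_finance], "BLOCK", *args)
    return first, second   # ("ALLOW", "BLOCK")


if __name__ == "__main__":
    print(decide("192.168.1.55", "203.0.113.9", "tcp", 80))
    print(precedence_demo())
```

With the default set to Block Always, a host outside the finance range gets no web access at all, which is why the manual recommends reviewing the default policy before adding allow rules.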
3. Click Apply to save your changes and reset the fields on this screen. The new rule will be listed in the Outbound Services table.

Creating a LAN WAN Inbound Services Rule

The Inbound Services Rules table lists all existing rules for inbound traffic. If you have not defined any rules, no rules will be listed. By default, all inbound traffic is blocked. Remember that allowing inbound services opens holes in your firewall.
1. In the Action column adjacent to the rule, do the following:
• Click Edit to make changes to the definition of an existing rule. The Outbound Service screen is displayed, containing the data for the selected rule.
• Click Up to move the rule up one position in the table rank.
• Click Down to move the rule down one position in the table rank.
2.
see that no application is listening at that port, and (3) reply with an ICMP Destination Unreachable packet. When the victimized system is flooded, it is forced to send many ICMP packets, eventually making it unreachable by other clients. The attacker may also spoof the source IP address of the UDP packets, ensuring that the excessive ICMP return packets do not reach the attacker, thus making the attacker’s network location anonymous.
Figure 5-4
3. Select the Attack Checks you wish to initiate.
4. Click Apply to save your settings.

Inbound Rules Examples

LAN WAN Inbound Rule: Hosting a Local Public Web Server

If you host a public Web server on your local network, you can define a rule to allow inbound Web (HTTP) requests from any outside IP address to the IP address of your Web server at any time of day.
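The UDP flood described above has a property that matters for detection: because the sources are spoofed, counting packets per source address sees nothing unusual, so an Attack Check of this kind has to count per destination. The following detector is an added example, not the firewall's own attack-check logic. It runs over constructed firewall log records of the form (timestamp, protocol, source IP, destination IP, destination port), keeps a sliding one-second window per destination, and raises one alert the first time a LAN host receives more UDP datagrams in a window than the threshold allows. The threshold and window are assumptions chosen for the demo.

```python
"""Destination-keyed UDP flood detection over log records (added example, not NETGEAR code)."""
from collections import defaultdict, deque

THRESHOLD = 50   # UDP datagrams per destination per window (assumed value)
WINDOW = 1.0     # seconds (assumed value)


def detect_udp_flood(records, threshold=THRESHOLD, window=WINDOW):
    """records: time-ordered iterable of (ts, proto, src_ip, dst_ip, dst_port).
    Keyed on the destination, since spoofed sources spread a flood across
    many addresses. Returns {dst_ip: timestamp of first alert}."""
    recent = defaultdict(deque)
    alerts = {}
    for ts, proto, src, dst, dport in records:
        if proto != "udp":
            continue
        q = recent[dst]
        q.append(ts)
        while q and ts - q[0] > window:   # drop datagrams older than the window
            q.popleft()
        if len(q) > threshold and dst not in alerts:
            alerts[dst] = ts
    return alerts


def sample_records():
    """Constructed log: ordinary DNS chatter from one LAN host, plus 120
    datagrams from 120 different (spoofed) sources at 192.168.1.30 inside
    one second, each to a different closed port."""
    recs = []
    for i in range(20):
        recs.append((100.0 + i * 0.5, "udp", "192.168.1.20", "203.0.113.53", 53))
    for i in range(120):
        recs.append((105.0 + i * 0.005, "udp", f"198.51.100.{i % 250 + 1}",
                     "192.168.1.30", 1024 + i))
    recs.sort(key=lambda r: r[0])
    return recs


if __name__ == "__main__":
    print(detect_udp_flood(sample_records()))
```

The DNS traffic never exceeds three datagrams in any one-second window and stays silent, while the flooded host is flagged at the 51st datagram even though no single source sent more than one packet.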
Figure 5-5

LAN WAN Inbound Rule: Allowing Videoconference from Restricted Addresses

If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule. In the example shown in Figure 5-6, CU-SeeMe connections are allowed to a local host only from a specified range of external IP addresses.
Figure 5-6

LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping

If you arrange with your ISP to have more than one public IP address for your use, you can map the additional public IP addresses to servers on your LAN. One of these public IP addresses will be used as the primary IP address of the firewall. This address will be used to provide Internet access to your LAN PCs through NAT.
– LAN IP address: 192.168.1.11
– Port number for Web service: 8080
Figure 5-7
To test the connection from a PC on the WAN side, type http://10.1.0.5. The home page of the Web server should appear.

LAN WAN Inbound Rule: Specifying an Exposed Host

Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined.
Outbound Rules Example

Outbound rules let you prevent users from using applications such as Instant Messenger, Real Audio, or other non-essential services.
Figure 5-8

Adding Customized Services

Services are functions performed by server computers at the request of client computers. For example, Web servers serve Web pages, time servers serve time and date information, and game hosts serve data about other players’ moves. When a computer on the Internet sends a request for service to a server computer, the requested service is identified by a service or port number.
To add a custom service:
1. Select Security > Services from the main/submenu. The Services screen displays.
Figure 5-9
2. In the Add Custom Services section, enter a descriptive name for the service (this name is for your convenience).
3. Select the Layer 3 transport protocol of the service: TCP, UDP, or ICMP.
4. Enter the first TCP or UDP port of the range that the service uses.
5. Enter the last port of the range that the service uses.
Setting Quality of Service (QoS) Priorities

The Quality of Service (QoS) Priorities setting determines the priority of a service, which in turn determines the quality of that service for the traffic passing through the firewall. The user can change this priority:
• On the Services screen, in the Custom Services Table for customized services (see Figure 5-9) [Security > Services].
Setting Schedules to Block or Allow Traffic

If you enabled Content Filtering in the Block Sites menu, or if you defined an outbound or inbound rule to use a schedule, you can set up a schedule for when blocking occurs or when access is restricted. The firewall allows you to specify when blocking will be enforced by configuring one of the Schedules—Schedule 1, Schedule 2, or Schedule 3.
Setting Block Sites (Content Filtering)

To restrict internal LAN users from accessing certain sites on the Internet, you can use the VPN firewall’s Content Filtering and Web Components filtering. By default, these features are disabled; all requested traffic from any Web site is allowed. If you enable one or more of these features and users try to access a blocked site, they will see a “Blocked by NETGEAR” message.
Figure 5-11
2. Select Yes to enable Content Filtering.
3. Click Apply to activate the menu controls.
4. Select any Web Components you wish to block: Proxy, Java, ActiveX, or Cookies.
5. Select the groups to which Keyword Blocking will apply, then click Enable to activate Keyword Blocking (or Disable to deactivate it).
6. Enter your list of blocked keywords or domain names in the Blocked Keyword fields and click Add after each entry. The keyword or domain name will be added to the Blocked Keywords table.
Enabling Source MAC Filtering (Address Filter)

In the Address Filter submenu, the Source MAC Filter tab allows you to block traffic coming from certain known machines or devices.
• By default, the source MAC address filter is disabled. Traffic received from any MAC address is allowed.
Figure 5-12
4. Enter your list of source MAC addresses to be blocked in the MAC Address field in the form 01:23:45:67:89:AB, using colon-separated hexadecimal characters (0-9, A-F).
5. Click the Add icon. The MAC address is added to the MAC Addresses table, where it will be blocked.
6. Click Apply to save your settings.
To remove an entry from the table, select the MAC address entry and click Delete.
The Source MAC Filter screen displays by default, with the IP/MAC Binding tab shown.
2. Click the IP/MAC Binding tab to view the options available.
3. Click the Yes radio button to enable Source MAC Filtering.
IP/MAC Bind Table
This table lists the currently defined IP/MAC Bind rules:
– Name: Displays the user-defined name for this rule.
– MAC Addresses: Displays the MAC addresses for this rule.
Figure 5-13
Example: Three computers are on the LAN with the following setup:
Host1 -- MAC address 00:01:02:03:04:05 & IP address 192.168.10.10
Host2 -- MAC address 00:01:02:03:04:06 & IP address 192.168.10.11
Host3 -- MAC address 00:01:02:03:04:07 & IP address 192.168.10.12
All of the above host entries are added to the IP/MAC Binding table.
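The following checker shows what an IP/MAC binding table lets a defender verify, using the three hosts from the example above as the bindings. It is an added example written for this page, not the firewall's own implementation. It normalizes MAC addresses into the colon-separated form the MAC Address field expects (accepting dashes or no separators on input), then audits a list of observed (source MAC, source IP) pairs: a pair that matches its binding is reported OK, a bound MAC seen with a different IP or a bound IP seen from a different MAC is reported as a violation naming the expected value, and a pair with neither side in the table is reported as unbound. The observed pairs are constructed for the demo.

```python
"""IP/MAC binding audit with MAC normalization (added example, not NETGEAR code)."""
import re


def normalize_mac(mac):
    """Return the colon-separated upper-case form (01:23:45:67:89:AB) for input
    written with colons, dashes, dots or no separators; raise on anything else."""
    hexdigits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", hexdigits):
        raise ValueError(f"invalid MAC address: {mac!r}")
    hexdigits = hexdigits.upper()
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_valid_mac(mac):
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


# The manual's three example hosts, as the binding table: name -> (MAC, IP).
BINDINGS = {
    "Host1": ("00:01:02:03:04:05", "192.168.10.10"),
    "Host2": ("00:01:02:03:04:06", "192.168.10.11"),
    "Host3": ("00:01:02:03:04:07", "192.168.10.12"),
}


def build_index(bindings):
    by_mac = {normalize_mac(m): ip for m, ip in bindings.values()}
    by_ip = {ip: normalize_mac(m) for m, ip in bindings.values()}
    return by_mac, by_ip


def check_frame(src_mac, src_ip, by_mac, by_ip):
    """'OK' when the pair matches a binding, 'UNBOUND' when neither side is
    in the table, otherwise a violation string naming the expected value."""
    mac = normalize_mac(src_mac)
    if mac in by_mac:
        expected_ip = by_mac[mac]
        if expected_ip == src_ip:
            return "OK"
        return f"MAC {mac} bound to {expected_ip}, saw {src_ip}"
    if src_ip in by_ip:
        return f"IP {src_ip} bound to {by_ip[src_ip]}, saw {mac}"
    return "UNBOUND"


def audit(observations, bindings=BINDINGS):
    """Return [(mac, ip, verdict)] for each observed (mac, ip) pair."""
    by_mac, by_ip = build_index(bindings)
    return [(m, ip, check_frame(m, ip, by_mac, by_ip)) for m, ip in observations]


OBSERVED = [  # constructed (source MAC, source IP) pairs seen on the LAN
    ("00:01:02:03:04:05", "192.168.10.10"),   # Host1, consistent
    ("00-01-02-03-04-06", "192.168.10.99"),   # Host2's MAC with a different IP
    ("00:0a:0b:0c:0d:0e", "192.168.10.12"),   # unknown MAC using Host3's IP
    ("00:0a:0b:0c:0d:0f", "192.168.10.200"),  # neither side bound
]

if __name__ == "__main__":
    for row in audit(OBSERVED):
        print(row)
```

Indexing both directions is the point: checking only MAC-to-IP would miss the third case, where an unlisted adapter presents a protected host's address.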
Enabling Port Triggering

Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using this feature requires the port numbers used by the application. Once configured, port triggering operates as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2.
The Port Triggering screen is displayed.
Figure 5-14
2. Enter a user-defined name for this rule in the Name field.
3. From the Enable pull-down menu, indicate whether the rule is enabled or disabled.
4. From the Protocol pull-down menu, choose either the TCP or UDP transport protocol.
5. In the Outgoing (Trigger) Port Range fields:
  a. Enter the Start Port of the range (1 - 65534).
  b. Enter the End Port of the range (1 - 65534).
6.
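The port-triggering behaviour described in the two passages above (an outgoing connection on a trigger port opens an incoming port range for that LAN host) is a small state machine. This is an added example written for this page, not the firewall's code: each rule has a name, protocol, enable flag, an outgoing (trigger) range and an incoming range; an outbound connection from a LAN host that hits an enabled rule's trigger range records an opening for that host, and inbound traffic is admitted only to a host with a live opening, only on that rule's incoming range, and only until the opening times out. The rule values, the hosts and the timeout are constructed for the demo; the manual does not state how long the firewall keeps a trigger open.

```python
"""Port triggering state machine (added example, not NETGEAR code)."""
from dataclasses import dataclass


@dataclass
class TriggerRule:
    name: str
    proto: str              # "tcp" or "udp"
    trigger_ports: tuple    # outgoing (start, end) that arms the rule
    incoming_ports: tuple   # inbound (start, end) opened once armed
    enabled: bool = True


class PortTrigger:
    def __init__(self, rules, timeout=300.0):
        self.rules = rules
        self.timeout = timeout          # seconds an opening stays live (assumed)
        self.open = {}                  # (lan_ip, rule name) -> expiry time

    def outbound(self, now, lan_ip, proto, dst_port):
        """A LAN host connecting out on a trigger port arms the rule for
        that host only. Returns the rule name, or None if nothing matched."""
        for r in self.rules:
            if (r.enabled and r.proto == proto
                    and r.trigger_ports[0] <= dst_port <= r.trigger_ports[1]):
                self.open[(lan_ip, r.name)] = now + self.timeout
                return r.name
        return None

    def inbound(self, now, lan_ip, proto, dst_port):
        """Inbound traffic is admitted only to a host whose rule is still
        armed, and only on that rule's incoming range."""
        for r in self.rules:
            key = (lan_ip, r.name)
            expiry = self.open.get(key)
            if expiry is None:
                continue
            if now > expiry:                # opening has aged out
                del self.open[key]
                continue
            if r.proto == proto and r.incoming_ports[0] <= dst_port <= r.incoming_ports[1]:
                return "ALLOW"
        return "DROP"


# Constructed rule: outgoing UDP 27000-27010 opens inbound UDP 28000-28100.
RULES = [TriggerRule("game-voice", "udp", (27000, 27010), (28000, 28100))]


def demo():
    pt = PortTrigger(RULES, timeout=60.0)
    host, other = "192.168.1.40", "192.168.1.41"
    return [
        pt.inbound(0.0, host, "udp", 28050),    # not armed yet -> DROP
        pt.outbound(1.0, host, "udp", 27005),   # arms the rule -> "game-voice"
        pt.inbound(2.0, host, "udp", 28050),    # in range, armed -> ALLOW
        pt.inbound(2.0, host, "udp", 29000),    # outside incoming range -> DROP
        pt.inbound(2.0, other, "udp", 28050),   # other host never triggered -> DROP
        pt.inbound(70.0, host, "udp", 28050),   # opening expired -> DROP
    ]


if __name__ == "__main__":
    print(demo())
```

The last two entries are what makes triggering safer than a static inbound rule: the opening is tied to the host that asked for it and disappears on its own.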
Bandwidth Profile

A Bandwidth Profile sets limits on the bandwidth of the Internet link and determines the limits on the data traffic sent to or received from your host. Bandwidth Limiting, by placing limits on outgoing and incoming traffic, prevents LAN users from consuming all the bandwidth of the Internet link.
2. To add a Bandwidth Profile to the table, click the Add button. The Add Bandwidth Profile screen displays.
3. Type a value in each parameter text box to create a new bandwidth profile:
• Profile Name: Specify an easily identifiable name for the profile.
• Minimum Bandwidth: Specify the minimum bandwidth value in Kbps for the profile.
• Maximum Bandwidth: Specify the maximum bandwidth value in Kbps for the profile.
2. To enable the UPnP feature, click the Yes radio button, or click No to disable it.
– No is the default; the VPN firewall will not automatically configure devices.
– Selecting Yes activates the two text boxes to the right.
3. Fill in the two text boxes to the right.
– Advertisement Period: Type in the text box how often (in minutes) you want the firewall to broadcast its UPnP information to all devices within range.
E-Mail Notifications of Event Logs and Alerts

The Firewall Logs can be configured to log and then e-mail denial-of-access events, general attack information, and other information to a specified e-mail address.
Chapter 6
Virtual Private Networking Using IPsec

This chapter describes how to use the IPsec virtual private networking (VPN) features of the ProSafe Wireless-N VPN Firewall to provide secure, encrypted communications between your local network and a remote network or computer.
Creating a VPN Tunnel to a Gateway

You can configure multiple gateway VPN tunnel policies through the VPN Wizard. You can also set up multiple remote VPN client policies through the VPN Wizard. A remote client policy can support up to 200 clients.
To set up a gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPsec VPN from the main/submenu.
2. Click the VPN Wizard tab. The VPN Wizard screen displays.
Figure 6-1
1.
2. Create a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN endpoint; it is used to help you manage the VPN settings.
3. Enter a Pre-shared Key. The key must be entered both here and on the remote VPN gateway or the remote VPN client. This key should be a minimum of 8 characters and should not exceed 49 characters. This method does not require using a CA (Certificate Authority).
4.
Figure 6-2
You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen is displayed. Then view or edit the parameters of the new policy by clicking Edit in the Action column adjacent to the policy. The Edit IKE Policy screen will display.
Figure 6-3

Creating a VPN Tunnel Connection to a VPN Client

You can set up multiple remote VPN Client policies through the VPN Wizard by changing the default End Point Information settings created for each policy by the wizard. A remote client policy can support up to 200 clients. The remote clients must configure the “Local Identity” field in the policy as “PolicyName.fvs_remote.com”, where X stands for a number from 1 to 25.
Figure 6-4
2. Select VPN Client as your VPN tunnel connection. The wizard needs to know whether you are planning to connect to a remote gateway or setting up the connection for a remote client PC to establish a secure connection to this device.
3. Create a Connection Name. Enter an appropriate name for the connection. This name is not supplied to the remote VPN client; it is used to help you manage the VPN settings.
4.
Alternatively, you can provide the Internet name of the gateway. The Internet name is the Fully Qualified Domain Name (FQDN); for example, vpn.netgear.com.
7. Enter the Local WAN IP Address or Internet name. Both the local and remote ends should be defined as either IP addresses or Internet Names (FQDN). A combination of an IP address and an Internet Name is not permitted.
8. Click Apply.
Figure 6-6
2. You can also view the status of your IKE Policies by clicking the IKE Policies tab. The IKE Policies screen displays.
Figure 6-7
3. To see the detailed settings of the IKE Policy, click the Edit button next to the policy. The Edit IKE Policy tab is displayed.
Figure 6-8
Managing VPN Tunnel Policies

After you use the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name you selected as the VPN tunnel connection name during Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies, or add new VPN and IKE policies directly in the policy tables.
About the IKE Policy Table

When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and populated in the List of IKE Policies and is given the same name as the new VPN connection name. You can also edit existing policies or add new IKE policies directly on the List of IKE Policies. Each policy contains the following data:
• Policy Name. Uniquely identifies each IKE policy.
– Diffie-Hellman (DH) Group. This method is used when exchanging keys. The DH group sets the number of bits. The VPN Wizard default setting is Group 2. (This setting must match the remote VPN.)
– SA-Lifetime (sec)
– Enable Dead Peer Detection; if yes:
  – Detection Period
  – Reconnect after failure count
Extended Authentication.
1. Traffic covered by a policy will automatically be sent via a VPN tunnel.
2. When traffic is covered by two or more policies, the first matching policy will be used. (In this situation, the order of the policies is important. However, if you have only one policy for each remote VPN endpoint, then the policy order is not important.)
3. The VPN tunnel is created according to the parameters in the SA (Security Association).
4.
VPN tunnel activity. The Active IPsec SAs table also lists current data for each active IPsec SA (Security Association):
• Policy Name. The name of the VPN policy associated with this SA.
• Endpoint. The IP address of the remote VPN endpoint.
• Tx (KBytes). The amount of data transmitted over this SA.
• Tx (Packets). The number of packets transmitted over this SA.
• State. The current state of the SA.
5. Check either the WAN1 or WAN2 radio button to select the WAN interface for the tunnel.
6. Enter the remote WAN’s IP Address or Internet Name, and then enter the local WAN’s IP Address or Internet Name. In this example, we are using their FQDNs. (Both the local and remote addresses must be of the same type—either both must be FQDNs or both must be IP addresses.)
7. Click Apply to create the “home” VPN Client.
The value entered under Domain Name will be of the form “PolicyNameXY.fvg_remote.com”, where each user must use a different variation on the Domain Name entered here. PolicyName is the policy name used in the SRXN3205 configuration; in this example, it is “home”. X and Y are an arbitrary pair of numbers chosen for each user. Note: X may not be zero! In this example, we have entered home11.fvg_remote.com.
Manually Assigning IP Addresses to Remote Users (ModeConfig)

To simplify the process of connecting remote VPN clients to the SRXN3205, the ModeConfig module can be used to assign IP addresses to remote users, including a network access IP address, subnet mask, and name server addresses, from the firewall. Remote users are given IP addresses available in the secured network space, so that remote users appear as seamless extensions of the network.
3. Click the Mode Config tab. The Mode Config tab is displayed.
Figure 6-9
4. Click Add. The Add Mode Config Record screen is displayed.
Figure 6-10
5. Enter a descriptive Record Name, such as “Sales”.
6. Assign at least one range of IP Pool addresses in the First IP Pool field to give to remote VPN clients.
Note: The IP Pool should not be within your local network IP addresses. Use a different range of private IP addresses, such as 172.20.xx.xx.
7. If you have a WINS Server on your local network, enter its IP address.
8. Enter one or two DNS Server IP addresses to be used by remote VPN clients.
9.
a. Enter a descriptive name in the Policy Name field, such as “salesperson”. This name will be used as part of the remote identifier in the VPN client configuration.
b. Set Direction/Type to Responder.
c. The Exchange Mode will automatically be set to Aggressive.
5. For Local information:
a. Select Fully Qualified Domain Name for the Local Identity Type.
b.
Configuring the ProSafe VPN Client for ModeConfig

From a client PC running NETGEAR ProSafe VPN Client software, configure the remote VPN client connection.
To configure the client PC:
1. Right-click the VPN client icon in the Windows toolbar. In the upper left of the Policy Editor window, click the New Policy editor icon.
a. Give the connection a descriptive name, such as “modecfg_test”. (This name will only be used internally.)
b.
a. Under Security Policy, Phase 1 Negotiation Mode, check the Aggressive Mode radio button.
b. Check the Enable Perfect Forward Secrecy (PFS) radio button, and choose Diffie-Hellman Group 2 from the PFS Key Group pull-down menu.
c. Enable Replay Detection should be checked.
4. Click Authentication (Phase 1) on the left side of the menu and choose Proposal 1. Enter the Authentication values to match those in the firewall ModeConfig Record menu.
• IPsec Host. If you want authentication by the remote gateway, enter a User Name and Password to be associated with this IKE policy. If this option is chosen, the remote gateway must specify the user name and password used for authenticating this gateway.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH will first check the local User Database for the user credentials.
5. In the Extended Authentication section, choose the Authentication Type from the pull-down menu which will be used to verify user account information. Select:
• Edge Device to use this firewall as a VPN concentrator where one or more gateway tunnels terminate. When this option is chosen, you will need to specify the authentication type to be used in verifying credentials of the remote VPN gateways.
1. Select VPN > IPsec VPN from the main/submenu.
2. Click the RADIUS Client tab. The RADIUS Client screen displays.
Figure 6-12
3. To activate (enable) the Primary RADIUS server, click the Yes radio button. The primary server options become active.
4. Configure the following entries:
• Primary RADIUS Server IP address. The IP address of the RADIUS server.
• Secret Phrase.
The SRXN3205 acts as a NAS (Network Access Server), allowing network access to external users after verifying their authentication information. In a RADIUS transaction, the NAS must provide some NAS Identifier information to the RADIUS Server. Depending on the configuration of the RADIUS Server, the SRXN3205’s IP address may be sufficient as an identifier, or the server may require a name, which you would enter here.
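Both RADIUS configurations in this manual, the wireless WPA/WPA2 RADIUS settings (Server IP, port 1812, Shared Key) and the IPsec RADIUS Client (Server IP, Secret Phrase, NAS Identifier), rely on the same RFC 2865 exchange, and the following shows what the shared key actually does in it. This is an added example written for this page, not NETGEAR's firmware and not a complete RADIUS client: it builds an Access-Request carrying User-Name, User-Password, NAS-IP-Address and NAS-Identifier, hides the PAP password with MD5 keyed by the shared secret and the Request Authenticator, and checks a server reply's Response Authenticator so a reply computed with a different key is rejected. The secret, user name, password, NAS name and addresses are constructed values; a fixed Request Authenticator is used only so the demo is reproducible (a real client draws it from os.urandom, as the default argument does).

```python
"""RADIUS Access-Request and reply check per RFC 2865 (added example, not NETGEAR code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS, ATTR_NAS_IDENTIFIER = 1, 2, 4, 32
HEADER = struct.Struct("!BBH")   # Code, Identifier, Length; a 16-byte Authenticator follows


def attr(atype, value):
    """One attribute TLV: Type, Length (including this 2-byte header), Value."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", atype, len(value) + 2) + value


def hide_password(secret, request_authenticator, password):
    """RFC 2865 section 5.2: pad the password to 16-byte blocks and XOR each
    block with MD5(secret + previous ciphertext block); the first block is
    keyed with the Request Authenticator. Without the shared key the
    password cannot be read off the wire."""
    pwd = password.encode()
    if not 0 < len(pwd) <= 128:
        raise ValueError("password must be 1 to 128 bytes")
    pwd += b"\x00" * (-len(pwd) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(pwd), 16):
        block = bytes(p ^ b for p, b in zip(pwd[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += block
        prev = block
    return out


def reveal_password(secret, request_authenticator, hidden):
    """The server-side inverse of hide_password."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += bytes(c ^ b for c, b in zip(block, hashlib.md5(secret + prev).digest()))
        prev = block
    return out.rstrip(b"\x00").decode()


def build_access_request(secret, identifier, username, password, nas_identifier, nas_ip,
                         request_authenticator=None):
    """What the NAS sends. NAS-Identifier carries the name some servers
    require in addition to the NAS IP address. Returns (packet, authenticator)."""
    ra = request_authenticator or os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, username.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(secret, ra, password))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_NAS_IDENTIFIER, nas_identifier.encode()))
    return HEADER.pack(ACCESS_REQUEST, identifier, 20 + len(attrs)) + ra + attrs, ra


def response_authenticator(secret, request_authenticator, code, identifier, attrs):
    """MD5(Code + Identifier + Length + RequestAuthenticator + Attributes + Secret)."""
    return hashlib.md5(HEADER.pack(code, identifier, 20 + len(attrs))
                       + request_authenticator + attrs + secret).digest()


def build_reply(secret, request_authenticator, code, identifier, attrs=b""):
    """What a server holding the same shared key sends back."""
    return (HEADER.pack(code, identifier, 20 + len(attrs))
            + response_authenticator(secret, request_authenticator, code, identifier, attrs)
            + attrs)


def verify_reply(secret, request_authenticator, packet):
    """The NAS accepts a reply only if its authenticator was computed with the
    same shared key over the authenticator of the request it answers."""
    if len(packet) < 20:
        return False
    code, identifier, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(secret, request_authenticator, code, identifier, packet[20:])
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet):
    """Return {type: value} for the attributes after the 20-byte header."""
    attrs, pos = {}, 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        attrs[atype] = packet[pos + 2:pos + alen]
        pos += alen
    return attrs


if __name__ == "__main__":
    secret, ra = b"constructed-shared-key", bytes(range(16))   # constructed demo values
    req, ra = build_access_request(secret, 7, "alice", "wifi-pass-1", "srxn3205", "192.168.1.1", ra)
    print(parse_attributes(req))
    print(verify_reply(secret, ra, build_reply(secret, ra, ACCESS_ACCEPT, 7)))
```

Two things follow for the settings in the manual: the Shared Key or Secret Phrase must be identical on both ends or every reply fails verification, and because the hiding scheme is MD5-based and the attributes are otherwise unauthenticated, the path between the firewall and the RADIUS server should itself be a trusted segment.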
Chapter 7
Virtual Private Networking Using SSL

The SRXN3205 ProSafe Wireless-N VPN Firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a pre-installed VPN client on their computers.
browser provides authentication and encryption, establishing a secure connection to the firewall. Upon successful connection, an ActiveX-based SSL VPN client is downloaded to the remote PC that will allow the remote user to virtually join the corporate network. The SSL VPN Client provides a PPP (point-to-point) connection between the client and the firewall, and a virtual network interface is created on the user’s PC.
When you define the SSL VPN policies that determine network resource access for your SSL VPN users, you can define global policies, group policies, or individual policies. Because you must assign an authentication domain when creating a group, the group is created after you have created the domain.
4. Create one or more SSL VPN user accounts.
Portal Layouts are applied by selecting from the available portal layouts in the configuration of a Domain. When you have completed your Portal Layout, you can apply it to one or more authentication domains (see XREF to apply a Portal Layout to a Domain). You can also make the new portal the default portal for the SSL VPN gateway by selecting the default radio button adjacent to the portal layout name.
Figure 7-2
3. In the Portal Layout and Theme Name section of the menu, configure the following entries:
a. Enter a descriptive name for the portal layout in the Portal Layout Name field. This name will be part of the path of the SSL VPN portal URL.
Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.