ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Reference Manual

350 East Plumeria Drive, San Jose, CA 95134 USA
July 2012
202-10836-04 v1.
© 2011–2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.

Technical Support

Thank you for choosing NETGEAR.
(continued)
• IPv6 firewall rules (see Configure LAN WAN Rules, Configure DMZ WAN Rules, Configure LAN DMZ Rules, and Examples of Firewall Rules)
• IPv6 attack checks (see Attack Checks)
• IPv6/MAC bindings (see Set Up IP/MAC Bindings)
• Simplified wireless settings submenus for easier configuration (see Chapter 4, Wireless Configuration and Security)
• IPSec VPN IPv6 address support (see Chapter 6, Virtual Private Networking Using IPSec and L2TP Conne
Contents

Chapter 1 Introduction
What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? 10
Key Features and Capabilities 11
Wireless Features 11
Advanced VPN Support for Both IPSec and SSL 12
A Powerful, True Firewall 12
Security Features
Configure Stateless IP/ICMP Translation 49
Configure Advanced WAN Options and Other Tasks 50
Additional WAN-Related Configuration Tasks 53
Verify the Connection 53
What to Do Next
Configure Advanced Radio Settings 125
Test Basic Wireless Connectivity 127

Chapter 5 Firewall Protection
About Firewall Protection 128
Administrator Tips
View the Wireless VPN Firewall IPSec VPN Log 221
Manage IPSec VPN Policies 222
Manage IKE Policies 222
Manage VPN Policies 230
Configure Extended Authentication (XAUTH)
Configure User Accounts 303
Set User Login Policies 306
Change Passwords and Other User Settings 311
Manage Digital Certificates for VPN Connections 313
VPN Certificates Screen
Power LED Not On 379
Test LED Never Turns Off 379
LAN or WAN Port LEDs Not On 380
Troubleshoot the Web Management Interface 380
When You Enter a URL or IP Address, a Time-Out Error Occurs
1. Introduction

This chapter provides an overview of the features and capabilities of the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N and explains how to log in to the device and use its web management interface.
The wireless VPN firewall provides advanced IPSec and SSL VPN technologies with support for up to 12 IPSec VPN tunnels and 5 SSL VPN tunnels, as well as L2TP support for easy and secure remote connections. The use of Gigabit Ethernet WAN and LAN ports ensures high data transfer speeds.
• Hidden mode. The SSID is not broadcast in beacon frames, so only clients that are configured with the correct SSID find and connect to the network. Hiding the SSID is an obscurity measure, not an access control: the SSID is still sent in clear text in probe and association frames, so it does not replace the wireless security settings described in Chapter 4.
• Secure and economical operation. Adjustable power output lets you reduce the radio's reach (limiting where the signal can be received) or save power.
Security Features

The wireless VPN firewall is equipped with several features designed to maintain security:
• Computers hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Unsolicited requests originating from outside the LAN match no translation entry and are discarded, which prevents users outside the LAN from finding and directly accessing the computers on the LAN. NAT by itself is not an access control, however; the stateful firewall rules (see Chapter 5, Firewall Protection) decide which inbound traffic is permitted.
• Port forwarding with NAT.
• Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies configuration of computers on your local network.
• DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall provides its own address as the DNS server to the attached computers. The firewall obtains the actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
• PPP over Ethernet (PPPoE).
Maintenance and Support

NETGEAR offers the following features to help you maximize your use of the wireless VPN firewall:
• Flash memory for firmware upgrades.
• Technical support seven days a week, 24 hours a day. Information about support is available on the NETGEAR website at http://support.netgear.com/app/answers/detail/a_id/212.
The front panel also contains three groups of status indicator light-emitting diodes (LEDs): the Power and Test LEDs, the LAN LEDs, and the WAN LEDs, all of which are explained in detail in the following table. Some LED explanation is provided on the front panel.

Figure 1. Front panel LEDs: Power LED, Test LED, Wireless LED, DMZ LED, Active WAN LED, left WAN LED (green) and right WAN LED, left LAN LEDs (green, one for each port) and right LAN LEDs (one for each port).
Table 1. LED descriptions (continued)
• LAN LED (link and activity), Off. The LAN port has no link.
• LAN LED (link and activity), On (green). The LAN port has detected a link with a connected Ethernet device.
• LAN LED (link and activity), Blinking (green). Data is being transmitted or received by the LAN port.
• LAN LED (speed), Off. The LAN port is operating at 10 Mbps.
• LAN LED (speed), On (amber). The LAN port is operating at 100 Mbps.
• LAN LED (speed), On (green). The LAN port is operating at 1000 Mbps.
• DMZ LED, Off. Port 8 is operating as a normal LAN port.
Rear Panel

The rear panel of the wireless VPN firewall includes the antennas, a cable lock receptacle, a console port, a Reset button, a DC power connection, and a power switch.

Figure 2. Rear panel: (1) and (7) antennas, (2) security lock receptacle, (3) console port, (4) factory default Reset button, (5) DC power receptacle, (6) power switch.

Viewed from left to right, the rear panel contains the following components:
1. Dipole antenna.
2.
Bottom Panel with Product Label

The product label on the bottom of the wireless VPN firewall's enclosure displays factory default settings, regulatory compliance, and other information.

Figure 3.

Choose a Location for the Wireless VPN Firewall

The wireless VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack.
Log In to the Wireless VPN Firewall

Note: To connect the wireless VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Guide. A PDF of this guide is on the NETGEAR support website at http://support.netgear.com/app/products/model/a_id/19435.
Figure 4.
3. In the User Name field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here, too, use lowercase letters. These are the factory default credentials and are public knowledge; change the administrator password as soon as you have logged in (see Change Passwords and Administrator and Guest Settings on page 329), and certainly before you enable remote management.
Note: The wireless VPN firewall user name and password are not the same as any user name or password you might use to log in to your Internet connection.
Note: Leave the domain as it is (geardomain).
5. Click Login. The web management interface displays, showing the Router Status screen.
Figure 5.

Web Management Interface Menu Layout

The following figure shows the menu at the top of the web management interface.

Figure 6. Menu layout: 1st level, main navigation menu link (orange); 2nd level, configuration menu link (gray); 3rd level, submenu tab (blue); IP radio buttons; option arrows, which open an additional screen for a submenu item.

The web management interface menu consists of the following components:
• 1st level: Main navigation menu links.
• 2nd level: Configuration menu links. The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.
• 3rd level: Submenu tabs. Each configuration menu item has one or more submenu tabs that are listed below the gray menu bar.
Any of the following table buttons might display onscreen:
• Select All. Select all entries in the table.
• Delete. Delete the selected entry or entries from the table.
• Enable. Enable the selected entry or entries in the table.
• Disable. Disable the selected entry or entries in the table.
• Add. Add an entry to the table.
• Edit. Edit the selected entry.
• Up. Move the selected entry up in the table.
• Down.
2. IPv4 and IPv6 Internet and Broadband Settings

This chapter explains how to configure the Internet and WAN settings.
3. (Optional) Configure Dynamic DNS on the WAN port. If required, configure your fully qualified domain names. See Configure Dynamic DNS on page 35.
4. (Optional) Configure the WAN options. If required, change the factory default MTU size, port speed, and MAC address of the wireless VPN firewall. See Configure Advanced WAN Options and Other Tasks on page 50. These are advanced features, and you usually do not need to change the settings.
Configure the IPv4 WAN Mode

By default, IPv4 is supported and functions in NAT mode, but it can also function in classical routing mode. IPv4 functions the same way in IPv4-only mode as it does in IPv4 / IPv6 mode; the latter mode adds IPv6 functionality (see Configure the IPv6 Routing Mode on page 38).

Network Address Translation

Network Address Translation (NAT) allows all computers on your LAN to share a single public Internet IP address.
Figure 9.
2. Select the NAT radio button or the Classical Routing radio button.
WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings. Record the inbound rules you rely on before changing the mode, and re-create and verify them afterwards.
3. Click Apply to save your settings.

Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection

To automatically configure the WAN port for an IPv4 connection to the Internet:
1.
Figure 10.
2. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests the one that your ISP is most likely to support. The autodetect process returns one of the following results:
• If the autodetect process is successful, a status bar at the top of the screen displays the results (for example, DHCP service detected).
Table 2. IPv4 Internet connection methods (connection method; manual data input required)
• DHCP (Dynamic IP). No manual data input is required.
The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection on page 31, or see Troubleshoot the ISP Connection on page 382.
Note: For more information about the Connection Status screen, see View the WAN Port Status on page 367.
Figure 13.
5. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table:

Table 3. PPTP and PPPoE settings
• Austria (PPTP). If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button, and enter the following settings:
  - Account Name. Note: For login and password information, see Step 2 and Step 3.
• Other (PPPoE). If you have installed login software, then your connection type is PPPoE. Select this radio button, and enter the following settings:
  - Account Name. The valid account name for the PPPoE connection. Note: For login and password information, see Step 2 and Step 3.
  - Domain Name. The name of your ISP's domain, or your domain name if your ISP has assigned one.
Table 4. Internet IP address settings
• Get Dynamically from ISP. If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the wireless VPN firewall using the DHCP protocol.
8. Click Apply to save your changes.
9. Click Test to evaluate your entries. The wireless VPN firewall attempts to make a connection according to the settings that you entered.
10. To verify the connection, click the Broadband Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a PPPoE configuration; the IP addresses are not related to any other examples in this manual.)
After you have configured your account information on the wireless VPN firewall, whenever your ISP-assigned IP address changes, the wireless VPN firewall automatically contacts your DDNS service provider, logs in to your account, and registers your new IP address.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the DDNS service does not work because private addresses are not routed on the Internet. The same applies to carrier-grade NAT addresses in 100.64.0.0/10 (RFC 6598): the registered name would point at an address that nothing outside the ISP's network can reach, and inbound firewall rules and VPN tunnels that depend on reaching the WAN port fail for the same reason.
4. Access the website of the DDNS service provider, and register for an account (for example, for DynDNS.org, go to http://www.dyndns.com/).
5. Configure the DDNS service settings as explained in the following table:

Table 6. DDNS service settings
• Change DNS to (DynDNS, TZO, …). Select the Yes radio button to enable the DDNS service. The fields that display on the screen depend on the DDNS service provider that you have selected.
• Isolated IPv6 network. If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you need to make sure that the IPv6 packets can travel over the IPv4 Internet backbone; you do this by enabling automatic 6to4 tunneling (see Configure 6to4 Automatic Tunneling on page 46).
• Mixed network with IPv4 and IPv6 devices.
Figure 18.
2. Select the IPv4 / IPv6 mode radio button. By default, the IPv4 only mode radio button is selected, and IPv6 is disabled.
WARNING: Changing the IP routing mode causes the wireless VPN firewall to reboot.
3. Click Apply to save your changes.
• Stateful address autoconfiguration. The wireless VPN firewall obtains an interface address, configuration information such as DNS server information, and other parameters from a DHCPv6 server. The IP address is a dynamic address.

To automatically configure the WAN port for an IPv6 connection to the Internet:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings.
2. In the upper right of the screen, select the IPv6 radio button.
5. As an optional step: If you have selected the Stateless Address Auto Configuration radio button, you can select the Prefix Delegation check box:
• Prefix Delegation check box is selected. A prefix is assigned by the ISP's stateful DHCPv6 server through prefix delegation, for example, 2001:db8::/64. The wireless VPN firewall's own stateless DHCPv6 server can assign this prefix to its IPv6 LAN clients.
Figure 21.
3. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6.
4. In the Static IP Address section of the screen, enter the settings as explained in the following table. You should have received static IPv6 address information from your IPv6 ISP:

Table 7. Broadband ISP Settings screen settings for a static IPv6 address
• IPv6 Address. The IP address that your ISP assigned to you.
5. Click Apply to save your changes.
6. To verify the connection, click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration; the IP addresses are not related to any other examples in this manual.)
Figure 22.
The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet.
Figure 23.
3. In the Internet Address section of the screen, from the IPv6 drop-down list, select PPPoE.
4. In the PPPoE IPv6 section of the screen, enter the settings as explained in the following table. You should have received PPPoE IPv6 information from your ISP:

Table 8. Broadband ISP Settings screen settings for a PPPoE IPv6 connection
• User Name. The PPPoE user name that is provided by your ISP.
Table 8. Broadband ISP Settings screen settings for a PPPoE IPv6 connection (continued)
• DHCPv6 Option. From the DHCPv6 Option drop-down list, select one of the following DHCPv6 server options, as directed by your ISP:
  - Disable-DHCPv6. DHCPv6 is disabled, so the wireless VPN firewall receives no DNS server information from the ISP; you need to specify the DNS servers yourself in the Primary DNS Server and Secondary DNS Server fields.
  - DHCPv6 StatelessMode.
Configure 6to4 Automatic Tunneling

If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you need to make sure that the IPv6 packets can travel over the IPv4 Internet backbone by enabling automatic 6to4 tunneling. 6to4 is a WAN tunnel mechanism for automatic tunneling of IPv6 traffic between a device with an IPv6 address and a device with an IPv4 address, or the other way around. Because 6to4 derives the site's IPv6 prefix (2002::/16 followed by the 32-bit IPv4 address) from the address of the WAN port, it requires a public IPv4 address on the WAN port; behind an ISP NAT or carrier-grade NAT the derived prefix is not reachable from the Internet.
2. Select the Enable Automatic Tunneling check box.
3. Click Apply to save your changes.

Configure ISATAP Automatic Tunneling

If your network is an IPv4 network or an IPv6 network that consists of both IPv4 and IPv6 devices, you need to make sure that the IPv6 packets can travel over the IPv4 intranet by enabling and configuring Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling.
Figure 25.
2. Click the Add table button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays:
Figure 26.
3. Specify the tunnel settings as explained in the following table.

Table 9. Add ISATAP Tunnel screen settings
• ISATAP Subnet Prefix. The IPv6 prefix for the tunnel.
• Local End Point Address. From the drop-down list, select the type of local address:
  - LAN.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more tunnels:
1. On the ISATAP Tunnels screen, select the check box to the left of each tunnel that you want to delete, or click the Select All table button to select all tunnels.
2. Click the Delete table button.
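Both tunnel types above derive IPv6 addresses mechanically from IPv4 endpoints, and that derivation is where misconfiguration usually shows up. The following is an added example in Python (not NETGEAR code, and not a description of the firewall's internals) that works through both mechanisms: the 2002::/48 prefix a 6to4 router owns for a given WAN address and the reverse lookup it uses to pick the outer IPv4 destination (RFC 3056); the ISATAP interface identifier ::0:5efe:w.x.y.z, or ::200:5efe:w.x.y.z when the embedded IPv4 address is public (RFC 5214); and the IPv6 MTU left inside either tunnel once the 20-byte IPv4 header is added. All addresses and MTU values are constructed inputs, and the list of non-routable IPv4 ranges is this example's own simplification of "globally unique".

```python
"""Address derivation for the two IPv6-over-IPv4 tunnel types the firewall
offers: 6to4 (RFC 3056) and ISATAP (RFC 5214).

Added as a worked example; this is not NETGEAR code. All addresses below are
constructed sample inputs.
"""
import ipaddress
from typing import Optional

IPV6_MIN_MTU = 1280        # RFC 8200 minimum link MTU
IPV4_HEADER_LEN = 20       # both tunnel types add one IPv4 header per packet
SIXTO4 = ipaddress.IPv6Network("2002::/16")

# Not usable as a 6to4 endpoint, and gives u=0 in an ISATAP interface ID:
# RFC 1918, CGNAT (RFC 6598), loopback, link-local, "this" network,
# multicast and reserved space. The RFC 5737 documentation ranges are left
# out deliberately so that the sample "public" address below passes.
_NOT_GLOBAL = [ipaddress.IPv4Network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4")]


def is_global_ipv4(ipv4: str) -> bool:
    addr = ipaddress.IPv4Address(ipv4)
    return not any(addr in net for net in _NOT_GLOBAL)


def sixto4_prefix(wan_ipv4: str) -> str:
    """The /48 a 6to4 router owns: 2002:WWXX:YYZZ::/48 for WAN address W.X.Y.Z.

    Only a public WAN address works; behind a NAT or CGNAT the derived prefix
    is unreachable from the Internet, so refuse to derive one.
    """
    if not is_global_ipv4(wan_ipv4):
        raise ValueError(f"{wan_ipv4} is not globally routable; 6to4 cannot use it")
    p = ipaddress.IPv4Address(wan_ipv4).packed
    hi, lo = int.from_bytes(p[:2], "big"), int.from_bytes(p[2:], "big")
    return str(ipaddress.IPv6Network(f"2002:{hi:x}:{lo:x}::/48"))


def sixto4_endpoint(ipv6: str) -> str:
    """Outer IPv4 destination a 6to4 router uses for a 2002::/16 address:
    bits 16-47 of the IPv6 address are the remote site's IPv4 address."""
    addr = ipaddress.IPv6Address(ipv6)
    if addr not in SIXTO4:
        raise ValueError(f"{ipv6} is not a 6to4 address")
    return str(ipaddress.IPv4Address(addr.packed[2:6]))


def isatap_address(prefix: str, ipv4: str) -> str:
    """ISATAP address: <64-bit subnet prefix> + interface ID 0[2]00:5efe:<IPv4>.

    The 'u' bit (0x0200) is set when the embedded IPv4 address is global and
    clear for private space, as RFC 5214 section 6.1 specifies.
    """
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("ISATAP needs a /64 subnet prefix")
    u_bit = b"\x02\x00" if is_global_ipv4(ipv4) else b"\x00\x00"
    iid = u_bit + b"\x5e\xfe" + ipaddress.IPv4Address(ipv4).packed
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def isatap_endpoint(ipv6: str) -> Optional[str]:
    """Return the embedded IPv4 endpoint if the interface ID is ISATAP-shaped,
    which is how you tie an ISATAP host address back to its IPv4 host."""
    p = ipaddress.IPv6Address(ipv6).packed
    if p[8:12] in (b"\x00\x00\x5e\xfe", b"\x02\x00\x5e\xfe"):
        return str(ipaddress.IPv4Address(p[12:16]))
    return None


def tunnel_mtu(wan_mtu: int) -> int:
    """IPv6 MTU left inside a 6to4 or ISATAP tunnel after the IPv4 header."""
    inner = wan_mtu - IPV4_HEADER_LEN
    if inner < IPV6_MIN_MTU:
        raise ValueError(f"WAN MTU {wan_mtu} leaves {inner} bytes, below the IPv6 minimum {IPV6_MIN_MTU}")
    return inner


if __name__ == "__main__":
    wan = "203.0.113.5"                                # constructed public WAN address
    print(sixto4_prefix(wan))                          # 2002:cb00:7105::/48
    print(sixto4_endpoint("2002:cb00:7105:1::10"))     # 203.0.113.5
    print(isatap_address("2001:db8:1:1::/64", "192.168.1.10"))  # 2001:db8:1:1:0:5efe:c0a8:10a
    print(isatap_address("fe80::/64", wan))            # fe80::200:5efe:cb00:7105
    print(tunnel_mtu(1500), tunnel_mtu(1492))          # 1480 1472
```

The eligibility check is the reason the 6to4 section insists on a public WAN address: with a private or CGNAT address the derived 2002: prefix exists on the LAN but nothing on the Internet can route to it. The MTU function matters for both tunnel types because a 1492-byte PPPoE WAN leaves only 1472 bytes for IPv6, so hosts that assume 1500 will see fragmentation or black-holed packets unless the tunnel MTU is honoured.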
For SIIT to function, the routing mode needs to be IPv4 / IPv6. NETGEAR's implementation of SIIT lets you enter a single IPv4 address on the SIIT screen. This IPv4 address is then used in the IPv4-translated address for IPv6 devices to enable communication between IPv4-only devices on the wireless VPN firewall's LAN and IPv6-only devices on the WAN.

To configure SIIT:
1. Select Network Configuration > SIIT. The SIIT screen displays:
Figure 28.
2.
Figure 29.
3. Enter the settings as explained in the following table:

Table 10. Broadband Advanced Options screen settings
• MTU Size. Make one of the following selections:
  - Default. Select the Default radio button for the normal maximum transmission unit (MTU) value. For most Ethernet networks, this value is 1500 bytes, or 1492 bytes for PPPoE connections (the PPPoE header and PPP protocol field take 8 bytes of the 1500-byte Ethernet payload).
• Speed. In most cases, the wireless VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed.
Additional WAN-Related Configuration Tasks

If you want the ability to manage the wireless VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 331). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator and Guest Settings on page 329); once remote management is on, the login screen is reachable from the Internet, and the factory default credentials are public knowledge. You can set up the traffic meter for the WAN interface, if you wish.
3. LAN Configuration

This chapter describes how to configure the LAN features of your wireless VPN firewall.
same segment. The resources of other departments can be invisible to the marketing VLAN members, accessible to all, or accessible only to specified individuals, depending on how the IT manager has set up the VLANs.

VLANs have a number of advantages:
• It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location.
When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the LAN ports that are members of the VLAN can send and receive both tagged and untagged packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1; packets that leave these LAN ports with the same default PVID 1 are untagged.
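To make the tagging behaviour described above concrete, here is an added example in Python (not NETGEAR code) that builds and parses 802.1Q-tagged Ethernet frames and applies the ingress and egress rules the paragraph gives for a member port with PVID 1: untagged frames in are classified into VLAN 1, frames for VLAN 1 leave untagged, and frames for any other VLAN leave with their tag. It also checks a new profile's VLAN ID against the 2–4089 range and the reserved IDs 1 and 4094 listed in the Add VLAN Profile table later in this chapter. The MAC addresses and payload are constructed test data, not captures.

```python
"""802.1Q tagging as applied on the firewall's LAN ports: a worked example.

Added for illustration; not NETGEAR code. The frames built below are
constructed test inputs, not captures.
"""
import struct
from typing import Optional

TPID_8021Q = 0x8100          # Tag Protocol Identifier of a customer VLAN tag
ETHERTYPE_IPV4 = 0x0800
DEFAULT_PVID = 1             # VLAN 1 is the default VLAN
DMZ_VID = 4094               # reserved for the DMZ interface


def mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def validate_profile_vid(vid: int) -> int:
    """Range check for a new VLAN profile: 2..4089; 1 and 4094 are reserved."""
    if vid in (DEFAULT_PVID, DMZ_VID):
        raise ValueError(f"VLAN ID {vid} is reserved")
    if not 2 <= vid <= 4089:
        raise ValueError(f"VLAN ID {vid} is outside 2..4089")
    return vid


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Ethernet II frame; with vid set, a 4-byte 802.1Q tag sits between the
    source address and the EtherType (TPID, then TCI = PCP:3 DEI:1 VID:12)."""
    head = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        tci = ((pcp & 0x7) << 13) | (vid & 0x0FFF)
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into fields; vid is None when the frame is untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset, vid, pcp = 14, None, 0
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, pcp, offset = tci & 0x0FFF, tci >> 13, 18
    return {"dst": frame[:6], "src": frame[6:12], "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def ingress_vlan(frame: bytes, pvid: int = DEFAULT_PVID) -> int:
    """Classification on a member port: an untagged frame is assigned the
    port's PVID; a tagged frame keeps its VID. VID 0 is a priority-only tag
    and is classified like an untagged frame (IEEE 802.1Q)."""
    vid = parse_frame(frame)["vid"]
    return pvid if vid in (None, 0) else vid


def egress_frame(frame: bytes, vlan: int, pvid: int = DEFAULT_PVID) -> bytes:
    """Transmission on a member port: traffic in the PVID VLAN leaves
    untagged, traffic in any other VLAN leaves carrying its tag."""
    f = parse_frame(frame)
    tag = None if vlan == pvid else vlan
    return build_frame(mac_str(f["dst"]), mac_str(f["src"]), f["ethertype"],
                       f["payload"], vid=tag, pcp=f["pcp"])


if __name__ == "__main__":
    payload = b"\x45" + b"\x00" * 19          # constructed 20-byte IPv4 header stub
    untagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, payload)
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55", ETHERTYPE_IPV4, payload, vid=20, pcp=5)
    print(ingress_vlan(untagged), ingress_vlan(tagged))    # 1 20
    print(parse_frame(egress_frame(untagged, 20))["vid"])  # 20
    print(validate_profile_vid(20))                        # 20
```

The VID 0 case is worth noting in a security context: a host can send priority-tagged frames (tag present, VID 0) and a port must treat them as untagged, so a filter that only inspects "tag present" rather than the VID itself misclassifies them.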
Figure 30.
For each VLAN profile, the following fields display in the VLAN Profiles table:
• Check box. Allows you to select the VLAN profile in the table.
• Status icon. Indicates the status of the VLAN profile:
  - Green circle. The VLAN profile is enabled.
  - Gray circle. The VLAN profile is disabled.
• Profile Name. The unique name assigned to the VLAN profile.
• VLAN ID. The unique ID (or tag) assigned to the VLAN profile.
• Subnet IP.
DHCP Server

The default VLAN (VLAN 1) has the DHCP server option enabled by default, allowing the wireless VPN firewall to assign IP, DNS server, WINS server, and default gateway addresses to all computers connected to the wireless VPN firewall's LAN. The assigned default gateway address is the LAN address of the wireless VPN firewall. IP addresses are assigned to the attached computers from a pool of addresses that you need to specify.
LDAP Server

A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify directory services that run over TCP/IP. For example, clients can query email addresses, contact information, and other service information using an LDAP server. For each VLAN, you can specify an LDAP server and a search base that defines the location in the directory (that is, the directory tree) from which the LDAP search begins.
2. Click the Add table button under the VLAN Profiles table. The Add VLAN Profile screen displays:
Figure 32.
3. Enter the settings as explained in the following table:

Table 11. Add VLAN Profile screen settings
VLAN Profile
• Profile Name. Enter a unique name for the VLAN profile.
• VLAN ID. Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. Note: You can enter VLAN IDs from 2 to 4089. VLAN ID 1 is reserved for the default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
• Enable DHCP Server. Select the Enable DHCP Server radio button to enable the wireless VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. (For the default VLAN, the DHCP server is enabled by default.)
• Enable LDAP information. To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings:
  - LDAP Server. The IP address or name of the LDAP server.
  - Search Base. The search objects that specify the location in the directory tree from which the LDAP search begins.
To edit a VLAN profile:
1. On the LAN Setup screen for IPv4 (see Figure 31 on page 59), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays. This screen is identical to the Add VLAN Profile screen (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
Figure 33.
3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.)
4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by default for the default VLAN.)
5. Click Apply to save your settings.
To add a secondary LAN IPv4 address:
1. Select Network Configuration > LAN Setup > LAN Multi-homing. In the upper right of the screen, the IPv4 radio button is selected by default. The LAN Multi-homing screen displays the IPv4 settings. (The following figure contains one example.)
Figure 34.
The Available Secondary LAN IPs table displays the secondary LAN IP addresses added to the wireless VPN firewall.
2.
To delete one or more secondary LAN IP addresses:
1. On the LAN Multi-homing screen for IPv4 (see the previous figure), select the check box to the left of each secondary IP address that you want to delete, or click the Select All table button to select all secondary IP addresses.
2. Click the Delete table button.
• There is no need to use a fixed IP address on a computer. Because the IP address allocated by the DHCP server never changes, you do not need to assign a fixed IP address to a computer to ensure that it always has the same IP address.
• A computer is identified by its MAC address, not its IP address. The network database uses the MAC address to identify each computer or device. Keep in mind that a MAC address can be changed on most operating systems, so identification by MAC is an address-management convenience, not an authentication mechanism.
The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display:
• Check box. Allows you to select the computer or device in the table.
• Name. The name of the computer or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name).
Table 12. Add Known PCs and Devices section settings (continued)
• IP Address. Enter the IP address that this computer or device is assigned to:
  - If the IP address type is Fixed (set on PC), the IP address needs to be outside of the address range that is allocated to the DHCP server pool, to prevent the IP address from also being allocated by the DHCP server.
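The rule in the table above (a fixed address must sit outside the DHCP pool) is easy to break as the network database grows, and entries are keyed by MAC address. Here is an added example in Python (not NETGEAR code) that audits a VLAN's DHCP pool and a list of Known PCs and Devices entries for the problems a practitioner would check before applying them: a pool that spills out of the subnet or covers the gateway, fixed addresses inside the pool, duplicate MAC or IP addresses, malformed MACs, and addresses outside the VLAN. The subnet, gateway, pool and entries are constructed sample data, not the device defaults.

```python
"""Consistency checks for a VLAN's DHCP pool and its Known PCs and Devices
entries. Added as a worked example; not NETGEAR code. The subnet, gateway,
pool and device entries are constructed sample data.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


@dataclass
class Device:
    name: str
    mac: str
    ip: str
    kind: str   # "fixed" = set on the PC itself; "reserved" = DHCP lease pinned to the MAC


def audit(subnet: str, gateway: str, pool_start: str, pool_end: str,
          devices: List[Device]) -> List[str]:
    """Return a list of problems; an empty list means the database is consistent."""
    net = ipaddress.IPv4Network(subnet)
    gw = ipaddress.IPv4Address(gateway)
    start, end = ipaddress.IPv4Address(pool_start), ipaddress.IPv4Address(pool_end)
    problems: List[str] = []

    if start not in net or end not in net:
        problems.append(f"pool {start}-{end} is not inside {net}")
    if start > end:
        problems.append(f"pool start {start} is after pool end {end}")
    if start <= gw <= end:
        problems.append(f"gateway {gw} lies inside the pool")

    seen_mac: Dict[str, str] = {}
    seen_ip: Dict[ipaddress.IPv4Address, str] = {}
    for d in devices:
        mac = d.mac.lower()
        if not MAC_RE.match(mac):
            problems.append(f"{d.name}: malformed MAC {d.mac!r}")
        elif mac in seen_mac:
            problems.append(f"{d.name}: MAC {mac} already assigned to {seen_mac[mac]}")
        else:
            seen_mac[mac] = d.name

        ip = ipaddress.IPv4Address(d.ip)
        if ip not in net:
            problems.append(f"{d.name}: {ip} is not in {net}")
        elif ip in (net.network_address, net.broadcast_address, gw):
            problems.append(f"{d.name}: {ip} is the network, broadcast or gateway address")
        if d.kind == "fixed" and start <= ip <= end:
            # The rule from the Add Known PCs and Devices table: a fixed address
            # inside the pool can also be leased out by the DHCP server.
            problems.append(f"{d.name}: fixed address {ip} lies inside the DHCP pool {start}-{end}")
        if ip in seen_ip:
            problems.append(f"{d.name}: {ip} already assigned to {seen_ip[ip]}")
        else:
            seen_ip[ip] = d.name
    return problems


# Constructed sample configuration, not the device defaults.
SAMPLE_DEVICES = [
    Device("nas", "00:11:22:33:44:55", "192.168.1.20", "fixed"),
    Device("printer", "00:11:22:33:44:66", "192.168.1.150", "fixed"),
    Device("laptop", "00:11:22:33:44:77", "192.168.1.120", "reserved"),
    Device("camera", "00:11:22:33:44:55", "192.168.2.9", "fixed"),
    Device("badmac", "00-11-22-33-44-88", "192.168.1.1", "reserved"),
]

if __name__ == "__main__":
    for line in audit("192.168.1.0/24", "192.168.1.1",
                      "192.168.1.100", "192.168.1.200", SAMPLE_DEVICES):
        print(line)
```

Run against the sample data, the audit flags the printer's fixed address inside the pool, the camera's reused MAC and out-of-subnet address, and the badmac entry's malformed MAC and use of the gateway address; the nas and laptop entries pass. A reserved address inside the pool is accepted because the server itself hands it out, which is the case the pool is for.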
Figure 36.
2. Modify the settings as explained in Table 12 on page 69.
3. Click Apply to save your settings in the Known PCs and Devices table.

Deleting Computers or Devices from the Network Database

To delete one or more computers or devices from the network database:
1.
2. Click the Edit Group Names option arrow to the right of the LAN submenu tabs. The Network Database Group Names screen displays. (The following figure shows some examples.)
Figure 37.
3. Select the radio button next to the group name that you want to edit.
4. Type a new name in the field. The maximum number of characters is 15. Do not use a double quote ("), a single quote ('), or a space in the name.
5.
Note: The saved binding is also displayed on the IP/MAC Binding screen (see Figure 99 on page 186).

Manage the IPv6 LAN
• DHCPv6 Server Options
• Configure the IPv6 LAN
• Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN

An IPv6 LAN typically functions with site-local and link-local unicast addresses.
DHCPv6 server. For stateless DHCPv6, you need to configure the RADVD and advertisement prefixes (see Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN on page 80).

Stateless DHCPv6 Server With Prefix Delegation

As an option for a stateless DHCPv6 server, you can enable prefix delegation.
Configure the IPv6 LAN

To configure the IPv6 LAN settings:
1. Select Network Configuration > LAN Setup.
2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings. (The following figure contains some examples.)
Figure 38.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 3. Enter the settings as explained in the following table. The IPv6 address pools and prefixes for prefix delegation are explained in the sections following the table. Table 13. LAN Setup screen settings for IPv6 Setting Description IPv6 LAN Setup IPv6 Address Enter the LAN IPv6 address. The default address is FEC0::1.(For more information, see the introduction to this section, Manage the IPv6 LAN.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 13. LAN Setup screen settings for IPv6 (continued) Setting Description DHCP Status (continued) Server Preference Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting. This is an optional setting that specifies the server’s preference value in a server advertise message. The client selects the server with the highest preference value as the preferred server.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 39. 2. Enter the settings as explained in the following table: Table 14. LAN IPv6 Config screen settings Setting Description Start IPv6 Address Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the LAN is assigned an IP address between this address and the end IP address. End IPv6 Address Enter the end IP address.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 LAN Prefixes for Prefix Delegation If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation check box (both on the ISP Broadband Settings screen for IPv6 and on the LAN Setup screen for IPv6, a prefix delegation pool is automatically added to the List of Prefixes for Prefix Delegation table.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Deamon (RADVD) and advertisement prefixes. The RADVD is an application that uses the Neighbor Discovery Protocol (NDP) to collect link-local advertisements of IPv6 addresses and IPv6 prefixes in the LAN.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To configure the Router Advertisement Daemon for the LAN: 1. Select Network Configuration > LAN Setup. 2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings (see Figure 38 on page 75.) 3. To the right of the LAN Setup tab, click the RADVD option arrow. The RADVD screen for the LAN displays. (The following figure contains some examples.) Figure 41. 4.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 16. RADVD screen settings for the LAN (continued) Setting Description Advertise Interval Enter the advertisement interval of unsolicited multicast packets in seconds. The minimum value is 10 seconds; the maximum value is 1800 seconds. RA Flags Specify what type of information the DHCPv6 server provides in the LAN by making a selection from the drop-down list: • Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 42. 2. Enter the settings as explained in the following table: Table 17. Add Advertisement Prefix screen settings for the LAN Setting Description IPv6 Prefix Type Specify the IPv6 prefix type by making a selection from the drop-down list: • 6to4. The prefix is for a 6to4 address. You need to complete the SLA ID field and Prefix Lifetime field. The other fields are masked out. • Global/Local/ISATAP.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more advertisement prefixes: 1. On the RADVD screen for the LAN (see Figure 41 on page 81), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes. 2. Click the Delete table button.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The Available Secondary LAN IPs table displays the secondary LAN IP addresses added to the wireless VPN firewall. 3. In the Add Secondary LAN IP Address section of the screen, enter the following settings: • IPv6 Address. Enter the secondary address that you want to assign to the LAN ports. • Prefix Length. Enter the prefix length for the secondary IP address. 4.
firewall can be dedicated as a hardware DMZ port to provide services to the Internet while keeping those hosts separated from your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT.

Figure 44.
2. Enter the settings as explained in the following table:
Table 18. DMZ Setup screen settings for IPv4
DMZ Port Setup
Do you want to enable DMZ Port? Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields.
• No. Allows you to disable the DMZ port after you have configured it.
IP Address. Enter the IP address of the DMZ port.

Table 18. DMZ Setup screen settings for IPv4 (continued)
Subnet Mask. Enter the IP subnet mask of the DMZ port. The subnet mask specifies the network number portion of an IP address. The subnet mask for the DMZ port is 255.255.255.0.

Table 18. DMZ Setup screen settings for IPv4 (continued)
DHCP Relay. To use the wireless VPN firewall as a DHCP relay agent for a DHCP server somewhere else in your network, select the DHCP Relay radio button. Enter the following setting:
Relay Gateway. The IP address of the DHCP server for which the wireless VPN firewall serves as a relay.
Enable LDAP information

For the DMZ, there are two DHCPv6 server options:
• Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCPv6 server.

3. Enter the settings as explained in the following table:
Table 19. DMZ Setup screen settings for IPv6
DMZ Port Setup
Do you want to enable DMZ Port? Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IPv6 Address and Prefix Length fields.
• No. Allows you to disable the DMZ port after you have configured it.
IPv6 Address. Enter the IPv6 address of the DMZ port.

Table 19. DMZ Setup screen settings for IPv6 (continued)
DHCP Status (continued)
DNS Server. Select one of the DNS server options from the drop-down list:
• Use DNS Proxy. The wireless VPN firewall acts as a proxy for all DNS requests and communicates with the ISP's DNS servers that you configured on the Broadband ISP Settings (IPv6) screen (see Configure a Static IPv6 Internet Connection on page 41).
• Use DNS from ISP.

2. Enter the settings as explained in the following table:
Table 20. DMZ IPv6 Config screen settings
Start IPv6 Address. Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the DMZ is assigned an IP address between this address and the end IP address.
End IPv6 Address. Enter the end IP address.

Hosts and routers in the DMZ use NDP to determine the link-layer addresses and related information of neighbors that can forward packets on their behalf. The wireless VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ.

Figure 47.
4. Enter the settings as explained in the following table:
Table 22. RADVD screen settings for the DMZ
RADVD Status. Specify the RADVD status by making a selection from the drop-down list:
• Enable. The RADVD is enabled, and the RADVD fields become available for you to configure.
• Disable. The RADVD is disabled, and the RADVD fields are masked out. This is the default setting.

Table 22. RADVD screen settings for the DMZ (continued)
RA Flags. Specify what type of information the DHCPv6 server provides in the DMZ by making a selection from the drop-down list:
• Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
• Other.

Figure 48.
2. Enter the settings as explained in the following table:
Table 23. Add Advertisement Prefix screen settings for the DMZ
IPv6 Prefix Type. Specify the IPv6 prefix type by making a selection from the drop-down list:
• 6to4. The prefix is for a 6to4 address. You need to complete the SLA ID field and the Prefix Lifetime field. The other fields are masked out.
• Global/Local/ISATAP.

To delete one or more advertisement prefixes:
1. On the RADVD screen for the DMZ (see Figure 47 on page 95), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes.
2. Click the Delete table button.
2. Click the Add table button under the Static Routes table. The Add Static Route screen displays:
Figure 50.
3. Enter the settings as explained in the following table:
Table 24. Add Static Route screen settings for IPv4
Route Name. The route name for the static route (for purposes of identification and management).
Active. To make the static route effective, select the Active check box.

To edit an IPv4 static route:
1. On the Static Routing screen for IPv4 (see Figure 49 on page 98), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays. This screen is identical to the Add Static Route screen (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To delete one or more routes:
1.

Figure 51.
3. Enter the settings as explained in the following table:
Table 25. RIP Configuration screen settings
RIP Direction. From the RIP Direction drop-down list, select the direction in which the wireless VPN firewall sends and receives RIP packets:
• None. The wireless VPN firewall neither advertises its route table nor accepts any RIP packets from other routers.

Table 25. RIP Configuration screen settings (continued)
RIP Version. By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version:
• RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version. RIP-1 carries no authentication, so any host that can reach the interface can inject routes; if you must run RIP at all, exchange it only with trusted internal routers.
• RIP-2. Routing that supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format:
- RIP-2B.
IPv4 Static Route Example
In this example, we assume the following:
• The wireless VPN firewall's primary Internet access is through a cable modem to an ISP.
• The wireless VPN firewall is on a local LAN with IP address 192.168.1.100.
• The wireless VPN firewall connects to a remote network where you need to access a device.
• The LAN IP address of the remote network is 134.177.0.0.

Figure 52.
3. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing screen displays:
Figure 53.
4. Enter the settings as explained in the following table:
Table 26. Add IPv6 Static Routing screen settings
Route Name. The route name for the static route (for purposes of identification and management).
Active. To make the static route effective, select the Active check box.

Table 26. Add IPv6 Static Routing screen settings (continued)
Interface. From the drop-down list, select the physical or virtual network interface (WAN1, sit0 Tunnel, LAN, or DMZ interface) through which the route is accessible.
IPv6 Gateway. The gateway IPv6 address through which the destination host or network can be reached.
Metric. The priority of the route. Select a value between 2 and 15. As with RIP hop counts, a lower value means a more preferred route.
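The following Python model shows what the static-route entries from the example above do when the firewall forwards a packet: the longest matching prefix wins, the metric breaks ties, and a gateway that is not on a directly connected network is rejected. This is an added example, not NETGEAR code; the /16 mask on 134.177.0.0, the remote-network gateway 192.168.1.1 on the local LAN, and the ISP-side addresses 203.0.113.0/24 and 203.0.113.1 are constructed assumptions.

```python
"""Longest-prefix-match lookup over a static routing table.

Added example, not NETGEAR code. It models the lookup the device performs
for the IPv4 Static Route Example above. The /16 mask on 134.177.0.0, the
remote-network gateway 192.168.1.1 on the local LAN, and the ISP addresses
203.0.113.0/24 and 203.0.113.1 are constructed assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Net = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
Addr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


@dataclass(frozen=True)
class Route:
    name: str                # Route Name on the Add Static Route screen
    destination: Net
    interface: str           # WAN1, LAN, DMZ, sit0 Tunnel
    gateway: Optional[Addr]  # None for a directly connected network
    metric: int              # 2-15 on the device; lower is preferred
    active: bool = True      # the Active check box


def route(name: str, destination: str, interface: str,
          gateway: Optional[str] = None, metric: int = 2, active: bool = True) -> Route:
    return Route(name, ipaddress.ip_network(destination, strict=False), interface,
                 ipaddress.ip_address(gateway) if gateway else None, metric, active)


# Constructed table for the example: connected LAN and WAN networks, the ISP
# default route, and the static route to the remote network.
TABLE: List[Route] = [
    route("lan", "192.168.1.0/24", "LAN"),
    route("wan", "203.0.113.0/24", "WAN1"),
    route("default", "0.0.0.0/0", "WAN1", gateway="203.0.113.1"),
    route("remote-office", "134.177.0.0/16", "LAN", gateway="192.168.1.1"),
]


def validate(table: List[Route]) -> None:
    """A gateway must sit on a directly connected network; otherwise the
    firewall has no way to deliver frames to it and the route is useless."""
    connected = [r.destination for r in table if r.gateway is None]
    for r in table:
        if r.gateway is not None and not any(r.gateway in net for net in connected):
            raise ValueError(f"route {r.name}: gateway {r.gateway} is not on a connected network")


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Pick the active route with the longest matching prefix; on a tie the
    lowest metric wins. Returns None when not even a default route matches."""
    d = ipaddress.ip_address(dst)
    candidates = [r for r in table
                  if r.active and r.destination.version == d.version and d in r.destination]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.destination.prefixlen, -r.metric))


def next_hop(table: List[Route], dst: str) -> Optional[str]:
    """Interface and gateway a packet to dst leaves through, as 'iface via gw'."""
    r = lookup(table, dst)
    if r is None:
        return None
    return f"{r.interface} via {r.gateway}" if r.gateway else f"{r.interface} direct"


if __name__ == "__main__":
    validate(TABLE)
    for host in ("134.177.10.5", "192.168.1.42", "198.51.100.9"):
        print(host, "->", next_hop(TABLE, host))
```

Clearing the Active check box on the remote-office route makes traffic for 134.177.0.0/16 fall back to the default route, which is what you would expect to see on the device when you disable the entry without deleting it.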
4. Wireless Configuration and Security
This chapter describes how to configure the wireless features of your ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N.

(NIC) through an antenna. Typically, an individual in-building wireless access point provides a maximum connectivity area of about a 300-foot radius. The wireless VPN firewall can support a small group of wireless users, typically 10 to 32 users. Configure the wireless features in the order of the following sections:
1. Configure the Basic Radio Settings
2. Configure and Enable Wireless Profiles
3. (Optional) Configure Wi-Fi Protected Setup
4.

Configure the Basic Radio Settings
The radio settings apply to all wireless profiles on the wireless VPN firewall. The default wireless mode is 802.11ng. You can change the wireless mode, country, and many other radio settings on the Radio Settings screen (described in this section) and on the Advanced Wireless screen (see Configure Advanced Radio Settings on page 125). The default radio settings should work well for most configurations.

Table 27. Radio Settings screen settings (continued)
Mode. Specify the wireless mode in the 2.4-GHz band by making a selection from the drop-down list:
• g and b. In addition to 802.11b- and 802.11g-compliant devices, 802.11n-compliant devices can connect to the wireless access point because they are backward compatible.
• g only. 802.11g- and 802.11n-compliant devices can connect to the wireless access point, but 802.

Table 27. Radio Settings screen settings (continued)
Default Transmit Power. From the drop-down list, select the default transmit power:
• Full. This is the default setting.
• Half.
• Quarter.
• Eighth.
• Minimum.
If the country regulation does not allow the transmit power that you select, the power is automatically adjusted to the legally allowed power, which is then displayed in the Transmit Power field.

Wireless Data Security Options
Indoors, computers can connect over 802.11n wireless networks at a maximum range of 300 feet. Typically, a wireless VPN firewall inside a building works best with devices within a 100-foot radius. Such distances can allow others outside your immediate area to reach your network. Lowering the transmit power shrinks that area but does not eliminate it, so rely on the encryption settings described below, not on range, for protection.
Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption. WPA with TKIP is far stronger than WEP, but TKIP has since been deprecated; WPA2 with CCMP (AES) is the setting to use unless a legacy client requires TKIP. The wireless VPN firewall supports WPA with a pre-shared key (PSK), RADIUS, or a combination of PSK and RADIUS. For more information about how to configure WPA, see Configure and Enable Wireless Profiles on page 115.
• WPA2.

Each wireless profile provides the following features:
• Capability to turn off the wireless profile during scheduled vacations and office shutdowns, on evenings, or on weekends. This is a green feature that allows you to save energy, and it also takes the radio off the air as an attack surface while nobody is using it.
• WLAN partitioning to prevent associated wireless clients (using the same wireless profile) from communicating with each other. This feature is useful for hotspots and other public access situations.

Before You Change the SSID, WEP, and WPA Settings
For a new wireless network, print or copy the following form and fill in the settings. For an existing wireless network, the network administrator can provide this information. Be sure to set the Country/Region correctly as the first step.

Configure and Enable Wireless Profiles
To add a wireless profile:
1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. (The following figure shows some examples.)
Figure 56.
The following table explains the fields of the Wireless Profiles screen:
Table 28. Wireless Profiles screen settings
Status. The status of the profile: Enabled or Disabled.

Figure 57.
3. Specify the settings as explained in the following table:
Table 29. Add Wireless Profiles screen settings
Wireless Profile Configuration
Profile Name. The name for the default wireless profile is default1. You cannot change this name. For additional profiles, enter a unique name to make it easy to recognize the profile. You can enter a name of up to 32 alphanumeric characters.

Table 29. Add Wireless Profiles screen settings (continued)
SSID. The wireless network name (SSID) for the wireless profile. The default SSID name is FVS318N_1. You can change this name by entering up to 32 alphanumeric characters. Make sure that additional SSIDs have unique names. Because the SSID is also the salt in the WPA/WPA2 pre-shared key derivation, replacing the default SSID with a unique name defeats precomputed dictionary tables built for common network names.

Table 29. Add Wireless Profiles screen settings (continued)
Encryption (WPA, WPA2, and WPA+WPA2 only). The encryption that you can select depends on the type of WPA security that you have selected:
• WPA. You can select the following encryption from the drop-down list:
- TKIP
- TKIP+CCMP
• WPA2. You can select the following encryption from the drop-down list:
- CCMP
- TKIP+CCMP
• WPA+WPA2. The encryption is TKIP+CCMP.

Table 29. Add Wireless Profiles screen settings (continued)
WEP Index and Keys
Authentication. Specify the authentication by making a selection from the drop-down list:
• Open System. Select this option to use WEP encryption without authentication.
• Shared Key. Select this option to use WEP authentication and encryption with a shared key (passphrase).
WEP itself is cryptographically broken and should be enabled only for legacy devices that support nothing else. Of the two options, Shared Key is the weaker: the challenge-response exchange exposes keystream that helps an attacker recover the key.
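The SSID and WPA passphrase entered in Table 29 are turned into the actual 256-bit pre-shared key by a derivation that is the same on the firewall and on every client. The following Python is an added example, not NETGEAR code: it implements the IEEE 802.11i PSK derivation (PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations) and an offline guessing loop of the kind an attacker runs against a recorded handshake, which is why the passphrase, not the protocol, is the weak point of WPA2-PSK. The candidate words and the `FVS318N_1` passphrase used in the demo are constructed.

```python
"""From SSID and passphrase to the WPA/WPA2 pre-shared key.

Added example, not NETGEAR code. IEEE 802.11i defines the PSK as
PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), so the value
computed here is what the firewall and every client derive from the settings
in Table 29. The candidate list in guess_psk is constructed for illustration.
"""
import hashlib
import secrets
import string
from typing import Iterable, Optional


def wpa_psk(passphrase: str, ssid: str) -> bytes:
    """256-bit PSK. The passphrase must be 8 to 63 printable ASCII characters;
    the SSID (1 to 32 bytes) is the salt, which is why a unique SSID defeats
    tables of precomputed keys for common network names."""
    if not 8 <= len(passphrase) <= 63 or not passphrase.isascii() or not passphrase.isprintable():
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    salt = ssid.encode("utf-8")
    if not 1 <= len(salt) <= 32:
        raise ValueError("SSID must be 1-32 bytes")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"), salt, 4096, dklen=32)


def guess_psk(ssid: str, target_psk: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary check. An attacker who recorded a 4-way handshake can
    test candidates exactly like this without ever talking to the access point."""
    for cand in candidates:
        try:
            if secrets.compare_digest(wpa_psk(cand, ssid), target_psk):
                return cand
        except ValueError:
            continue  # too short or too long to be a valid passphrase; skip it
    return None


def random_passphrase(length: int = 24) -> str:
    """A passphrase the guess loop above cannot realistically hit: 24 random
    letters and digits carry about 143 bits of entropy."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print(wpa_psk("password", "IEEE").hex())  # IEEE 802.11i Annex test vector
    print(guess_psk("FVS318N_1", wpa_psk("letmein1", "FVS318N_1"), ["password", "letmein1"]))
    print(random_passphrase())
```

Each candidate costs 4096 HMAC-SHA1 iterations, which slows an attacker down but does not stop a dictionary attack on a short passphrase; the practical defence is a long random passphrase (as from `random_passphrase`) together with a non-default SSID.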
To edit a wireless profile:
1. On the Wireless Profiles screen (see Figure 56 on page 115), click the Edit button in the Action column for the wireless profile that you want to modify. The Edit Profiles screen displays. This screen is identical to the Add Profiles screen.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To allow or restrict access based on MAC addresses:
1. On the Wireless Profiles screen (see Figure 56 on page 115), click the ACL button in the ACL column for the wireless profile for which you want to set up access control. The MAC Address Filtering screen displays. (The following figure shows some examples.)
Figure 58.
2. Click Add to open the MAC Address screen (not shown in this manual).
3. Enter a MAC address in the MAC Address field.
4.

WARNING: When you configure the wireless VPN firewall from a wireless computer whose MAC address is not in the access control list and the ACL policy status is set to deny access, you lose your wireless connection when you click Apply. You then need to access the wireless VPN firewall from a wired computer or from a wireless computer that is on the access control list to make any further changes.
Keep in mind that a MAC address is sent in the clear in every frame and can be set freely on most client adapters, so a MAC ACL keeps out only casual or accidental connections; it is not a substitute for WPA2 encryption.

Table 30. Wireless Profile Status screen fields
Wireless Profile Statistics
Profile Name. The name of the wireless profile.
Radio. The radio to which the client is connected. By default, the radio is always 1, indicating the 2.4 GHz radio.
Packet. The number of received (rx) and transmitted (tx) packets on the access point.
Bytes. The number of received (rx) and transmitted (tx) bytes on the access point.

To enable WPS and initiate the WPS process on the wireless VPN firewall:
1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays (see Figure 56 on page 115).
2. On the Wireless Profiles screen, to the right of the Wireless Profiles tab, click the WPS option arrow. The WPS screen displays:
Figure 60.
3.

• Push button configuration (PBC) method:
a. Click the PBC button.
b. Within 2 minutes, press the WPS button on your wireless device to enable the device to connect to the wireless VPN firewall, or follow the WPS instructions that came with the device.
With either method, the wireless VPN firewall tries to communicate with the wireless device, set the wireless security for the wireless device, and allow it to join the wireless network. Leave WPS disabled except while you are actually enrolling a device.

3. Specify the settings as explained in the following table:
Table 31. Advanced Wireless screen settings
Beacon Interval. Enter an interval between 40 ms and 3500 ms for each beacon transmission, which allows the wireless VPN firewall to synchronize the wireless network. The default setting is 100 ms.

Test Basic Wireless Connectivity
After you have configured the wireless VPN firewall as explained in the previous sections, test your wireless clients for wireless connectivity before you place the wireless VPN firewall at its permanent position.
To test for wireless connectivity:
1. Configure the 802.11b/g/n wireless clients so that they all have the same SSID that you have configured on the wireless VPN firewall.
5. Firewall Protection
This chapter describes how to use the firewall features of the wireless VPN firewall to protect your network.

incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT. IPv6 does not by itself make a network more secure than IPv4; for IPv6, too, it is the firewall that controls the exchange of traffic between the Internet, DMZ, and LAN.

Administrator Tips
Consider the following operational items:
1.

A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the wireless VPN firewall are:
• Inbound. Block all access from outside except responses to requests from the LAN side.
• Outbound. Allow all access from the LAN side to the outside.
The firewall rules for blocking and allowing traffic on the wireless VPN firewall can be applied to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic.
Table 32.

The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 65 on page 141, Figure 71 on page 148, and Figure 77 on page 155). The steps to configure outbound rules are described in the following sections:
• Configure LAN WAN Rules
• Configure DMZ WAN Rules
• Configure LAN DMZ Rules
Table 33.

Table 33. Outbound rules overview (continued)
WAN Users. The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are:
• Any. All Internet IP addresses are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Enter the required addresses in the Start and Finish fields.

Table 33. Outbound rules overview (continued)
Log (all rules). The setting that determines whether packets covered by this rule are logged. The options are:
• Always. Always log traffic that matches this rule. This is useful when you are debugging your rules.
• Never. Never log traffic that matches this rule.

LAN Groups screen to keep the computer's IP address constant (see Set Up DHCP Address Reservation on page 72).
• Local computers need to access the local server using the computer's local LAN address. Attempts by local computers to access the server using the external WAN IP address will fail.
Note: See Configure Port Triggering on page 190 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.

Table 34. Inbound rules overview
Service. The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services screen (see Add Customized Services on page 172).

Table 34. Inbound rules overview (continued)
LAN Users (LAN WAN rules, LAN DMZ rules). These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing, and determine which computers on your network are affected by this rule. The options are:
• Any. All computers and devices on your LAN.
• Single address.

Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location. If you are unsure, see the acceptable use policy of your ISP.

Configure LAN WAN Rules
• Create LAN WAN Outbound Service Rules
• Create LAN WAN Inbound Service Rules
The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). This feature is also referred to as service blocking.

• Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, one of the following screens displays:
- Edit LAN WAN Outbound Service screen for IPv4 (identical to Figure 65 on page 141)
- Edit LAN WAN Inbound Service screen for IPv4 (identical to Figure 67 on page 144)
To change the default outbound policy for IPv6 traffic or to change existing IPv6 rules:
1. Select Security > Firewall.

To enable, disable, or delete one or more IPv4 or IPv6 rules:
1. Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules.
2. Click one of the following table buttons:
• Enable. Enables the rule or rules. The status icon changes from a gray circle to a green circle, indicating that the selected rule or rules are enabled.

Figure 65.
2. Enter the settings as explained in Table 33 on page 131.

IPv6 LAN WAN Outbound Rules
To create a new IPv6 LAN WAN outbound rule:
1. In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 64 on page 139).
2. Click the Add table button under the Outbound Services table. The Add LAN WAN Outbound Service screen for IPv6 displays:
Figure 66.
3. Enter the settings as explained in Table 33 on page 131.

Create LAN WAN Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is blocked. Remember that allowing inbound services opens potential security holes in your firewall. Enable only those ports that are necessary for your network, restrict each rule to the narrowest WAN Users range the use case permits, and set Log to Always on inbound allow rules so that unexpected use is visible.

Figure 67.
IPv6 LAN WAN Inbound Rules
To create a new IPv6 LAN WAN inbound rule:
1. In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 64 on page 139).
2. Click the Add table button under the Inbound Services table.

Figure 68.
3. Enter the settings as explained in Table 34 on page 135. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• LAN Users
• WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list:
• Select Schedule
4. Click Apply to save your changes.

Note: Inbound rules on the LAN WAN Rules screen take precedence over inbound rules on the DMZ WAN Rules screen. When an inbound packet matches an inbound rule on the LAN WAN Rules screen, the packet is not matched against the inbound rules on the DMZ WAN Rules screen. In practice this means a broad LAN WAN inbound rule can silently shadow a DMZ WAN inbound rule for the same service, so keep LAN WAN inbound rules as specific as possible.
To access the DMZ WAN Rules screen for IPv4 or to change existing IPv4 rules: Select Security > Firewall > DMZ WAN Rules.
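To make the evaluation order concrete, the following Python is an added model of the rule tables described in this chapter, not NETGEAR code. It reproduces the documented default policies (LAN to WAN allowed, WAN to LAN blocked apart from replies, LAN and DMZ blocked in both directions), first-match evaluation within a table, and the precedence of LAN WAN inbound rules over DMZ WAN inbound rules stated in the note above. The DMZ to WAN default of ALLOW, the `Packet`/`Rule` field layout and all addresses in `demo_firewall` are assumptions made for the model.

```python
"""Rule evaluation model for the LAN WAN, DMZ WAN and LAN DMZ rule tables.

Added example, not NETGEAR code. It reproduces the behaviour documented in
this chapter: the default policies, first-match evaluation within a table,
and LAN WAN inbound rules being consulted before DMZ WAN inbound rules. The
DMZ to WAN default of ALLOW and the Packet/Rule field layout are assumptions
made for the model; the addresses in demo_firewall are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ALLOW, BLOCK = "ALLOW", "BLOCK"
Table = Tuple[str, str]          # (from zone, to zone)

DEFAULT_POLICY: Dict[Table, str] = {
    ("LAN", "WAN"): ALLOW, ("WAN", "LAN"): BLOCK,
    ("DMZ", "WAN"): ALLOW, ("WAN", "DMZ"): BLOCK,   # DMZ->WAN ALLOW is assumed
    ("LAN", "DMZ"): BLOCK, ("DMZ", "LAN"): BLOCK,
}


@dataclass
class Rule:
    service: str               # Service column; "ANY" matches every service
    action: str                # ALLOW or BLOCK (schedules are not modelled)
    src: str = "ANY"           # LAN/DMZ Users or WAN Users: ANY, address, Start-Finish, or CIDR
    dst: str = "ANY"
    enabled: bool = True       # the Enable/Disable table buttons
    log: str = "Never"         # Always or Never


@dataclass
class Packet:
    zone_from: str
    zone_to: str
    src: str
    dst: str
    service: str
    reply: bool = False        # belongs to a session the other side already opened


@dataclass
class Decision:
    action: str
    table: Optional[Table]     # table whose rule decided; None for a default policy
    rule: Optional[Rule]


def addr_matches(spec: str, addr: str) -> bool:
    if spec == "ANY":
        return True
    a = ipaddress.ip_address(addr)
    if "-" in spec:                                    # Start-Finish address range
        lo, hi = (ipaddress.ip_address(x.strip()) for x in spec.split("-", 1))
        return lo <= a <= hi
    if "/" in spec:
        return a in ipaddress.ip_network(spec, strict=False)
    return a == ipaddress.ip_address(spec)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.enabled
            and rule.service in ("ANY", pkt.service)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst))


class Firewall:
    def __init__(self) -> None:
        self.tables: Dict[Table, List[Rule]] = {t: [] for t in DEFAULT_POLICY}

    def add_rule(self, zone_from: str, zone_to: str, rule: Rule) -> None:
        self.tables[(zone_from, zone_to)].append(rule)   # table order is evaluation order

    def decide(self, pkt: Packet) -> Decision:
        if pkt.reply:                                     # stateful inspection lets replies through
            return Decision(ALLOW, None, None)
        if pkt.zone_from == "WAN":
            # LAN WAN inbound rules first; a match there ends the search even
            # for traffic destined to the DMZ (the note above).
            order = [("WAN", "LAN")] + ([("WAN", "DMZ")] if pkt.zone_to == "DMZ" else [])
        else:
            order = [(pkt.zone_from, pkt.zone_to)]
        for table in order:
            for rule in self.tables[table]:
                if rule_matches(rule, pkt):
                    return Decision(rule.action, table, rule)
        return Decision(DEFAULT_POLICY[(pkt.zone_from, pkt.zone_to)], None, None)


def demo_firewall() -> Firewall:
    """Constructed policy: a DMZ web server reachable from the Internet, one
    abusive WAN range blocked, outbound SMTP from the LAN blocked, and one
    LAN admin host allowed to SSH into the DMZ."""
    fw = Firewall()
    fw.add_rule("WAN", "DMZ", Rule("HTTPS", ALLOW, dst="192.168.10.5", log="Always"))
    fw.add_rule("WAN", "LAN", Rule("HTTPS", BLOCK, src="198.51.100.0/24"))
    fw.add_rule("LAN", "WAN", Rule("SMTP", BLOCK))
    fw.add_rule("LAN", "DMZ", Rule("SSH", ALLOW, src="192.168.1.10", dst="192.168.10.5"))
    return fw


if __name__ == "__main__":
    fw = demo_firewall()
    for p in (Packet("WAN", "DMZ", "203.0.113.5", "192.168.10.5", "HTTPS"),
              Packet("WAN", "DMZ", "198.51.100.7", "192.168.10.5", "HTTPS"),
              Packet("LAN", "WAN", "192.168.1.20", "203.0.113.9", "SMTP")):
        d = fw.decide(p)
        print(p.zone_from, "->", p.zone_to, p.service, d.action, d.table)
```

The second demo packet is the case the note warns about: the HTTPS request from 198.51.100.7 would be allowed by the DMZ WAN rule, but the LAN WAN inbound block for that source range is consulted first and wins, and the DMZ WAN table is never reached.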
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To access the DMZ WAN Rules screen for IPv6 or to change existing IPv6 rules: 1. Select Security > Firewall > DMZ WAN Rules. The Firewall submenu tabs display with the DMZ WAN Rules screen for IPv4 in view. 2. In the upper right of the screen, select the IPv6 radio button. The DMZ WAN Rules screen displays the IPv6 settings. (The following figure contains examples.) Figure 70.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Disable. Disables the rule or rules. The ! status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled. • Delete. Deletes the selected rule or rules. Create DMZ WAN Outbound Service Rules You can change the default outbound policy or define rules that specify exceptions to the default outbound policy.
2. Enter the settings as explained in Table 33 on page 131.
3. Enter the settings as explained in Table 33 on page 131. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• DMZ Users
• WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists:
• Select Schedule
• QoS Priority
4. Click Apply.
Figure 73.
2. Enter the settings as explained in Table 34 on page 135. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• WAN Destination IP Address
• DMZ Users (This drop-down list is available only when the WAN mode is Classical Routing. When the WAN mode is NAT, your network presents only one IP address to the Internet.
IPv6 DMZ WAN Inbound Service Rules
To create a new IPv6 DMZ WAN inbound rule:
1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 70 on page 147).
2. Click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound Service screen for IPv6 displays:
Figure 74.
3. Enter the settings as explained in Table 34 on page 135.
Configure LAN DMZ Rules
• Create LAN DMZ Outbound Service Rules
• Create LAN DMZ Inbound Service Rules
The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to block all traffic between the local LAN and the DMZ network. That default is what makes the DMZ useful: every LAN DMZ rule you add is a deliberate hole in it, so keep each rule as narrow as the service allows (specific hosts and specific ports rather than Any).
• Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, one of the following screens displays:
- Edit LAN DMZ Outbound Service screen for IPv4 (identical to Figure 77 on page 155)
- Edit LAN DMZ Inbound Service screen for IPv4 (identical to Figure 79 on page 157)
To access the LAN DMZ Rules screen for IPv6 or to change existing IPv6 rules:
1. Select Security > Firewall > LAN DMZ Rules.
2. Click one of the following table buttons:
• Enable. Enables the rule or rules. The status icon changes from a gray circle to a green circle, indicating that the selected rule or rules are enabled. (By default, when a rule is added to the table, it is automatically enabled.)
• Disable. Disables the rule or rules. The status icon changes from a green circle to a gray circle, indicating that the selected rule or rules are disabled.
• Delete.
2. Enter the settings as explained in Table 33 on page 131. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists:
• LAN Users
• DMZ Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list:
• Select Schedule
3. Click Apply.
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list:
• Select Schedule
4. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
Create LAN DMZ Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed.
Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list:
• Select Schedule
3. Click Apply to save your changes. The new rule is now added to the Inbound Services table.
IPv6 LAN DMZ Inbound Service Rules
To create a new IPv6 LAN DMZ inbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv6 radio button.
Examples of Firewall Rules
• Examples of Inbound Firewall Rules
• Examples of Outbound Firewall Rules
Examples of Inbound Firewall Rules
IPv4 LAN WAN Inbound Rule: Host a Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound web (HTTP) requests from any outside IP address to the IP address of your web server at any time of the day.
Figure 81.
IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see the following figure). In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
Figure 82.
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping
In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the wireless VPN firewall to host an additional public IP address and associate this address with a web server on the LAN. The following addressing scheme is used to illustrate this procedure:
• NETGEAR wireless VPN firewall:
- WAN IP address. 10.
Figure 83.
4. From the Service drop-down list, select HTTP for a web server.
5. From the Action drop-down list, select ALLOW Always.
6. In the Send to LAN Server field, enter the local IP address of your web server computer (192.168.1.2 in this example).
7. In the WAN Destination IP Address fields, enter 10.1.0.52.
8. Click Apply to save your settings. The rule is now added to the Inbound Services table of the LAN WAN Rules screen.
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to anyone on the Internet for services that you have not yet defined. Because the exposed host receives every inbound connection that no other rule claims, it needs to be a hardened, single-purpose machine, and it belongs in the DMZ rather than on the LAN.
WARNING: Do not set up an exposed host from a remote connection because you will likely lock yourself out from the wireless VPN firewall.
To expose one of the computers on your LAN or DMZ as this host:
1.
IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a Single LAN User
If you want to restrict incoming RTelnet sessions from a single IPv6 WAN user to a single IPv6 LAN user, specify the initiating IPv6 WAN address and the receiving IPv6 LAN address. See an example in the following figure.
Figure 85.
Figure 86.
IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ Users to Access an FTP Site on the Internet
If you want to allow a group of DMZ users to access a particular FTP site on the Internet during working hours, you can create an outbound rule to allow such traffic by specifying the IPv6 DMZ start and finish addresses and the IPv6 WAN address. On the Schedule screen, create a schedule that specifies working hours, and assign it to the rule.
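The examples above, together with the precedence note (LAN WAN inbound rules are consulted before DMZ WAN inbound rules), the custom-service definition (protocol plus Start Port/Finish Port) and the schedules, describe one lookup procedure. The following added example is the editor's code, not NETGEAR's, and models that lookup so you can test a rule set before committing it. It assumes first-match order within a table and a "by schedule" semantic (action inside the window, opposite outside) that the manual does not spell out; the CU-SeeMe port, the schedule and every address other than the manual's 10.1.0.52 / 192.168.1.2 mapping are constructed.

```python
"""Added example (editor's code, not NETGEAR's): the inbound rule lookup the
manual describes.  LAN WAN inbound rules are consulted before DMZ WAN inbound
rules; a packet matching a LAN WAN rule is never checked against the DMZ WAN
table; an unmatched packet gets the default inbound policy (BLOCK).  Assumed:
first match wins within a table, and "by schedule" applies the action inside
the schedule window and the opposite outside it.  Only the 10.1.0.52 ->
192.168.1.2 web-server mapping is the manual's; everything else is constructed."""
from collections import namedtuple
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
Packet = namedtuple("Packet", "src dst proto dport when")   # dst as seen from the WAN


@dataclass(frozen=True)
class Service:              # Start Port == Finish Port for a single-port service
    proto: str
    start_port: int
    finish_port: int

    def covers(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.start_port <= port <= self.finish_port


@dataclass(frozen=True)
class Schedule:             # weekdays (0 = Monday) plus a daily window
    days: frozenset
    start: time
    end: time

    def active_at(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start <= when.time() < self.end


@dataclass(frozen=True)
class Rule:
    name: str
    service: Service
    action: str                         # ALLOW_ALWAYS, BLOCK_ALWAYS, ALLOW_BY_SCHEDULE, BLOCK_BY_SCHEDULE
    wan_users: object = ANY             # "WAN Users": permitted source network
    local_users: object = ANY           # "LAN Users" / "DMZ Users": destination network
    wan_dest: Optional[object] = None   # "WAN Destination IP Address" (one-to-one NAT)
    send_to: Optional[object] = None    # "Send to LAN Server" (one-to-one NAT)
    schedule: Optional[Schedule] = None

    def matches(self, pkt: Packet) -> bool:
        if not self.service.covers(pkt.proto, pkt.dport) or pkt.src not in self.wan_users:
            return False
        if self.wan_dest is not None:   # a NAT rule keys on the public address it hosts
            return pkt.dst == self.wan_dest
        return pkt.dst in self.local_users

    def verdict(self, when: datetime) -> str:
        if self.action in ("ALLOW_ALWAYS", "BLOCK_ALWAYS"):
            return self.action.split("_")[0]
        inside = self.schedule is not None and self.schedule.active_at(when)
        if self.action == "ALLOW_BY_SCHEDULE":
            return "ALLOW" if inside else "BLOCK"
        return "BLOCK" if inside else "ALLOW"   # BLOCK_BY_SCHEDULE


def decide_inbound(pkt: Packet, lan_wan, dmz_wan, default: str = "BLOCK"):
    """LAN WAN table first; a match there ends the lookup, as the manual states."""
    for table in (lan_wan, dmz_wan):
        for rule in table:
            if rule.matches(pkt):
                return rule.verdict(pkt.when), rule.name, rule.send_to
    return default, None, None


HTTP, RTELNET = Service("tcp", 80, 80), Service("tcp", 107, 107)
CUSEEME = Service("udp", 7648, 7648)                 # assumed port for the CU-SeeMe example
WORK_HOURS = Schedule(frozenset(range(5)), time(9, 0), time(17, 0))   # constructed

LAN_WAN_INBOUND = [
    # manual's one-to-one NAT example: HTTP to public 10.1.0.52 goes to the web server
    Rule("web-server", HTTP, "ALLOW_ALWAYS",
         wan_dest=ip_address("10.1.0.52"), send_to=ip_address("192.168.1.2")),
    # manual's videoconference example; the branch-office range is constructed
    Rule("branch-video", CUSEEME, "ALLOW_ALWAYS",
         wan_users=ip_network("203.0.113.0/24"), local_users=ip_network("192.168.1.0/24")),
    # constructed: a broad LAN WAN block that shadows the DMZ WAN table below
    Rule("bad-source", HTTP, "BLOCK_ALWAYS", wan_users=ip_network("192.0.2.0/24")),
]
DMZ_WAN_INBOUND = [                                  # constructed DMZ: 172.16.2.0/24
    Rule("dmz-web", HTTP, "ALLOW_ALWAYS", local_users=ip_network("172.16.2.0/24")),
    Rule("dmz-rtelnet-hours", RTELNET, "ALLOW_BY_SCHEDULE",
         local_users=ip_network("172.16.2.0/24"), schedule=WORK_HOURS),
]


def check(src: str, dst: str, proto: str, dport: int, when: str = "2012-07-10T10:00"):
    """Evaluate one inbound packet: (verdict, matching rule or None, NAT target or None)."""
    pkt = Packet(ip_address(src), ip_address(dst), proto, dport, datetime.fromisoformat(when))
    verdict, name, send_to = decide_inbound(pkt, LAN_WAN_INBOUND, DMZ_WAN_INBOUND)
    return verdict, name, (str(send_to) if send_to is not None else None)
```

`check("192.0.2.5", "172.16.2.10", "tcp", 80)` returns a BLOCK from the LAN WAN rule even though the DMZ WAN table would allow it, which is exactly the shadowing the precedence note warns about; `check("198.51.100.7", "172.16.2.10", "tcp", 107, "2012-07-10T20:00")` shows the same rule allowing inside working hours and blocking outside them.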
Figure 87.
Configure Other Firewall Features
• Attack Checks
• Set Limits for IPv4 Sessions
• Manage the Application Level Gateway for SIP Sessions
You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions.
Attack Checks
The Attack Checks screen allows you to specify whether the wireless VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.
IPv4 Attack Checks
To enable IPv4 attack checks for your network environment:
1. Select Security > Firewall > Attack Checks. In the upper right of the screen, the IPv4 radio button is selected by default. The Attack Checks screen displays the IPv4 settings:
Figure 88.
2. Enter the settings as explained in the following table:
Table 35. Attack Checks screen settings for IPv4 (continued)
LAN Security Checks
Block UDP flood. Select the Block UDP flood check box (which is the default setting) to prevent the wireless VPN firewall from accepting more than 20 simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN. (UDP is connectionless; in practice the count is of the UDP flows the firewall is tracking from that device, so a legitimately chatty host can also trip the limit.)
Jumbo Frames
Enable Jumbo Frame. Jumbo frames are Ethernet frames that carry more than the standard 1500-byte payload; moving the same data in fewer, larger frames reduces per-packet overhead and can increase throughput. Jumbo frames are supported on ports 1, 2, 3, and 4 only. Select the Jumbo Frame check box to enable jumbo frames. By default, jumbo frames are disabled. Enable them only when every switch and host on the path is configured for the same frame size; otherwise oversized frames are dropped.
Set Limits for IPv4 Sessions
The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IPv4 connection across the wireless VPN firewall. The session limits feature is disabled by default.
To enable and configure session limits:
1. Select Security > Firewall > Session Limit. The Session Limit screen displays:
Figure 90.
2.
Table 36. Session Limit screen settings (continued)
User Limit. Enter a number to indicate the user limit. Note the following:
• If the User Limit Parameter is set to Percentage of Max Sessions, the number specifies the maximum number of sessions that are allowed from a single-source device as a percentage of the total session connection capacity of the wireless VPN firewall. (The session limit is per-device based.
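The Block UDP flood check above and the per-device session limit are both counters kept per source device. The following added example is the editor's code, not NETGEAR's; it keeps such a table for constructed traffic and shows which limit trips first when one LAN host opens many flows. The total session capacity (MAX_SESSIONS) is a constructed figure, since the manual does not state the FVS318N's capacity.

```python
"""Added example (editor's code, not NETGEAR's): a per-source-device session
table enforcing the two limits described above.  'Block UDP flood' admits at
most 20 simultaneous active UDP flows from one LAN device; the Session Limit
feature's User Limit is either an absolute number of sessions or a percentage
of the firewall's total session capacity.  UDP has no connections in the TCP
sense, so a 'UDP connection' here is one (proto, sport, dst, dport) flow in
the state table.  MAX_SESSIONS and all traffic below are constructed."""
from collections import defaultdict

MAX_SESSIONS = 10000             # constructed total session capacity


class SessionLimiter:
    def __init__(self, user_limit, limit_param="number", block_udp_flood=True,
                 udp_flood_limit=20, max_sessions=MAX_SESSIONS):
        if limit_param == "percentage":                  # "Percentage of Max Sessions"
            self.per_device_limit = max_sessions * user_limit // 100
        elif limit_param == "number":                     # absolute number of sessions
            self.per_device_limit = user_limit
        else:
            raise ValueError("limit_param must be 'number' or 'percentage'")
        self.udp_flood_limit = udp_flood_limit if block_udp_flood else None
        self.active = defaultdict(set)   # source IP -> set of (proto, sport, dst, dport)
        self.dropped = []                # (source IP, flow, reason) for the log

    def open_session(self, src, proto, sport, dst, dport) -> bool:
        """Admit or refuse a new flow; a flow already in the table is always admitted."""
        flow = (proto, sport, dst, dport)
        flows = self.active[src]
        if flow in flows:
            return True
        if len(flows) >= self.per_device_limit:
            self.dropped.append((src, flow, "session limit"))
            return False
        if self.udp_flood_limit is not None and proto == "udp":
            if sum(1 for f in flows if f[0] == "udp") >= self.udp_flood_limit:
                self.dropped.append((src, flow, "UDP flood"))
                return False
        flows.add(flow)
        return True

    def close_session(self, src, proto, sport, dst, dport):
        self.active[src].discard((proto, sport, dst, dport))

    def count(self, src, proto=None) -> int:
        return sum(1 for f in self.active[src] if proto is None or f[0] == proto)


def simulate_flood(limit_param="percentage", user_limit=1):
    """Constructed traffic: one host opens 25 UDP flows and then 90 TCP flows;
    a second host opens 5 TCP flows.  Returns drop counts per reason and the
    surviving session count per host."""
    fw = SessionLimiter(user_limit, limit_param)
    noisy, quiet, server = "192.168.1.50", "192.168.1.51", "198.51.100.20"
    for sport in range(40000, 40025):
        fw.open_session(noisy, "udp", sport, server, 53)
    for sport in range(50000, 50090):
        fw.open_session(noisy, "tcp", sport, server, 443)
    for sport in range(50000, 50005):
        fw.open_session(quiet, "tcp", sport, server, 443)
    reasons = defaultdict(int)
    for _, _, reason in fw.dropped:
        reasons[reason] += 1
    return dict(reasons), {noisy: fw.count(noisy), quiet: fw.count(quiet)}
```

With a 1 percent limit of a 10000-session capacity each device gets 100 sessions: the noisy host loses 5 UDP flows to the 20-flow UDP check and then 10 TCP flows to the session limit, while the quiet host is unaffected, which is the point of a per-device rather than global limit.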
Services, Bandwidth Profiles, and QoS Profiles
• Add Customized Services
• Create Bandwidth Profiles
• Preconfigured Quality of Service Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
• Services. A service narrows down the firewall rule to an application and a port number.
To define a new service, you first need to determine which port number or range of numbers the application uses. You can usually find this in the application's documentation or from its publisher, or failing that from user groups or newsgroups. Prefer the narrowest range the application actually needs, and confirm it by observing the traffic (for example, with a packet capture) rather than opening a wide range on a vendor's word. When you have the port number information, you can enter it on the Services screen.
To add a customized service:
1. Select Security > Services. The Services screen displays.
Table 37. Services screen settings (continued)
Start Port. The first TCP or UDP port of a range that the service uses. Note: This field is enabled only when you select TCP or UDP from the Type drop-down list.
Finish Port. The last TCP or UDP port of a range that the service uses. If the service uses only a single port number, enter the same number in the Start Port and Finish Port fields.
Create Bandwidth Profiles
Bandwidth profiles determine how much bandwidth is made available to the traffic that a rule matches. Their purpose is to provide a method for allocating and limiting traffic, so that LAN users get sufficient bandwidth while no single user (or compromised host) can consume all the bandwidth on your WAN link. A single bandwidth profile can be for both outbound and inbound traffic.
2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays:
Figure 95.
3. Enter the settings as explained in the following table:
Table 38. Add Bandwidth Profile screen settings
Profile Name. A descriptive name of the bandwidth profile for identification and management purposes.
Table 38. Add Bandwidth Profile screen settings (continued)
Type. From the Type drop-down list, select the type for the bandwidth profile:
• Group. The profile applies to all users together, that is, all users matched by the rule share the profile's bandwidth.
• Individual. The profile applies per user, that is, each user matched by the rule can use the profile's bandwidth.
4. Click Apply to save your settings.
These are the default QoS profiles that are preconfigured and that cannot be edited:
• Normal-Service. Used when no special priority is given to the traffic. IP packets are marked with a ToS value of 0.
• Minimize-Cost. Used when data needs to be transferred over a link that has a lower cost. IP packets are marked with a ToS value of 2.
• Maximize-Reliability.
- ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX controls from being downloaded.
- Cookies. Cookies are used to store session information by websites that usually require login. However, several websites use cookies to store tracking information and browsing habits.
Figure 96.
2. In the Content Filtering section of the screen, select the Yes radio button.
3. In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected):
• Proxy. Blocks proxy servers.
• Java. Blocks Java applets from being downloaded.
• ActiveX. Blocks ActiveX controls from being downloaded.
• Cookies. Blocks cookies from being created by a website.
These checks inspect unencrypted HTTP content; they cannot see inside HTTPS sessions, so treat web component blocking as one hardening layer rather than a guarantee.
Set a Schedule to Block or Allow Specific Traffic
Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules. Schedules are evaluated against the firewall's own clock, so keep its time synchronized (for example, with NTP); otherwise a scheduled rule opens or closes at the wrong time.
To set a schedule:
1. Select Security > Services > Schedule 1. The Schedule 1 screen displays:
Figure 97.
2.
Enable Source MAC Filtering
The Source MAC Filter screen enables you to permit or block traffic coming from certain known computers or devices. By default, the source MAC address filter is disabled, and traffic received from computers with any MAC address is allowed. A MAC address is set by the sender and is trivially changed, so source MAC filtering keeps out accidental or casual connections, not a determined attacker; treat it as a convenience control, not as authentication.
3. In the same section, from the Policy for MAC Addresses listed below drop-down list, select one of the following options:
• Block and Permit the rest. Traffic coming from all addresses in the MAC Addresses table is blocked. Traffic from all other MAC addresses is permitted.
• Permit and Block the rest. Traffic coming from all addresses in the MAC Addresses table is permitted. Traffic from all other MAC addresses is blocked.
4.
Note: You can bind IP addresses to MAC addresses for DHCP assignment on the LAN Groups submenu. See Manage the Network Database on page 68.
As an example, assume that three computers on the LAN are set up as follows, and that their IPv4 and MAC addresses are added to the IP/MAC Bindings table:
• Host 1. MAC address 00:01:02:03:04:05 and IP address 192.168.10.10
• Host 2. MAC address 00:01:02:03:04:06 and IP address 192.168.10.11
• Host 3.
Figure 99.
2. In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons:
• Yes. IP/MAC binding violations are emailed. Click the Firewall Logs & E-mail page link to ensure that emailing of logs is enabled on the Firewall Logs & E-mail screen (see Configure Logging, Alerts, and Event Notifications on page 349).
To edit an IPv4 IP/MAC binding:
1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
2. Modify the settings that you wish to change (see the previous table; you can change the MAC address, IPv4 address, and logging status).
3. Click Apply to save your changes. The modified IP/MAC binding displays in the IP/MAC Bindings table.
Figure 101.
3. In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons:
• Yes. IP/MAC binding violations are emailed. Click the Firewall Logs & E-mail page link to ensure that emailing of logs is enabled on the Firewall Logs & E-mail screen (see Configure Logging, Alerts, and Event Notifications on page 349).
To edit an IPv6 IP/MAC binding:
1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC binding that you want to edit. The Edit IP/MAC Binding screen displays.
2. Modify the settings that you wish to change (see the previous table; you can change the MAC address, IPv6 address, and logging status).
3. Click Apply to save your changes. The modified IP/MAC binding displays in the IP/MAC Bindings table.
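The source MAC filter policies and the IP/MAC bindings above are two checks on the same frame. The following added example is the editor's code, not NETGEAR's; it applies both to constructed Ethernet frames and records binding violations the way the Email IP/MAC Violations setting implies. Host 1 and Host 2 are the manual's example bindings; Host 3's addresses, the order of the two checks, and the dropping of violating frames are assumptions, as are all the frames.

```python
"""Added example (editor's code, not NETGEAR's).  Applies the Source MAC
Filter ('Block and Permit the rest' or 'Permit and Block the rest') and the
IP/MAC binding check to constructed frames.  A frame whose source IP does not
match the address bound to its source MAC, or whose source IP is bound to a
different MAC, is a violation that is logged and, if enabled, flagged for
email.  Host 1 and Host 2 are the manual's bindings; Host 3, the check order
and the drop on violation are assumptions."""
from dataclasses import dataclass


def normalize_mac(mac: str) -> str:
    return mac.lower().replace("-", ":")


@dataclass(frozen=True)
class Frame:
    src_mac: str
    src_ip: str


class SourceMacFilter:
    def __init__(self, enabled: bool, policy: str, macs):
        if policy not in ("block_listed", "permit_listed"):
            raise ValueError("policy must be 'block_listed' or 'permit_listed'")
        self.enabled, self.policy = enabled, policy
        self.macs = {normalize_mac(m) for m in macs}

    def permits(self, mac: str) -> bool:
        if not self.enabled:            # default: every MAC address is allowed
            return True
        listed = normalize_mac(mac) in self.macs
        return not listed if self.policy == "block_listed" else listed


class IpMacBindings:
    def __init__(self, bindings, log_violations=True, email_violations=False):
        self.ip_of = {normalize_mac(m): ip for m, ip in bindings}
        self.mac_of = {ip: normalize_mac(m) for m, ip in bindings}
        self.log_violations, self.email_violations = log_violations, email_violations
        self.log = []                   # violation records and whether each was emailed

    def violation(self, frame: Frame):
        """Describe the violation, or return None if the frame is consistent."""
        mac, ip = normalize_mac(frame.src_mac), frame.src_ip
        if mac in self.ip_of and self.ip_of[mac] != ip:
            return f"{mac} is bound to {self.ip_of[mac]} but sent from {ip}"
        if ip in self.mac_of and self.mac_of[ip] != mac:
            return f"{ip} is bound to {self.mac_of[ip]} but was used by {mac}"
        return None                     # hosts with no binding are not checked

    def check(self, frame: Frame) -> bool:
        why = self.violation(frame)
        if why is None:
            return True
        if self.log_violations:
            self.log.append({"frame": frame, "reason": why, "emailed": self.email_violations})
        return False


MAC_FILTER = SourceMacFilter(True, "permit_listed",
                             ["00:01:02:03:04:05", "00:01:02:03:04:06", "00:01:02:03:04:07"])
BINDINGS = IpMacBindings([("00:01:02:03:04:05", "192.168.10.10"),   # Host 1 (manual)
                          ("00:01:02:03:04:06", "192.168.10.11"),   # Host 2 (manual)
                          ("00:01:02:03:04:07", "192.168.10.12")],  # Host 3 (constructed)
                         email_violations=True)


def admit(frame: Frame, mac_filter=MAC_FILTER, bindings=BINDINGS) -> str:
    """Assumed order: source MAC filter first, then the IP/MAC binding check."""
    if not mac_filter.permits(frame.src_mac):
        return "blocked by source MAC filter"
    if not bindings.check(frame):
        return "dropped: IP/MAC binding violation"
    return "forwarded"
```

The second binding check (an IP bound to a different MAC) is the one that catches a host that clones a neighbour's address to borrow its permissions; the first catches a bound host that has simply changed its IP.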
Configure Port Triggering
Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you know the port numbers used by the application.
Note: Port triggering is supported for IPv4 devices only.
Once configured, port triggering operates as follows:
1.
Figure 103.
2. In the Add Port Triggering Rule section, enter the settings as explained in the following table:
Table 41. Port Triggering screen settings
Name. A descriptive name of the rule for identification and management purposes.
Enable. From the drop-down list, select Yes to enable the rule. (You can define a rule but not enable it.) The default setting is No.
To remove one or more port triggering rules from the table:
1. Select the check box to the left of each port triggering rule that you want to delete, or click the Select All table button to select all rules.
2. Click the Delete table button.
To display the status of the port triggering rules: Click the Status option arrow in the upper right of the Port Triggering screen. A pop-up screen displays, showing the status of the port triggering rules.
The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the wireless VPN firewall and that have been automatically detected by the wireless VPN firewall:
• Active. A Yes or No indicates if the UPnP device port that established a connection is currently active.
• Protocol.
UPnP lets any software on a LAN host, including malicious software, open inbound port mappings without authentication. Review this table regularly, and leave UPnP disabled unless an application genuinely needs it.
Chapter 6. Virtual Private Networking Using IPSec and L2TP Connections
This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the wireless VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer.
Configuring a VPN tunnel connection requires that you specify all settings on both sides of the VPN tunnel to match or mirror each other precisely, which can be a daunting task. The VPN Wizard guides you through the setup procedure with a series of questions that determine the IPSec keys and VPN policies it sets up.
Figure 107.
To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6. Review them before relying on the tunnel: wizard defaults are chosen for interoperability, and the proposals (encryption, hash, Diffie-Hellman group, lifetimes) should meet your own policy.
Figure 108.
2. Complete the settings as explained in the following table:
Table 42. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel
About VPN Wizard
This VPN tunnel will connect to the following peers. Select the Gateway radio button. The local WAN port's IP address or Internet name displays in the End Point Information section of the screen.
Table 42. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel (continued)
Secure Connection Remote Accessibility
What is the remote LAN IP Address? Enter the LAN IPv4 address of the remote gateway. Note: The remote LAN IPv4 subnet needs to be different from, and must not overlap, the local LAN subnet. For example, if the local subnet is 192.168.1.x, then the remote subnet could be 192.168.10.x but could not be 192.168.1.x.
Figure 110.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.
Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
Figure 112.
To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
Figure 113.
3. Complete the settings as explained in the following table:
Table 43. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel
About VPN Wizard
This VPN tunnel will connect to the following peers. Select the Gateway radio button. The local WAN port's IP address or Internet name displays in the End Point Information section of the screen.
Table 43. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel (continued)
Secure Connection Remote Accessibility
What is the remote LAN IP Address? Enter the LAN IPv6 address of the remote gateway. Note: The remote LAN IPv6 prefix needs to be different from the local LAN IPv6 prefix. For example, if the local LAN IPv6 address is FEC0::1, then the remote LAN IPv6 address could be FEC0:1::1 but could not be FEC0::1.
Figure 115.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.
Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
Use the VPN Wizard to Configure the Gateway for a Client Tunnel
To set up a client-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio button is selected by default. The VPN Wizard screen displays the IPv4 settings. (The following figure contains an example.)
Figure 117.
2. Complete the settings as explained in the following table:
Table 44. IPSec VPN Wizard settings for a client-to-gateway tunnel
About VPN Wizard
This VPN tunnel will connect to the following peers. Select the VPN Client radio button. The default remote FQDN (remote.com) and the default local FQDN (local.com) display in the End Point Information section of the screen. IKE uses these FQDNs only as identity strings that both ends must agree on; they are never resolved, so the placeholders work, but names specific to your site make the policy tables easier to audit.
Figure 118.
Note: When you are using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
4. Optional step: Collect the information that you need to configure the VPN client.
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. At the time of this manual the VPN Client supported IPv4 only; NETGEAR stated that a later release would add IPv6 support.
To use the Configuration Wizard to set up a VPN connection between the VPN client and the wireless VPN firewall:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays:
Figure 119.
2.
Figure 120.
3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays:
Figure 121.
4. Specify the following VPN tunnel parameters:
• IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the wireless VPN firewall. For example, enter 192.168.15.175.
• Preshared key.
5. Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays:
Figure 122.
6. This screen is a summary of the new VPN configuration. Click Finish.
7. Specify the local and remote IDs:
a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
c. Specify the settings that are explained in the following table.
Table 46. VPN client advanced authentication settings
Advanced features
Aggressive Mode. Select this check box to enable aggressive mode as the mode of negotiation with the wireless VPN firewall. With a pre-shared key, aggressive mode sends the identities in the clear and lets a passive observer capture a PSK-derived hash that can be attacked offline, so use a long, random pre-shared key, and prefer main mode wherever the client's addressing allows it.
NAT-T. Select Automatic from the drop-down list to enable the VPN client and wireless VPN firewall to negotiate NAT-T.
Figure 124.
b. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the wireless VPN firewall.
• Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the wireless VPN firewall.
9.
Configure the Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays:
Figure 125.
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1.
Figure 126.
3. Change the name of the authentication phase (the default is Gateway):
a.
Note: This name for the authentication phase is used only by the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be unique.
The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
Figure 127.
4. Specify the settings that are explained in the following table.
Table 47.
5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays:
Figure 128.
7. Specify the settings that are explained in the following table.
Table 48. VPN client advanced authentication settings (continued)
Remote ID. As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the wireless VPN firewall configuration. As the value of the ID, enter local.com as the remote ID for the wireless VPN firewall. Note: The local ID on the wireless VPN firewall is the remote ID on the VPN client.
Figure 129.
3. Specify the settings that are explained in the following table.
Table 49. VPN client IPSec configuration settings
VPN Client address. Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the wireless VPN firewall's LAN; the computer (for which the VPN client opened a tunnel) appears in the LAN with this IP address.
Table 49. VPN client IPSec configuration settings (continued)
PFS and Group. Select the PFS check box, and then select the DH2 (1024) key group from the drop-down list. Note: On the wireless VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit). A 1024-bit MODP group is below current recommendations; if both the firewall and the client offer a larger group (for example, Group 14, 2048 bit), prefer it, and keep PFS enabled in any case so that a compromised IKE key does not expose earlier IPSec traffic.
4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
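The chapter's opening point, that both sides of the tunnel must match or mirror each other precisely, is where most client-to-gateway setups fail: the IDs have to be swapped, the lifetimes the client ships with (3600 s and 1200 s) differ from the firewall's (28800 s and 3600 s), and the LAN subnets must not overlap. The following added example is the editor's code, not NETGEAR's or the VPN client's; it compares a gateway-side policy with a client-side policy and lists every mismatch before anyone clicks Connect. local.com/remote.com, the lifetimes and DH group 2 are the manual's values; the pre-shared key, the proposal names, the subnets and the mirrored-subnet convention for the client side are constructed assumptions, and the warnings are the editor's, not the manual's.

```python
"""Added example (editor's code, not NETGEAR's): checks that a gateway-side
IPsec policy and a client-side policy mirror each other as the manual
requires.  Identifiers must be swapped (the firewall's local ID is the
client's remote ID), PSK, exchange mode, proposals, lifetimes and PFS group
must be equal, and the local and remote LAN subnets must not overlap.
local.com/remote.com, 28800 s / 3600 s and DH group 2 are the manual's values;
the PSK, proposal names and subnets are constructed."""
from ipaddress import ip_network

FIREWALL = {                                    # gateway side, as the wizard sets it up
    "local_id": "local.com", "remote_id": "remote.com",
    "psk": "constructed-long-random-psk",
    "exchange_mode": "aggressive", "auth": "psk",
    "ike_lifetime": 28800, "ipsec_lifetime": 3600,
    "ike_proposal": "3des-sha1-dh2", "ipsec_proposal": "3des-sha1",
    "pfs_group": "dh2",
    "local_lan": "192.168.1.0/24", "remote_lan": "192.168.10.0/24",
}
CLIENT_DEFAULTS = dict(FIREWALL,                # VPN client as installed: lifetimes differ
                       local_id="remote.com", remote_id="local.com",
                       ike_lifetime=3600, ipsec_lifetime=1200,
                       local_lan="192.168.10.0/24", remote_lan="192.168.1.0/24")
CLIENT_FIXED = dict(CLIENT_DEFAULTS, ike_lifetime=28800, ipsec_lifetime=3600)

MIRRORED = (("local_id", "remote_id"), ("remote_id", "local_id"),
            ("local_lan", "remote_lan"), ("remote_lan", "local_lan"))
EQUAL = ("psk", "exchange_mode", "auth", "ike_lifetime", "ipsec_lifetime",
         "ike_proposal", "ipsec_proposal", "pfs_group")


def check_pair(gateway: dict, client: dict) -> dict:
    """Return {'errors': [...], 'warnings': [...]} describing every mismatch."""
    errors, warnings = [], []
    for g_key, c_key in MIRRORED:               # what is local on one end is remote on the other
        if gateway[g_key] != client[c_key]:
            errors.append(f"gateway {g_key}={gateway[g_key]!r} but client {c_key}={client[c_key]!r}")
    for key in EQUAL:                           # what must be identical on both ends
        if gateway[key] != client[key]:
            errors.append(f"{key}: gateway {gateway[key]!r} != client {client[key]!r}")
    local = ip_network(gateway["local_lan"], strict=False)
    remote = ip_network(gateway["remote_lan"], strict=False)
    if local.version != remote.version:
        errors.append("local and remote LAN are different IP versions")
    elif local.overlaps(remote):                # the manual's 192.168.1.x vs 192.168.10.x rule
        errors.append(f"local LAN {local} overlaps remote LAN {remote}")
    if gateway["exchange_mode"] == "aggressive" and gateway["auth"] == "psk":
        warnings.append("aggressive mode with a PSK exposes a PSK-derived hash to offline "
                        "guessing; use a long random PSK, or main mode where possible")
    if gateway["pfs_group"] in ("dh1", "dh2"):
        warnings.append("PFS group below 2048 bits; prefer a larger group if both ends offer it")
    return {"errors": errors, "warnings": warnings}
```

`check_pair(FIREWALL, CLIENT_DEFAULTS)` reports exactly the two lifetime mismatches the manual tells you to correct; after the correction only the two editor's warnings remain. The same function accepts IPv6 prefixes, so the FEC0::/64 versus FEC0:1::/64 case from the IPv6 wizard table can be checked the same way.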
Test the Connection and View Connection and Status Information
• Test the NETGEAR VPN Client Connection
• NETGEAR VPN Client Status and Log Information
• View the Wireless VPN Firewall IPSec VPN Connection Status
• View the Wireless VPN Firewall IPSec VPN Log
Both the NETGEAR ProSafe VPN Client and the wireless VPN firewall provide VPN connection and status information.
• Use the Connection Panel screen. On the main menu of the Configuration Panel screen, select Tools > Connection Panel to open the Connection Panel screen. Perform one of the following tasks:
- Double-click Gateway-Tunnel.
- Right-click Gateway-Tunnel, and select Open tunnel.
- Click Gateway-Tunnel, and press Ctrl+O.
Figure 132.
• Use the system-tray icon. Right-click the system tray icon, and select Open tunnel 'Tunnel'.
Figure 133.
NETGEAR VPN Client Status and Log Information
To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays:
Figure 136.
View the Wireless VPN Firewall IPSec VPN Connection Status
To view the status of current IPSec VPN tunnels, select VPN > Connection Status.
The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 10 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button.
Table 50.
Manage IPSec VPN Policies
• Manage IKE Policies
• Manage VPN Policies
After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and the IKE policy. You can edit existing policies, or manually add new VPN and IKE policies directly in the policy tables.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IKE Policies Screen To access the IKE Policies screen: Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view. In the upper right of the screen, the IPv4 radio button is selected by default. The IKE Policies screen displays the IPv4 settings. (The following figure shows some examples.) To display the IPv6 settings on the IKE Policies screen, select the IPv6 radio button. Figure 139.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To delete one or more IKE polices: 1. Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all IKE policies. 2. Click the Delete table button. For information about how to add or edit an IKE policy, see Manually Add or Edit an IKE Policy on page 224. Note: You cannot delete or edit an IKE policy for which the VPN policy is active without first disabling or deleting the VPN policy.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 140.
4. Complete the settings as explained in the following table:
Table 52. Add IKE Policy screen settings
Setting / Description
Mode Config Record: Do you want to use Mode Config Record? Specify whether the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation on page 243. Select one of the following radio buttons:
• Yes. IP addresses are assigned to remote VPN clients.
Table 52. Add IKE Policy screen settings (continued)
Setting / Description
Local Identifier: From the drop-down list, select one of the following ISAKMP identifiers to be used by the wireless VPN firewall, and then specify the identifier in the Identifier field:
• Local Wan IP. The WAN IP address of the wireless VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
• FQDN.
Table 52. Add IKE Policy screen settings (continued)
Setting / Description
Authentication Method: Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the wireless VPN firewall and the remote endpoint.
• RSA-Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen (see Manage VPN Self-Signed Certificates on page 316).
Table 52. Add IKE Policy screen settings (continued)
Setting / Description
Extended Authentication: XAUTH Configuration. Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device.
Note: For more information about
4. Modify the settings that you wish to change (see the previous table).
5. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.
Manage VPN Policies
You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.
• Manual.
Figure 141.
Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 54 on page 235.
Table 53. VPN Policies screen information for IPv4 and IPv6
Item / Description
! (Status): Indicates whether the policy is enabled (green circle) or disabled (gray circle).
To delete one or more VPN policies:
1. Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all VPN policies.
2. Click the Delete table button.
To enable or disable one or more VPN policies:
1. Select the check box to the left of each policy that you want to enable or disable, or click the Select All table button to select all VPN Policies.
2.
Figure 142.
Figure 143.
4. Complete the settings as explained in the following table. The only differences between IPv4 and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6).
Table 54. Add New VPN Policy screen settings for IPv4 and IPv6
Setting / Description
General
Policy Name: A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Table 54. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
Setting / Description
Traffic Selection
Local IP: From the drop-down list, select the address or addresses that are part of the VPN tunnel on the wireless VPN firewall:
• Any. All computers and devices on the network. You cannot select Any for both the wireless VPN firewall and the remote endpoint.
• Single. A single IP address on the network.
Table 54. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
Setting / Description
Key-Out: The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm:
• 3DES. Enter 24 characters.
• None. Key does not apply.
• DES. Enter 8 characters.
• AES-128. Enter 16 characters.
• AES-192. Enter 24 characters.
• AES-256. Enter 32 characters.
Table 54. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
Setting / Description
Integrity Algorithm: From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
authenticate users from a stored list of user accounts. XAUTH provides the mechanism for requesting individual authentication information from the user. A local user database or an external authentication server, such as a RADIUS server, provides a method for storing the authentication information centrally in the local network. You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available:
• Edge Device.
4. In the Extended Authentication section on the screen, complete the settings as explained in the following table:
Table 55. Extended authentication settings for IPv4 and IPv6
Setting / Description
Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device.
information such as a user name and password or some encrypted response using his or her user name and password information. The gateway then attempts to verify this information first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server.
Table 56. RADIUS Client screen settings (continued)
Setting / Description
Secret Phrase: A shared secret phrase to authenticate the transactions between the client and the primary RADIUS server. The same secret phrase needs to be configured on both the client and the server.
Primary Server NAS Identifier: The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request.
Assign IPv4 Addresses to Remote Users (Mode Config)
• Mode Config Operation
• Configure Mode Config Operation on the Wireless VPN Firewall
• Configure the ProSafe VPN Client for Mode Config Operation
• Test the Mode Config Connection
• Modify or Delete a Mode Config Record
To simplify the process of connecting remote VPN clients to the wireless VPN firewall, use the Mode Config feature to automatically assign IPv4 addresses to remote users, i
Configure Mode Config Operation on the Wireless VPN Firewall
To configure Mode Config on the wireless VPN firewall, first create a Mode Config record, and then select the Mode Config record for an IKE policy.
To configure Mode Config on the wireless VPN firewall:
1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays:
Figure 145.
Figure 146.
3. Complete the settings as explained in the following table:
Table 57. Add Mode Config Record screen settings
Setting / Description
Client Pool
Record Name: A descriptive name of the Mode Config record for identification and management purposes.
First Pool: Assign at least one range of IP pool addresses in the First Pool fields to enable the wireless VPN firewall to allocate these to remote VPN clients.
Table 57. Add Mode Config Record screen settings (continued)
Setting / Description
WINS Server: If there is a WINS server on the local network, enter its IP address in the Primary field. You can enter the IP address of a second WINS server in the Secondary field.
DNS Server: Enter the IP address of the DNS server that is used by remote VPN clients in the Primary field. You can enter the IP address of a second DNS server in the Secondary field.
4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy.
5. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view (see Figure 139 on page 223).
6. Under the List of IKE Policies table, click the Add table button.
Figure 147.
8. On the Add IKE Policy screen, complete the settings as explained in the following table.
Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 52 on page 226 explains the general IKE policy settings.
Table 58. Add IKE Policy screen settings for a Mode Config configuration
Setting / Description
Mode Config Record: Do you want to use Mode Config Record? Select the Yes radio button.
Table 58. Add IKE Policy screen settings for a Mode Config configuration (continued)
Setting / Description
IKE SA Parameters
Note: Generally, the default settings work well for a Mode Config configuration.
Encryption Algorithm: To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm.
Table 58. Add IKE Policy screen settings for a Mode Config configuration (continued)
Setting / Description
Extended Authentication: Select one of the following radio buttons to specify whether Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device.
Note: For more information about
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed.
To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters.
Configure the Mode Config Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1.
Figure 149.
3. Change the name of the authentication phase (the default is Gateway):
  a. Right-click the authentication phase name.
  b. Select Rename.
  c. Type GW_ModeConfig.
  d. Click anywhere in the tree list pane.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
4. Specify the settings that are explained in the following table.
Table 59. VPN client authentication settings (Mode Config)
Setting / Description
Interface: Select Any from the drop-down list.
Remote Gateway: Enter the remote IP address or DNS name of the wireless VPN firewall. For example, enter 192.168.15.175.
Preshared Key: Select the Preshared Key radio button. Enter the pre-shared key that you already specified on the wireless VPN firewall.
7. Specify the settings that are explained in the following table.
Table 60. VPN client advanced authentication settings (Mode Config)
Setting / Description
Advanced features
Mode Config: Select this check box to enable Mode Config.
Aggressive Mode: Select this check box to enable aggressive mode as the mode of negotiation with the wireless VPN firewall.
Note: This is the name for the IPSec configuration that is used only for the VPN client, not during IPSec negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected by default:
Figure 152.
3. Specify the settings that are explained in the following table.
Table 61.
Table 61. VPN client IPSec configuration settings (Mode Config) (continued)
Setting / Description
Subnet mask: Enter 255.255.255.0 as the remote subnet mask of the wireless VPN firewall that opens the VPN tunnel. This is the LAN IP subnet mask that you specified in the Local Subnet Mask field on the Add Mode Config Record screen of the wireless VPN firewall.
2. Specify the following default lifetimes in seconds to match the configuration on the wireless VPN firewall:
• Authentication (IKE), Default. Enter 3600 seconds. Note: The default setting is 28800 seconds (8 hours). However, for a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
• Encryption (IPSec), Default. Enter 3600 seconds.
3.
2. Verify that the wireless VPN firewall issued an IP address to the VPN client. This IP address displays in the VPN Client address field on the IPSec pane of the VPN client. (The following figure shows the upper part of the IPSec pane only.)
Figure 156.
3. From the client computer, ping a computer on the wireless VPN firewall LAN.
establishment time. If you require a VPN tunnel to remain connected, you can use the keep-alive and Dead Peer Detection (DPD) features to prevent the tunnel from being disconnected and to force a reconnection if the tunnel disconnects for any reason. For DPD to function, the peer VPN device on the other end of the tunnel also needs to support DPD. Keep-alive, though less reliable than DPD, does not require any support from the peer device.
4. Enter the settings as explained in the following table:
Table 62. Keep-alive settings
Setting / Description
General
Enable Keepalive: Select the Yes radio button to enable the keep-alive feature. Periodically, the wireless VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.
Figure 158.
4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table:
Table 63. Dead Peer Detection settings
Setting / Description
IKE SA Parameters
Enable Dead Peer Detection: Select the Yes radio button to enable DPD. When the wireless VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection.
To enable NetBIOS bridging on a configured VPN tunnel:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 141 on page 231).
2. Specify the IP version for which you want to edit a VPN policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
• IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3.
is established, the L2TP user can connect to an L2TP client that is located behind the wireless VPN firewall.
Note: IPSec VPN provides stronger authentication and encryption than L2TP. (Packets that traverse the L2TP tunnel are not encapsulated by IPSec.)
You need to enable the L2TP server on the wireless VPN firewall, specify an L2TP server address pool, and create L2TP user accounts.
View the Active L2TP Users
To view the active L2TP tunnel users, select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays:
Figure 161.
The List of L2TP Active Users table lists each active connection with the information that is described in the following table.
Table 65.
7. Virtual Private Networking Using SSL Connections
The wireless VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the wireless VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
The SSL VPN client provides a point-to-point (PPP) connection between the client and the wireless VPN firewall, and a virtual network interface is created on the user’s computer.
Because you need to assign a group when creating an SSL VPN user account, the user account is created after you have created the group.
3. For port forwarding, define the servers and services (see Configure Applications for Port Forwarding on page 273). Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names (FQDNs) with these servers.
You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add additional portal layouts.
The List of Layouts table displays the following fields:
• Layout Name. The descriptive name of the portal.
• Description. The banner message that is displayed at the top of the portal (see Figure 175 on page 290).
• Use Count. The number of authentication domains that use the portal.
• Portal URL:
  - Portal URL (IPv4). The IPv4 URL at which the portal can be accessed.
4. Complete the settings as explained in the following table:
Table 66. Add Portal Layout screen settings
Setting / Description
Portal Layout and Theme Name
Portal Layout Name: A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.
Table 66. Add Portal Layout screen settings (continued)
Setting / Description
ActiveX web cache cleaner: Select this check box to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window.
access policies. When you create a group, you need to specify a domain. Therefore, you should create any domains first, then groups, and then user accounts. For information about how to configure domains, groups, and users, see Configure Authentication Domains, Groups, and Users on page 296.
2. In the Add New Application for Port Forwarding section of the screen, specify information in the following fields:
• IP Address. The IP address of an internal server or host computer that a remote user has access to.
• TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers.
Table 67.
To add servers and host names for client name resolution:
1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see Figure 165 on page 273).
2. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields:
• Local Server IP Address. The IP address of an internal server or host computer that you want to name.
• Fully Qualified Domain Name. The full server name.
• A split tunnel sends only traffic that is destined for the local network based on the specified client routes. All other traffic is sent to the Internet. A split tunnel allows you to manage bandwidth by reserving the VPN tunnel for local traffic only.
• IPv6. Select the IPv6 radio button. The SSL VPN Client screen displays the IPv6 settings (the following screen shows some examples).
Figure 167. SSL VPN Client screen for IPv6
3. Complete the settings as explained in the following table:
Table 68. SSL VPN Client screen settings for IPv4 and IPv6
Setting / Description
Client IP Address Range
Enable Full Tunnel Support: Select this check box to enable full-tunnel support.
Table 68. SSL VPN Client screen settings for IPv4 and IPv6 (continued)
Setting / Description
Secondary DNS Server: The IP address of the secondary DNS server that is assigned to the VPN tunnel clients. This setting is optional.
Client Address Range Begin: The first IP address of the IPv4 address range that you want to assign to the VPN tunnel clients. By default, the first IPv4 address is 192.168.251.1.
3. In the Add Routes for VPN Tunnel Clients section of the screen, specify information in the following fields:
• Destination Network. The destination network IPv4 or IPv6 address of a local network or subnet. For example, for an IPv4 route, enter 192.168.4.20.
• Subnet Mask / Prefix Length. For an IPv4 route, the address of the appropriate subnet mask; for an IPv6 route, the prefix length.
4. Click the Add table button.
Figure 168.
2. In the Add New Resource section of the screen, specify information in the following fields:
• Resource Name. A descriptive name of the resource for identification and management purposes.
• Service. From the Service drop-down list, select the type of service to which the resource applies:
  - VPN Tunnel. The resource applies only to a VPN tunnel.
  - Port Forwarding. The resource applies only to port forwarding.
  - All.
3. Specify the IP version for which you want to add a portal layout:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 4.
• IPv6. Select the IPv6 radio button. The screen that lets you edit the resource displays the IPv6 settings. This screen is identical to the screen for IPv4 (see the next figure, which shows some examples).
Figure 169.
4.
Table 69. Resources screen settings to edit a resource (continued)
Setting / Description
Object Type: From the drop-down list, select one of the following options:
• IP Address. The object is an IPv4 or IPv6 address. You need to enter the IP address or the FQDN in the IP Address / Name field.
• IP Network. The object is an IPv4 or IPv6 network.
For example, a policy that is configured for a single IP address takes precedence over a policy that is configured for a range of addresses. And a policy that applies to a range of IP addresses takes precedence over a policy that is applied to all IP addresses. If two or more IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses.
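To make these precedence rules concrete, the following Python example (added here; it is not NETGEAR code) resolves which SSL VPN policy governs a given destination. The policy names, addresses, and host name in it are constructed for the example.

```python
"""SSL VPN policy precedence resolver (added example, not NETGEAR code).

Ordering as described for FVS318N SSL VPN policies: a policy for a single
IP address (host names count as single addresses) beats a policy for an IP
address range, a range beats a policy for all IP addresses, and among
overlapping ranges the smallest range wins.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class SslVpnPolicy:
    """One SSL VPN policy as entered on the Add SSL VPN Policy screen."""
    name: str
    permission: str             # "Permit" or "Deny"
    applies_to: str             # "address" (IP or host name), "network" (CIDR), or "all"
    target: Optional[str] = None


def _network(policy: SslVpnPolicy):
    # strict=False clears host bits, so 192.168.4.20/24 is read as 192.168.4.0/24.
    return ipaddress.ip_network(policy.target, strict=False)


def _specificity(policy: SslVpnPolicy) -> Tuple[int, int]:
    """Sort key: a lower tuple means higher precedence."""
    if policy.applies_to == "address":
        return (0, 1)                               # single address or host name
    if policy.applies_to == "network":
        return (1, _network(policy).num_addresses)  # smaller range wins
    if policy.applies_to == "all":
        return (2, 0)
    raise ValueError(f"unknown applies_to: {policy.applies_to!r}")


def _matches(policy: SslVpnPolicy, addr, host_name: Optional[str]) -> bool:
    if policy.applies_to == "all":
        return True
    if policy.applies_to == "address":
        try:
            # An IP address target is compared as an address, not as text.
            return ipaddress.ip_address(policy.target) == addr
        except ValueError:
            # Otherwise the target is a host name, treated like one address.
            return host_name is not None and policy.target.lower() == host_name.lower()
    if policy.applies_to == "network":
        net = _network(policy)
        return addr.version == net.version and addr in net
    return False


def resolve(policies: Iterable[SslVpnPolicy], ip: str,
            host_name: Optional[str] = None) -> Optional[SslVpnPolicy]:
    """Return the policy that governs access to ip (and optional host name), or None."""
    addr = ipaddress.ip_address(ip)
    candidates = [p for p in policies if _matches(p, addr, host_name)]
    if not candidates:
        return None
    return min(candidates, key=_specificity)


def effective_permission(policies, ip, host_name=None) -> str:
    policy = resolve(policies, ip, host_name)
    return policy.permission if policy else "No policy"


# Constructed sample policy set (not from the manual).
SAMPLE_POLICIES = [
    SslVpnPolicy("deny-everything", "Deny", "all"),
    SslVpnPolicy("permit-lan", "Permit", "network", "192.168.4.0/24"),
    SslVpnPolicy("deny-mgmt-hosts", "Deny", "network", "192.168.4.16/28"),
    SslVpnPolicy("permit-intranet", "Permit", "address", "192.168.4.20"),
    SslVpnPolicy("permit-files", "Permit", "address", "files.example.test"),
    SslVpnPolicy("permit-v6-lan", "Permit", "network", "2001:db8:4::/64"),
]

if __name__ == "__main__":
    for ip, host in [("192.168.4.20", None), ("192.168.4.17", None),
                     ("192.168.4.100", None), ("10.9.8.7", None),
                     ("10.9.8.7", "files.example.test"), ("2001:db8:4::10", None)]:
        winner = resolve(SAMPLE_POLICIES, ip, host)
        print(f"{ip:16} {host or '-':20} -> {winner.name}: {winner.permission}")
```

Running it shows 192.168.4.17 denied by the /28 even though the /24 permits it, while 192.168.4.20 is permitted because its single-address policy outranks both ranges.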
Figure 170.
2. Make your selection from the following Query options:
• To view all global policies, select the Global radio button.
• To view group policies, select the Group radio button, and then select the relevant group’s name from the drop-down list.
• To view user policies, select the User radio button, and then select the relevant user’s name from the drop-down list.
3. Click the Display action button.
Figure 171. Add SSL VPN Policy screen for IPv4
• IPv6. Select the IPv6 radio button. The Add SSL VPN Policy screen displays the IPv6 settings:
Figure 172.
4. Complete the settings as explained in the following table:
Table 70. Add SSL VPN Policy screen settings
Setting / Description
Policy For: Select one of the following radio buttons to specify the type of SSL VPN policy:
• Global. The new policy is global and includes all groups and users.
• Group. The new policy needs to be limited to a single group. From the drop-down list, select a group name.
Table 70. Add SSL VPN Policy screen settings (continued)
Setting / Description
Apply Policy to? (continued)
IP Address (continued)
Permission: From the drop-down list, select Permit or Deny to specify whether the policy permits or denies access.
IP Network
Policy Name: A descriptive name of the SSL VPN policy for identification and management purposes.
IP Address: The IPv4 or IPv6 network address to which the SSL VPN policy is applied.
Note: If you have configured SSL VPN user policies, make sure that secure HTTP remote management is enabled (see Configure Remote Management Access on page 331). If secure HTTP remote management is not enabled, all SSL VPN user connections are disabled.
To edit an SSL VPN policy:
1. On the Policies screen (see Figure 170 on page 284), click the Edit button in the Action column for the SSL VPN policy that you want to modify.
2. Specify the IP version for which you want to open the SSL portal login screen:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3.
Figure 173. Portal Layouts screen for IPv4
• IPv6. Select the IPv6 radio button. The Portal Layouts screen displays the IPv6 settings.
Figure 174. Portal Layouts screen for IPv6
3.
Figure 175.
4. Enter a user name and password that are associated with a domain that, in turn, is associated with the portal. For information about creating login credentials to access a portal, see Configure Domains, Groups, and Users on page 272.
5. Click Login. The User Portal screen displays.
Figure 176.
Figure 177.
The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections:
• VPN Tunnel. Provides full network connectivity.
• Port Forwarding. Provides access to the network services that you defined as described in Configure Applications for Port Forwarding on page 273.
• Change Password. Allows the user to change his or her password.
• Support. Provides access to the NETGEAR website.
Note: The first time that a user attempts to connect through the VPN tunnel, the NETGEAR SSL VPN tunnel adapter is installed; the first time that a user attempts to connect through the port forwarding tunnel, the NETGEAR port forwarding engine is installed.
Figure 179.
8. Manage Users, Authentication, and VPN Certificates
This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN.
Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The following table summarizes the external authentication protocols and methods that the wireless VPN firewall supports.
Table 71.
Configure Authentication Domains, Groups, and Users
• Configure Domains
• Configure Groups
• Configure User Accounts
• Set User Login Policies
• Change Passwords and Other User Settings
Configure Domains
The domain determines the authentication method to be used for associated users.
The List of Domains table displays the domains with the following fields:
• Check box. Allows you to select the domain in the table.
• Domain Name. The name of the domain. The name of the default domain (geardomain) to which the default SSL-VPN portal is assigned is appended by an asterisk.
• Authentication Type. The authentication method that is assigned to the domain.
• Portal Layout Name. The SSL portal layout that is assigned to the domain.
Table 72. Add Domain screen settings (continued)
Setting / Description
Authentication Type (continued):
• Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the following fields:
  - Authentication Server
  - Authentication Secret
• Radius-MSCHAP. RADIUS Microsoft CHAP.
Note: If you select any type of RADIUS
Table 72. Add Domain screen settings (continued)
Setting / Description
LDAP
Base DN: The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This should be a user in the LDAP directory who has read access to all the users that you would like to import into the wireless VPN firewall. The Bind DN field accepts two formats:
• A display name in the DN format. For example: cn=Jamie Hanson,cn=users,dc=test,dc=com.
Edit Domains To edit a domain: 1. Select Users > Domains. The Domains screen displays (see Figure 180 on page 296). 2. In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edit. The Edit Domains screen displays. This screen is very similar to the Add Domains screen (see the previous figure). 3. Modify the settings as explained in the previous table.
Create Groups To create a VPN group: 1. Select Users > Groups. The Groups screen displays. (The following figure shows the wireless VPN firewall's default group, geardomain, and, as an example, several other groups in the List of Groups table.) Figure 182. The List of Groups table displays the VPN groups with the following fields: • Check box. Allows you to select the group in the table. • Name. The name of the group.
Figure 183. 3. Complete the settings as explained in the following table: Table 73. Add Group screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management purposes. Domain The drop-down list shows the domains that are listed on the Domains screen. From the drop-down list, select the domain with which the group is associated.
Edit Groups For groups that were automatically created when you created a domain, you can modify only the idle time-out settings but not the group name or the associated domain. For groups that you created on the Add Groups screen, you can modify the domain and the idle time-out settings but not the group name. To edit a VPN group: 1. Select Users > Groups. The Groups screen displays (see Figure 182 on page 301). 2.
• IPSec VPN user. A user who can make an IPSec VPN connection only through a NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see Configure Extended Authentication (XAUTH) on page 238). • L2TP user. A user who can connect over an L2TP connection to an L2TP client that is located behind the wireless VPN firewall. To create a user account: 1. Select Users > Users. The Users screen displays.
Figure 185. 3. Enter the settings as explained in the following table: Table 74. Add Users screen settings Setting Description User Name A descriptive (alphanumeric) name of the user for identification and management purposes. User Type From the drop-down list, select one of the predefined user types that determines the access credentials: • Administrator.
To delete one or more user accounts: 1. In the List of Users table, select the check box to the left of each user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete the default admin or guest account. 2. Click the Delete table button.
3. Make the following optional selections: • To prohibit the user from logging in to the wireless VPN firewall, select the Disable Login check box. • To prohibit the user from logging in from the WAN interface, select the Deny Login from WAN Interface check box. In this case, the user can log in only from the LAN interface. Note: For security reasons, the Deny Login from WAN Interface check box is selected by default for guests and administrators. Leave it selected unless you have a specific need for WAN-side administration, and in that case restrict the allowed sources further with the Defined Addresses table.
4. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table. • Allow Login only from Defined Addresses. Allow logging in from the IP addresses in the Defined Addresses table. 5. Click Apply to save your settings. 6.
Figure 188. 5. In the Defined Addresses Status section of the screen, select one of the following radio buttons: • Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table. • Allow Login only from Defined Addresses. Allow logging in from the IP addresses in the Defined Addresses table. 6. Click Apply to save your settings. 7.
9. Repeat Step 7 and Step 8 for any other addresses that you want to add to the Defined Addresses table. To delete one or more IPv6 addresses: 1. In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses. 2. Click the Delete table button.
5. Click Apply to save your settings. 6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list: • Internet Explorer. • Opera. • Netscape Navigator. • Firefox. Mozilla Firefox. • Mozilla. Other Mozilla browsers. The wireless VPN firewall can identify a browser only from the User-Agent string that the client sends, and a client can set that string to any value, so treat the browser policy as a usability filter rather than as an access control. 7. Click the Add table button. The browser is added to the Defined Browsers table. 8.
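The login policy that the preceding steps build up (Disable Login, Deny Login from WAN Interface, a Defined Addresses table in deny or allow-only mode for IPv4 and IPv6, and a Defined Browsers table in deny or allow-only mode) can be checked offline before you lock an account down. The following Python is an added example and not NETGEAR code: the policy fields, the User-Agent-to-browser mapping, and every sample address and User-Agent string are assumptions.

```python
"""Offline check of a user login policy as built on the Users > Login Policies
screens.  Added example, not NETGEAR code: the policy fields, the browser
mapping and every sample value below are assumptions."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class LoginPolicy:
    disable_login: bool = False
    deny_login_from_wan: bool = True       # selected by default for admin and guest
    address_mode: str = "deny"             # "deny" or "allow_only" (Defined Addresses Status)
    defined_addresses: list = field(default_factory=list)   # IPv4/IPv6 addresses or prefixes
    browser_mode: str = "deny"             # "deny" or "allow_only" (Defined Browsers)
    defined_browsers: set = field(default_factory=set)


# Assumed User-Agent substrings for the browser names on the screen; the order
# matters because almost every User-Agent string starts with "Mozilla".
BROWSER_SIGNATURES = (
    ("Trident", "Internet Explorer"),
    ("MSIE", "Internet Explorer"),
    ("Opera", "Opera"),
    ("Firefox", "Firefox"),
    ("Netscape", "Netscape Navigator"),
    ("Mozilla", "Mozilla"),
)


def identify_browser(user_agent: str) -> str:
    """Map a User-Agent string to one of the screen's browser names."""
    for needle, name in BROWSER_SIGNATURES:
        if needle in user_agent:
            return name
    return "Unknown"


def address_in_table(src_ip: str, entries) -> bool:
    """True if src_ip falls inside any entry; IPv4 and IPv6 entries never match each other."""
    ip = ipaddress.ip_address(src_ip)
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == ip.version and ip in net:
            return True
    return False


def evaluate_login(policy: LoginPolicy, interface: str, src_ip: str, user_agent: str):
    """Return (allowed, reason).  interface is "LAN" or "WAN".  Every check is a
    denial on its own, so a login has to pass all of them."""
    if policy.disable_login:
        return False, "Disable Login is set"
    if interface == "WAN" and policy.deny_login_from_wan:
        return False, "Deny Login from WAN Interface is set"
    listed = address_in_table(src_ip, policy.defined_addresses)
    if policy.address_mode == "deny" and listed:
        return False, "source address is in the Defined Addresses table (deny mode)"
    if policy.address_mode == "allow_only" and not listed:
        return False, "source address is not in the Defined Addresses table (allow-only mode)"
    browser = identify_browser(user_agent)
    in_table = browser in policy.defined_browsers
    if policy.browser_mode == "deny" and in_table:
        return False, f"{browser} is in the Defined Browsers table (deny mode)"
    if policy.browser_mode == "allow_only" and not in_table:
        return False, f"{browser} is not in the Defined Browsers table (allow-only mode)"
    return True, "allowed"


if __name__ == "__main__":
    # Constructed sample policy: admin may log in only from the LAN management
    # prefixes, and Internet Explorer is refused.
    admin = LoginPolicy(address_mode="allow_only",
                        defined_addresses=["192.168.1.0/24", "2001:db8::/32"],
                        browser_mode="deny", defined_browsers={"Internet Explorer"})
    firefox = "Mozilla/5.0 (X11; Linux) Firefox/10.0"
    for iface, ip in (("LAN", "192.168.1.20"), ("WAN", "203.0.113.5"), ("LAN", "192.168.2.20")):
        print(iface, ip, evaluate_login(admin, iface, ip, firefox))
```

The checks are applied in the same order as the screen presents them; the first one that fails gives the reason, which is what you want in an audit log of refused administrator logins.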
To modify user settings, including passwords: 1. Select Users > Users. The Users screen displays (see Figure 184 on page 304). 2. In the Action column of the List of Users table, click the Edit table button for the user for which you want to modify the settings. The Edit Users screen displays: Figure 190. 3. Change the settings as explained in the following table: Note: Once established, you cannot change the user name or the group.
Table 77. Edit User screen settings (continued) Setting Description Check to Edit Password Select this check box to make the password fields accessible so that you can modify the password. Enter Your Password Enter the password with which you logged in. New Password Enter the new password. Confirm New Password Reenter the new password for confirmation. Idle Timeout
certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is uploaded only to the IPSec VPN certificate repository. The wireless VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities.
• Self Certificate Requests table. Contains the certificate signing requests that you generated on the wireless VPN firewall. These requests might or might not have been submitted to CAs, and CAs might or might not have issued digital certificates for these requests. Only the certificates in the Active Self Certificates table are active on the wireless VPN firewall (see Manage VPN Self-Signed Certificates on page 316). • Certificate Revocation Lists (CRL) table.
3. Click the Upload table button. If the verification process on the wireless VPN firewall approves the digital certificate for validity and purpose, the digital certificate is added to the Trusted Certificates (CA Certificates) table. To delete one or more digital certificates: 1.
Generate a CSR and Obtain a Self-Signed Certificate from a CA A self certificate identifies the wireless VPN firewall itself to remote VPN peers. The certificates described here are issued by a CA, so, despite the heading, they are not self-signed in the cryptographic sense. To use one, you first request the digital certificate from a CA, and then download and activate the digital certificate on the wireless VPN firewall. To request the certificate from a CA, you generate a certificate signing request (CSR) for and on the wireless VPN firewall; the matching private key stays on the device, and only the CSR, which carries the public key but not the private key, is sent to the CA.
2. In the Generate Self Certificate Request section of the screen, enter the settings as explained in the following table: Table 78. Generate self certificate request settings Setting Description Name A descriptive name for the certificate request, for identification and management purposes. Subject The name that other organizations see as the holder (owner) of the certificate.
Figure 194. 5. Copy the contents of the Data to supply to CA text field into a text file, including all of the data from "-----BEGIN CERTIFICATE REQUEST-----" through "-----END CERTIFICATE REQUEST-----". 6. Submit your CSR to a CA: a. Connect to the website of the CA. b. Start the CSR procedure. c.
To delete one or more CSRs: 1. In the Self Certificate Requests table, select the check box to the left of each CSR that you want to delete, or click the Select All table button to select all CSRs. 2. Click the Delete table button. View and Manage Self-Signed Certificates The Active Self Certificates table on the Certificates screen (see Figure 193 on page 317) shows the digital certificates issued to you by a CA and available for use.
Figure 195. Certificates, screen 3 of 3 The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release dates: • CA Identity. The official name of the CA that issued the CRL. • Last Update. The date when the CRL was released. • Next Update. The date when the next CRL will be released. Certificates that the CA revokes after the Last Update date are unknown to the wireless VPN firewall until you upload a newer CRL, so schedule an upload before each Next Update date. 2. In the Upload CRL section, click the Browse button and navigate to the CRL file that you previously downloaded from a CA. 3.
9. Network and System Management This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the wireless VPN firewall.
Features That Reduce Traffic You can adjust the following features of the wireless VPN firewall in such a way that the traffic load on the WAN side decreases: • LAN WAN outbound rules (also referred to as service blocking) • DMZ WAN outbound rules (also referred to as service blocking) • Content filtering • Source MAC filtering LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking) You can control specific outbound traffic (from L
- Single address. The rule applies to the address of a particular computer. - Address range. The rule applies to a range of addresses. - Groups. The rule applies to a group of computers. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.
Source MAC Filtering If you want to reduce outgoing traffic by preventing Internet access by certain computers on the LAN, you can use the source MAC filtering feature to drop the traffic received from the computers with the specified MAC addresses. By default, this feature is disabled; all traffic received from computers with any MAC address is allowed. Because a MAC address can be changed in software on most operating systems, treat this feature as a traffic-management convenience rather than as a security boundary. See Enable Source MAC Filtering on page 183 for the procedure about how to use this feature.
rules, see Configure LAN WAN Rules on page 138 and Configure DMZ WAN Rules on page 145. When you define inbound firewall rules, you can further refine their application according to the following criteria: • Services. You can specify the services or applications to be covered by an inbound rule.
Port Triggering Port triggering allows some applications running on the LAN to be reachable by external applications that the firewall would otherwise partially block. Using the port triggering feature requires that you know the port numbers used by the application. Without port triggering, the response from the external application would be treated as a new connection request rather than as a response to a request from the LAN. With port triggering, an outbound connection from a LAN host to the configured trigger port opens the configured inbound ports for that host only, and the opening closes again after a period of inactivity.
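The mechanism is easier to reason about as state: an outbound connection to the trigger port arms an opening for that one LAN host, unsolicited inbound packets on the opened range are forwarded to that host while the opening is alive, and everything else is still dropped. The following Python simulation is an added example, not device code; the rule layout, the sample rule (outbound trigger port 7070 opening inbound ports 7070 to 7090), the 600-second idle timeout and the sample flows are assumptions, and the simulation ignores how the real device resolves two hosts that have armed the same rule.

```python
"""Simulation of the stateful mechanism behind port triggering.  Added example,
not device code: the rule layout, the sample rule and the 600 s idle timeout
are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class TriggerRule:
    name: str
    outgoing_port: int      # LAN-to-WAN destination port that arms the rule
    incoming_low: int       # inbound port range opened back to the LAN host
    incoming_high: int
    timeout: int = 600      # seconds of inactivity before the opening closes


class PortTriggerTable:
    """Tracks which LAN host armed which rule, and until when."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.openings = {}  # (lan_ip, rule) -> expiry timestamp in seconds

    def outbound(self, lan_ip, dst_port, now):
        """Called for every new LAN-to-WAN connection; returns the rules it armed."""
        armed = []
        for rule in self.rules:
            if rule.outgoing_port == dst_port:
                self.openings[(lan_ip, rule)] = now + rule.timeout
                armed.append(rule.name)
        return armed

    def inbound(self, dst_port, now):
        """Unsolicited WAN-to-LAN packet: return the LAN host it is forwarded to,
        or None when no live opening covers the port (the firewall drops it)."""
        for (lan_ip, rule), expiry in list(self.openings.items()):
            if now >= expiry:
                del self.openings[(lan_ip, rule)]   # idle opening has closed
                continue
            if rule.incoming_low <= dst_port <= rule.incoming_high:
                self.openings[(lan_ip, rule)] = now + rule.timeout  # traffic keeps it open
                return lan_ip
        return None


def demo():
    """Constructed sample flows; returns the forwarding decisions in order."""
    table = PortTriggerTable([TriggerRule("app", 7070, 7070, 7090)])
    decisions = []
    decisions.append(table.inbound(7080, 0))                 # nothing armed: dropped
    table.outbound("192.168.1.10", 7070, 0)                  # LAN host arms the rule
    decisions.append(table.inbound(7080, 5))                 # forwarded to that host
    decisions.append(table.inbound(8000, 6))                 # outside the range: dropped
    decisions.append(table.inbound(7080, 700))               # opening expired: dropped
    return decisions


if __name__ == "__main__":
    print(demo())
```

Compared with a static inbound rule, the opening exists only after the LAN host asked for it, only toward that host, and only for the idle window; that is why port triggering is the smaller exposure of the two when an application needs unsolicited inbound connections.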
Use QoS and Bandwidth Assignment to Shift the Traffic Mix By setting the QoS priority and assigning bandwidth profiles to firewall rules, you can shift the traffic mix to aim for optimum performance of the wireless VPN firewall. Set QoS Priorities The QoS priority settings determine the Quality of Service for the traffic passing through the wireless VPN firewall. You can assign a QoS priority to LAN WAN and DMZ WAN outbound firewall rules.
System Management • Change Passwords and Administrator and Guest Settings • Configure Remote Management Access • Use the Command-Line Interface • Use a Simple Network Management Protocol Manager • Manage the Configuration File • Update the Firmware • Configure Date and Time Service Change Passwords and Administrator and Guest Settings The default administrator and default guest passwords for the web management interface are both password. Change both before you connect the wireless VPN firewall to the Internet; the default values are public knowledge.
2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin. The Edit Users screen displays: Figure 197. You cannot modify the administrator user name, user type, or group assignment. 3. Select the Check to Edit Password check box. The password fields become available. 4. Enter the old password, enter the new password, and then confirm the new password.
You can also change the administrator login policies: • Disable login. Deny login access. Note: You obviously do not want to deny login access to yourself if you are logged in as an administrator. • Deny login access from a WAN interface. By default, the administrator cannot log in from a WAN interface. You can change this setting to allow login access from a WAN interface. • Deny or allow login access from specific IP addresses.
To configure the wireless VPN firewall for remote management: 1. Select Administration > Remote Management. The Remote Management screen displays the IPv4 settings (see the next figure). 2. Specify the IP version for which you want to configure remote management: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3. Figure 198. Remote Management screen for IPv4 • IPv6.
Figure 199. Remote Management screen for IPv6 3. Enter the settings as explained in the following table: Table 79. Remote Management screen settings for IPv4 and IPv6 Setting Description Secure HTTP Management Allow Secure HTTP Management? To enable secure HTTP management, select the Yes radio button, which is the default setting. To disable secure HTTP management, select the No radio button.
Table 79. Remote Management screen settings for IPv4 and IPv6 (continued) Setting Description Allow Secure HTTP Management? (continued) Port Number Enter the port number through which access is allowed. The default port number is 443. Note: The URL through which you can securely manage over an HTTPS connection displays below the Port Number field. Telnet Management Allow Telnet Management? To enable Telnet management, select the Yes radio button. Telnet carries the login and the whole session in cleartext, so leave it disabled unless you need it, and do not enable it on the WAN interface.
• To maintain security, the wireless VPN firewall rejects a login that uses http://address rather than the SSL https://address. • The first time that you remotely connect to the wireless VPN firewall with a browser through an SSL connection, you might get a warning message regarding the SSL certificate, typically because the certificate on the device is not issued by a CA that your browser trusts. If you are using a Windows computer with Internet Explorer 7.0 or later, click Yes to accept the certificate, but only after you have confirmed that it is the certificate installed on the wireless VPN firewall; accepting an unexpected certificate on an untrusted network hands your administrator password to whoever presented it.
SNMP lets you monitor and manage your wireless VPN firewall from an SNMP manager. It provides a remote means to monitor and control network devices, and to manage configurations, statistics collection, performance, and security. The wireless VPN firewall supports SNMPv1, SNMPv2c, and SNMPv3. SNMPv1 and SNMPv2c identify the manager only by a community string that travels in cleartext, so prefer SNMPv3 with authentication wherever the manager supports it, and restrict every SNMP entry to the manager's address. To configure the SNMP settings: 1. Select Administration > SNMP. The SNMP screen displays. (The following figure contains an example.) Figure 200.
2. To specify a new SNMP configuration, in the Create New SNMP Configuration Entry section of the screen, enter the settings as explained in the following table: Table 80. SNMP screen settings Setting Description IP Address Enter the IP address of the new SNMP manager. Subnet Mask Enter the subnet mask of the new SNMP manager.
To delete one or more SNMP configurations: 1. On the SNMP screen (see Figure 200 on page 336), select the check box to the left of each SNMP configuration that you want to delete, or click the Select All table button to select all SNMP configurations. 2. Click the Delete table button. To edit the SNMPv3 default users: 1.
Table 81. Edit User screen settings for SNMPv3 users (continued) Setting Description Authentication Algorithm From the drop-down list, select the protocol for authenticating an SNMPv3 user: • MD5. Message Digest 5. This is a hash algorithm that produces a 128-bit digest. • SHA1. Secure Hash Algorithm 1. This is a hash algorithm that produces a 160-bit digest. Prefer SHA1 where the manager supports it.
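What the manager and the wireless VPN firewall actually do with the Authentication Algorithm and passphrase is defined in RFC 3414: the passphrase is stretched into a key, that key is localized to the agent's engine ID so that each agent holds a different key, and the localized key authenticates every message with a 96-bit HMAC. The following Python is an added example and not NETGEAR code; the engine ID and the message in the demo are constructed values, and the key-derivation results are checked against the RFC 3414 Appendix A test vectors.

```python
"""RFC 3414 key derivation for SNMPv3 USM users.  Added example, not NETGEAR
code; the sample engine ID and message are constructed, the expected keys are
the RFC 3414 Appendix A test vectors."""
import hashlib
import hmac

DIGEST = {"MD5": "md5", "SHA1": "sha1"}   # the two choices on the Edit User screen
ONE_MEGABYTE = 1048576                     # bytes hashed by the password-to-key step
HMAC96_LEN = 12                            # msgAuthenticationParameters length


def password_to_key(password: bytes, algorithm: str) -> bytes:
    """Ku = H(passphrase repeated cyclically to exactly 1,048,576 bytes).
    The one-megabyte expansion is the protocol's only slowdown for guessing."""
    if not password:
        raise ValueError("empty passphrase")
    repeats = ONE_MEGABYTE // len(password) + 1
    stream = (password * repeats)[:ONE_MEGABYTE]
    return hashlib.new(DIGEST[algorithm], stream).digest()


def localize_key(password: bytes, engine_id: bytes, algorithm: str) -> bytes:
    """Kul = H(Ku || engineID || Ku): the same passphrase gives a different key on
    every agent, so a key recovered from one device does not open another."""
    ku = password_to_key(password, algorithm)
    return hashlib.new(DIGEST[algorithm], ku + engine_id + ku).digest()


def auth_parameters(localized_key: bytes, algorithm: str, message: bytes) -> bytes:
    """HMAC-96: HMAC over the whole message, truncated to the first 12 bytes."""
    return hmac.new(localized_key, message, DIGEST[algorithm]).digest()[:HMAC96_LEN]


def verify_message(localized_key: bytes, algorithm: str, message: bytes, received: bytes) -> bool:
    """Constant-time comparison of the received authentication parameters."""
    return hmac.compare_digest(auth_parameters(localized_key, algorithm, message), received)


if __name__ == "__main__":
    passphrase = b"maplesyrup"                                # RFC 3414 test passphrase
    engine_a = bytes.fromhex("000000000000000000000002")      # RFC 3414 test engine ID
    engine_b = bytes.fromhex("000000000000000000000003")      # constructed second agent
    for algorithm in ("MD5", "SHA1"):
        key_a = localize_key(passphrase, engine_a, algorithm)
        key_b = localize_key(passphrase, engine_b, algorithm)
        print(algorithm, "agent A", key_a.hex())
        print(algorithm, "agent B", key_b.hex(), "(different key, same passphrase)")
    msg = b"\x30\x2e\x02\x01\x03..."                            # constructed stand-in for a message
    tag = auth_parameters(key_a, "SHA1", msg)
    print("HMAC-96:", tag.hex(), "verifies:", verify_message(key_a, "SHA1", msg, tag))
```

Two points for the configuration screen follow from the code: the localized key is derived from the passphrase with one unsalted hash pass, so the passphrase itself needs to be long, and authentication covers integrity and origin only; confidentiality of the SNMP payload requires the separate privacy setting.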
Table 82. SNMP SysConfiguration screen settings (continued) Setting Description SysName Enter the name of the wireless VPN firewall for SNMP identification purposes. The default name is FVS318N. 3. Click Apply to save your changes. Manage the Configuration File The configuration settings of the wireless VPN firewall are stored in a configuration file on the wireless VPN firewall.
Back Up Settings The backup feature saves all wireless VPN firewall settings to a file. Back up your settings periodically, and store the backup file in a safe place: it holds the device's secrets, such as IPSec pre-shared keys and account settings, so protect it like a password file. Tip: You can use a backup file to export all settings to another wireless VPN firewall that has the same language and management software versions. Remember to change the IP address of the second wireless VPN firewall before deploying it to eliminate IP address conflicts on the network.
WARNING: Once you start restoring settings, do not interrupt the process. Do not try to go online, turn off the wireless VPN firewall, shut down the computer, or do anything else to the wireless VPN firewall until the settings have been fully restored.
Update the Firmware You can install a different version of the wireless VPN firewall firmware from the Settings Backup and Firmware Upgrade screen. To view the current version of the firmware that the wireless VPN firewall is running, from the main menu, select Monitoring. The Router Status screen displays, showing the firmware version in the System Info section of the screen. After you have updated the firmware, the new firmware version is displayed.
Configure Date and Time Service Configure date, time, and NTP server designations on the System Date & Time screen. Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times in a network of computers. Setting the correct system time and time zone ensures that the date and time recorded in the wireless VPN firewall logs and reports are accurate, which you need when correlating them with logs from other systems. Correct time also matters for certificate-based VPN authentication, because a certificate is checked against its validity period. To set time, date, and NTP servers: 1. Select Administration > Time Zone.
Table 83. Time Zone screen settings (continued) Setting Description NTP Servers (default or custom) Select one of the following radio buttons to specify the NTP servers: • Use Default NTP Servers. The wireless VPN firewall regularly updates its RTC by contacting a default NETGEAR NTP server on the Internet. • Use Custom NTP Servers.
10. Monitor System Access and Performance This chapter describes the system-monitoring features of the wireless VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described.
Figure 206. 2.
Table 84. Broadband Traffic Meter screen settings Setting Description Enable Traffic Meter Do you want to enable Traffic Metering on Broadband? Select one of the following radio buttons to configure traffic metering: • Yes. Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN interface.
Table 84. Broadband Traffic Meter screen settings (continued) Setting Description When Limit is reached Block Traffic Select one of the following radio buttons to specify which action the wireless VPN firewall performs when the traffic limit has been reached: • Block All Traffic. All incoming and outgoing Internet and email traffic is blocked. • Block All Traffic Except E-Mail.
Figure 208.
2. Enter the settings as explained in the following table: Table 85. Firewall Logs & E-mail screen settings Setting Description Log Options Log Identifier Enter the name of the log identifier. The identifier is appended to log messages to identify the device that sent the log messages. The default identifier is FVS318N. If several devices send to the same syslog server or mailbox, give each one a unique identifier so that their messages can be told apart.
Table 85. Firewall Logs & E-mail screen settings (continued) Setting Description Enable E-mail Logs Do you want logs to be emailed to you? Select the Yes radio button to enable the wireless VPN firewall to email logs to a specified email address. Complete the fields that are shown on the right side of the screen. Select the No radio button to prevent the logs from being emailed, which is the default setting.
Table 85. Firewall Logs & E-mail screen settings (continued) Setting Description Enable SysLogs Do you want to enable syslog? To enable the wireless VPN firewall to send logs to a specified syslog server, select the Yes radio button. Complete the fields that are shown on the right side of the screen. To prevent the logs from being sent, select the No radio button, which is the default setting.
The following sections describe steps 2 through 4, using the topology that is described in the following table (Gateway 1 at Site 1 / Gateway 2 at Site 2):
WAN IP address: 10.0.0.1 / 10.0.0.2
LAN IP address: 192.168.10.0 / 192.168.20.0
LAN subnet mask: 255.255.255.0 / 255.255.255.0
LAN IP address of the syslog server: 192.168.10.
Configure Gateway 2 at Site 2 To create a gateway-to-gateway VPN tunnel to Gateway 1, using the IPSec VPN wizard: 1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. 2. Configure a gateway-to-gateway VPN tunnel using the following information: • Connection name. Any name of your choice • Pre-shared key. The same key as you configured on Gateway 1 • Remote WAN IP address. 10.0.0.1 • Local WAN IP address. 10.0.0.
View Status Screens • View the System Status • View the VPN Connection Status and L2TP Users • View the VPN Logs • View the Port Triggering Status • View the WAN Port Status • View the Attached Devices and the DHCP Log • View the Status of a Wireless Profile View the System Status When you start up the wireless VPN firewall, the default screen that displays is the Router Status screen.
Figure 209. The following table explains the fields of the Router Status screen: Table 86. Router Status screen information Item Description System Info System Name The NETGEAR system name. Firmware Version The installed firmware version. LAN (VLAN) Information For each of the LAN ports, the screen shows the IP address and subnet mask. For more detailed information, see Table 88 on page 361.
Table 86. Router Status screen information (continued) Item Description LAN IPv4/IPv6 Information MAC Address The MAC address of the wireless VPN firewall. IPv6 Address The IPv6 address that is assigned to the wireless VPN firewall. For information about configuring the IPv6 address, see Configure the IPv6 Internet Connection and WAN Settings on page 37. DHCP Server The status of the IPv4 DHCP server (Enabled or Disabled).
Figure 210. The following table explains the fields of the Router Statistics screen. To change the poll interval period, enter a new value (in seconds) in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Table 87. Router Statistics screen information Item Description System up Time The period since the last time that the wireless VPN firewall was started up.
Figure 211.
The following table explains the fields of the Detailed Status screen: Table 88. Detailed Status screen information Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile The name of the VLAN profile that you assigned to this port on the LAN Setup screen (see Assign and Manage VLAN Profiles on page 56).
Table 88. Detailed Status screen information (continued) Item Description NAT (IPv4 only) The NAT state can be either Enabled or Disabled, depending on whether NAT is enabled (see Network Address Translation on page 27) or classical routing is enabled (see Classical Routing on page 27).
Table 88. Detailed Status screen information (continued) Item Description Wireless Profile Information SSID The SSID of the wireless profile. Security Settings The security settings of the wireless profile.
View the VPN Connection Status and L2TP Users The Connection Status screens display a list of IPSec VPN connections, SSL VPN connections, and L2TP users who are currently logged in to the wireless VPN firewall. To view the active IPSec VPN connections: Select VPN > Connection Status. The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view: Figure 213.
To disconnect an active user, click the Disconnect table button to the right of the user's table entry. To view the active L2TP tunnel users: Select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays: Figure 215. The active user name, the client's IP address on the remote LAC, and the IP address that is assigned by the L2TP server on the wireless VPN firewall are listed in the table.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To display the SSL VPN log: Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays: Figure 217. View the Port Triggering Status To view the status of the port triggering feature: 1. Select Security > Port Triggering. The Port Triggering screen displays. (The following figure shows one rule in the Port Triggering Rules table as an example.) Figure 218.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N 2. Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status pop-up screen displays. Figure 219. The Port Triggering Status screen displays the information that is described in the following table: Table 89. Port Triggering Status screen information Item Description # The sequence number of the rule onscreen. Rule The name of the port triggering rule that is associated with this entry.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 220. The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table: Table 90. Connection Status screen information for an IPv4 connection Item Description Connection Time The period that the wireless VPN firewall has been connected through the WAN port. Connection Type The connection type can be either DHCP or Static IP.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 WAN Port Status To view the IPv6 status of the WAN port: 1. Select Network Configuration > WAN Settings > Broadband ISP Settings (IPv6). The Broadband ISP Settings (IPv6) screen displays (see Figure 19 on page 40). 2. Click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a dynamic IP address configuration.) Figure 221.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View the Attached Devices and the DHCP Log The LAN Groups screen shows the network database, which is the Known PCs and Devices table, which contains all IP devices that wireless VPN firewall has discovered on the local network. The LAN Setup screen lets you access the DHCP log. View the Attached Devices To view the attached devices on the LAN Groups screen: Select Network Configuration > LAN Setup > LAN Groups. The LAN Groups screen displays.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N assigned a static IP address, you need to update this entry manually after the IP address on the computer or device has changed. • MAC Address. The MAC address of the computer’s or device’s network interface. • Group. Each computer or device can be assigned to a single LAN group. By default, a computer or device is assigned to Group 1.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N View the Status of a Wireless Profile To view the status of a specific wireless profile: 1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. 2. Click the Status button in the Status column for the wireless profile for which you want to display the status information. The Wireless Profile Status screen displays: Figure 224.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 92. Wireless Profile Status screen fields (continued) Item Description Connected Clients MAC Address The MAC address of the client. Radio The radio to which the client is connected. By default, the radio is always 1, indicating the 2.4 GHz radio. Security The type of security that the client is using (Open, WEP, WPA, WPA2, or WPA+WPA2). Encryption The type of encryption that the client is using (CCMP, TKIP, or TKIP + CCMP).
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 225. • IPv6. Select the IPv6 radio button. The Diagnostics screen displays the IPv6 settings: Figure 226. The various tasks that you can perform on the Diagnostics screen are explained in the following sections.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Send a Ping Packet Use the ping utility to send a ping packet request in order to check the connection between the wireless VPN firewall and a specific IP address or FQDN. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results are displayed on a new screen. To send a ping: 1.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Display the Routing Tables Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems. To display the routing table: On the Diagnostics screen for IPv4, in the Router Options section of the screen, click the Display button next to Display the IPv4 Routing Table. The routing table is shown in the Route Display pop-up screen.
Reboot the Wireless VPN Firewall Remotely
You can perform a remote reboot, for example, when the wireless VPN firewall seems to have become unstable or is not operating normally. Rebooting breaks any existing connections, either to the wireless VPN firewall (such as your management session) or through the wireless VPN firewall (for example, LAN users accessing the Internet).
11. Troubleshooting
This chapter provides troubleshooting tips and information for the wireless VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated.
• Is the wireless VPN firewall on? Go to Basic Functioning on page 379.
• Have I connected the wireless VPN firewall correctly? Go to Basic Functioning on page 379.
Note: The wireless VPN firewall’s diagnostic tools are explained in Diagnostics Utilities on page 373.
Basic Functioning
• Power LED Not On
• Test LED Never Turns Off
• LAN or WAN Port LEDs Not On
After you turn on power to the wireless VPN firewall, verify that the following sequence of events occurs:
1. When power is first applied, verify that the Power LED is on.
2. After approximately 2 minutes, verify that:
a.
If all LEDs are still on several minutes after power-up, do the following:
• Turn off the power, and then turn it on again to see if the wireless VPN firewall recovers.
• Reset the wireless VPN firewall’s configuration to factory default settings. Doing so sets the wireless VPN firewall’s IP address to 192.168.1.1. This procedure is explained in Restore the Default Configuration and Password on page 388.
• Make sure that you are using the SSL https://address login rather than the http://address login.
• Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using Internet Explorer, click Refresh to be sure that the Java applet is loaded.
• Try quitting the browser and launching it again.
• Clear the browser’s cache.
• Make sure that you are using the correct login information.
Troubleshoot the ISP Connection
If your wireless VPN firewall is unable to access the Internet, first determine whether it is able to obtain a WAN IP address from the ISP. Unless you have been assigned a static IP address, your wireless VPN firewall requests an IP address from the ISP. You can determine whether the request was successful using the web management interface.
To check the WAN IP address:
1.
system name, or account name that was assigned to you by your ISP. You might also have to enter the assigned domain name or workgroup name in the Domain Name field, and you might have to enter additional information. For more information, see Manually Configure an IPv4 Internet Connection on page 31.
• Your ISP allows only one Ethernet MAC address to connect to the Internet, and might check for your computer’s MAC address.
Check the computer:
• Make sure that the operating system supports IPv6.
c. Make sure that Internet Protocol Version 6 (TCP/IPv6) displays, as is shown in the previous figure.
• Make sure that the computer has an IPv6 address. If the computer has a link-local address only, it cannot reach the wireless VPN firewall or the Internet. On a computer that runs a Windows-based operating system, do the following (note that the steps might differ on the various Windows operating systems):
a.
Figure 230.
f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80.
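To make the link-local check above concrete, here is an added Python example (not part of the manual): it reads ipconfig-style text, keeps only the host's own IPv6 addresses, and reports whether the host holds anything beyond an FE80 link-local address. Both text samples are constructed, and the 2001:db8 address is a documentation placeholder rather than a real assignment.

```python
import ipaddress

# Constructed samples in the style of Windows "ipconfig" output; neither is
# captured from a real host.
#
# Case 1: the adapter has only a link-local address (FE80::/10) and a
# link-local default gateway, the situation the previous figure illustrates.
IPCONFIG_LINK_LOCAL_ONLY = """
Ethernet adapter Local Area Connection:
   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:1234%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.2
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::1%11
                                       192.168.1.1
"""

# Case 2: the same adapter after it has also obtained a routable IPv6 address
# (2001:db8::/32 is the documentation prefix, used here as a placeholder).
IPCONFIG_WITH_ROUTABLE = """
Ethernet adapter Local Area Connection:
   IPv6 Address. . . . . . . . . . . : 2001:db8:1::10
   Link-local IPv6 Address . . . . . : fe80::a1b2:c3d4:e5f6:1234%11
   IPv4 Address. . . . . . . . . . . : 192.168.1.2
   Default Gateway . . . . . . . . . : fe80::1%11
"""


def ipv6_addresses(ipconfig_text):
    """Return the host's own IPv6 addresses found in ipconfig-style text.

    Only lines labelled '... IPv6 Address' are read, so the default gateway
    is never mistaken for an address assigned to the host.
    """
    found = []
    for line in ipconfig_text.splitlines():
        if "IPv6 Address" not in line or " : " not in line:
            continue
        value = line.rsplit(" : ", 1)[1].strip()
        candidate = value.split("%", 1)[0]   # drop a Windows zone index such as %11
        try:
            found.append(ipaddress.IPv6Address(candidate))
        except ValueError:
            continue                         # not a parseable IPv6 literal
    return found


def ipv6_reachability(ipconfig_text):
    """Classify the host the way the troubleshooting step does.

    Returns (verdict, addresses) with verdict one of:
      'none'            no IPv6 address at all (check that IPv6 is enabled)
      'link-local-only' only FE80::/10 addresses; the host cannot reach the
                        firewall or the Internet over IPv6
      'routable'        at least one address outside the link-local range
    """
    addrs = ipv6_addresses(ipconfig_text)
    if not addrs:
        return "none", addrs
    routable = [a for a in addrs
                if not (a.is_link_local or a.is_loopback or a.is_unspecified)]
    if not routable:
        return "link-local-only", addrs
    return "routable", addrs


if __name__ == "__main__":
    for label, text in (("case 1", IPCONFIG_LINK_LOCAL_ONLY),
                        ("case 2", IPCONFIG_WITH_ROUTABLE)):
        verdict, addrs = ipv6_reachability(text)
        print(label, verdict, [str(a) for a in addrs])
```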
3. Click OK. A message similar to the following should display:
Pinging with 32 bytes of data
If the path is working, you see this message:
Reply from : bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
• Wrong physical connections - Make sure that the LAN port LED is on.
information. For more information, see Manually Configure an IPv4 Internet Connection on page 31.
• Your ISP could be rejecting the Ethernet MAC addresses of all but one of your computers. Many broadband ISPs restrict access by allowing traffic only from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single computer connected to that modem.
The reboot process takes about 165 seconds. (If you can see the unit: The reboot process is complete when the Test LED on the front panel goes off.)
WARNING: When you press the hardware factory default Reset button or click the software Default button, the wireless VPN firewall settings are erased. All firewall rules, VPN policies, LAN and WAN settings, and other settings are lost. Back up your settings if you intend to use them again.
A. Default Settings and Technical Specifications
This appendix provides the default settings and the physical and technical specifications of the wireless VPN firewall in the following sections:
• Factory Default Settings
• Physical and Technical Specifications
Factory Default Settings
You can use the factory default Reset button located on the rear panel to reset all settings to their factory defaults.
Table 93. Wireless VPN firewall factory default configuration settings (continued)
Feature / Default Behavior
Stateless IP/ICMP Translation (SIIT): Disabled
WAN MAC address: Use default MAC address of the wireless VPN firewall
WAN MTU size: 1500 bytes; 1492 bytes for PPPoE connections
Port speed: AutoSense
Dynamic DNS for IPv4: Disabled
IPv4 LAN, DMZ, and routing settings
LAN IPv4 address for the default VLAN: 192.168.1.
Table 93. Wireless VPN firewall factory default configuration settings (continued)
Feature / Default Behavior
DMZ port for IPv6: Disabled
DMZ IPv6 address (Port 8): 176::1
DMZ IPv6 prefix length (Port 8): 64
DMZ DHCPv6 server: Disabled
Firewall and security settings
Inbound LAN WAN rules (communications coming in from the Internet): All traffic is blocked, except for traffic in response to requests from the LAN.
Table 93.
Table 93. Wireless VPN firewall factory default configuration settings (continued)
Feature / Default Behavior
Encryption: None
Authentication: None
Transmission rate: Best¹
Default transmit power: Full
802.11 wireless mode: 802.11ng (for most countries)
802.11b/g/n radio frequency channel: Auto
802.
Table 93. Wireless VPN firewall factory default configuration settings (continued)
Feature / Default Behavior
Key group: DH-Group 2 (1024 bit)
NetBIOS: Enabled
VPN IPsec Wizard: IKE policy settings for IPv4 gateway-to-client tunnels
Exchange mode: Aggressive
ID type: FQDN
Local WAN ID: remote.com
Remote WAN ID: local.
Table 93.
Table 94. Wireless VPN firewall physical and technical specifications (continued)
Feature / Specification
Power plug (localized to the country of sale)
North America: 120V, 60 Hz, input
United Kingdom, Australia: 240V, 50 Hz, input
Europe: 230V, 50 Hz, input
Input, for all regions: 12VDC @ 1A output
Dimensions and weight
Dimensions (W x H x D): 19 x 12.5 x 3.5 cm (7.5 x 4.9 x 1.4 in)
Weight: 0.59 kg (1.
The following table shows the IPSec VPN specifications for the wireless VPN firewall:
Table 95. Wireless VPN firewall IPSec VPN specifications
Setting / Specification
Network Management: Web-based configuration and status monitoring
Number of concurrent users supported: 12
IPSec authentication algorithm: SHA-1, MD5
IPSec encryption algorithm: DES, 3DES, AES-128, AES-192, AES-256
IPSec key exchange: IKE, manual key, pre-shared key, X.
The following table shows the wireless specifications for the wireless VPN firewall:
Table 97. Wireless VPN firewall wireless specifications
Setting / Specification
802.11bg data rates: 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps, and auto-rate capable
802.11ng/n data rates: Data rates for a channel width of 20 MHz and a (short) guard interval of 400 ms: Best (automatic), 7.2 Mbps, 14.4 Mbps, 21.7 Mbps, 28.9 Mbps, 43.3 Mbps, 57.
B. Two-Factor Authentication
This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution.
What Is Two-Factor Authentication?
Two-factor authentication strengthens security by requiring more than one factor in the authentication process; each factor challenges and confirms a user's identity before the user can gain access to the network. Several kinds of factors can be used to validate users and confirm that they are who they say they are.
Figure 232.
2. A one-time passcode (something the user has) is generated.
Figure 233.
Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and needs to be used before the expiration time. If a user does not use this passcode before it expires, the user needs to go through the request process again to generate a new OTP.
3.
Figure 234.
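The note above states two properties of the passcode: it is tied to a time window agreed with the authentication server, and the server accepts it at most once. The following added Python example (not from the manual, and not the WiKID protocol) models both properties with a time-step HMAC passcode; the step length, digit count, clock-skew tolerance, shared secret and timestamps are all assumed values chosen for illustration.

```python
import hashlib
import hmac
import struct

# Assumed parameters for the illustration (not values from the manual).
STEP_SECONDS = 60    # how long one passcode stays valid
DIGITS = 6           # passcode length shown to the user
SKEW_STEPS = 1       # tolerated clock drift between device and server, in steps


def passcode_for_step(secret: bytes, step: int) -> str:
    """Derive the passcode for one time step: HMAC-SHA256 over the step
    counter, dynamically truncated to DIGITS decimal digits (RFC 4226 style)."""
    mac = hmac.new(secret, struct.pack(">Q", step), hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def token_generate(secret: bytes, now: float) -> str:
    """What the user's device does: produce the passcode for the current step."""
    return passcode_for_step(secret, int(now // STEP_SECONDS))


class OtpAuthServer:
    """Server side: shares the secret with the user's token, accepts a
    passcode only inside its time window, and accepts each passcode once."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.consumed = set()        # (step, passcode) pairs already accepted

    def step_at(self, now: float) -> int:
        return int(now // STEP_SECONDS)

    def verify(self, passcode: str, now: float) -> str:
        """Return 'ok', 'replayed' (already used), or 'rejected' (wrong or expired)."""
        base = self.step_at(now)
        # Only the current step plus SKEW_STEPS on either side is searched;
        # an older passcode has expired and the user must request a new one.
        for step in range(base - SKEW_STEPS, base + SKEW_STEPS + 1):
            expected = passcode_for_step(self.secret, step)
            if hmac.compare_digest(expected, passcode):   # constant-time compare
                if (step, passcode) in self.consumed:
                    return "replayed"                    # single-use property
                self.consumed.add((step, passcode))
                return "ok"
        return "rejected"


if __name__ == "__main__":
    secret = b"constructed-shared-secret"   # constructed, not a real key
    t0 = 1_700_000_000.0                    # constructed reference time
    server = OtpAuthServer(secret)
    code = token_generate(secret, t0)
    print(server.verify(code, t0 + 5))      # ok: inside the window, first use
    print(server.verify(code, t0 + 10))     # replayed: same passcode again
    print(server.verify(code, t0 + 600))    # rejected: the window has expired
    print(server.verify(token_generate(secret, t0 + 600), t0 + 600))  # ok
```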
C. Notification of Compliance (Wired)
NETGEAR Wired Products
Regulatory Compliance Information
This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may result in unlawful operation and adverse action against the end-user by the applicable National regulatory authority.
FCC Radio Frequency Interference Warnings & Instructions
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Additional Copyrights
AES
Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2.
MD5
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the “RSA Data Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as “derived from the RSA Data Security, Inc.
D. Notification of Compliance (Wireless)
NETGEAR Wireless Routers, Gateways, APs
Regulatory Compliance Information
Note: This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may result in unlawful operation and adverse action against the end-user by the applicable National regulatory authority.
Español [Spanish] NETGEAR Inc. hereby declares that the Radiolan complies with the essential requirements and any other applicable or mandatory provisions of Directive 1999/5/EC.
Ελληνική [Greek] NETGEAR Inc. HEREBY DECLARES THAT Radiolan COMPLIES WITH THE ESSENTIAL REQUIREMENTS AND THE OTHER RELEVANT PROVISIONS OF DIRECTIVE 1999/5/EC.
Français [French] NETGEAR Inc. hereby
Íslenska [Icelandic] NETGEAR Inc. hereby declares that Radiolan is in compliance with the essential requirements and other requirements laid down in Directive 1999/5/EC.
Norsk [Norwegian] NETGEAR Inc. hereby declares that the equipment Radiolan is in compliance with the essential requirements and other relevant requirements of Directive 1999/5/EC.
This device is a 2.
• For products available in the USA market, only channels 1~11 can be operated. Selection of other channels is not possible.
• This device and its antenna(s) must not be co-located or operated in conjunction with any other antenna or transmitter.
Index
Numerics
administrator default name and password 21 receiving logs by email 352 settings (admin) 329 user account 305 advertisement prefixes, IPv6 DMZ, configuring for 96 LAN, configuring for 82 advertisement, UPnP information 193 AES (Advanced Encryption Standard) IKE policy settings 227 Mode Config settings 246 SNMPv3 user settings 339 VPN policy settings 236–237 ALG (application level gateway) 171 antennas external orientation 107 rear panel 18 application level gateway (ALG) 171 ARP (Address Reso
Auto Uplink, autosensing Ethernet connections 13 autodetecting IPv4 Internet settings 29 autoinitiating VPN tunnels 235 autosensing port speed 52 certificates commercial CAs 314 CRL 315, 320 CSR 317 overview 313 self-signed 314–316 signature key length 318 trusted 314–315 certification authority (CA) 230, 313–321 channel spacing, wireless 109 channels and frequencies, selecting 109 CHAP (Challenge Handshake Authentication Protocol) 295 See also MIAS (
crossover cable 13, 380 CSMA (Carrier Sense Multiple Access) 126 CSR (certificate signing request) 317 CTS (Clear to Send) packets and self-protection 126 custom services, firewall 172 radio 108, 126 remote management 333 router lifetime DMZ RADVD 96 LAN RADVD 82 secure HTTP access 333 server preference, IPv6 DMZ DHCP 91 LAN DHCP 77 session time-out periods 171 SIP support for ALG 171 SNMPv3 users 336 SSID 117 Telnet access 334 transmit power and rate
ESS (extended service set) 113 Ethernet ports 15 event logs 351 examples of firewall rules 159–166 exchange mode, IKE policies 223, 226 exposed hosts increasing traffic 327 specifying (rule example) 163 extended authentication (XAUTH) configuring 238–240 IKE policies 229 extended service set (ESS) 113 dipole antenna 18 direction, bandwidth profiles 176 DMZ (demilitarized zone) configuring 85–98 increasing traffic 327 port 13, 17 DNS (Domain Name Serve
G LAN-to-WAN rules 143 IPv6 DMZ-to-WAN rules 152 LAN-to-DMZ rules 158 LAN-to-WAN rules 144 order of precedence 137 overview 133 scheduling 182 settings 135–136 inbound traffic, bandwidth 176 increasing traffic overview 325–327 port forwarding 134 infrastructure mode 110 installation, verifying 53 instant messaging, blocking (rule example) 164 interface specifications 397 interference (wireless) 107 Interior Gateway Protocol (IGP) 100 Internet connecti
unique global address 47 VPN tunnels 201, 227, 236 IPv6 connection, troubleshooting 383 IPv6 DMZ, configuring 89–98 IPv6 gateway 105 IPv6 Internet connection manually configuring 41, 43 setting up 26 IPv6 mode, configuring 38 IPv6 prefix length DMZ address 91 DMZ advertisements 97 DMZ DHCPv6 address pools 93 IPSec VPN policies 236 ISP address 42 LAN address 76 LAN advertisements 83 LAN DHCPv6 address pools 78 LAN prefix delegation 79 secondary LAN IP a
key generation, WEP 119 keyword blocking 179 knowledge base 389 location of wireless VPN firewall 19 lock, security 18 login attempts 351 login default settings 390 login policies, user 306–311 login time-out changing 311, 329 default 21 logs, configuring 351 long preamble 126 looking up DNS address 375 losing wireless connection 122 L L2TP (Layer 2 Tunneling Protocol) server 263 L2TP Access Concentrator (LAC) 263 L2TP users 305 LAC (L2TP Access Conc
monitoring default settings 396 MTU (maximum transmission unit) default 51 IPv6 DMZ packets 96 IPv6 LAN packets 82 multicast pass-through 168 multihome LAN addresses IPv4, configuring 65–67 IPv6, configuring 84–85 online games, DMZ port 86 open system (no wireless security) 117 operating frequency, radio 108 option arrows (web management interface) 23 Oray.
PFS (Perfect Forward Secrecy) 238, 246 physical specifications 396 PIN method, WPS 124 pinging checking connections 375 responding on Internet ports 167 responding on LAN ports 168 troubleshooting TCP/IP 386 using the ping utility 375 placement of wireless VPN firewall 19, 107 plug and play (UPnP), configuring 192 Point-to-Point Tunneling Protocol (PPTP) settings 30, 32 policies IKE exchange mode 223, 226 ISAKMP identifier 223, 227 managing 222 Mode Co
VLANs 56–63 wireless security 112, 115–119 protection from common attacks 166–169 protocols compatibilities 396 RIP 13 service numbers 172 traffic volume by protocol 349 PSK. See pre-shared key.
SSIDs (service set identifiers) assigning a name and broadcasting 117 broadcasting and security 111 SSL VPN ActiveX web cache cleaner 272 ActiveX-based client 266 authentication 298 cache control 271 client IP address range and routes 276–279 configuration steps 267 connection status 292 FQDNs, configuring port forwarding 268 logs 292 network resources, configuring 279–282 overview 12 policies managing 282 settings 286 port forwarding configuring 273–2
status, viewing 356–363 updating firmware 343 IPv6 connection 383 ISP connection 382 LEDs 379–380 NTP 389 testing your setup 387 time-out error 381 web management interface 380 trusted certificates 314–315 trusted domains, building a list of 181 tunnels, IPv6 configuring globally 46–50 DMZ, configuring for 97 LAN, configuring for 83 two-factor authentication authentication, overview 400 described 295 WiKID-PAP and WiKID-CHAP 298 Type of Service (ToS),
V manually generated 230 IPSec VPN user account 304–305 keep-alives 235, 260 NetBIOS 235, 263 pass-through (IPSec, PPTP, L2TP) 168 pre-shared key client-to-gateway tunnel 205 gateway-to-gateway tunnel 197, 201 IKE policy settings 228 RSA signature 228 sending syslogs 353 testing connections 218 XAUTH 238–240 VPNC (Virtual Private Network Consortium) 14, 195 vendor class identifier (VCI) 34 version, SNMP 337 videoconferencing DMZ port 86 from restrict
testing 127 wireless equipment, placement and range 107 wireless mode 109 wireless network name (SSID) broadcasting 117 broadcasting and security 111 wireless radio advanced settings, configuring 125 basic settings, configuring 108 wireless security 111–120 wireless separation 118 wireless specifications 399 wireless status, viewing 362 WLAN partition 118 WMM (Wi-Fi Multimedia) 126 WPA (Wi-Fi protected access), WPA2, and mixed mode configuring 117–119