Network Planning Guide for ProSafe VPN Firewall Router FVX538 NETGEAR, Inc.
© 2004 by NETGEAR, Inc. All rights reserved.

Trademarks
NETGEAR and Auto Uplink are trademarks or registered trademarks of NETGEAR, Inc. Microsoft, Windows, and Windows NT are registered trademarks of Microsoft Corporation. Other brand and product names are registered trademarks or trademarks of their respective holders.
Contents

Chapter 1 Introducing the FVX538
  The Router’s Front Panel
  The Router’s Rear Panel
  Rack Mounting the Router
  The Router’s IP Address, Login Name, and Password
October 2004
Chapter 1 Introducing the FVX538

This chapter introduces the FVX538 ProSafe VPN Firewall Router.

The Router’s Front Panel

The FVX538 ProSafe VPN Firewall Router front panel shown below contains the port connections, status LEDs, and the factory defaults reset button.
Table 1-1. Object Descriptions (continued)

Object: WAN Ports and LEDs
  Description: Two RJ-45 WAN ports. N-way automatic speed negotiation, Auto MDI/MDIX.
  Link/Act LED
    On (Green): The WAN port has detected a link with a connected Ethernet device.
    Blinking (Green): Data is being transmitted or received by the WAN port.
    Off: The WAN port has no link.
Object: LAN Ports and LEDs
Object: Gigabit Port and LEDs
The Router’s Rear Panel

The rear panel of the FVX538 ProSafe VPN Firewall Router (Figure 1-2) contains the On/Off switch and AC power connection.

100-240 VAC, 50-60Hz, 0.7A max.
The Router’s IP Address, Login Name, and Password

Check the label on the bottom of the FVX538’s enclosure if you forget the following factory default information:
• IP Address: http://192.168.1.1 to reach the Web-based GUI from the LAN
• User name: admin
• Password: password

[Figure: product label "ProSafe VPN Firewall FVX538 DEFAULT ACCESS" listing the IP Address, User Name, and Password]
Table 1-2. Factory Default Settings

Feature: Default
User Name (case sensitive): admin
Password (case sensitive): password
Built-in DHCP server: DHCP server is enabled, issues addresses in the default subnet
IP Configuration: IP Address: 192.168.1.1 Subnet Mask: 255.255.255.0 Gateway: 0.0.0.
Time Zone:
Chapter 2 Network Planning

This chapter describes the factors to consider when planning a network using a router that has dual WAN ports.

Overview of the Planning Process

The areas that require planning when using a router that has dual WAN ports include:
• Single or multiple exposed hosts
• Virtual private networks (VPNs)

Note: Exposed hosts are sometimes referred to as DMZ hosts.
Virtual Private Networks (VPNs)

A virtual private network (VPN) tunnel provides a secure communication channel between either two gateway VPN routers or between a remote PC client and gateway VPN router. As a result, the IP address of at least one of the tunnel end points must be known in advance in order for the other tunnel end point to establish (or re-establish) the VPN tunnel.
[Figure: Dual WAN Ports (Load Balancing). Labels: Router, WAN1 IP, netgear1.dyndns.org, netgear2.dyndns.]

Use of fully-qualified domain names for IP addresses of WAN ports:
o required for dynamic IP addresses
o optional for fixed IP addresses
Single Exposed Host: Single WAN Port (Reference Case)

In the single WAN case (Figure 2-3), the WAN’s Internet address is either fixed IP or a fully-qualified domain name if the IP address is dynamic.

[Figure 2-3. Labels: Router, WAN IP, netgear.dyndns.]
[Figure: Dual WAN Ports (Load Balancing). Labels: Router, WAN1 IP, netgear1.dyndns.org, netgear2.dyndns.]
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider publicizing one of the WAN port Internet addresses and keeping the other one unpublicized in order to maintain better control of WAN port traffic.

[Figure: Dual WAN Ports. Labels: Router, WAN1 IP Addresses; 22.23.24.25, 22.23.24.26, . . .; 14.15.16.17, 14.15.16.18, . . .]
For the single gateway WAN port case, the mechanism is to use a fully-qualified domain name (FQDN) when the IP address is dynamic and to use either an FQDN or the IP address itself when the IP address is fixed. The situation is different when dual gateway WAN ports are used in a failover-based system.
VPN Road Warrior (Client-to-Gateway)

The following situations exemplify the requirements for a remote PC client with no router to establish a VPN tunnel with a gateway VPN router:
• Single gateway WAN port
• Redundant dual gateway WAN ports for increased system reliability (before and after failover)
• Dual gateway WAN ports used for load balancing

VPN Road Warrior: Single Gateway WAN Port (Reference Case)

In the case of the single WAN port on
[Figure: Road Warrior Example (Dual WAN Ports, Before Failover). Gateway A, VPN Router (at employer's main office): LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN1 IP, bzrouter.dyndns.org, WAN2 IP (N/A), WAN2 port inactive. Client B: WAN IP 0.0.0.]
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing

In the case of the dual WAN ports on the gateway VPN router (Figure 2-13), the remote PC initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote PC is not known in advance. The chosen gateway WAN port must act as the responder.
[Figure: Gateway-to-Gateway Example (Single WAN Ports). Gateway A, VPN Router (at office A): LAN 10.5.6.0/24, LAN IP 10.5.6.1. Gateway B: LAN 172.23.9.0/24, LAN IP 172.23.9.1. WAN IP labels: FQDN netgear.dyndns.org, 22.23.24.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN ports could be either WAN_A1, WAN_A2, WAN_B1, or WAN_B2 (i.e., the IP address of the active WAN port is not known in advance).
[Figure: Gateway-to-Gateway Example (Dual WAN Ports, Load Balancing). Gateway A, VPN Router (at office A): LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN_A1 IP, WAN_A2 IP. Gateway B: LAN 172.23.9.0/24, LAN IP 172.23.9., WAN_B1 IP, WAN_B2 IP. WAN labels: netgear1.dyndns.org, netgear2.dyndns.org, 22.23.24.25, 22.23.24.26.]

Fully-Qualified Domain Names (FQDN)
- optional for Fixed IP addresses
- required for Dynamic IP addresses
[Figure: Telecommuter Example (Single WAN Port). Gateway A, VPN Router (at employer's main office): LAN 10.5.6.0/24, LAN IP 10.5.6.1. WAN IP labels: FQDN bzrouter.dyndns.org, 0.0.0.]
After a failover of the gateway WAN port (Figure 2-20), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel. The gateway WAN port must act as the responder.

[Figure: Telecommuter Example (Dual WAN Ports, After Failover). Gateway A: LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN1 IP (N/A), WAN1 port inactive, bzrouter2.dyndns.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified domain name is optional.
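
The FQDN rules this chapter gives for single, failover, and load-balancing WAN configurations can be checked against a planned deployment before any tunnel is configured. The following Python is an added example, not NETGEAR code; the mode labels, class and function names, and sample gateways are assumptions made for illustration, and it reads the "must always be used" rule as applying to the failover (rollover) case.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class WanPort:
    name: str
    addressing: str              # "fixed" or "dynamic"
    fqdn: Optional[str] = None   # e.g. a dynamic DNS name

@dataclass
class Gateway:
    name: str
    mode: str                    # assumed labels: "single", "rollover", "load_balancing"
    ports: List[WanPort] = field(default_factory=list)

def fqdn_required(mode: str, addressing: str) -> bool:
    """Apply the guide's rule for one WAN port."""
    if mode == "rollover":
        # The active port is not known in advance, so a name is always needed.
        return True
    # Single port or load balancing: required for dynamic, optional for fixed.
    return addressing == "dynamic"

def check_gateway(gw: Gateway) -> List[str]:
    """Return one finding per WAN port that lacks a required FQDN."""
    findings = []
    for port in gw.ports:
        if fqdn_required(gw.mode, port.addressing) and not port.fqdn:
            findings.append(f"{gw.name}/{port.name}: FQDN required "
                            f"({gw.mode}, {port.addressing} IP)")
    return findings

def tunnel_roles(gw: Gateway, peer_address_known: bool) -> dict:
    """At least one end point must be known in advance. A road warrior's
    address is not, so the remote peer initiates and the gateway responds."""
    if check_gateway(gw):
        return {"viable": False, "initiator": None}
    initiator = "either" if peer_address_known else "remote peer"
    return {"viable": True, "initiator": initiator}

# Constructed sample plan (gateway names and addressing are illustrative only).
OFFICE_A = Gateway("office-a", "rollover", [
    WanPort("WAN1", "fixed", "netgear1.dyndns.org"),
    WanPort("WAN2", "fixed"),                      # missing name: flagged
])
OFFICE_B = Gateway("office-b", "load_balancing", [
    WanPort("WAN1", "fixed"),                      # allowed: fixed IP
    WanPort("WAN2", "dynamic", "netgear2.dyndns.org"),
])

if __name__ == "__main__":
    for gw in (OFFICE_A, OFFICE_B):
        print(gw.name, check_gateway(gw) or "ok", tunnel_roles(gw, False))
```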