ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Reference Manual
350 East Plumeria Drive, San Jose, CA 95134 USA
March 16, 2012
202-10836-02 v1.
© 2011–2012 NETGEAR, Inc. All rights reserved. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form or by any means without the written permission of NETGEAR, Inc.

Technical Support

Thank you for choosing NETGEAR.
(continued)
• User login restrictions based on IPv6 addresses (see Configure Login Restrictions Based on IPv6 Addresses)
• IPv6 remote management access (see Configure Remote Management Access)
• IPv6 time zone (see Configure Date and Time Service)
• IPv6 diagnostics (see Diagnostics Utilities)
• Extensive list of factory default settings (see Appendix A, Default Settings and Technical Specifications)
202-10836-01 1.
Contents

Chapter 1 Introduction
  What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? 10
  Key Features and Capabilities 11
    Wireless Features 11
    Advanced VPN Support for Both IPSec and SSL 11
    A Powerful, True Firewall 12
    Security Features
  Additional WAN-Related Configuration Tasks 50
  Verify the Connection 50
  What to Do Next 50
Chapter 3 LAN Configuration
  Manage IPv4 Virtual LANs and DHCP Options 51
    Port-Based VLANs
Chapter 5 Firewall Protection
  About Firewall Protection 125
    Administrator Tips 126
  Overview of Rules to Block or Allow Specific Kinds of Traffic 126
    Outbound Rules (Service Blocking) 127
    Inbound Rules (Port Forwarding)
  Manage VPN Policies 225
  Configure Extended Authentication (XAUTH) 233
    Configure XAUTH for VPN Clients 234
    User Database Configuration 235
    RADIUS Client and Server Configuration
  Manage Digital Certificates for VPN Connections 306
    VPN Certificates Screen 307
    Manage VPN CA Certificates 308
    Manage VPN Self-Signed Certificates 309
    Manage the VPN Certificate Revocation List
  When You Enter a URL or IP Address, a Time-Out Error Occurs 370
  Troubleshoot the ISP Connection 370
  Troubleshooting the IPv6 Connection 372
  Troubleshoot a TCP/IP Network Using a Ping Utility 375
    Test the LAN Path to Your Wireless VPN Firewall
1. Introduction

This chapter provides an overview of the features and capabilities of the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N and explains how to log in to the device and use its web management interface.
Key Features and Capabilities

The wireless VPN firewall provides the following key features and capabilities:
• A single 10/100/1000 Mbps Gigabit Ethernet WAN port
• Built-in eight-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data transfer between local network resources
• A wireless radio with up to four wireless profiles
• Both IPv4 and IPv6 support
• Advanced IPSec VPN and SSL VPN support
• L2TP tunnel support
• SSL VPN provides remote access for mobile users to selected corporate resources without requiring a preinstalled VPN client on their computers.
  - Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, to provide client-free access with customizable user portals and support for a wide variety of user repositories.
  - Up to five simultaneous SSL VPN connections.
Autosensing Ethernet Connections with Auto Uplink

With its internal eight-port 10/100/1000 Mbps switch and 10/100/1000 WAN port, the wireless VPN firewall can connect to a 10 Mbps standard Ethernet network, a 100 Mbps Fast Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The LAN and WAN interfaces are autosensing and capable of full-duplex or half-duplex operation. The wireless VPN firewall incorporates Auto Uplink™ technology.
Easy Installation and Management

You can install, configure, and operate the wireless VPN firewall within minutes after connecting it to the network. The following features simplify installation and management tasks:
• Browser-based management. Browser-based configuration allows you to easily configure the wireless VPN firewall from almost any type of operating system, such as Windows, Macintosh, or Linux.
Package Contents

The wireless VPN firewall product package contains the following items:
• ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
• One 12V 1A power supply unit for your region
• Rubber feet
• Ethernet cable
• ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Guide
• Resource CD, including:
  - Application Notes and other helpful information
  - 30-day trial license for the ProSafe VPN Client software (VPN01L
Figure 1. LEDs: Power LED, Left WAN LED (green), Left LAN LEDs (green, one for each port), Wireless LED, Right WAN LED, Right LAN LEDs (one for each port), DMZ LED, Test LED, Active WAN LED.

The following table describes the function of each LED.

Table 1. LED descriptions
LED | Activity | Description
Power LED | On (green) | Power is supplied to the wireless VPN firewall.
Power LED | Off | Power is not supplied to the wireless VPN firewall.
Table 1. LED descriptions (continued)
LED | Activity | Description
Left LAN LED | Off | The LAN port has no link.
Left LAN LED | On (green) | The LAN port has detected a link with a connected Ethernet device.
Left LAN LED | Blinking (green) | Data is being transmitted or received by the LAN port.
Right LAN LED | Off | The LAN port is operating at 10 Mbps.
Right LAN LED | On (amber) | The LAN port is operating at 100 Mbps.
Right LAN LED | On (green) | The LAN port is operating at 1000 Mbps.
DMZ LED | Off | Port 8 is operating as a normal LAN port.
Rear Panel

The rear panel of the wireless VPN firewall includes the antennas, a cable lock receptacle, a console port, a Reset button, a DC power connection, and a power switch.

Figure 2. Rear panel: (1) and (7) antennas, (2) security lock receptacle, (3) console port, (4) factory default Reset button, (5) DC power receptacle, (6) power switch.

Viewed from left to right, the rear panel contains the following components:
1. Dipole antenna.
Bottom Panel with Product Label

The product label on the bottom of the wireless VPN firewall's enclosure displays factory default settings, regulatory compliance, and other information.

Figure 3.

Choose a Location for the Wireless VPN Firewall

The wireless VPN firewall is suitable for use in an office environment where it can be freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack.
Log In to the Wireless VPN Firewall

Note: To connect the wireless VPN firewall physically to your network, connect the cables and restart your network according to the instructions in the Installation Guide. See the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Guide for complete steps. A PDF of the Installation Guide is on the NETGEAR support website at http://support.netgear.com/app/products/model/a_id/19435.
Figure 4.

3. In the User Name field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here, too, use lowercase letters.
   Note: The wireless VPN firewall user name and password are not the same as any user name or password you might use to log in to your Internet connection.
   Note: Leave the domain as it is (geardomain).
5. Click Login. The web management interface displays, showing the Router Status screen.
Figure 5.

Web Management Interface Menu Layout

The following figure shows the menu at the top of the web management interface:

Figure 6. Menu layout: 1st level: Main navigation menu link (orange); 2nd level: Configuration menu link (gray); 3rd level: Submenu tab (blue); IP radio buttons; Option arrows: Additional screen for submenu item.

The web management interface menu consists of the following components:
• 1st level: Main navigation menu links.
• 2nd level: Configuration menu links. The configuration menu links in the gray bar (immediately below the main navigation menu bar) change according to the main navigation menu link that you select. When you select a configuration menu link, the letters are displayed in white against a gray background.
• 3rd level: Submenu tabs. Each configuration menu item has one or more submenu tabs that are listed below the gray menu bar.
Any of the following table buttons might display onscreen:
• Select All. Select all entries in the table.
• Delete. Delete the selected entry or entries from the table.
• Enable. Enable the selected entry or entries in the table.
• Disable. Disable the selected entry or entries in the table.
• Add. Add an entry to the table.
• Edit. Edit the selected entry.
• Up. Move the selected entry up in the table.
• Down.
2. Internet and Broadband Settings

This chapter explains how to configure the Internet and WAN settings.
4. Configure the WAN options (optional). If required, change the factory default MTU size, port speed, and MAC address of the wireless VPN firewall: see Configure Advanced WAN Options and Other Tasks on page 47. These are advanced features, and you usually do not need to change them.

Each of these four tasks is detailed separately in this chapter.

Tasks to Set Up an IPv6 Internet Connection to Your ISP

Complete these four tasks:
Network Address Translation

Network Address Translation (NAT) allows all computers on your LAN to share a single public Internet IP address. From the Internet, there is only a single device (the wireless VPN firewall) and a single IP address. Computers on your LAN can use any private IP address range, and these IP addresses are not visible from the Internet.
Figure 9.

2. Select the NAT radio button or the Classical Routing radio button.
   WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.
3. Click Apply to save your settings.

Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection

To automatically configure the WAN port for an IPv4 connection to the Internet:
Figure 10.

2. Click the Auto Detect button at the bottom of the screen. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of the following results:
   • If the autodetect process is successful, a status bar at the top of the screen displays the results (for example, DHCP service detected).
Table 2. IPv4 Internet connection methods
Connection Method | Manual Data Input Required
DHCP (Dynamic IP) | No manual data input is required.
The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, skip ahead to Manually Configure an IPv4 Internet Connection on page 31, or see Troubleshoot the ISP Connection on page 370.

Note: For more information about the Connection Status screen, see View the WAN Port Status on page 356.
Figure 13.

5. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as explained in the following table:

Table 3. PPTP and PPPoE settings
Setting | Description
Austria (PPTP) | If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this radio button, and enter the following settings. Note: For login and password information, see Step 2 and Step 3.
  Account Name |
Table 3. PPTP and PPPoE settings (continued)
Setting | Description
Other (PPPoE) | If you have installed login software, then your connection type is PPPoE. Select this radio button, and enter the following settings. Note: For login and password information, see Step 2 and Step 3.
  Account Name | The valid account name for the PPPoE connection.
  Domain Name | The name of your ISP's domain or your domain name if your ISP has assigned one.
Table 4. Internet IP address settings
Setting | Description
Get Dynamically from ISP | If your ISP has not assigned you a static IP address, select the Get Dynamically from ISP radio button. The ISP automatically assigns an IP address to the wireless VPN firewall using the DHCP network protocol.
8. Click Test to evaluate your entries. The wireless VPN firewall attempts to make a connection according to the settings that you entered.
9. Click Apply to save your changes.
10. To verify the connection, click the Broadband Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a PPPoE configuration; the IP addresses are not related to any other examples in this manual.)
travel over the IPv4 intranet; you do this by enabling and configuring ISATAP tunneling (see Configure ISATAP Automatic Tunnelling on page 42).

Note: A network can be both an isolated IPv6 network and a mixed network with IPv4 and IPv6 devices.
Figure 16.

2. Select the IPv4 / IPv6 mode radio button. By default, the IPv4 only mode radio button is selected, and IPv6 is disabled.
   WARNING: Changing the IP routing mode causes the wireless VPN firewall to reboot.
3. Click Apply to save your changes.
To automatically configure the WAN port for an IPv6 connection to the Internet:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings.
2. In the upper right of the screen, select the IPv6 radio button. The ISP Broadband Settings screen displays the IPv6 settings:

Figure 17.

3. In the Internet Address section of the screen, from the IPv6 drop-down list, select DHCPv6.
7. To verify the connection, click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a dynamic IP address configuration.)

Figure 18.

The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet. If the configuration was not successful, see Troubleshoot the ISP Connection on page 370.
Figure 19.

3. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static IPv6.
4. In the Static IP Address section of the screen, enter the settings as explained in the following table. You should have received static IPv6 address information from your IPv6 ISP:

Table 6. Broadband ISP Settings screen settings for IPv6
Setting | Description
IPv6 Address | The IP address that your ISP assigned to you.
6. To verify the connection, click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a static IP address configuration; the IP addresses are not related to any other examples in this manual.)

Figure 20.

The Connection Status screen should show a valid IP address and gateway, and you are connected to the Internet.
With 6to4 tunnels, IPv6 packets are embedded within the IPv4 packet and then transported over the IPv4 network. You do not need to specify remote tunnel endpoints, which are automatically determined by relay routers on the Internet. You cannot use 6to4 tunnels for traffic between IPv4-only devices and IPv6-only devices.
enabling and configuring Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) tunneling. ISATAP is a LAN tunnel mechanism in which the IPv4 network functions as a virtual IPv6 local link. Each IPv4 address is mapped to a link-local IPv6 address, that is, the IPv4 address is used in the interface portion of the IPv6 address. ISATAP tunneling is used intra-site, that is, between addresses in the LAN.
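Both tunnel types described above (6to4 in the preceding paragraph and ISATAP here) derive their IPv6 addresses mechanically from IPv4 addresses, which is what lets an administrator predict the tunnel addresses that will show up on the Tunnel Status screen and in firewall logs. The following Python is an added example, not code from the NETGEAR manual or the firewall's software: it builds the 6to4 /48 prefix (RFC 3056) and the ISATAP interface identifier (RFC 5214) and recovers the embedded IPv4 endpoint from either kind of address; all function names and sample addresses are constructed for illustration.

```python
"""Derive 6to4 prefixes and ISATAP addresses from IPv4 addresses.

Added example, not code from the NETGEAR manual. The sample addresses at the
bottom are constructed for illustration.
"""
import ipaddress
from typing import Optional

# RFC 1918 ranges: an IPv4 address in one of these is not globally unique,
# so the ISATAP interface identifier is built with the u bit cleared.
RFC1918_NETS = (
    ipaddress.IPv4Network("10.0.0.0/8"),
    ipaddress.IPv4Network("172.16.0.0/12"),
    ipaddress.IPv4Network("192.168.0.0/16"),
)

# RFC 5214: the interface identifier is 0000:5EFE:w.x.y.z for a private IPv4
# address and 0200:5EFE:w.x.y.z (u bit set) for a globally unique one.
ISATAP_TAG = 0x5EFE
U_BIT = 0x0200


def is_rfc1918(ipv4: str) -> bool:
    """Return True when the address is in one of the RFC 1918 private ranges."""
    addr = ipaddress.IPv4Address(ipv4)
    return any(addr in net for net in RFC1918_NETS)


def isatap_interface_id(ipv4: str) -> int:
    """Return the 64-bit ISATAP interface identifier for an IPv4 address."""
    addr = ipaddress.IPv4Address(ipv4)
    high16 = 0x0000 if is_rfc1918(ipv4) else U_BIT
    # Layout: 16-bit u/g field | 16-bit 5EFE tag | 32-bit embedded IPv4 address.
    return (high16 << 48) | (ISATAP_TAG << 32) | int(addr)


def isatap_address(prefix: str, ipv4: str) -> ipaddress.IPv6Address:
    """Combine a /64 IPv6 prefix with the ISATAP interface identifier.

    The prefix corresponds to the manual's 'ISATAP Subnet Prefix' field and
    the IPv4 address to the 'Local End Point Address'.
    """
    net = ipaddress.IPv6Network(prefix, strict=True)
    if net.prefixlen != 64:
        raise ValueError("ISATAP addresses need a /64 subnet prefix")
    return ipaddress.IPv6Address(int(net.network_address) | isatap_interface_id(ipv4))


def isatap_link_local(ipv4: str) -> ipaddress.IPv6Address:
    """Link-local ISATAP address (fe80::/64), the mapping the manual describes."""
    return isatap_address("fe80::/64", ipv4)


def sixto4_prefix(wan_ipv4: str) -> ipaddress.IPv6Network:
    """Return the 2002:WWXX:YYZZ::/48 prefix derived from the public WAN address.

    6to4 embeds the 32-bit IPv4 address right after 2002::/16; relay routers
    read the endpoint out of the address, which is why the manual says no
    remote endpoint has to be configured. A private WAN address cannot work.
    """
    if is_rfc1918(wan_ipv4):
        raise ValueError("6to4 requires a globally routable IPv4 WAN address")
    addr = int(ipaddress.IPv4Address(wan_ipv4))
    network = (0x2002 << 112) | (addr << 80)
    return ipaddress.IPv6Network(f"{ipaddress.IPv6Address(network)}/48")


def embedded_ipv4(ipv6: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 endpoint from a 6to4 or ISATAP address, or None.

    Handy when reading the Tunnel Status screen or tunnel traffic in logs.
    """
    value = int(ipaddress.IPv6Address(ipv6))
    if value >> 112 == 0x2002:                       # 6to4: IPv4 in bits 80..111
        return ipaddress.IPv4Address((value >> 80) & 0xFFFFFFFF)
    iid = value & 0xFFFFFFFFFFFFFFFF
    if (iid >> 32) & 0xFDFFFFFF == ISATAP_TAG:       # ISATAP: mask off the u bit
        return ipaddress.IPv4Address(iid & 0xFFFFFFFF)
    return None


if __name__ == "__main__":
    # Constructed sample addresses: 192.168.1.1 is the LAN address used in the
    # manual's examples; 198.51.100.7 stands in for a public WAN address.
    print(isatap_link_local("192.168.1.1"))
    print(isatap_address("2001:db8:1::/64", "198.51.100.7"))
    print(sixto4_prefix("198.51.100.7"))
    print(embedded_ipv4("2002:c633:6407::1"))
```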
2. Click the Add table button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays:

Figure 23.

3. Specify the tunnel settings as explained in the following table.

Table 7. Add ISATAP Tunnel screen settings
Setting | Description
ISATAP Subnet Prefix | The IPv6 prefix for the tunnel.
Local End Point Address | From the drop-down list, select the type of local address:
  • LAN.
View the Tunnel Status and IPv6 Addresses

The IPv6 Tunnel Status screen displays the status of all active 6to4 and ISATAP tunnels and their IPv6 addresses.

To view the status of the tunnels and IPv6 addresses:
Select Monitoring > Router Status > Tunnel Status. The Tunnel Status screen displays:

Figure 24.

The IPv6 Tunnel Status table shows the following fields:
• Tunnel Name.
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x or 10.x.x.x, the DDNS service does not work because private addresses are not routed on the Internet.

To configure DDNS:
1. Select Network Configuration > Dynamic DNS. The Dynamic DNS screen displays (see the following figure).
2. Click the submenu tab for your DDNS service provider:
   • Dynamic DNS for DynDNS.org (which is shown in the following figure)
   • DNS TZO for TZO.
5. Configure the DDNS service settings as explained in the following table:

Table 8. DDNS service settings
Setting | Description
Change DNS to (DynDNS, TZO, Oray, or 3322) | Select the Yes radio button to enable the DDNS service. The fields that display on the screen depend on the DDNS service provider that you have selected. Enter the following settings:
  Host and Domain Name | The host and domain name for the DDNS service.
Figure 27.

3. Enter the settings as explained in the following table:

Table 9. Broadband Advanced Options screen settings
Setting | Description
MTU Size | Make one of the following selections:
  Default | Select the Default radio button for the normal maximum transmission unit (MTU) value. For most Ethernet networks this value is 1500 bytes, or 1492 bytes for PPPoE connections.
  Custom | Select the Custom radio button, and enter an MTU value in the Bytes field.
Table 9. Broadband Advanced Options screen settings (continued)
Setting | Description
Speed | In most cases, the wireless VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an Internet connection, you might need to manually select the port speed.
Additional WAN-Related Configuration Tasks

• If you want the ability to manage the wireless VPN firewall remotely, enable remote management (see Configure Remote Management Access on page 322). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Administrator and Guest Settings on page 320).
• You can set up the traffic meter for the WAN interface, if you wish.
3. LAN Configuration

This chapter describes how to configure the advanced LAN features of your wireless VPN firewall.
VLANs have a number of advantages:
• It is easy to set up network segmentation. Users who communicate most frequently with each other can be grouped into common VLANs, regardless of physical location. Each group's traffic is contained largely within the VLAN, reducing extraneous traffic and improving the efficiency of the whole network.
• They are easy to manage.
This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one of which is connected to the wireless VPN firewall, the other one to another device: Packets coming from the IP phone to the wireless VPN firewall LAN port are tagged. Packets passing through the IP phone from the connected device to the wireless VPN firewall LAN port are untagged.
For each VLAN profile, the following fields display in the VLAN Profiles table:
• Check box. Allows you to select the VLAN profile in the table.
• Status icon. Indicates the status of the VLAN profile:
  - Green circle. The VLAN profile is enabled.
  - Gray circle. The VLAN profile is disabled.
• Profile Name. The unique name assigned to the VLAN profile.
• VLAN ID. The unique ID (or tag) assigned to the VLAN profile.
• Subnet IP.
• WINS server (if you entered a WINS server address in the DHCP Setup screen)
• Lease time (the date obtained and the duration of the lease)

DHCP Relay

DHCP relay options allow you to make the wireless VPN firewall a DHCP relay agent for a VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages.
Configure a VLAN Profile

For each VLAN on the wireless VPN firewall, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing capability.

To add a VLAN profile:
1. Select Network Configuration > LAN Setup. In the upper right of the screen, the IPv4 radio button is selected by default. The LAN submenu tabs display, with the LAN Setup screen in view, displaying the IPv4 settings.
Figure 30.
3. Enter the settings as explained in the following table:

Table 10. Add VLAN Profile screen settings
Setting | Description
VLAN Profile
  Profile Name | Enter a unique name for the VLAN profile.
  VLAN ID | Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. Note: You can enter VLAN IDs from 2 to 4089. VLAN ID 1 is reserved for the default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
Table 10. Add VLAN Profile screen settings (continued)
Setting | Description
Enable DHCP Server | Select the Enable DHCP Server radio button to enable the wireless VPN firewall to function as a Dynamic Host Configuration Protocol (DHCP) server, providing TCP/IP configuration for all computers connected to the VLAN. (For the default VLAN, the DHCP server is enabled by default.)
Table 10. Add VLAN Profile screen settings (continued)
Setting | Description
Enable LDAP information | To enable the DHCP server to provide Lightweight Directory Access Protocol (LDAP) server information, select the Enable LDAP information check box. Enter the following settings.
  LDAP Server | The IP address or name of the LDAP server.
  Search Base | The search objects that specify the location in the directory tree from which the LDAP search begins.
To edit a VLAN profile:
1. On the LAN Setup screen for IPv4 (see Figure 29 on page 56), click the Edit button in the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile screen displays. This screen is identical to the Add VLAN Profile screen (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
Figure 31.

3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.)
4. As an option, you can disable the broadcast of ARP packets for the default VLAN by clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled by default for the default VLAN.)
5. Click Apply to save your settings.
• Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0
• Secondary LAN IP address. 192.168.20.1 with subnet 255.255.255.0

To add a secondary LAN IPv4 address:
1. Select Network Configuration > LAN Setup > LAN Multi-homing. In the upper right of the screen, the IPv4 radio button is selected by default. The LAN Multi-homing screen displays the IPv4 settings. (The following figure contains one example.)

Figure 32.
3. Click Apply to save your settings.

To delete one or more secondary LAN IP addresses:
1. On the LAN Multi-homing screen for IPv4 (see the previous figure), select the check box to the left of each secondary IP address that you want to delete, or click the Select All table button to select all secondary IP addresses.
2. Click the Delete table button.
• There is no need to use a fixed IP address on a computer. Because the IP address allocated by the DHCP server never changes, you do not need to assign a fixed IP address to a computer to ensure that it always has the same IP address.
• A computer is identified by its MAC address—not its IP address. The network database uses the MAC address to identify each computer or device.
The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display:
• Check box. Allows you to select the computer or device in the table.
• Name. The name of the computer or device. For computers that do not support the NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to add a meaningful name).
Table 11. Add Known PCs and Devices section settings (continued)
Setting | Description
IP Address | Enter the IP address that is assigned to this computer or device:
  • If the IP address type is Fixed (set on PC), the IP address needs to be outside of the address range that is allocated to the DHCP server pool to prevent the IP address from also being allocated by the DHCP server.
Figure 34.

2. Modify the settings as explained in Table 11 on page 66.
3. Click Apply to save your settings in the Known PCs and Devices table.

Deleting Computers or Devices from the Network Database

To delete one or more computers or devices from the network database:
2. Click the Edit Group Names option arrow to the right of the LAN submenu tabs. The Network Database Group Names screen displays. (The following figure shows some examples.)

Figure 35.

3. Select the radio button next to the group name that you want to edit.
4. Type a new name in the field. The maximum number of characters is 15. Do not use a double quote ("), single quote ('), or space in the name.
Note: The saved binding is also displayed on the IP/MAC Binding screen (see Figure 97 on page 181).

Manage the IPv6 LAN

An IPv6 LAN typically functions with site-local and link-local unicast addresses. Each physical interface requires an IPv6 link-local address that is automatically derived from the MAC addresses of the IPv4 interface and that is used for address configuration and neighbor discovery.
Stateless DHCPv6 Server With Prefix Delegation

As an option for a stateless DHCPv6 server, you can enable prefix delegation. The ISP's stateful DHCPv6 server assigns a prefix that is used by the wireless VPN firewall's stateless DHCPv6 server to assign to its IPv6 LAN clients. Prefix delegation functions in the following way:
1. The wireless VPN firewall's DHCPv6 client requests prefix delegation from the ISP.
Configure the IPv6 LAN

To configure the IPv6 LAN settings:
1. Select Network Configuration > LAN Setup.
2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings. (The following figure contains some examples.)

Figure 36.
3. Enter the settings as explained in the following table. The IPv6 address pools and prefixes for prefix delegation are explained in the sections following the table.

Table 12. LAN Setup screen settings for IPv6
Setting | Description
IPv6 LAN Setup
  IPv6 Address | Enter the LAN IPv6 address. The default address is FEC0::1. (For more information, see the introduction to this section, Manage the IPv6 LAN.)
Table 12. LAN Setup screen settings for IPv6 (continued)
Setting | Description
DHCP Status (continued)
  Server Preference | Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting. This is an optional setting that specifies the server's preference value in a server advertise message. The client selects the server with the highest preference value as the preferred server.
Figure 37.

2. Enter the settings as explained in the following table:

Table 13. LAN IPv6 Config screen settings
Setting | Description
Start IPv6 Address | Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the LAN is assigned an IP address between this address and the end IP address.
End IPv6 Address | Enter the end IP address.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 LAN Prefixes for Prefix Delegation If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation check box (both on the ISP Broadband Settings screen for IPv6 and on the LAN Setup screen for IPv6, a prefix delegation pool is automatically added to the List of Prefixes for Prefix Delegation table.
Configure the IPv6 Router Advertisement Daemon and Advertisement Prefixes for the LAN
Note: If you do not configure stateful DHCPv6 for the LAN but use stateless DHCPv6, you need to configure the Router Advertisement Daemon (RADVD) and advertisement prefixes. The RADVD is an application that uses the Neighbor Discovery Protocol (NDP) to collect link-local advertisements of IPv6 addresses and IPv6 prefixes in the LAN.
2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings (see Figure 36 on page 72). 3. To the right of the LAN Setup tab, click the RADVD option arrow. The RADVD screen for the LAN displays. (The following figure contains some examples.) Figure 39. 4. Enter the settings as explained in the following table: Table 15.
Table 15. RADVD screen settings for the LAN (continued) Advertise Interval Enter the advertisement interval of unsolicited multicast packets in seconds. The minimum value is 10 seconds; the maximum value is 1800 seconds. RA Flags Specify what type of information the DHCPv6 server provides in the LAN by making a selection from the drop-down list: • Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
Figure 40. 2. Enter the settings as explained in the following table: Table 16. Add Advertisement Prefix screen settings for the LAN Setting Description IPv6 Prefix Type Specify the IPv6 prefix type by making a selection from the drop-down list: • 6to4. The prefix is for a 6to4 address. You need to complete the SLA ID field and Prefix Lifetime field. The other fields are masked out. • Global/Local/ISATAP.
To delete one or more advertisement prefixes: 1. On the RADVD screen for the LAN (see Figure 39 on page 78), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes. 2. Click the Delete table button.
3. In the Add Secondary LAN IP Address section of the screen, enter the following settings: • IPv6 Address. Enter the secondary address that you want to assign to the LAN ports. • Prefix Length. Enter the prefix length for the secondary IP address. 4. Click the Add table button in the rightmost column to add the secondary IP address to the Available Secondary LAN IPs table.
Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT. The wireless VPN firewall is programmed to recognize some of these applications and to work correctly with them, but there are other applications that might not function well. In some cases, local computers can run the application correctly if those computers are used on the DMZ port.
Figure 42. 2. Enter the settings as explained in the following table: Table 17. DMZ Setup screen settings for IPv4 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields. • No. Allows you to disable the DMZ port after you have configured it. IP Address Enter the IP address of the DMZ port.
Table 17. DMZ Setup screen settings for IPv4 (continued) Do you want to enable DMZ Port? (continued) Subnet Mask Enter the IP subnet mask of the DMZ port. The subnet mask specifies the network number portion of an IP address. The subnet mask for the DMZ port is 255.255.255.0.
Table 17. DMZ Setup screen settings for IPv4 (continued) DHCP Relay To use the wireless VPN firewall as a DHCP relay agent for a DHCP server somewhere else in your network, select the DHCP Relay radio button. Enter the following setting: Relay Gateway. The IP address of the DHCP server for which the wireless VPN firewall serves as a relay. Enable LDAP information
For the DMZ, there are two DHCPv6 server options: • Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCPv6 server.
3. Enter the settings as explained in the following table: Table 18. DMZ Setup screen settings for IPv6 Setting Description DMZ Port Setup Do you want to enable DMZ Port? Select one of the following radio buttons: • Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and Subnet Mask fields. • No. Allows you to disable the DMZ port after you have configured it. IPv6 Address Enter the IP address of the DMZ port.
Table 18. DMZ Setup screen settings for IPv6 (continued) DHCP Status (continued) DNS Server Select one of the DNS server options from the drop-down lists: • Use DNS Proxy. The wireless VPN firewall acts as a proxy for all DNS requests and communicates with the ISP’s DNS servers that you configured on the Broadband ISP Settings (IPv6) screen (see Configure a Static IPv6 Internet Connection on page 39). • Use DNS from ISP.
2. Enter the settings as explained in the following table: Table 19. DMZ IPv6 Config screen settings Setting Description Start IPv6 Address Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCPv6 client joining the DMZ is assigned an IP address between this address and the end IP address. End IPv6 Address Enter the end IP address.
Hosts and routers in the LAN use NDP to determine the link-layer addresses and related information of neighbors in the LAN that can forward packets on their behalf. The wireless VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ.
Figure 45. 4. Enter the settings as explained in the following table: Table 21. RADVD screen settings for the DMZ Setting Description RADVD Status Specify the RADVD status by making a selection from the drop-down list: • Enable. The RADVD is enabled, and the RADVD fields become available for you to configure. • Disable. The RADVD is disabled, and the RADVD fields are masked out. This is the default setting.
Table 21. RADVD screen settings for the DMZ (continued) RA Flags Specify what type of information the DHCPv6 server provides in the DMZ by making a selection from the drop-down list: • Managed. The DHCPv6 server is used for autoconfiguration of the IP address. • Other.
Figure 46. 2. Enter the settings as explained in the following table: Table 22. Add Advertisement Prefix screen settings for the DMZ Setting Description IPv6 Prefix Type Specify the IPv6 prefix type by making a selection from the drop-down list: • 6to4. The prefix is for a 6to4 address. You need to complete the SLA ID field and Prefix Lifetime field. The other fields are masked out. • Global/Local/ISATAP.
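The RADVD tables for the LAN (Tables 15 and 16) and for the DMZ (Tables 21 and 22) describe settings that end up in ICMPv6 Router Advertisements on the link. The following Python script is an added example, not NETGEAR code or firmware: it builds an RA with the Managed and Other flags and a Prefix Information option (RFC 4861), then decodes it the way a host on the LAN or DMZ would, including the option-length checks a receiver must make. The prefix, lifetimes and router lifetime are constructed sample values; the Advertise Interval on the RADVD screen governs how often the RA is sent and does not itself appear as a packet field.

```python
"""Build and decode an ICMPv6 Router Advertisement (RFC 4861) to show what the
RADVD settings (RA Flags Managed/Other, advertisement prefixes with lifetimes)
put on the wire.  Added example, not NETGEAR code; all values are constructed."""
import ipaddress
import struct

ICMPV6_ROUTER_ADVERTISEMENT = 134
OPT_PREFIX_INFORMATION = 3
FLAG_MANAGED = 0x80    # M: hosts get addresses from a stateful DHCPv6 server
FLAG_OTHER = 0x40      # O: hosts get other settings (DNS) from DHCPv6 (stateless)
PFX_ON_LINK = 0x80     # L: prefix is on-link
PFX_AUTONOMOUS = 0x40  # A: hosts may build an address from the prefix (SLAAC)


def build_prefix_option(prefix, valid_lifetime, preferred_lifetime,
                        on_link=True, autonomous=True):
    """Prefix Information option (type 3, length 4 x 8 octets)."""
    net = ipaddress.IPv6Network(prefix)
    flags = (PFX_ON_LINK if on_link else 0) | (PFX_AUTONOMOUS if autonomous else 0)
    return struct.pack("!BBBBIII", OPT_PREFIX_INFORMATION, 4, net.prefixlen,
                       flags, valid_lifetime, preferred_lifetime, 0
                       ) + net.network_address.packed


def build_ra(managed, other, router_lifetime, prefixes, hop_limit=64):
    """16-octet RA header followed by one Prefix Information option per prefix.
    The checksum stays 0: it covers the IPv6 pseudo-header, so the sending
    stack fills it in."""
    flags = (FLAG_MANAGED if managed else 0) | (FLAG_OTHER if other else 0)
    header = struct.pack("!BBHBBHII", ICMPV6_ROUTER_ADVERTISEMENT, 0, 0,
                         hop_limit, flags, router_lifetime, 0, 0)
    return header + b"".join(build_prefix_option(**p) for p in prefixes)


def parse_ra(data):
    """Decode an RA as a LAN or DMZ host would, rejecting malformed options."""
    if len(data) < 16:
        raise ValueError("truncated RA header")
    msg_type, _code, _csum, _hops, flags, lifetime, _r, _t = struct.unpack(
        "!BBHBBHII", data[:16])
    if msg_type != ICMPV6_ROUTER_ADVERTISEMENT:
        raise ValueError("not a Router Advertisement")
    info = {"managed": bool(flags & FLAG_MANAGED),
            "other": bool(flags & FLAG_OTHER),
            "router_lifetime": lifetime, "prefixes": []}
    pos = 16
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated option header")
        opt_type, opt_len = data[pos], data[pos + 1]
        if opt_len == 0:
            raise ValueError("zero-length option")  # RFC 4861 4.6: discard the packet
        body = data[pos:pos + opt_len * 8]
        if len(body) != opt_len * 8:
            raise ValueError("option runs past end of packet")
        if opt_type == OPT_PREFIX_INFORMATION and opt_len == 4:
            plen, pflags, valid, preferred, _ = struct.unpack("!BBIII", body[2:16])
            addr = ipaddress.IPv6Address(body[16:32])
            info["prefixes"].append({
                "prefix": f"{addr}/{plen}",
                "on_link": bool(pflags & PFX_ON_LINK),
                "autonomous": bool(pflags & PFX_AUTONOMOUS),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        pos += opt_len * 8  # unknown option types are skipped, as RFC 4861 requires
    return info


# Constructed sample for the stateless DHCPv6 case described in this chapter:
# hosts build their own address from the advertised prefix (A flag) and ask
# DHCPv6 only for DNS (O flag set, M flag clear).  2001:db8::/32 is a
# documentation prefix.
SAMPLE_PREFIXES = [{"prefix": "2001:db8:1::/64",
                    "valid_lifetime": 86400, "preferred_lifetime": 14400}]


def stateless_ra():
    return build_ra(managed=False, other=True, router_lifetime=1800,
                    prefixes=SAMPLE_PREFIXES)


def stateful_ra():
    # Managed flag set: addresses come from the stateful DHCPv6 server, so the
    # advertised prefix is marked on-link only (no SLAAC).
    pfx = [dict(SAMPLE_PREFIXES[0], autonomous=False)]
    return build_ra(managed=True, other=True, router_lifetime=1800, prefixes=pfx)


if __name__ == "__main__":
    print(parse_ra(stateless_ra()))
    print(parse_ra(stateful_ra()))
```

Running the script prints the decoded flags and prefix for both variants. Comparing the two outputs shows the practical difference between the Managed and Other selections on the RADVD screen: with Managed clear, the prefix carries the autonomous flag and clients self-assign addresses; with Managed set, clients are expected to obtain addresses from the stateful DHCPv6 server.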
To delete one or more advertisement prefixes: 1. On the RADVD screen for the DMZ (see Figure 45 on page 92), select the check box to the left of each advertisement prefix that you want to delete, or click the Select All table button to select all advertisement prefixes. 2. Click the Delete table button.
Manage Static IPv4 Routing
Static routes provide additional routing information to your wireless VPN firewall.
Figure 48. 3. Enter the settings as explained in the following table: Table 23. Add Static Route screen settings for IPv4 Setting Description Route Name The route name for the static route (for purposes of identification and management). Active To make the static route effective, select the Active check box. Note: A route can be added to the table and made inactive if not needed.
To edit an IPv4 static route: 1. On the Static Routing screen for IPv4 (see Figure 47 on page 95), click the Edit button in the Action column for the route that you want to modify. The Edit Static Route screen displays. This screen is identical to the Add Static Route screen (see the previous figure). 2. Modify the settings as explained in the previous table. 3. Click Apply to save your settings. To delete one or more routes: 1.
Figure 49. 3. Enter the settings as explained in the following table: Table 24. RIP Configuration screen settings Setting Description RIP RIP Direction From the RIP Direction drop-down list, select the direction in which the wireless VPN firewall sends and receives RIP packets: • None. The wireless VPN firewall neither advertises its route table, nor accepts any RIP packets from other routers.
Table 24. RIP Configuration screen settings (continued) RIP Version By default, the RIP version is set to Disabled. From the RIP Version drop-down list, select the version: • RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version. • RIP-2. Routing that supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format: - RIP-2B.
IPv4 Static Route Example
In this example, we assume the following: • The wireless VPN firewall’s primary Internet access is through a cable modem to an ISP. • The wireless VPN firewall is on a local LAN with IP address 192.168.1.100. • The wireless VPN firewall connects to a remote network where you need to access a device. • The LAN IP address of the remote network is 134.177.0.0.
Figure 50. 3. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing screen displays: Figure 51. 4. Enter the settings as explained in the following table: Table 25. Add IPv6 Static Routing screen settings Setting Description Route Name The route name for the static route (for purposes of identification and management). Active To make the static route effective, select the Active check box.
Table 25. Add IPv6 Static Routing screen settings (continued) Interface From the drop-down list, select the physical or virtual network interface (WAN1, sit0 Tunnel, or LAN) through which the route is accessible. IPv6 Gateway The gateway IPv6 address through which the destination host or network can be reached. Metric The priority of the route. Select a value between 2 and 15.
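The static route tables above (Table 23 for IPv4, Table 25 for IPv6) list the fields of a route but not how the firewall chooses between a static route and the default route toward the ISP. The following Python script is an added example, not NETGEAR code: it models the selection as longest prefix match, then lowest metric, over active routes only, using the IPv4 Static Route Example above as sample data. The 134.177.0.0 remote network and the cable-modem default route come from that example; the prefix lengths, metrics and gateway addresses are assumptions (203.0.113.0/24 and 2001:db8::/32 are documentation ranges), and the LAN-side gateway is assumed to be 192.168.1.100, the address named in the example.

```python
"""Static route selection: longest prefix match, then lowest metric, active
routes only.  Added example, not NETGEAR code.  Gateway addresses, prefix
lengths and metrics below are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class StaticRoute:
    name: str
    destination: str     # destination network in CIDR notation
    gateway: str         # next-hop IP through which the destination is reached
    interface: str       # WAN1, LAN, sit0 Tunnel, ... as on the Add Static Route screens
    metric: int          # the screens accept 2..15
    active: bool = True  # an inactive route stays in the table but is ignored


def validate_route(route):
    """Reject mistakes the screen itself refuses: mixed address families,
    a metric outside 2..15.  Returns the parsed destination network."""
    net = ipaddress.ip_network(route.destination, strict=False)
    gw = ipaddress.ip_address(route.gateway)
    if net.version != gw.version:
        raise ValueError(f"{route.name}: gateway and destination families differ")
    if not 2 <= route.metric <= 15:
        raise ValueError(f"{route.name}: metric {route.metric} not in 2..15")
    return net


def lookup(routes, destination):
    """Return the route a packet to `destination` would take, or None."""
    addr = ipaddress.ip_address(destination)
    best_key, best_route = None, None
    for route in routes:
        if not route.active:
            continue
        net = validate_route(route)
        if net.version != addr.version or addr not in net:
            continue
        key = (net.prefixlen, -route.metric)  # longest prefix wins, then lowest metric
        if best_key is None or key > best_key:
            best_key, best_route = key, route
    return best_route


EXAMPLE_ROUTES = [
    # default route toward the ISP through the cable modem (gateway assumed)
    StaticRoute("default", "0.0.0.0/0", "203.0.113.1", "WAN1", metric=15),
    # the remote network from the IPv4 example; assumed /16, reached through a
    # LAN-side gateway at 192.168.1.100
    StaticRoute("remote-network", "134.177.0.0/16", "192.168.1.100", "LAN", metric=2),
    # a more specific route that is present but switched off: ignored
    StaticRoute("remote-subnet-off", "134.177.12.0/24", "192.168.1.100", "LAN", 2,
                active=False),
    # an IPv6 static route with assumed values
    StaticRoute("v6-remote", "2001:db8:abcd::/48", "fe80::1", "LAN", metric=2),
]


if __name__ == "__main__":
    for dst in ("134.177.12.34", "198.51.100.7", "2001:db8:abcd::10"):
        chosen = lookup(EXAMPLE_ROUTES, dst)
        print(dst, "->", chosen.name if chosen else "no route", chosen and chosen.gateway)
```

The inactive route in the sample shows why the Active check box matters: a more specific route that is present but inactive does not steal traffic from the /16, which is the behaviour the note under Table 23 describes.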
4. Wireless Configuration and Security
This chapter describes how to configure the wireless features of your ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N.
(NIC) through an antenna. Typically, an individual in-building wireless access point provides a maximum connectivity area of about a 300-foot radius. The wireless VPN firewall can support a small group of wireless users, typically 10 to 32 users. Configure the wireless features according to the order of the following sections: 1. Configure the Basic Radio Settings 2. Configure and Enable Wireless Profiles 3. (Optional) Configure Wi-Fi Protected Setup 4.
Configure the Basic Radio Settings
The radio settings apply to all wireless profiles on the wireless VPN firewall. The default wireless mode is 802.11ng. You can change the wireless mode, country, and many other radio settings on the Radio Settings screen (described in this section) and on the Advanced Wireless screen (see Configure Advanced Radio Settings on page 122). The default radio settings should work well for most configurations.
Table 26. Radio Settings screen settings (continued) Mode Specify the wireless mode in the 2.4-GHz band by making a selection from the drop-down list: • g and b. In addition to 802.11b- and 802.11g-compliant devices, 802.11n-compliant devices can connect to the wireless access point because they are backward compatible. • g only. 802.11g- and 802.11n-compliant devices can connect to the wireless access point, but 802.
Table 26. Radio Settings screen settings (continued) Transmit Power This is a nonconfigurable field that shows the actual transmit power in dBm. Transmission rate Specify the transmission data rate by making a selection from the drop-down list. The default setting is Best (Automatic). Note: For information about the available MCS indexes and transmission data rates, see Physical and Technical Specifications on page 385.
security features that are covered in detail in this chapter. Deploy the security features appropriate to your needs. Figure 53. There are several ways you can enhance the security of your wireless network: • Restrict access based on MAC address. You can allow only trusted computers to connect so that unknown computers cannot wirelessly connect to the wireless VPN firewall.
provides the most reliable security. Use WPA2 only if all clients in your network support WPA2. The wireless VPN firewall supports WPA2 with PSK, RADIUS, or a combination of PSK and RADIUS. For more information about how to configure WPA2, see Configure and Enable Wireless Profiles on page 112. • WPA+WPA2 mixed mode. This mode supports data encryption with a combination of TKIP and CCMP for both WPA and WPA2 clients.
To set up a wireless profile, specify a name for the profile and the SSID, type of security with authentication and data encryption, and whether or not the SSID is broadcast. • Network authentication. The wireless VPN firewall is set by default as an open system with no authentication. When you configure network authentication, bear in mind that older wireless adapters might not support WPA or WPA2.
_________________________________________________________________________ Store this information in a safe place: • SSID. The service set identifier (SSID) identifies the wireless local area network. You can customize it by using up to 32 alphanumeric characters. Write your SSID on the line. SSID: ___________________________________ The SSID in the wireless access point is the SSID you configure on the wireless adapter card.
Configure and Enable Wireless Profiles
To add a wireless profile: 1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays. (The following figure shows some examples.) Figure 54. The following table explains the fields of the Wireless Profiles screen: Table 27. Wireless Profiles screen settings Setting Description Status The status of the profile: Enabled or Disabled.
Figure 55. 3. Specify the settings as explained in the following table: Table 28. Add Wireless Profiles screen settings Setting Description Wireless Profile Configuration Profile Name The name for the default wireless profile is default1. You cannot change this name. For additional profiles, enter a unique name to make it easy to recognize the profile. You can enter a name of up to 32 alphanumeric characters.
Table 28. Add Wireless Profiles screen settings (continued) SSID The wireless network name (SSID) for the wireless profile. The default SSID name is FVS318N_1. You can change this name by entering up to 32 alphanumeric characters. Make sure that additional SSIDs have unique names.
Table 28. Add Wireless Profiles screen settings (continued) Encryption (Note: WPA, WPA2, and WPA+WPA2 only.) The encryption that you can select depends on the type of WPA security that you have selected: • WPA. You can select the following encryption from the drop-down list: - TKIP - TKIP+CCMP • WPA2. You can select the following encryption from the drop-down list: - CCMP - TKIP+CCMP • WPA+WPA2. The encryption is TKIP+CCMP.
Table 28. Add Wireless Profiles screen settings (continued) WEP Index and Keys: Authentication Specify the authentication by making a selection from the drop-down list: • Open System. Select this option to use WEP encryption without authentication. • Shared Key. Select this option to use WEP authentication and encryption with a shared key (passphrase).
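Table 28 describes the SSID (up to 32 characters) and the WPA/WPA2 security and encryption choices, and the worksheet above asks you to record the SSID and passphrase. The following Python script is an added example, not NETGEAR code: it applies the input limits for an SSID and a WPA-Personal passphrase and shows the IEEE 802.11 derivation that turns the passphrase and SSID into the 256-bit pre-shared key (PBKDF2-HMAC-SHA1, 4096 iterations). The SSID and passphrase values in the script are constructed; the "IEEE"/"password" pair is the published IEEE 802.11 test vector.

```python
"""WPA/WPA2 pre-shared key handling: input checks for the SSID and passphrase
and the IEEE 802.11 PBKDF2 derivation that produces the 256-bit PSK.
Added example, not NETGEAR code."""
import hashlib
import re

MAX_SSID_BYTES = 32         # the SSID field accepts up to 32 characters
PSK_BYTES = 32              # 256-bit PSK
PBKDF2_ITERATIONS = 4096    # fixed by IEEE 802.11: PSK = PBKDF2(passphrase, ssid, 4096, 256)


def check_ssid(ssid):
    """Return the SSID as bytes, enforcing the 1..32 byte limit."""
    data = ssid.encode("utf-8")
    if not 1 <= len(data) <= MAX_SSID_BYTES:
        raise ValueError("SSID must be 1 to 32 bytes")
    return data


def check_passphrase(passphrase):
    """WPA-Personal accepts an 8-63 character printable-ASCII passphrase or a
    64-hex-digit raw PSK.  Returns ("passphrase", str) or ("psk", bytes)."""
    if re.fullmatch(r"[0-9a-fA-F]{64}", passphrase):
        return "psk", bytes.fromhex(passphrase)
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("passphrase must be 8 to 63 characters or 64 hex digits")
    if not all(32 <= ord(c) <= 126 for c in passphrase):
        raise ValueError("passphrase must be printable ASCII")
    return "passphrase", passphrase


def derive_psk(ssid, passphrase):
    """The PSK the access point and every client compute from the profile's
    SSID and passphrase.  A raw 64-hex PSK is used as given."""
    kind, value = check_passphrase(passphrase)
    if kind == "psk":
        return value
    return hashlib.pbkdf2_hmac("sha1", value.encode("ascii"), check_ssid(ssid),
                               PBKDF2_ITERATIONS, PSK_BYTES)


if __name__ == "__main__":
    # Constructed profile values: the default SSID from Table 28 and a sample passphrase.
    print(derive_psk("FVS318N_1", "correct horse battery staple").hex())
    # Published IEEE 802.11 test vector.
    print(derive_psk("IEEE", "password").hex())
```

Two points follow from the derivation. The PSK is bound to the SSID, so changing the SSID of a profile changes the key every client must hold even if the passphrase stays the same. And because PBKDF2 with 4096 iterations is cheap for an attacker who has captured a handshake, the strength of WPA2 with PSK rests on the passphrase itself: use the full length the profile allows rather than a short word.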
To edit a wireless profile: 1. On the Wireless Profiles screen (see Figure 54 on page 112), click the Edit button in the Action column for the wireless profile that you want to modify. The Edit Profiles screen displays. This screen is identical to the Add Profiles screen. 2. Modify the settings as explained in the previous table. 3. Click Apply to save your settings.
Note: For wireless adapters, you can usually find the MAC address printed on the wireless adapter. To allow or restrict access based on MAC addresses: 1. On the Wireless Profiles screen (see Figure 54 on page 112), click the ACL button in the ACL column for the wireless profile for which you want to set up access control. The MAC Address Filtering screen displays. (The following figure shows some examples.) Figure 56. 2.
WARNING: When configuring the wireless VPN firewall from a wireless computer whose MAC address is not in the access control list and when the ACL policy status is set to deny access, you will lose your wireless connection when you click Apply. You then need to access the wireless VPN firewall from a wired computer or from a wireless computer that is on the access control list to make any further changes.
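The MAC address filtering procedure and the warning above describe the one mistake that is easy to make with an ACL: applying a policy that excludes the station you are administering from. The following Python script is an added example, not NETGEAR code: it normalizes MAC addresses as they are typed or printed on an adapter, evaluates an allow-list or deny-list policy, and performs the pre-apply check that refuses a change which would cut off the administrator's own wireless station. The policy names "open", "allow_listed" and "deny_listed" and all MAC addresses are constructed for the example; how they map onto the values in the ACL policy status drop-down list is an assumption.

```python
"""Wireless MAC access control list with the pre-apply lockout check that the
warning above calls for.  Added example, not NETGEAR code; policy names and
MAC addresses are constructed.  "allow_listed" admits only listed stations,
"deny_listed" refuses listed stations, "open" filters nothing."""
import re

_MAC_RE = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(mac):
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF or aabb.ccdd.eeff and return
    the canonical lower-case colon form, so comparisons do not depend on how
    the address was typed or printed on the adapter."""
    digits = re.sub(r"[:\-.]", "", mac.strip()).lower()
    if not _MAC_RE.fullmatch(digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def is_admitted(policy, acl, mac):
    """Decide whether a station with address `mac` may associate under the
    given policy and access control list."""
    listed = normalize_mac(mac) in {normalize_mac(m) for m in acl}
    if policy == "open":
        return True
    if policy == "allow_listed":
        return listed
    if policy == "deny_listed":
        return not listed
    raise ValueError(f"unknown policy {policy!r}")


def check_before_apply(policy, acl, admin_mac, admin_on_wireless):
    """Return (ok, message).  Refuse when the administrator's own wireless
    station would be cut off by the new settings, the situation the warning
    above describes; a wired administrator is unaffected."""
    if admin_on_wireless and not is_admitted(policy, acl, admin_mac):
        return False, (f"applying policy {policy!r} would disconnect the "
                       f"administrator's station {normalize_mac(admin_mac)}")
    return True, "ok"


if __name__ == "__main__":
    # Constructed list of trusted stations in mixed notations.
    trusted = ["AA:BB:CC:11:22:33", "aa-bb-cc-44-55-66", "aabb.cc77.8899"]
    print(check_before_apply("allow_listed", trusted, "AA:BB:CC:11:22:33", True))
    print(check_before_apply("allow_listed", trusted, "AA:BB:CC:00:00:01", True))
    print(check_before_apply("deny_listed", trusted, "AA:BB:CC:00:00:01", True))
```

Running the script shows the allow-list applied from a listed station succeeding, the same change from an unlisted wireless station refused with the reason, and the deny-list leaving the unlisted station connected. Normalizing before comparison also avoids a subtler lockout: an entry typed with hyphens or upper-case letters that never matches the colon-separated address the station actually presents.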
The following table explains the fields of the Access Point Status screen. To change the poll interval period, enter a new value in the Poll Interval field, and then click Set interval. To stop polling, click Stop. Table 29. Access Point screen fields Item Description Access Point AP Name The names for the four wireless profiles are ap1, ap2, ap3, and ap4. Radio The radio to which the client is connected.
Note: For a list of other Wi-Fi-certified products available from NETGEAR, go to http://www.wi-fi.org. To enable WPS and initiate the WPS process on the wireless VPN firewall: 1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays (see Figure 54 on page 112). 2. On the Wireless Profiles screen, to the right of the Wireless Profiles tab, click the WPS option arrow.
6. In the WPS Setup Method section of the screen, use one of the following methods to initiate the WPS process for a wireless device: • PIN method: a. Collect the PIN of the wireless device. b. In the Station PIN field, enter the PIN. c. Click the PIN button. • Push button configuration (PBC) method: a. Click the PBC button. b.
3. Specify the settings as explained in the following table: Table 30. Advanced Wireless screen settings Setting Description Beacon Interval Enter an interval between 40 ms and 3500 ms for each beacon transmission, which allows the wireless VPN firewall to synchronize the wireless network. The default setting is 100.
Test Basic Wireless Connectivity
After you have configured the wireless VPN firewall as explained in the previous sections, test your wireless clients for wireless connectivity before you place the wireless VPN firewall at its permanent position. To test for wireless connectivity: 1. Configure the 802.11b/g/n wireless clients so that they all have the same SSID that you have configured on the wireless VPN firewall.
5. Firewall Protection
This chapter describes how to use the firewall features of the wireless VPN firewall to protect your network.
the incoming packet is in response to an outgoing request, but true stateful packet inspection goes far beyond NAT. For IPv6, which in itself provides stronger security than IPv4, a firewall in particular controls the exchange of traffic between the Internet, DMZ, and LAN. Administrator Tips Consider the following operational items: 1.
A firewall has two default rules, one for inbound traffic and one for outbound. The default rules of the wireless VPN firewall are: • Inbound. Block all access from outside except responses to requests from the LAN side. • Outbound. Allow all access from the LAN side to the outside. The firewall rules for blocking and allowing traffic on the wireless VPN firewall can be applied to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic. Table 31.
The following table describes the fields that define the rules for outbound traffic and that are common to most Outbound Service screens (see Figure 63 on page 138, Figure 69 on page 145, and Figure 75 on page 152). The steps to configure outbound rules are described in the following sections: • Configure LAN WAN Rules • Configure DMZ WAN Rules • Configure LAN DMZ Rules Table 32.
Table 32. Outbound rules overview (continued) WAN Users The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are: • Any. All Internet IP addresses are covered by this rule. • Single address. Enter the required address in the Start field. • Address range. Enter the required addresses in the Start and Finish fields.
Table 32. Outbound rules overview (continued) Log (all rules) The setting that determines whether packets covered by this rule are logged. The options are: • Always. Always log traffic that matches this rule. This is useful when you are debugging your rules. • Never. Never log traffic that matches this rule.
LAN Groups screen to keep the computer’s IP address constant (see Set Up DHCP Address Reservation on page 69). • Local computers need to access the local server using the computers’ local LAN address. Attempts by local computers to access the server using the external WAN IP address will fail. Note: See Configure Port Triggering on page 185 for yet another way to allow certain types of inbound traffic that would otherwise be blocked by the firewall.
Table 33. Inbound rules overview Setting Description Inbound Rules Service The service or application to be covered by this rule. If the service or application does not display in the list, you need to define it using the Services screen (see Add Customized Services on page 168).
Table 33. Inbound rules overview (continued) LAN Users (LAN WAN rules and LAN DMZ rules) These settings apply to a LAN WAN inbound rule when the WAN mode is classical routing, and determine which computers on your network are affected by this rule. The options are: • Any. All computers and devices on your LAN. • Single address.
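The default rules (inbound block, outbound allow) and the rule fields in Tables 32 and 33 describe the inputs of the rule tables, and the Up and Down buttons described later in this chapter imply that order matters. The following Python script is an added example, not NETGEAR firmware: it models a rule table as top-down first-match evaluation over enabled rules, with Any, single-address and start-to-finish range matching for the LAN Users and WAN Users fields and the Always/Never log setting, and applies the direction's default when nothing matches. The services, rules, packets and addresses are constructed sample data (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges); schedules and QoS are left out.

```python
"""Model of the rule tables in Tables 32 and 33: default policies, top-down
first-match evaluation, Any / single address / address range matching, and
the Always / Never log setting.  Added example, not NETGEAR firmware; the
services, rules and packets are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str    # "TCP" or "UDP"
    port_start: int
    port_end: int

    def covers(self, protocol, port):
        return protocol == self.protocol and self.port_start <= port <= self.port_end


@dataclass
class Rule:
    service: Service
    action: str              # "ALLOW" or "BLOCK" (schedules omitted)
    lan_users: str = "Any"   # "Any", "a.b.c.d", or "a.b.c.d-a.b.c.e" (Start-Finish)
    wan_users: str = "Any"
    log: str = "Never"       # "Always" or "Never"
    enabled: bool = True


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    dport: int


def address_matches(spec, ip):
    """Any / single address / Start-Finish range, as the Users fields allow."""
    if spec == "Any":
        return True
    addr = ipaddress.ip_address(ip)
    if "-" in spec:
        start, finish = (ipaddress.ip_address(s.strip()) for s in spec.split("-", 1))
        if finish < start:
            raise ValueError(f"range {spec!r}: Finish precedes Start")
        return start <= addr <= finish
    return addr == ipaddress.ip_address(spec)


def evaluate(rules, packet, direction):
    """direction is "outbound" (LAN to WAN, default ALLOW) or "inbound" (WAN to
    LAN, default BLOCK).  Rules are tried top to bottom and the first enabled
    match wins, which is why the Up and Down buttons change behaviour.
    Returns (action, log_this_packet, matching_rule_or_None)."""
    default = "ALLOW" if direction == "outbound" else "BLOCK"
    if direction == "outbound":
        lan_ip, wan_ip = packet.src, packet.dst
    else:
        lan_ip, wan_ip = packet.dst, packet.src
    for rule in rules:
        if not rule.enabled or not rule.service.covers(packet.protocol, packet.dport):
            continue
        if address_matches(rule.lan_users, lan_ip) and address_matches(rule.wan_users, wan_ip):
            return rule.action, rule.log == "Always", rule
    return default, False, None


def move_up(rules, index):
    """The Up table button: swap a rule with the one above it."""
    if index <= 0:
        return list(rules)
    rules = list(rules)
    rules[index - 1], rules[index] = rules[index], rules[index - 1]
    return rules


# Constructed services and rule tables.
HTTP = Service("HTTP", "TCP", 80, 80)
SMTP = Service("SMTP", "TCP", 25, 25)
SSH = Service("SSH", "TCP", 22, 22)
# Outbound: block and log SMTP from one range of LAN hosts; everything else stays allowed.
OUTBOUND_RULES = [Rule(SMTP, "BLOCK", lan_users="192.168.1.50-192.168.1.99", log="Always")]
# Inbound: admit SSH from a single WAN address only; the default block covers the rest.
INBOUND_RULES = [Rule(SSH, "ALLOW", wan_users="203.0.113.10", log="Always")]

if __name__ == "__main__":
    for pkt, direction, table in [
            (Packet("192.168.1.60", "198.51.100.5", "TCP", 25), "outbound", OUTBOUND_RULES),
            (Packet("192.168.1.10", "198.51.100.5", "TCP", 25), "outbound", OUTBOUND_RULES),
            (Packet("203.0.113.10", "192.168.1.5", "TCP", 22), "inbound", INBOUND_RULES),
            (Packet("203.0.113.11", "192.168.1.5", "TCP", 22), "inbound", INBOUND_RULES)]:
        action, logged, rule = evaluate(table, pkt, direction)
        print(direction, pkt.src, "->", pkt.dst, pkt.dport, action, "log" if logged else "")
```

The script shows the two properties worth remembering when editing the tables: a packet that matches no rule falls back to the direction's default, so an inbound rule must exist for anything reachable from the WAN, and a BLOCK rule placed above an ALLOW rule for the same service wins, so moving rules with Up and Down changes what gets through.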
Note: Some residential broadband ISP accounts do not allow you to run any server processes (such as a web or FTP server) from your location. Your ISP might periodically check for servers and might suspend your account if it discovers any active servers at your location. If you are unsure, see the acceptable use policy of your ISP.
Configure LAN WAN Rules
The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules can then be applied to block specific types of traffic from going out from the LAN to the Internet (outbound). This feature is also referred to as service blocking.
• Edit. Allows you to make any changes to the definition of an existing rule. Depending on your selection, one of the following screens displays: - Edit LAN WAN Outbound Service screen for IPv4 (identical to Figure 63 on page 138) - Edit LAN WAN Inbound Service screen for IPv4 (identical to Figure 65 on page 140) To change the default outbound policy for IPv6 traffic or to make changes to existing IPv6 rules: 1. Select Security > Firewall.
To enable, disable, or delete one or more IPv4 or IPv6 rules: 1. Select the check box to the left of each rule that you want to enable, disable, or delete, or click the Select All table button to select all rules. 2. Click one of the following table buttons: • Enable. Enables the rule or rules. The ! status icon changes from a gray circle to a green circle, indicating that the selected rule or rules are enabled.
Figure 63. 3. Enter the settings as explained in Table 32 on page 128.
IPv6 LAN WAN Outbound Rules
To create a new IPv6 LAN WAN outbound rule: 1. In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 62 on page 136). 2. Click the Add table button under the Outbound Services table. The Add LAN WAN Outbound Service screen for IPv6 displays: Figure 64. 3. Enter the settings as explained in Table 32 on page 128.
blocked. Remember that allowing inbound services opens potential security holes in your firewall. Enable only those ports that are necessary for your network. WARNING: Make sure that you understand the consequences of a LAN WAN inbound rule before you apply the rule. Incorrect configuration might cause serious connection problems. If you are configuring the wireless VPN firewall from a remote connection, you might be locked out.
3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • WAN Destination IP Address • LAN Users (This drop-down list is available only when the WAN mode is Classical Routing. When the WAN mode is NAT, your network presents only one IP address to the Internet.
3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • LAN Users • WAN Users Unless your selection from the Action drop-down list is BLOCK always, you also need to make a selection from the following drop-down list: • Select Schedule 4. Click Apply to save your changes.
Figure 67. To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the table rank. • Edit. Allows you to make any changes to the definition of an existing rule.
Figure 68. To make changes to an existing outbound or inbound service rule, in the Action column to the right of the rule, click one of the following table buttons: • Up. Moves the rule up one position in the table rank. • Down. Moves the rule down one position in the table rank. • Edit. Allows you to make any changes to the definition of an existing rule.
Create DMZ WAN Outbound Service Rules
You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between the DMZ and any external WAN IP address according to the schedule created on the Schedule screen.
Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists: • Select Schedule • QoS Priority • NAT IP (This drop-down list is available only when the WAN mode is NAT. If you select Single Address, the IP address specified should fall under the WAN subnet.) 4. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
Unless your selection from the Action drop-down list is BLOCK always, you also need to make selections from the following drop-down lists: • Select Schedule • QoS Priority 4. Click Apply. The new rule is now added to the Outbound Services table. The rule is automatically enabled.
Create DMZ WAN Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined any rules, no rules are listed.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 71. 3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the Service, Action, and Log drop-down lists, you need to make selections from the following drop-down lists: • WAN Destination IP Address • DMZ Users (This drop-down list is available only when the WAN mode is Classical Routing. When the WAN mode is NAT, your network presents only one IP address to the Internet.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N IPv6 DMZ WAN Inbound Service Rules To create a new IPv6 DMZ WAN inbound rule: 1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 68 on page 144). 2. Click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound Service screen for IPv6 displays: Figure 72. 3. Enter the settings as explained in Table 33 on page 132.
Configure LAN DMZ Rules
The LAN DMZ Rules screen allows you to create rules that define the movement of traffic between the LAN and the DMZ. The default outbound and inbound policies are to block all traffic between the local LAN and DMZ network. You can then apply firewall rules to allow specific types of traffic either going out from the LAN to the DMZ (outbound) or coming in from the DMZ to the LAN (inbound).
To access the LAN DMZ Rules screen for IPv6 or to make changes to existing IPv6 rules:
1. Select Security > Firewall > LAN DMZ Rules. The Firewall submenu tabs display with the LAN DMZ Rules screen for IPv4 in view.
2. In the upper right of the screen, select the IPv6 radio button. The LAN DMZ Rules screen displays the IPv6 settings. (The following figure contains examples.)
Figure 74.
Create LAN DMZ Outbound Service Rules
You can change the default outbound policy or define rules that specify exceptions to the default outbound policy. By adding custom rules, you can block or allow access based on the service or application, source or destination IP addresses, and time of day. An outbound rule can block or allow traffic between the DMZ and any internal LAN IP address according to the schedule created on the Schedule screen.
IPv6 LAN DMZ Outbound Service Rules
To create a new IPv6 LAN DMZ outbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv6 radio button. The screen displays the IPv6 settings (see Figure 74 on page 151).
2. Click the Add table button under the Outbound Services table. The Add LAN DMZ Outbound Service screen for IPv6 displays:
Figure 76.
3. Enter the settings as explained in Table 32 on page 128.
IPv4 LAN DMZ Inbound Service Rules
To create a new IPv4 LAN DMZ inbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv4 radio button. The screen displays the IPv4 settings (see Figure 73 on page 150).
2. Click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen for IPv4 displays:
Figure 77.
3. Enter the settings as explained in Table 33 on page 132.
2. Click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound Service screen for IPv6 displays:
Figure 78.
3. Enter the settings as explained in Table 33 on page 132.
Figure 79.
IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound rule (see the following figure). In the example, CU-SeeMe connections are allowed only from a specified range of external IP addresses.
Figure 80.
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT Mapping
In this example, multi-NAT is configured to support multiple public IP addresses on one WAN interface. An inbound rule configures the wireless VPN firewall to host an additional public IP address and associate this address with a web server on the LAN.
Tip: If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN or DMZ. One of these public IP addresses is used as the primary IP address of the router that provides Internet access to your LAN computers through NAT. The other addresses are available to map to your servers.
To configure the wireless VPN firewall for additional IP addresses: 1.
6. In the Send to LAN Server field, enter the local IP address of your web server computer (192.168.1.2 in this example).
7. In the WAN Destination IP Address fields, enter 10.1.0.52.
8. Click Apply to save your settings. The rule is now added to the Inbound Services table of the LAN WAN Rules screen.
WARNING: For security, NETGEAR strongly recommends that you avoid creating an exposed host. When a computer is designated as the exposed host, it loses much of the protection of the firewall and is exposed to many exploits from the Internet. If compromised, the computer can be used to attack your network.
You can also enable the wireless VPN firewall to log any attempt to use Instant Messenger during the blocked period. See an example in the following figure.
Figure 84.
Figure 85.
Configure Other Firewall Features
You can configure attack checks, set session limits, and manage the application level gateway (ALG) for SIP sessions.
Attack Checks
The Attack Checks screen allows you to specify whether or not the wireless VPN firewall should be protected against common attacks in the DMZ, LAN, and WAN networks.
IPv4 Attack Checks
To enable IPv4 attack checks for your network environment:
1. Select Security > Firewall > Attack Checks. In the upper right of the screen, the IPv4 radio button is selected by default. The Attack Checks screen displays the IPv4 settings:
Figure 86.
2. Enter the settings as explained in the following table:
Table 34.
Table 34. Attack Checks screen settings for IPv4 (continued)
Setting: LAN Security Checks, Block UDP flood
Description: Select the Block UDP flood check box (which is the default setting) to prevent the wireless VPN firewall from accepting more than 20 simultaneous, active User Datagram Protocol (UDP) connections from a single device on the LAN.
Table 34. Attack Checks screen settings for IPv4 (continued)
Setting: Jumbo Frames, Enable Jumbo Frame
Description: Jumbo frames allow multiple smaller packets to be combined into a single larger packet, reducing network overhead and increasing data transfer performance. Jumbo frames are supported on ports 1, 2, 3, and 4 only. Select the Jumbo Frame check box to enable jumbo frames. By default, jumbo frames are disabled.
Set Limits for IPv4 Sessions
The session limits feature allows you to specify the total number of sessions that are allowed, per user, over an IPv4 connection across the wireless VPN firewall. The session limits feature is disabled by default.
To enable and configure session limits:
1. Select Security > Firewall > Session Limit. The Session Limit screen displays:
Figure 88.
2.
Table 35. Session Limit screen settings (continued)
Setting: Total Number of Packets Dropped due to Session Limit
Description: This is a nonconfigurable counter that displays the total number of dropped packets when the session limit is reached.
Setting: Session Timeout (TCP Timeout, UDP Timeout, ICMP Timeout)
Description: For each protocol, specify a time-out in seconds. A session expires if no data for the session is received for the duration of the time-out period.
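The two stateful checks on these screens, the LAN UDP flood limit from Table 34 and the per-user session limit with per-protocol time-outs from Table 35, can be modelled in a few lines. The following is an added example written for this page, not NETGEAR code or a description of the firewall's implementation; the session limit, the time-out values and the addresses are constructed, and only the 20-connection UDP figure comes from the manual.

```python
"""Added example (not NETGEAR code): per-user session limits with
per-protocol time-outs, plus the LAN UDP flood check described for the
Attack Checks screen. Limits, time-outs and addresses are constructed."""
from dataclasses import dataclass, field

# Block UDP flood description: no more than 20 simultaneous active
# UDP connections from a single LAN device.
UDP_FLOOD_LIMIT = 20


@dataclass
class SessionTable:
    max_sessions_per_user: int        # Session Limit screen value (constructed)
    timeouts: dict                    # {"TCP": s, "UDP": s, "ICMP": s}, constructed values
    block_udp_flood: bool = True
    sessions: dict = field(default_factory=dict)  # (src, proto, dst, dport) -> last activity
    dropped_due_to_limit: int = 0     # mirrors "Total Number of Packets Dropped due to Session Limit"

    def expire(self, now):
        """Remove sessions idle for at least their protocol's time-out."""
        stale = [k for k, last in self.sessions.items()
                 if now - last >= self.timeouts[k[1]]]
        for k in stale:
            del self.sessions[k]
        return len(stale)

    def _count(self, src, proto=None):
        return sum(1 for (s, p, _d, _dp) in self.sessions
                   if s == src and (proto is None or p == proto))

    def admit(self, src, proto, dst, dport, now):
        """Return True if the packet may create or continue a session."""
        self.expire(now)
        key = (src, proto, dst, dport)
        if key in self.sessions:          # existing session: refresh its timer
            self.sessions[key] = now
            return True
        if (self.block_udp_flood and proto == "UDP"
                and self._count(src, "UDP") >= UDP_FLOOD_LIMIT):
            return False                  # UDP flood check; not a session-limit drop
        if self._count(src) >= self.max_sessions_per_user:
            self.dropped_due_to_limit += 1
            return False
        self.sessions[key] = now
        return True


def demo():
    """Walk both checks with constructed traffic and return the outcomes."""
    limits = {"TCP": 1800, "UDP": 120, "ICMP": 60}   # constructed time-outs in seconds
    t = SessionTable(max_sessions_per_user=5, timeouts=limits)
    # six new TCP sessions from one LAN host: the sixth exceeds the per-user limit
    admitted = [t.admit("192.168.1.10", "TCP", "203.0.113.5", 8000 + i, now=0)
                for i in range(6)]
    # once the TCP time-out has elapsed the idle sessions expire and room frees up
    after_timeout = t.admit("192.168.1.10", "TCP", "203.0.113.5", 9000, now=1800)
    # a second table with a generous session limit so only the UDP flood check bites
    f = SessionTable(max_sessions_per_user=100, timeouts=limits)
    udp = [f.admit("192.168.1.20", "UDP", "203.0.113.9", 20000 + i, now=0)
           for i in range(UDP_FLOOD_LIMIT + 1)]
    return {"admitted": admitted, "dropped": t.dropped_due_to_limit,
            "after_timeout": after_timeout, "udp": udp,
            "flood_dropped": f.dropped_due_to_limit}


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the two checks are independent counters: the UDP flood refusal does not advance the session-limit drop counter, so a flat "dropped" figure on the Session Limit screen does not tell you whether a LAN host is also tripping the flood check.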
Services, Bandwidth Profiles, and QoS Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
• Services. A service narrows down the firewall rule to an application and a port number. For information about adding services, see Add Customized Services on page 168.
• Bandwidth profiles.
To add a customized service:
1. Select Security > Services. The Services screen displays. The Custom Services table shows the user-defined services. (The following figure shows some examples.)
Figure 90.
2. In the Add Custom Service section of the screen, enter the settings as explained in the following table:
Table 36.
Table 36. Services screen settings (continued)
Setting: Finish Port
Description: The last TCP or UDP port of a range that the service uses. If the service uses only a single port number, enter the same number in the Start Port and Finish Port fields. Note: This field is enabled only when you select TCP or UDP from the Type drop-down list.
Create Bandwidth Profiles
Bandwidth profiles determine the way in which data is communicated with the hosts. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN link. A single bandwidth profile can be for both outbound and inbound traffic.
2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays:
Figure 93.
3. Enter the settings as explained in the following table:
Table 37. Add Bandwidth Profile screen settings
Setting: Profile Name
Description: A descriptive name of the bandwidth profile for identification and management purposes.
Table 37. Add Bandwidth Profile screen settings (continued)
Setting: Outbound Maximum Bandwidth
Description: The outbound maximum allowed bandwidth in Kbps. The maximum allowable bandwidth is 100000 Kbps, and you cannot configure less than 100 Kbps. There is no default setting.
Setting: Type
Description: From the Type drop-down list, select the type for the bandwidth profile:
• Group. The profile applies to all users, that is, all users share the available bandwidth.
These are the default QoS profiles that are preconfigured and that cannot be edited:
• Normal-Service. Used when no special priority is given to the traffic. IP packets are marked with a ToS value of 0.
• Minimize-Cost. Used when data needs to be transferred over a link that has a lower cost. IP packets are marked with a ToS value of 2.
• Maximize-Reliability.
- ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX applets from being downloaded.
- Cookies. Cookies are used to store session information by websites that usually require login. However, several websites use cookies to store tracking information and browsing habits.
Figure 94.
2. In the Content Filtering section of the screen, select the Yes radio button.
3. In the Web Components section of the screen, select the components that you want to block (by default, none of these components are blocked, that is, none of these check boxes are selected):
• Proxy. Blocks proxy servers.
• Java. Blocks Java applets from being downloaded.
• ActiveX. Blocks ActiveX applets from being downloaded.
• Cookies. Blocks cookies from being created by a website.
Set a Schedule to Block or Allow Specific Traffic
Schedules define the time frames under which firewall rules can be applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules.
To set a schedule:
1. Select Security > Services > Schedule 1. The Schedule 1 screen displays:
Figure 95.
2.
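The rule screens earlier in this chapter (DMZ WAN, LAN DMZ and the LAN WAN examples such as the restricted-address videoconference rule and the logged Instant Messenger block), the custom services of Table 36 and the schedules described here all feed one decision: does a packet match an exception rule, and if not, what does the default policy say? The following is an added example written for this page, not NETGEAR code, that models that decision. It assumes first-match-wins ordering, and the service port numbers, the schedule window and all addresses are constructed for the example.

```python
"""Added example (not NETGEAR code): a simplified model of how services,
schedules and rules combine before the default policy applies.
Assumptions: the first matching rule wins; the services, ports, schedule
and addresses below are constructed."""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass(frozen=True)
class Service:
    name: str
    proto: str          # "TCP", "UDP" or "ICMP"
    start_port: int     # Start Port and Finish Port are equal for a single-port service
    finish_port: int

    def matches(self, proto, port):
        return proto == self.proto and self.start_port <= port <= self.finish_port


@dataclass(frozen=True)
class Schedule:
    days: frozenset     # weekday numbers, Monday = 0
    start: str          # "HH:MM", inclusive
    end: str            # "HH:MM", exclusive

    def active(self, when):
        return when.weekday() in self.days and self.start <= when.strftime("%H:%M") < self.end


@dataclass(frozen=True)
class Rule:
    service: Service
    action: str         # "BLOCK" or "ALLOW"
    schedule: object    # a Schedule, or None for "always"
    src: str            # CIDR, or "any"
    dst: str
    log: bool = False


def in_range(cidr, ip):
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)


def evaluate(rules, default_action, pkt, when):
    """Return (action, logged) for a packet dict with src, dst, proto, dport."""
    for r in rules:
        if r.schedule is not None and not r.schedule.active(when):
            continue                      # rule is outside its schedule
        if not r.service.matches(pkt["proto"], pkt["dport"]):
            continue
        if not (in_range(r.src, pkt["src"]) and in_range(r.dst, pkt["dst"])):
            continue
        return r.action, r.log
    return default_action, False          # no exception matched: apply the default policy


# Constructed services: the port numbers are chosen for the example, not taken from the manual.
IM = Service("Instant-Messenger", "TCP", 5222, 5223)
CUSEEME = Service("CU-SeeMe", "TCP", 7648, 7648)
WORK_HOURS = Schedule(frozenset(range(5)), "09:00", "17:00")   # Mon-Fri, 9 to 5

# Outbound LAN WAN: default ALLOW, but block and log Instant Messenger during work hours.
OUTBOUND = [Rule(IM, "BLOCK", WORK_HOURS, "any", "any", log=True)]
# Inbound LAN WAN: default BLOCK; allow videoconferencing only from a branch-office range.
INBOUND = [Rule(CUSEEME, "ALLOW", None, "198.51.100.0/28", "any")]


def demo():
    tue_morning = datetime(2012, 3, 13, 10, 0)     # a Tuesday, inside the schedule
    tue_evening = datetime(2012, 3, 13, 20, 0)     # same day, outside the schedule
    im = {"src": "192.168.1.25", "dst": "203.0.113.40", "proto": "TCP", "dport": 5222}
    vc_ok = {"src": "198.51.100.7", "dst": "192.168.1.50", "proto": "TCP", "dport": 7648}
    vc_bad = {"src": "203.0.113.9", "dst": "192.168.1.50", "proto": "TCP", "dport": 7648}
    return {
        "im_work": evaluate(OUTBOUND, "ALLOW", im, tue_morning),
        "im_evening": evaluate(OUTBOUND, "ALLOW", im, tue_evening),
        "vc_branch": evaluate(INBOUND, "BLOCK", vc_ok, tue_morning),
        "vc_other": evaluate(INBOUND, "BLOCK", vc_bad, tue_morning),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

Two things the model makes visible: a scheduled rule silently disappears outside its window, so the default policy (ALLOW for outbound here) is what applies in the evening; and an inbound exception is only as narrow as its source range, which is why the branch-office rule names a /28 rather than "any".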
Enable Source MAC Filtering
The Source MAC Filter screen enables you to permit or block traffic coming from certain known computers or devices. By default, the source MAC address filter is disabled. All the traffic received from computers with any MAC address is allowed.
4. Click Apply to save your settings. The MAC Address field in the Add Source MAC Address section of the screen now becomes available.
5. Build your list of source MAC addresses to be permitted or blocked by entering the first MAC address in the MAC Address field. A MAC address needs to be entered in the format xx:xx:xx:xx:xx:xx, in which x is a numeric (0 to 9) or a letter between a and f (inclusive), for example: aa:11:bb:22:cc:33.
• Host 3. MAC address (00:01:02:03:04:07) and IP address (192.168.10.12)
There are three possible scenarios in relation to the addresses in the IP/MAC Bindings table:
• Host 1 has not changed its IP and MAC addresses. A packet coming from Host 1 has IP and MAC addresses that match those in the IP/MAC Bindings table.
• Host 2 has changed its MAC address to 00:01:02:03:04:09.
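The Source MAC Filter screen's address format and the IP/MAC binding scenarios above are both simple enough to check in code. The following is an added example written for this page, not NETGEAR code: it validates the xx:xx:xx:xx:xx:xx format the screen requires, applies a permit or block list, and classifies a packet against a bindings table. Host 3's addresses are the manual's; the Host 1 and Host 2 bindings, the unbound host and the packets are constructed.

```python
"""Added example (not NETGEAR code): the MAC address format the Source
MAC Filter screen accepts, a permit/block source MAC filter, and the
IP/MAC binding check for the three host scenarios. Host 3's addresses are
the manual's; Host 1 and Host 2 bindings and the traffic are constructed."""
import re

# xx:xx:xx:xx:xx:xx where x is 0-9 or a-f (the screen's stated format)
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$")


def normalize_mac(mac):
    """Lower-case and validate a MAC address; reject anything off-format."""
    m = mac.strip().lower()
    if not MAC_RE.match(m):
        raise ValueError(f"MAC address not in xx:xx:xx:xx:xx:xx form: {mac!r}")
    return m


def is_valid_mac(mac):
    try:
        normalize_mac(mac)
        return True
    except ValueError:
        return False


class SourceMacFilter:
    """Permit-list or block-list of source MACs; disabled means allow all."""

    def __init__(self, enabled, mode, macs):
        if mode not in ("permit", "block"):
            raise ValueError("mode must be 'permit' or 'block'")
        self.enabled, self.mode = enabled, mode
        self.macs = {normalize_mac(m) for m in macs}

    def allows(self, src_mac):
        if not self.enabled:
            return True
        listed = normalize_mac(src_mac) in self.macs
        return listed if self.mode == "permit" else not listed


def check_binding(bindings, ip, mac):
    """Classify a packet against the IP/MAC Bindings table.

    bindings: {ip: mac}. Returns 'match', 'mac-changed', 'ip-changed' or
    'unbound'; the two '-changed' results are binding violations."""
    mac = normalize_mac(mac)
    if ip in bindings:
        return "match" if bindings[ip] == mac else "mac-changed"
    if mac in bindings.values():
        return "ip-changed"          # known MAC now using an address it is not bound to
    return "unbound"                 # neither address is in the table


def demo():
    bindings = {
        "192.168.10.10": "00:01:02:03:04:05",   # Host 1 (constructed)
        "192.168.10.11": "00:01:02:03:04:06",   # Host 2 (constructed)
        "192.168.10.12": "00:01:02:03:04:07",   # Host 3 (from the manual)
    }
    results = {
        "host1_unchanged": check_binding(bindings, "192.168.10.10", "00:01:02:03:04:05"),
        "host2_new_mac": check_binding(bindings, "192.168.10.11", "00:01:02:03:04:09"),
        "host3_new_ip": check_binding(bindings, "192.168.10.99", "00:01:02:03:04:07"),
        "stranger": check_binding(bindings, "192.168.10.200", "aa:11:bb:22:cc:33"),
    }
    permit = SourceMacFilter(True, "permit", ["aa:11:bb:22:cc:33"])
    results["permit_listed"] = permit.allows("AA:11:BB:22:CC:33")
    results["permit_other"] = permit.allows("00:01:02:03:04:05")
    results["bad_format"] = is_valid_mac("aa-11-bb-22-cc-33")
    return results


if __name__ == "__main__":
    print(demo())
```

Note that the filter normalizes case before comparing, so an entry typed as aa:11:bb:22:cc:33 still matches a frame whose address is reported in upper case; a dash-separated address is rejected outright rather than silently ignored, which is the behaviour you want from an allow-list.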
2. In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons:
• Yes. IP/MAC binding violations are emailed. Click the Firewall Logs & E-mail page link to ensure that emailing of logs is enabled on the Firewall Logs & E-mail screen (see Configure Logging, Alerts, and Event Notifications on page 338).
• No.
Figure 98.
2. Click the Stop button. Wait until the Poll Interval field becomes available.
3. Enter the new poll interval in seconds.
4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.
IPv6/MAC Bindings
To set up a binding between a MAC address and an IPv6 address:
1. Select Security > Address Filter > IP/MAC Binding.
2.
3. In the Email IP/MAC Violations section of the screen, specify if you want to enable email logs for IP/MAC binding violations. (You have to do this only once.) Select one of the following radio buttons:
• Yes. IP/MAC binding violations are emailed. Click the Firewall Logs & E-mail page link to ensure that emailing of logs is enabled on the Firewall Logs & E-mail screen (see Configure Logging, Alerts, and Event Notifications on page 338).
• No.
Figure 100.
2. Click the Stop button. Wait until the Poll Interval field becomes available.
3. Enter the new poll interval in seconds.
4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded before you close the window.
Configure Port Triggering
Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall.
Note these restrictions on port triggering:
• Only one computer can use a port-triggering application at any time.
• After a computer has finished using a port-triggering application, there is a short time-out period before the application can be used by another computer. This time-out period is required so the wireless VPN firewall can determine that the application has terminated.
Table 40. Port Triggering screen settings (continued)
Setting: Outgoing (Trigger) Port Range, Start Port
Description: The start port (1–65535) of the range for triggering.
Setting: Outgoing (Trigger) Port Range, End Port
Description: The end port (1–65535) of the range for triggering.
Setting: Incoming (Response) Port Range, Start Port
Description: The start port (1–65535) of the range for responding.
Setting: Incoming (Response) Port Range, End Port
Description: The end port (1–65535) of the range for responding.
3. Click the Add table button.
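The two restrictions above (one computer at a time, and a time-out before another computer may use the application) describe a small state machine around the trigger and response port ranges of Table 40. The following is an added example written for this page, not NETGEAR code, that models that state machine; the port ranges, the LAN hosts, the timestamps and the 60-second hold-down are constructed.

```python
"""Added example (not NETGEAR code): a model of a port-triggering entry.
An outbound connection to the trigger range claims the entry for one LAN
host; inbound traffic to the response range is then forwarded to that host;
after the host finishes, a hold-down period must pass before another host
can claim it. Ranges, hosts, times and the 60 s hold-down are constructed."""


class PortTrigger:
    def __init__(self, name, trigger, response, holddown=60):
        self.name = name
        self.trigger = trigger          # (start, end) outgoing trigger port range
        self.response = response        # (start, end) incoming response port range
        self.holddown = holddown        # seconds before another host may use the entry
        self.owner = None               # LAN host currently using the application
        self.released_at = None         # when the owner finished, or None while active

    def _in(self, rng, port):
        return rng[0] <= port <= rng[1]

    def outbound(self, src_host, dport, now):
        """Called for LAN-to-WAN connections; True if this packet claims the entry."""
        if not self._in(self.trigger, dport):
            return False                # not a trigger port for this entry
        if self.owner is None or self.owner == src_host:
            self.owner, self.released_at = src_host, None
            return True
        if self.released_at is not None and now - self.released_at >= self.holddown:
            self.owner, self.released_at = src_host, None   # previous user timed out
            return True
        return False                    # another host is still using the application

    def inbound(self, dport, now):
        """Return the LAN host to forward a WAN packet to, or None to drop it."""
        if self.owner is not None and self.released_at is None and self._in(self.response, dport):
            return self.owner
        return None

    def finish(self, host, now):
        """The owning host closed the application; start the hold-down timer."""
        if host == self.owner and self.released_at is None:
            self.released_at = now
            return True
        return False


def demo():
    pt = PortTrigger("game", trigger=(6000, 6000), response=(7000, 7010))
    a, b = "192.168.1.10", "192.168.1.11"
    return [
        pt.outbound(a, 6000, now=0),      # A triggers the entry
        pt.inbound(7005, now=1),          # response traffic goes to A
        pt.outbound(b, 6000, now=2),      # B is refused: A still owns it
        pt.finish(a, now=3),              # A is done; hold-down starts
        pt.inbound(7005, now=4),          # nothing is forwarded during hold-down
        pt.outbound(b, 6000, now=10),     # B still too early
        pt.outbound(b, 6000, now=70),     # hold-down elapsed: B takes over
        pt.inbound(7005, now=71),         # now forwarded to B
    ]


if __name__ == "__main__":
    print(demo())
```

The security-relevant detail is the `inbound` check: the response range is only open while a LAN host holds the entry, so an unsolicited packet to a response port is dropped when nobody has triggered it, unlike a static inbound rule that leaves the port open permanently.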
To configure UPnP:
1. Select Security > UPnP. The UPnP screen displays:
Figure 103.
The UPnP Portmap Table in the lower part of the screen shows the IP addresses and other settings of UPnP devices that have accessed the wireless VPN firewall and that have been automatically detected by the wireless VPN firewall:
• Active. A Yes or No indicates if the UPnP device port that established a connection is currently active.
• Protocol.
Chapter 6 Virtual Private Networking Using IPSec and L2TP Connections
This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the wireless VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer.
Configuring a VPN tunnel connection requires that you specify all settings on both sides of the VPN tunnel to match or mirror each other precisely, which can be a daunting task. The VPN Wizard efficiently guides you through the setup procedure with a series of questions that determine the IPSec keys and VPN policies it sets up.
Figure 105.
To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
Figure 106.
2. Complete the settings as explained in the following table:
Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel
Setting: About VPN Wizard, This VPN tunnel will connect to the following peers
Description: Select the Gateway radio button. The local WAN port’s IP address or Internet name displays in the End Point Information section of the screen.
Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel (continued)
Setting: Secure Connection Remote Accessibility, What is the remote LAN IP Address?
Description: Enter the LAN IPv4 address of the remote gateway. Note: The remote LAN IPv4 address needs to be in a different subnet from the local LAN IP address. For example, if the local subnet is 192.168.1.x, then the remote subnet could be 192.168.10.x but could not be 192.168.1.x.
Figure 108.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.
Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
Figure 110.
To view the wizard default settings, click the VPN Wizard default values option arrow in the upper right of the screen. A pop-up screen displays (see the following figure), showing the wizard default values. The default values are the same for IPv4 and IPv6.
Figure 111.
3. Complete the settings as explained in the following table:
Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel
Setting: About VPN Wizard, This VPN tunnel will connect to the following peers
Description: Select the Gateway radio button. The local WAN port’s IP address or Internet name displays in the End Point Information section of the screen.
Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel (continued)
Setting: Secure Connection Remote Accessibility, What is the remote LAN IP Address?
Description: Enter the LAN IPv6 address of the remote gateway. Note: The remote LAN IPv6 address needs to be different from the local LAN IPv6 address. For example, if the local LAN IPv6 address is FEC0::1, then the remote LAN IPv6 address could be FEC0:1::1 but could not be FEC0::1.
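The remote-LAN notes in Table 41 and Table 42 are the one wizard input that cannot be fixed after the fact: an overlapping remote subnet produces a policy that the wizard accepts but that can never route traffic through the tunnel. The following is an added example written for this page, not NETGEAR code, that applies those notes to both address families before the policy is created. It assumes the LANs are written with a prefix length (the wizard asks for an address and mask, so the /24 and /64 here are an assumption); the addresses are the manual's examples plus constructed ones.

```python
"""Added example (not NETGEAR code): the remote-LAN checks behind the
VPN Wizard notes for IPv4 and IPv6. Networks are written with a prefix
length (an assumption; the wizard asks for an address and mask); the
addresses are the manual's examples plus constructed ones."""
import ipaddress


def remote_lan_problems(local_lan, remote_lan, remote_gateway=None):
    """Return a list of reasons the wizard inputs cannot form a usable tunnel."""
    problems = []
    try:
        local = ipaddress.ip_network(local_lan, strict=False)
        remote = ipaddress.ip_network(remote_lan, strict=False)
    except ValueError as e:
        return [f"unparseable network: {e}"]
    if local.version != remote.version:
        return ["local and remote LAN are different IP versions"]
    if local.overlaps(remote):
        # the Table 41/42 note: the remote LAN must be a different subnet/address
        problems.append(f"remote LAN {remote} overlaps local LAN {local}")
    if remote_gateway is not None:
        try:
            gw = ipaddress.ip_address(remote_gateway)
        except ValueError:
            gw = None            # an FQDN; resolution is left to DNS / Dynamic DNS
        if gw is not None and gw.version == local.version and gw in local:
            problems.append(f"remote gateway {gw} lies inside the local LAN")
    return problems


def demo():
    return {
        "v4_ok": remote_lan_problems("192.168.1.0/24", "192.168.10.0/24"),
        "v4_same": remote_lan_problems("192.168.1.0/24", "192.168.1.0/24"),
        "v6_ok": remote_lan_problems("FEC0::1/64", "FEC0:1::1/64"),
        "v6_same": remote_lan_problems("FEC0::1/64", "FEC0::1/64"),
        "gw_inside": remote_lan_problems("192.168.1.0/24", "192.168.10.0/24", "192.168.1.77"),
        "gw_fqdn": remote_lan_problems("192.168.1.0/24", "192.168.10.0/24", "remote.com"),
    }


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "ok")
```

`overlaps` rather than equality is the right test: a remote /16 that contains the local /24 is just as unroutable as an identical subnet, and the wizard's "different subnet" wording is satisfied only when the two ranges are disjoint.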
Figure 113.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN connection becomes active.
Note: When using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
Use the VPN Wizard to Configure the Gateway for a Client Tunnel
To set up a client-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio button is selected by default. The VPN Wizard screen displays the IPv4 settings. (The following figure contains an example.)
Figure 115.
2. Complete the settings as explained in the following table:
Table 43. IPSec VPN Wizard settings for a client-to-gateway tunnel
Setting: About VPN Wizard, This VPN tunnel will connect to the following peers
Description: Select the VPN Client radio button. The default remote FQDN (remote.com) and the default local FQDN (local.com) display in the End Point Information section of the screen.
Figure 116.
Note: When you are using FQDNs, if the Dynamic DNS service is slow to update its servers when your DHCP WAN address changes, the VPN tunnel will fail because the FQDNs do not resolve to your new address. If you have the option to configure the update interval, set it to an appropriately short time.
4. Optional step: Collect the information that you need to configure the VPN client.
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. The VPN Client supports IPv4 only; an upcoming release of the VPN Client will support IPv6.
To use the Configuration Wizard to set up a VPN connection between the VPN client and the wireless VPN firewall:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays:
Figure 117.
2.
Figure 118.
3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel parameters wizard screen (screen 2 of 3) displays:
Figure 119.
4. Specify the following VPN tunnel parameters:
• IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the wireless VPN firewall. For example, enter 192.168.15.175.
• Preshared key.
5. Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays:
Figure 120.
6. This screen is a summary screen of the new VPN configuration. Click Finish.
7. Specify the local and remote IDs:
a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
c. Specify the settings that are explained in the following table.
Table 45. VPN client advanced authentication settings
Setting: Advanced features, Aggressive Mode
Description: Select this check box to enable aggressive mode as the mode of negotiation with the wireless VPN firewall.
Setting: NAT-T
Description: Select Automatic from the drop-down list to enable the VPN client and wireless VPN firewall to negotiate NAT-T.
Figure 122.
b. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the wireless VPN firewall.
• Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this setting to 3600 seconds to match the configuration of the wireless VPN firewall.
9.
Configure the Authentication Settings (Phase 1 Settings)
To create new authentication settings:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration Panel. The Configuration Panel screen displays:
Figure 123.
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1.
Figure 124.
3. Change the name of the authentication phase (the default is Gateway): a.
Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
The Authentication pane displays in the Configuration Panel screen, with the Authentication tab selected by default.
Figure 125.
4. Specify the settings that are explained in the following table.
Table 46.
5. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays:
Figure 126.
7. Specify the settings that are explained in the following table.
Table 47.
Table 47. VPN client advanced authentication settings (continued)
Setting: Remote ID
Description: As the type of ID, select DNS from the Remote ID drop-down list because you specified an FQDN in the wireless VPN firewall configuration. As the value of the ID, enter local.com as the remote ID for the wireless VPN firewall. Note: The local ID on the wireless VPN firewall is the remote ID on the VPN client.
Figure 127.
3. Specify the settings that are explained in the following table.
Table 48. VPN client IPSec configuration settings
Setting: VPN Client address
Description: Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by the VPN client in the wireless VPN firewall’s LAN; the computer (for which the VPN client opened a tunnel) appears in the LAN with this IP address.
4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
Configure the Global Parameters
To specify the global parameters:
1. Click Global Parameters in the left column of the Configuration Panel screen. The Global Parameters pane displays in the Configuration Panel screen:
Figure 128.
2. Specify the default lifetimes in seconds:
• Authentication (IKE), Default.
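The chapter opens by saying that both sides of the tunnel must "match or mirror each other precisely", and the client steps above show what that means in practice: the firewall's local ID (local.com) is the client's remote ID, and the client's default lifetimes (3600 s IKE, 1200 s IPSec) must be raised to the firewall's 28800 s and 3600 s. The following is an added example written for this page, not NETGEAR code, that compares the two sides' settings and reports what does not mirror. The dict layout and the pre-shared key value are constructed; the identifiers and lifetimes are the manual's.

```python
"""Added example (not NETGEAR code): checks that a VPN client's Phase 1
and Phase 2 settings mirror the gateway's. Identifiers and lifetimes are
the manual's example values (local.com / remote.com, 28800 s / 3600 s, and
the client defaults 3600 s / 1200 s); the pre-shared key value and the
settings dict layout are constructed."""


def mirror_mismatches(gateway, client):
    """Return the settings on the client that do not mirror the gateway.

    Both arguments are dicts with: local_id, remote_id, psk, ike_lifetime,
    ipsec_lifetime, aggressive_mode, nat_t. The gateway's local ID must be
    the client's remote ID and vice versa; everything else must be equal."""
    problems = []
    if client["remote_id"] != gateway["local_id"]:
        problems.append(f"client remote ID {client['remote_id']!r} != gateway local ID {gateway['local_id']!r}")
    if client["local_id"] != gateway["remote_id"]:
        problems.append(f"client local ID {client['local_id']!r} != gateway remote ID {gateway['remote_id']!r}")
    for key in ("psk", "ike_lifetime", "ipsec_lifetime", "aggressive_mode", "nat_t"):
        if client[key] != gateway[key]:
            # never echo the pre-shared key into a report or log
            shown = "<redacted>" if key == "psk" else f"{client[key]} vs {gateway[key]}"
            problems.append(f"{key} differs: {shown}")
    return problems


# The gateway side as the VPN Wizard sets it up for a client tunnel (psk constructed).
GATEWAY = {"local_id": "local.com", "remote_id": "remote.com", "psk": "example-psk",
           "ike_lifetime": 28800, "ipsec_lifetime": 3600, "aggressive_mode": True, "nat_t": True}


def demo():
    # A freshly created client profile still carries the client's default lifetimes.
    client = {"local_id": "remote.com", "remote_id": "local.com", "psk": "example-psk",
              "ike_lifetime": 3600, "ipsec_lifetime": 1200, "aggressive_mode": True, "nat_t": True}
    before = mirror_mismatches(GATEWAY, client)
    client.update(ike_lifetime=28800, ipsec_lifetime=3600)   # the Global Parameters step
    after = mirror_mismatches(GATEWAY, client)
    # Copying the IDs across unchanged is the classic mistake: they must be swapped.
    swapped = dict(client, local_id="local.com", remote_id="remote.com")
    return {"before": before, "after": after, "swapped": mirror_mismatches(GATEWAY, swapped)}


if __name__ == "__main__":
    for name, found in demo().items():
        print(name, found or "mirrors the gateway")
```

The "swapped" case is worth keeping in mind when reading the client console: an ID mismatch shows up as a Phase 1 authentication failure even though the pre-shared key is correct on both sides.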
Test the Connection and View Connection and Status Information
Both the NETGEAR ProSafe VPN Client and the wireless VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and troubleshooting problems with a connection.
Test the NETGEAR VPN Client Connection
There are many ways to establish a connection.
• Use the system-tray icon. Right-click the system tray icon, and select Open tunnel ‘Tunnel’.
Figure 131.
Whichever way you choose to open the tunnel, when the tunnel opens successfully, the Tunnel opened message displays above the system tray:
Figure 132.
NETGEAR VPN Client Status and Log Information
To view detailed negotiation and error information on the NETGEAR VPN client: Right-click the VPN client icon in the system tray, and select Console. The VPN Client Console Active screen displays:
Figure 134.
View the Wireless VPN Firewall IPSec VPN Connection Status
To view the status of current IPSec VPN tunnels, select VPN > Connection Status.
The Active IPSec SA(s) table lists each active connection with the information that is described in the following table. The default poll interval is 10 seconds. To change the poll interval period, enter a new value in the Poll Interval field, and then click the Set Interval button. To stop polling, click the Stop button.
Table 49.
Manage IPSec VPN Policies
After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy are stored in separate policy tables. The name that you selected as the VPN tunnel connection name during the VPN Wizard setup identifies both the VPN policy and IKE policy. You can edit existing policies, or manually add new VPN and IKE policies directly in the policy tables.
IKE Policies Screen
To access the IKE Policies screen: Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen in view. In the upper right of the screen, the IPv4 radio button is selected by default. The IKE Policies screen displays the IPv4 settings. (The following figure shows some examples.) To display the IPv6 settings on the IKE Policies screen, select the IPv6 radio button.
Figure 137.
To delete one or more IKE policies:
1. Select the check box to the left of each policy that you want to delete, or click the Select All table button to select all IKE policies.
2. Click the Delete table button.
For information about how to add or edit an IKE policy, see Manually Add or Edit an IKE Policy on page 219.
Note: You cannot delete or edit an IKE policy for which the VPN policy is active without first disabling or deleting the VPN policy.
Figure 138.
4. Complete the settings as explained in the following table:
Table 51. Add IKE Policy screen settings
Setting: Mode Config Record, Do you want to use Mode Config Record?
Description: Specify whether or not the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Operation on page 238. Select one of the following radio buttons:
• Yes. IP addresses are assigned to remote VPN clients.
Table 51. Add IKE Policy screen settings (continued)
Setting: Local Identifier
Description: From the drop-down list, select one of the following ISAKMP identifiers to be used by the wireless VPN firewall, and then specify the identifier in the Identifier field:
• Local Wan IP. The WAN IP address of the wireless VPN firewall. When you select this option, the Identifier field automatically shows the IP address of the selected WAN interface.
• FQDN.
Table 51. Add IKE Policy screen settings (continued)
Setting: Authentication Method
Description: Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the wireless VPN firewall and the remote endpoint.
• RSA-Signature. Uses the active self-signed certificate that you uploaded on the Certificates screen (see Manage VPN Self-Signed Certificates on page 309).
Table 51. Add IKE Policy screen settings (continued)
Setting: Extended Authentication, XAUTH Configuration
Description: Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This is the default setting.
• Edge Device.
Note: For more information about
5. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE Policies table.
Manage VPN Policies
You can create two types of VPN policies. When you use the VPN Wizard to create a VPN policy, only the Auto method is available.
• Manual. You manually enter all settings (including the keys) for the VPN tunnel on the wireless VPN firewall and on the remote VPN endpoint. No third-party server or organization is involved.
Figure 139. Each policy contains the data that are explained in the following table. These fields are explained in more detail in Table 53 on page 230. Table 52. VPN Policies screen information for IPv4 and IPv6 Item Description ! (Status) Indicates whether the policy is enabled (green circle) or disabled (gray circle).
To enable or disable one or more VPN policies: 1. Select the check box to the left of each policy that you want to enable or disable, or click the Select All table button to select all VPN policies. 2. Click the Enable or Disable table button. For information about how to add or edit a VPN policy, see Manually Add or Edit a VPN Policy on this page. Manually Add or Edit a VPN Policy To manually add a VPN policy: 1.
Figure 140.
Figure 141.
4. Complete the settings as explained in the following table. The only differences between IPv4 and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6). Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 Setting Description General Policy Name A descriptive name of the VPN policy for identification and management purposes. Note: The name is not supplied to the remote VPN endpoint.
Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Traffic Selection Local IP From the drop-down list, select the address or addresses that are part of the VPN tunnel on the wireless VPN firewall: • Any. All computers and devices on the network. Note that you cannot select Any for both the wireless VPN firewall and the remote endpoint. • Single. A single IP address on the network.
Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Key-Out The encryption key for the outbound policy. The length of the key depends on the selected encryption algorithm: • 3DES. Enter 24 characters. • None. Key is not applicable. • DES. Enter 8 characters. • AES-128. Enter 16 characters. • AES-192. Enter 24 characters. • AES-256. Enter 32 characters. Note: DES has only a 56-bit key and is no longer considered secure; prefer an AES algorithm. Because manual keys are entered as characters, generate them randomly; a key typed by hand has far less entropy than its length suggests.
Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued) Setting Description Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting. • MD5. Hash algorithm that produces a 128-bit digest. MD5 is deprecated; select it only when the remote endpoint does not support SHA-1.
You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH are available: • Edge Device. The wireless VPN firewall is used as a VPN concentrator on which one or more gateway tunnels terminate. You need to specify the authentication type that should be used during verification of the credentials of the remote VPN gateways: the user database, RADIUS-PAP, or RADIUS-CHAP. • IPSec Host.
Table 54. Extended authentication settings for IPv4 and IPv6 Setting Description Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: • None. XAUTH is disabled. This is the default setting. • Edge Device. The wireless VPN firewall functions as a VPN concentrator on which one or more gateway tunnels terminate.
first against a local user database (if RADIUS-PAP is enabled) and then by relaying the information to a central authentication server such as a RADIUS server. Note: Even though you can configure RADIUS servers with IPv4 addresses only, the servers can be used for authentication, authorization, and accounting of both IPv4 and IPv6 users. To configure primary and backup RADIUS servers: 1. Select VPN > IPSec VPN > RADIUS Client.
Table 55. RADIUS Client screen settings (continued) Setting Description Primary Server NAS Identifier The primary Network Access Server (NAS) identifier that needs to be present in a RADIUS request. Note: The wireless VPN firewall functions as a NAS, allowing network access to external users after verification of their authentication information. In a RADIUS transaction, the NAS needs to provide some NAS identifier information to the RADIUS server.
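The RADIUS-PAP and RADIUS-CHAP choices above differ in what the firewall (acting as the NAS) puts on the wire. The following Python block is an added example, not NETGEAR code and not the firewall's implementation: it builds an Access-Request carrying the User-Name and NAS-Identifier attributes and either a PAP User-Password (hidden with the RFC 2865 MD5/XOR scheme keyed by the shared secret) or a CHAP-Password (MD5 over ident, password and challenge), and shows the server-side check for both. The shared secret, NAS identifier, user name and password are constructed sample values.

```python
import hashlib
import os
import struct

# Constructed sample values for this example; they are not from the manual.
SHARED_SECRET = b"example-radius-secret"
NAS_IDENTIFIER = b"fvs318n-vpn"

# RADIUS code and attribute types defined in RFC 2865
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_NAS_IDENTIFIER = 32


def _xor_stream(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 section 5.2 User-Password hiding: each 16-byte block is XORed with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, key))
        out += result
        prev = block if decrypt else result  # chaining always uses the ciphertext block
    return bytes(out)


def pap_hide(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _xor_stream(padded, secret, authenticator, decrypt=False)


def pap_reveal(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    return _xor_stream(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def chap_password(ident: int, password: bytes, challenge: bytes) -> bytes:
    """CHAP-Password value: CHAP ident byte followed by MD5(ident + password + challenge)."""
    return bytes([ident]) + hashlib.md5(bytes([ident]) + password + challenge).digest()


def _attr(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, method,
                         secret=SHARED_SECRET, nas_id=NAS_IDENTIFIER, authenticator=None):
    """What the NAS sends. The NAS-Identifier attribute is always included."""
    authenticator = authenticator or os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(ATTR_NAS_IDENTIFIER, nas_id)
    if method == "PAP":
        attrs += _attr(ATTR_USER_PASSWORD, pap_hide(password, secret, authenticator))
    elif method == "CHAP":
        # Without a CHAP-Challenge attribute the Request Authenticator is the challenge.
        attrs += _attr(ATTR_CHAP_PASSWORD, chap_password(identifier & 0xFF, password, authenticator))
    else:
        raise ValueError("method must be PAP or CHAP")
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier & 0xFF, 20 + len(attrs))
    return header + authenticator + attrs


def parse_attributes(packet: bytes) -> dict:
    attrs, pos = {}, 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2:
            raise ValueError("malformed attribute")
        attrs[attr_type] = packet[pos + 2:pos + length]
        pos += length
    return attrs


def server_check(packet: bytes, secret: bytes, stored_password: bytes) -> bool:
    """What the RADIUS server does. Note that CHAP also needs the cleartext password on the server."""
    authenticator = packet[4:20]
    attrs = parse_attributes(packet)
    if ATTR_NAS_IDENTIFIER not in attrs:
        return False  # the NAS identifier must be present in the request
    if ATTR_USER_PASSWORD in attrs:
        return pap_reveal(attrs[ATTR_USER_PASSWORD], secret, authenticator) == stored_password
    if ATTR_CHAP_PASSWORD in attrs:
        ident = attrs[ATTR_CHAP_PASSWORD][0]
        return attrs[ATTR_CHAP_PASSWORD] == chap_password(ident, stored_password, authenticator)
    return False
```

With PAP the password leaves the NAS hidden only by an MD5 keystream derived from the shared secret, so the shared secret must be long and random and the RADIUS path should stay on a trusted network; with CHAP the password itself never crosses the wire, but the server must hold it in cleartext to recompute the response.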
You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4 addresses to clients, but you cannot assign IPv6 addresses to clients. Mode Config Operation After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the remote user with a VPN client) requests the IP configuration settings such as the IP address, subnet mask, WINS server, and DNS address from the wireless VPN firewall.
As an example, the screen shows two Mode Config records with the names EMEA Sales and NA Sales: • For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and second pool (172.16.200.1 through 172.16.200.99) are shown. • For NA Sales, a first pool (172.25.100.50 through 172.25.100.99), a second pool (172.25.210.1 through 172.25.210.99), and a third pool (172.25.220.80 through 172.25.220.99) are shown. 2.
3. Complete the settings as explained in the following table: Table 56. Add Mode Config Record screen settings Setting Description Client Pool Record Name A descriptive name of the Mode Config record for identification and management purposes. First Pool Assign at least one range of IP pool addresses in the First Pool fields to enable the wireless VPN firewall to allocate these to remote VPN clients.
Table 56. Add Mode Config Record screen settings (continued) Setting Description Integrity Algorithm From the drop-down list, select one of the following two algorithms to be used in the VPN header for the authentication process: • SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting. • MD5. Hash algorithm that produces a 128-bit digest. Local IP Address The local IP address to which remote VPN clients have access.
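The Mode Config operation and the pool layout of a record (first, second and third pool, IPv4 only) described above can be modelled as a small allocator. The following Python block is an added example, not NETGEAR code: it assigns a client an unused address from the record's pools in order, refuses IPv6 pools, reports exhaustion instead of handing out a duplicate, releases addresses on disconnect, and assembles the settings the text says the client requests after Phase 1 (address, subnet mask, DNS, WINS). The EMEA Sales pools are the manual's own example values; the attribute names in the reply and the client identifiers are assumed for illustration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class ModeConfigRecord:
    """One Mode Config record: a name plus one or more IPv4 client pools."""

    def __init__(self, name: str, pools: List[Tuple[str, str]]):
        self.name = name
        self.pools = []
        for first, last in pools:
            lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
            # The firewall assigns only IPv4 addresses to Mode Config clients.
            if lo.version != 4 or hi.version != 4:
                raise ValueError("Mode Config pools must be IPv4")
            if hi < lo:
                raise ValueError("pool end precedes pool start")
            self.pools.append((lo, hi))
        self.leases: Dict[str, ipaddress.IPv4Address] = {}

    def capacity(self) -> int:
        return sum(int(hi) - int(lo) + 1 for lo, hi in self.pools)

    def assign(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        """Return the client's existing lease, or the first free address in pool order."""
        if client_id in self.leases:
            return self.leases[client_id]
        in_use = set(self.leases.values())
        for lo, hi in self.pools:  # first pool, then second, then third
            for n in range(int(lo), int(hi) + 1):
                candidate = ipaddress.IPv4Address(n)
                if candidate not in in_use:
                    self.leases[client_id] = candidate
                    return candidate
        return None  # all pools exhausted: the client gets no address

    def release(self, client_id: str) -> Optional[ipaddress.IPv4Address]:
        return self.leases.pop(client_id, None)


def mode_config_reply(record: ModeConfigRecord, client_id: str, subnet_mask: str,
                      dns: str, wins: Optional[str] = None) -> Optional[dict]:
    """Settings returned to the initiator after Phase 1 completes (attribute names assumed)."""
    addr = record.assign(client_id)
    if addr is None:
        return None
    reply = {
        "INTERNAL_IP4_ADDRESS": str(addr),
        "INTERNAL_IP4_NETMASK": subnet_mask,
        "INTERNAL_IP4_DNS": dns,
    }
    if wins:
        reply["INTERNAL_IP4_NBNS"] = wins
    return reply


# The EMEA Sales record from the manual's example screen.
EMEA_SALES = ModeConfigRecord("EMEA Sales", [("172.16.100.1", "172.16.100.99"),
                                             ("172.16.200.1", "172.16.200.99")])
```

Size the pools for the number of concurrent clients you expect: once the last pool is exhausted, further clients complete Phase 1 but receive no address, so the symptom of an undersized pool is a tunnel that authenticates and then fails.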
Figure 145. 8. On the Add IKE Policy screen, complete the settings as explained in the following table.
Note: The IKE policy settings that are explained in the following table are specifically for a Mode Config configuration. Table 51 on page 221 explains the general IKE policy settings. Table 57. Add IKE Policy screen settings for a Mode Config configuration Setting Description Mode Config Record Do you want to use Mode Config Record? Select the Yes radio button.
Table 57. Add IKE Policy screen settings for a Mode Config configuration (continued) Setting Description IKE SA Parameters Note: Generally, the default settings work well for a Mode Config configuration. Encryption Algorithm To negotiate the security association (SA), from the drop-down list, select the 3DES algorithm.
Table 57. Add IKE Policy screen settings for a Mode Config configuration (continued) Setting Description Extended Authentication Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify user account information: • None. XAUTH is disabled. This is the default setting. • Edge Device. Note: For more information about XAUTH, see page 234.
Note: Perform these tasks from a computer that has the NETGEAR ProSafe VPN Client installed. To configure the VPN client for Mode Config operation, create authentication settings (phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then specify the global parameters. Configure the Mode Config Authentication Settings (Phase 1 Settings) To create new authentication settings: 1.
3. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication phase name. b. Select Rename. c. Type GW_ModeConfig. d. Click anywhere in the tree list pane. Note: This is the name for the authentication phase that is used only for the VPN client, not during IKE negotiation. You can view and change this name in the tree list pane. This name needs to be a unique name.
Table 58. VPN client authentication settings (Mode Config) (continued) Setting Description IKE Encryption Select the 3DES encryption algorithm from the drop-down list. Authentication Select the SHA1 authentication algorithm from the drop-down list. Key Group Select the DH2 (1024) key group from the drop-down list. Note: On the wireless VPN firewall, this key group is referred to as Diffie-Hellman Group 2 (1024 bit). 5.
Table 59. VPN client advanced authentication settings (Mode Config) (continued) Setting Description NAT-T Select Automatic from the drop-down list to enable the VPN client and wireless VPN firewall to negotiate NAT-T. Local and Remote ID As the type of ID, select DNS from the Local ID drop-down list because you specified FQDN in the wireless VPN firewall configuration. As the value of the ID, enter client.com as the local ID for the VPN client.
Figure 150. 3. Specify the settings that are explained in the following table. Table 60. VPN client IPSec configuration settings (Mode Config) Setting Description VPN Client address This field is masked out because Mode Config is selected. After an IPSec connection is established, the IP address that is issued by the wireless VPN firewall displays in this field (see Figure 155 on page 254).
Table 60. VPN client IPSec configuration settings (Mode Config) (continued) Setting Description ESP Encryption Select 3DES as the encryption algorithm from the drop-down list. Authentication Select SHA-1 as the authentication algorithm from the drop-down list. Mode Select Tunnel as the encapsulation mode from the drop-down list. PFS and Group Select the PFS check box, and then select the DH2 (1024) key group from the drop-down list.
3. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings to match the configuration on the wireless VPN firewall: • Check Interval. Enter 30 seconds. • Max. number of entries. Enter 3 retries. • Delay between entries. Leave the default delay setting of 15 seconds. 4. Click Apply to use the new settings immediately, and click Save to keep the settings for future use.
Figure 154. 3. From the client computer, ping a computer on the wireless VPN firewall LAN. Modify or Delete a Mode Config Record Note: Before you modify or delete a Mode Config record, make sure it is not used in an IKE policy. To edit a Mode Config record: 1. On the Mode Config screen (see Figure 143 on page 238), click the Edit button in the Action column for the record that you want to modify. The Edit Mode Config Record screen displays.
Configure Keep-Alives The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host across the tunnel and monitoring the replies. To configure the keep-alive feature on a configured VPN policy: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings (see Figure 139 on page 226). 2. Specify the IP version for which you want to edit a VPN policy: • IPv4.
4. Enter the settings as explained in the following table: Table 61. Keep-alive settings Setting Description General Enable Keepalive Select the Yes radio button to enable the keep-alive feature. Periodically, the wireless VPN firewall sends keep-alive requests (ping packets) to the remote endpoint to keep the tunnel alive.
Figure 156. 4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the settings as explained in the following table: Table 62. Dead Peer Detection settings Setting Description IKE SA Parameters Enable Dead Peer Detection Select the Yes radio button to enable DPD. When the wireless VPN firewall detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a reestablishment of the connection.
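The DPD behaviour described above (probe the peer periodically, and tear down the IKE and IPSec SAs once a number of consecutive probes go unanswered) is easy to get wrong in the two parameters. The following Python block is an added example, not NETGEAR code or the firewall's implementation: it simulates the firewall's DPD state machine over a constructed list of peer responses, resets the failure counter on any reply, deletes the SAs after the configured number of consecutive misses, and reports the worst-case detection delay that a given detection period and failure count imply. The values 30 seconds and 3 retries match the client-side settings given earlier in this chapter.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class DpdRun:
    detection_period: int                      # seconds between R-U-THERE probes
    failure_count: int                         # consecutive unanswered probes before SA deletion
    misses: int = 0
    sa_deleted_at: Optional[int] = None        # simulated time at which the SAs were deleted
    events: List[Tuple[int, str]] = field(default_factory=list)


def run_dpd(detection_period: int, failure_count: int, peer_replies: List[bool]) -> DpdRun:
    """Simulate DPD from the firewall's side.

    Probe i goes out at t = (i + 1) * detection_period; peer_replies[i] says whether the
    peer answered it. The reply list is constructed input, not captured traffic.
    """
    if detection_period <= 0 or failure_count <= 0:
        raise ValueError("detection period and failure count must be positive")
    run = DpdRun(detection_period, failure_count)
    for i, answered in enumerate(peer_replies):
        t = (i + 1) * detection_period
        run.events.append((t, "R-U-THERE sent"))
        if answered:
            run.misses = 0  # any reply proves the peer is alive; start counting again
            run.events.append((t, "R-U-THERE-ACK received; failure counter reset"))
            continue
        run.misses += 1
        run.events.append((t, f"no reply ({run.misses} of {failure_count})"))
        if run.misses >= failure_count:
            run.sa_deleted_at = t
            run.events.append((t, "IKE and IPSec SAs deleted; connection re-established"))
            break
    return run


def worst_case_detection_seconds(detection_period: int, failure_count: int) -> int:
    """Longest time a dead peer can go unnoticed: every probe in the window must fail."""
    return detection_period * failure_count


if __name__ == "__main__":
    run = run_dpd(30, 3, [True, False, False, False])
    for t, event in run.events:
        print(f"t={t:4d}s  {event}")
    print("worst case:", worst_case_detection_seconds(30, 3), "seconds")
```

Set the same detection period and failure count on both ends: if the firewall tears the tunnel down after 90 seconds but the client waits longer, the client keeps sending into a deleted SA until its own timer fires.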
To enable NetBIOS bridging on a configured VPN tunnel: 1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see Figure 139 on page 226). 2. Specify the IP version for which you want to edit a VPN policy: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 3. • IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays. 3.
is established, the L2TP user can connect to an L2TP client that is located behind the wireless VPN firewall. Note: IPSec VPN provides stronger authentication and encryption than L2TP. L2TP by itself does not encrypt traffic, and packets that traverse the L2TP tunnel are not encapsulated by IPSec. You need to enable the L2TP server on the wireless VPN firewall, specify an L2TP server address pool, and create L2TP user accounts.
View the Active L2TP Users To view the active L2TP tunnel users, select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays: Figure 159. The List of L2TP Active Users table lists each active connection with the information that is described in the following table. Table 64.
7. Virtual Private Networking Using SSL Connections The wireless VPN firewall provides a hardware-based SSL VPN solution designed specifically to provide remote access for mobile users to their corporate resources, bypassing the need for a preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL) protocol, commonly used for e-commerce transactions, the wireless VPN firewall can authenticate itself to an SSL-enabled client, such as a standard web browser.
computer. The wireless VPN firewall assigns the computer an IP address and DNS server IP addresses, allowing the remote computer to access network resources in the same manner as if it were connected directly to the corporate network, subject to any policy restrictions that you configure. • SSL port forwarding.
3. For port forwarding, define the servers and services (see Configure Applications for Port Forwarding on page 267). Create a list of servers and services that can be made available through user, group, or global policies. You can also associate fully qualified domain names (FQDNs) with these servers. The wireless VPN firewall resolves the names to the servers using the list you have created. 4.
You can define individual layouts for the SSL VPN portal. The layout configuration includes the menu layout, theme, portal pages to display, and web cache control options. The default portal layout is the SSL-VPN portal. You can add additional portal layouts.
The List of Layouts table displays the following fields: • Layout Name. The descriptive name of the portal. • Description. The banner message that is displayed at the top of the portal (see Figure 171 on page 283). • Use Count. The number of authentication domains that use the portal. • Portal URL: - Portal URL (IPv4). The IPv4 URL at which the portal can be accessed.
4. Complete the settings as explained in the following table: Table 65. Add Portal Layout screen settings Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Note: Custom portals are accessed at a different URL than the default portal. For example, if your SSL VPN portal is hosted at https://vpn.company.
Table 65. Add Portal Layout screen settings (continued) Setting Description ActiveX web cache cleaner Select this check box to enable ActiveX cache control to be loaded when users log in to the SSL VPN portal. The web cache cleaner prompts the user to delete all temporary Internet files, cookies, and browser history when the user logs out or closes the web browser window.
access policies. When you create a group, you need to specify a domain. Therefore, you should create any domains first, then groups, and then user accounts. For information about how to configure domains, groups, and users, see Configure Authentication Domains, Groups, and Users on page 289. Configure Applications for Port Forwarding Port forwarding provides access to specific defined network services.
• TCP Port. The TCP port number of the application that is accessed through the SSL VPN tunnel. The following table lists some commonly used TCP applications and port numbers. Table 66.
2. In the Add New Host Name for Port Forwarding section of the screen, specify information in the following fields: • Local Server IP Address. The IP address of an internal server or host computer that you want to name. • Fully Qualified Domain Name. The full server name.
route to ensure that a VPN tunnel client connects to the local network over the VPN tunnel. Configure the Client IP Address Range First determine the address range to be assigned to VPN tunnel clients, and then define the address range. To define the client IP address range: 1. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays the IPv4 settings (the following screen shows an example). 2.
Figure 165. SSL VPN Client screen for IPv6 3. Complete the settings as explained in the following table: Table 67. SSL VPN Client screen settings for IPv4 and IPv6 Setting Description Client IP Address Range Enable Full Tunnel Support Select this check box to enable full-tunnel support.
Table 67. SSL VPN Client screen settings for IPv4 and IPv6 (continued) Setting Description Client Address Range Begin The first IP address of the IPv4 address range that you want to assign to the VPN tunnel clients. By default, the first IPv4 address is 192.168.251.1. Client Address Range End The last IP address of the IPv4 address range that you want to assign to the VPN tunnel clients. By default, the last IPv4 address is 192.168.251.254.
3. In the Add Routes for VPN Tunnel Clients section of the screen, specify information in the following fields: • Destination Network. The destination network IPv4 or IPv6 address of a local network or subnet. For example, for an IPv4 route, enter 192.168.4.20. • Subnet Mask / Prefix Length. For an IPv4 route, the address of the appropriate subnet mask; for an IPv6 route, the prefix length. 4. Click the Add table button.
Figure 166. 2. In the Add New Resource section of the screen, specify information in the following fields: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service drop-down list, select the type of service to which the resource applies: - VPN Tunnel. The resource applies only to a VPN tunnel. - Port Forwarding. The resource applies only to port forwarding. - All.
3. Specify the IP version for which you want to edit the resource: • IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default. Go to Step 4. • IPv6. Select the IPv6 radio button. The screen that lets you edit the resource displays the IPv6 settings. This screen is identical to the screen for IPv4 (see the next screen, which shows some examples). Figure 167. 4.
Table 68. Resources screen settings to edit a resource (continued) Setting Description Object Type From the drop-down list, select one of the following options: • IP Address. The object is an IPv4 or IPv6 address. You need to enter the IP address or the FQDN in the IP Address / Name field. • IP Network. The object is an IPv4 or IPv6 network.
IP address ranges are configured, then the smallest address range takes precedence. Host names are treated the same as individual IP addresses. Network resources are prioritized just like other address ranges. However, the prioritization is based on the individual address or address range, not the entire network resource. For example, assume the following global policy configuration: • Policy 1.
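The precedence rules above (the smallest matching address range wins, host names count as single addresses, and network resources are compared by their individual ranges) are the part of SSL VPN policy that is most often misread when a permit and a deny overlap. The following Python block is an added example, not NETGEAR code or the firewall's implementation, that resolves a destination against a set of global, group and user policies. It assumes, as the FVS318N documents elsewhere, that user policies override group policies and group policies override global ones; the policy names, the constructed host-name table and the sample addresses are illustrative, and a destination that no policy matches is reported as unmatched rather than given a default.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Assumed precedence between policy scopes: user policies win over group policies,
# which win over global policies. Within one scope the smallest address range wins.
SCOPE_ORDER = ("user", "group", "global")


class SslVpnPolicy:
    def __init__(self, name: str, scope: str, permission: str,
                 target: Optional[str] = None, subject: Optional[str] = None):
        if scope not in SCOPE_ORDER or permission not in ("Permit", "Deny"):
            raise ValueError("bad scope or permission")
        self.name, self.scope, self.permission, self.subject = name, scope, permission, subject
        # target None means "All Addresses"; a bare address becomes a /32 or /128 network,
        # which is how a host name or single IP address competes with a whole network.
        self.network = ipaddress.ip_network(target, strict=False) if target else None

    def applies_to(self, user: str, groups: List[str]) -> bool:
        if self.scope == "global":
            return True
        if self.scope == "group":
            return self.subject in groups
        return self.subject == user

    def matches(self, dest) -> bool:
        return self.network is None or (dest.version == self.network.version and dest in self.network)

    def range_size(self) -> float:
        return float("inf") if self.network is None else self.network.num_addresses


def resolve(policies: List[SslVpnPolicy], user: str, groups: List[str], destination: str,
            hostnames: Optional[Dict[str, str]] = None) -> Tuple[Optional[str], Optional[str]]:
    """Return (permission, policy name) for a destination IP address or host name."""
    hostnames = hostnames or {}
    dest = ipaddress.ip_address(hostnames.get(destination, destination))  # host name -> one address
    for scope in SCOPE_ORDER:
        candidates = [p for p in policies
                      if p.scope == scope and p.applies_to(user, groups) and p.matches(dest)]
        if candidates:
            best = min(candidates, key=lambda p: p.range_size())
            return best.permission, best.name
    return None, None


# Constructed sample policy set, not from the manual.
SAMPLE_POLICIES = [
    SslVpnPolicy("all-deny", "global", "Deny"),                                   # All Addresses
    SslVpnPolicy("lan-permit", "global", "Permit", "192.168.1.0/24"),             # IP Network
    SslVpnPolicy("dc-deny", "global", "Deny", "192.168.1.10"),                    # IP Address
    SslVpnPolicy("sales-dc", "group", "Permit", "192.168.1.10", subject="Sales"),
    SslVpnPolicy("bob-lockout", "user", "Deny", "192.168.1.0/24", subject="bob"),
]
```

Reading the sample set with the rules: a member of Engineering reaching 192.168.1.20 matches only the global /24 permit and the global all-addresses deny, and the /24 wins because it is smaller; for 192.168.1.10 the single-address deny is smaller still; a Sales member gets the group permit for that host because group scope is consulted before global; and bob is denied the whole network by his user policy regardless of group.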
Figure 168. 2. Make your selection from the following Query options: • To view all global policies, select the Global radio button. • To view group policies, select the Group radio button, and then select the relevant group's name from the drop-down list. • To view user policies, select the User radio button, and then select the relevant user's name from the drop-down list. 3. Click the Display action button.
Figure 169. Add SSL VPN Policy screen for IPv4 • IPv6. Select the IPv6 radio button. The Add SSL VPN Policy screen displays the IPv6 settings: Figure 170.
4. Complete the settings as explained in the following table: Table 69. Add SSL VPN Policy screen settings Setting Description Policy For Select one of the following radio buttons to specify the type of SSL VPN policy: • Global. The new policy is global and includes all groups and users. • Group. The new policy needs to be limited to a single group. From the drop-down list, select a group name.
Table 69. Add SSL VPN Policy screen settings (continued) Setting Description Apply Policy to? (continued) IP Address (continued) Permission From the drop-down list, select Permit or Deny to specify whether the policy permits or denies access. IP Network Policy Name A descriptive name of the SSL VPN policy for identification and management purposes. IP Address The IPv4 or IPv6 network address to which the SSL VPN policy is applied.
Note: If you have configured SSL VPN user policies, make sure that secure HTTP remote management is enabled (see Configure Remote Management Access on page 322). If secure HTTP remote management is not enabled, all SSL VPN user connections are disabled. To edit an SSL VPN policy: 1. On the Policies screen (see Figure 168 on page 278), click the Edit button in the Action column for the SSL VPN policy that you want to modify.
Figure 171. 3. Enter the user name and password that you just created with the help of the SSL VPN Wizard. 4. Click Login. The User Portal screen displays. The format of the User Portal screen depends on the settings that you selected on the Add Portal Layout screen (see Create the Portal Layout on page 262): • Figure 172 shows the User Portal screen with both a VPN Tunnel and a Port Forwarding menu option.
Figure 172. Figure 173. The User Portal screen displays a simple menu that, depending on the resources allocated, provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network connectivity. • Port Forwarding. Provides access to the network services that you defined as described in Configure Applications for Port Forwarding on page 267.
• Change Password. Allows the user to change his or her password. • Support. Provides access to the NETGEAR website. Note: The first time that a user attempts to connect through the VPN tunnel, the NETGEAR SSL VPN tunnel adapter is installed; the first time that a user attempts to connect through the port-forwarding tunnel, the NETGEAR port-forwarding engine is installed.
Figure 175.
8. Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Except in the case of IPSec VPN users, when you create a user account, you need to specify a group. When you create a group, you need to specify a domain. The following table summarizes the external authentication protocols and methods that the wireless VPN firewall supports. Table 70.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Configure Authentication Domains, Groups, and Users This section contains the following subsections: • Configure Domains • Configure Groups • Configure User Accounts • Set User Login Policies • Change Passwords and Other User Settings Configure Domains The domain determines the authentication method to be used for associated users.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N The List of Domains table displays the domains with the following fields: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain) to which the default SSL-VPN portal is assigned is appended by an asterisk. • Authentication Type. The authentication method that is assigned to the domain. • Portal Layout Name. The SSL portal layout that is assigned to the domain.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 71. Add Domain screen settings (continued) Setting Description Authentication Type (continued) • Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP). Complete the following fields: - Authentication Server Note: If you select - Authentication Secret any type of RADIUS • Radius-MSCHAP. RADIUS Microsoft CHAP.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Table 71. Add Domain screen settings (continued) Setting Description LDAP Base DN The LDAP distinguished name (DN) that is required to access the LDAP authentication server. This should be a user in the LDAP directory who has read access to all the users that you would like to import into the wireless VPN firewall. The Bind DN field accepts two formats: • A display name in the DN format. For example: cn=Jamie Hanson,cn=users,dc=test,dc=com.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Edit Domains To edit a domain: 1. Select Users > Domains. The Domains screen displays (see Figure 176 on page 289). 2. In the Action column of the List of Domains table, click the Edit table button for the domain that you want to edit. The Edit Domains screen displays. This screen is very similar to the Add Domains screen (see the previous figure). 3. Modify the settings as explained in the previous table.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Create Groups To create a VPN group: 1. Select Users > Groups. The Groups screen displays. (The following figure shows the wireless VPN firewall’s default group—geardomain—and, as an example, several other groups in the List of Groups table.) Figure 178. The List of Groups table displays the VPN groups with the following fields: • Check box. Allows you to select the group in the table. • Name. The name of the group.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Figure 179. 3. Complete the settings as explained in the following table: Table 72. Add Group screen settings Setting Description Name A descriptive (alphanumeric) name of the group for identification and management purposes. Domain The drop-down list shows the domains that are listed on the Domain screen. From the drop-down list, select the domain with which the group is associated.
To edit a VPN group:
1. Select Users > Groups. The Groups screen displays (see Figure 178 on page 294).
2. In the Action column of the List of Groups table, click the Edit table button for the group that you want to edit. The Edit Groups screen displays. This screen is identical to the Add Groups screen.
3. Modify the settings as explained in the previous table.
4. Click Apply to save your changes.
To create a user account:
1. Select Users > Users. The Users screen displays. (The following figure shows the wireless VPN firewall’s default users, admin and guest, and, as an example, several other users in the List of Users table.)
Figure 180.
The List of Users table displays the users and has the following fields:
• Check box. Allows you to select the user in the table.
• Name. The name of the user.
Figure 181.
3. Enter the settings as explained in the following table:
Table 73. Add Users screen settings
User Name. A descriptive (alphanumeric) name of the user for identification and management purposes.
User Type. From the drop-down list, select one of the predefined user types, which determines the access credentials:
• Administrator.
To delete one or more user accounts:
1. In the List of Users table, select the check box to the left of each user account that you want to delete, or click the Select All table button to select all accounts. You cannot delete a default user account.
2. Click the Delete table button.
Note: You cannot delete the default admin or guest user.
• To prohibit the user from logging in from the WAN interface, select the Deny Login from WAN Interface check box. In this case, the user can log in only from the LAN interface.
Note: For security reasons, the Deny Login from WAN Interface check box is selected by default for guests and administrators. The Disable Login check box is disabled (masked out) for administrators.
4. Click Apply to save your settings.
4. In the Defined Addresses Status section of the screen, select one of the following radio buttons:
• Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
• Allow Login only from Defined Addresses. Allow logging in only from the IP addresses in the Defined Addresses table.
5. Click Apply to save your settings.
6.
Figure 184.
5. In the Defined Addresses Status section of the screen, select one of the following radio buttons:
• Deny Login from Defined Addresses. Deny logging in from the IP addresses in the Defined Addresses table.
• Allow Login only from Defined Addresses. Allow logging in only from the IP addresses in the Defined Addresses table.
6. Click Apply to save your settings.
7.
9. Repeat Step 7 and Step 8 for any other addresses that you want to add to the Defined Addresses table.
To delete one or more IPv6 addresses:
1. In the Defined Addresses table, select the check box to the left of each address that you want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.
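The two login controls described above, the per-user Deny Login from WAN Interface check box and the Defined Addresses table in its Deny and Allow-only modes, evaluated for a management-login attempt. This is an added example, not NETGEAR code; the subnet form of a table entry and the sample addresses are assumptions made for the example.

```python
"""Added example (not NETGEAR code): evaluate FVS318N-style login policies.

Modelled controls:
  * per-user "Deny Login from WAN Interface" (and "Disable Login"),
  * the Defined Addresses table in either
    "Deny Login from Defined Addresses" or
    "Allow Login only from Defined Addresses" mode.
Table entries may be single IPv4/IPv6 addresses or subnets; the subnet
form is an assumption for this example.
"""
import ipaddress
from dataclasses import dataclass, field

DENY_DEFINED = "deny_from_defined"
ALLOW_ONLY_DEFINED = "allow_only_from_defined"


@dataclass
class LoginPolicy:
    mode: str = DENY_DEFINED
    defined: list = field(default_factory=list)   # the Defined Addresses table

    def add_address(self, entry: str) -> None:
        # strict=False lets both "192.168.1.0/24" and "192.168.1.1" parse.
        self.defined.append(ipaddress.ip_network(entry, strict=False))

    def matches(self, source: str) -> bool:
        addr = ipaddress.ip_address(source)
        return any(addr in net for net in self.defined if net.version == addr.version)


@dataclass
class User:
    name: str
    deny_login_from_wan: bool = True   # selected by default for admin and guest
    login_disabled: bool = False


def login_allowed(user: User, source_ip: str, via_wan: bool, policy: LoginPolicy) -> bool:
    """True only if the attempt passes every configured control."""
    if user.login_disabled:
        return False
    # Per-user interface restriction: WAN-side attempts are refused outright.
    if via_wan and user.deny_login_from_wan:
        return False
    in_table = policy.matches(source_ip)
    if policy.mode == DENY_DEFINED:
        return not in_table          # listed addresses are blocked
    if policy.mode == ALLOW_ONLY_DEFINED:
        return in_table              # only listed addresses are accepted
    raise ValueError(f"unknown policy mode {policy.mode!r}")


def demo() -> dict:
    """Constructed scenario: admin keeps the default WAN deny; a second user
    may log in from the WAN, but only from the listed management ranges."""
    policy = LoginPolicy(mode=ALLOW_ONLY_DEFINED)
    policy.add_address("192.168.1.0/24")     # constructed: management LAN
    policy.add_address("198.51.100.0/24")    # constructed: branch-office range
    policy.add_address("2001:db8:1::/64")    # constructed: IPv6 management prefix
    admin = User("admin")                    # deny_login_from_wan=True
    ops = User("ops", deny_login_from_wan=False)
    return {
        "admin_lan": login_allowed(admin, "192.168.1.25", False, policy),
        "admin_wan": login_allowed(admin, "198.51.100.7", True, policy),
        "ops_wan_listed": login_allowed(ops, "198.51.100.7", True, policy),
        "ops_wan_unlisted": login_allowed(ops, "203.0.113.9", True, policy),
        "ops_wan_v6": login_allowed(ops, "2001:db8:1::10", True, policy),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:18s} -> {'allowed' if ok else 'denied'}")
```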
6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers table by selecting one of the following browsers from the drop-down list:
• Internet Explorer.
• Opera.
• Netscape Navigator.
• Firefox. Mozilla Firefox.
• Mozilla. Other Mozilla browsers.
7. Click the Add table button. The browser is added to the Defined Browsers table.
8.
To modify user settings, including passwords:
1. Select Users > Users. The Users screen displays (see Figure 180 on page 297).
2. In the Action column of the List of Users table, click the Edit table button for the user whose settings you want to modify. The Edit Users screen displays:
Figure 186.
3. Change the settings as explained in the following table:
Note: Once established, you cannot change the user name or the group.
Table 76. Edit User screen settings (continued)
Check to Edit Password. Select this check box to make the password fields accessible so that you can modify the password.
Idle Timeout
Enter Your Password. Enter the password with which you have logged in.
New Password. Enter the new password.
Confirm New Password. Reenter the new password for confirmation.
The wireless VPN firewall uses digital certificates to authenticate connecting VPN gateways or clients, and to be authenticated by remote entities. A digital certificate that authenticates a server, for example, is a file that contains the following elements:
• A public encryption key to be used by clients for encrypting messages to the server.
• Information identifying the operator of the server.
certificates in the Active Self Certificates table are active on the wireless VPN firewall (see Manage VPN Self-Signed Certificates on page 309).
• Certificate Revocation Lists (CRL) table. Contains the CRLs that you uploaded; each CRL is issued by a CA and lists digital certificates that have been revoked and are no longer valid. Note, however, that the table displays only the active CAs and their critical release dates.
To delete one or more digital certificates:
1. In the Trusted Certificates (CA Certificate) table, select the check box to the left of each digital certificate that you want to delete, or click the Select All table button to select all digital certificates.
2. Click the Delete table button.
Manage VPN Self-Signed Certificates
Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital certificate.
To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the wireless VPN firewall:
1. Select VPN > Certificates. The Certificates screen displays. The following figure shows the middle section of the screen with the Active Self Certificates section, Generate Self Certificate Request section, and Self Certificate Requests section. (The Self Certificate Requests table contains an example certificate.)
Figure 189.
Table 77. Generate self-signed certificate request settings (continued)
Hash Algorithm. From the drop-down list, select one of the following hash algorithms:
• MD5. A 128-bit (16-byte) message digest, slightly faster than SHA-1.
• SHA-1. A 160-bit (20-byte) message digest, slightly stronger than MD5.
Signature Algorithm. Although this appears to be a drop-down list, the only possible selection is RSA.
5. Copy the contents of the Data to supply to CA text field into a text file, including all of the data from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE REQUEST-----”.
6. Submit your CSR to a CA:
a. Connect to the website of the CA.
b. Start the CSR procedure.
c.
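A check to run on the text copied in step 5 before it is submitted in step 6: extract the block between the BEGIN and END markers, decode it, and read the signature algorithm from the PKCS#10 structure, so a request signed with the MD5 option from Table 77 is caught before it reaches the CA. This is an added example, not NETGEAR code; the sample CSR it builds is constructed (empty request body, zero-filled signature), and the OID table covers only the RSA signature variants named here plus SHA-256.

```python
"""Added example (not NETGEAR code): read the signature algorithm out of the
CSR text copied from the "Data to supply to CA" field."""
import base64
import re

# Markers that step 5 tells you to copy, inclusive.
BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
END = "-----END CERTIFICATE REQUEST-----"

# Signature-algorithm OIDs as they appear in a PKCS#10 request.
SIG_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
}
WEAK = {"md5WithRSAEncryption"}   # do not submit a request signed with MD5


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element; short-form length is enough for the sample."""
    assert len(body) < 0x80, "sample encoder handles short-form lengths only"
    return bytes([tag, len(body)]) + body


def encode_oid(dotted: str) -> bytes:
    """DER-encode a dotted OID (first two arcs packed, base-128 thereafter)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def decode_oid(value: bytes) -> str:
    """Inverse of encode_oid for the value bytes of an OID element."""
    arcs, cur = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, next_pos); handles short and long-form lengths."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:                      # long form: low 7 bits = length bytes
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def extract_der(text: str) -> bytes:
    """Pull the base64 body between the markers and decode it."""
    m = re.search(re.escape(BEGIN) + r"(.*?)" + re.escape(END), text, re.S)
    if not m:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()))


def csr_signature_algorithm(der: bytes) -> str:
    """Walk SEQUENCE { info, AlgorithmIdentifier, signature } to the OID."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, pos = _read_tlv(body, 0)              # skip certificationRequestInfo
    tag, alg_id, _ = _read_tlv(body, pos)       # AlgorithmIdentifier
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if tag != 0x30 or oid_tag != 0x06:
        raise ValueError("malformed AlgorithmIdentifier")
    dotted = decode_oid(oid)
    return SIG_OIDS.get(dotted, dotted)


def check_csr_text(text: str) -> tuple:
    """Return (algorithm name, safe_to_submit) for pasted CSR text."""
    alg = csr_signature_algorithm(extract_der(text))
    return alg, alg not in WEAK


def make_sample_csr(sig_oid: str) -> str:
    """Constructed CSR with the given signature OID: empty request info and a
    zero-filled signature, so it has the CSR layout but is not a real request."""
    info = _tlv(0x30, b"")
    alg = _tlv(0x30, encode_oid(sig_oid) + _tlv(0x05, b""))   # OID + NULL params
    sig = _tlv(0x03, b"\x00" + bytes(32))                      # unused bits = 0
    b64 = base64.b64encode(_tlv(0x30, info + alg + sig)).decode()
    return "\n".join([BEGIN, *(b64[i:i + 64] for i in range(0, len(b64), 64)), END])


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"):
        text = "Data to supply to CA:\n" + make_sample_csr(oid)   # constructed field contents
        print(check_csr_text(text))
```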
2. Click the Delete table button.
Manage the VPN Certificate Revocation List
A Certificate Revocation List (CRL) file lists digital certificates that have been revoked and are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs up to date, so obtain the CRL for each CA regularly.
To view the currently loaded CRLs and upload a new CRL:
1. Select VPN > Certificates. The Certificates screen displays.
9. Network and System Management
This chapter describes the tools for managing network traffic to optimize its performance, and the system management features of the wireless VPN firewall. This chapter contains the following sections:
• Performance Management
• System Management
Performance Management
Performance management consists of controlling the traffic through the wireless VPN firewall so that the necessary traffic gets through when there is a bottleneck.
• Content filtering
• Source MAC filtering
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)
You can control specific outbound traffic (from the LAN to the WAN and from the DMZ to the WAN). The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for outbound traffic. If you have not defined any rules, only the default rule is listed. The default rule allows all outgoing traffic.
• WAN users. You can specify which Internet locations are covered by an outbound rule, based on their IP address:
- Any. The rule applies to all Internet IP addresses.
- Single address. The rule applies to a single Internet IP address.
- Address range. The rule applies to a range of Internet IP addresses.
• Schedule. You can configure three different schedules to specify when a rule is applied.
Features That Increase Traffic
The following features of the wireless VPN firewall tend to increase the traffic load on the WAN side:
• LAN WAN inbound rules (also referred to as port forwarding)
• DMZ WAN inbound rules (also referred to as port forwarding)
• Port triggering
• Enabling the DMZ port
• Configuring exposed hosts
• Configuring VPN tunnels
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)
The LAN WAN Rules screen
• LAN users. You can specify which computers on your network are affected by an inbound rule. There are several options:
- Any. The rule applies to all computers and devices on your LAN.
- Single address. The rule applies to the address of a particular computer.
- Address range. The rule applies to a range of addresses.
- Groups. The rule applies to a group of computers.
safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports. For information about how to enable the DMZ port, see Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic on page 82.
Assign Bandwidth Profiles
When you set the QoS priority, the WAN bandwidth does not change. You change the WAN bandwidth that is assigned to a service or application by applying a bandwidth profile to a LAN WAN inbound or outbound rule. The purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, giving LAN users sufficient bandwidth while preventing them from consuming all the bandwidth on your WAN links.
To modify the administrator and guest passwords and idle time-out settings:
1. Select Users > Users. The Users screen displays. (The following figure shows the wireless VPN firewall’s default users, admin and guest, and, as an example, several other users in the List of Users table.)
Figure 192.
2. In the Action column of the List of Users table, click the Edit table button for the user with the name admin.
Note: The ideal password should contain no dictionary words from any language, and should be a mixture of letters (both uppercase and lowercase), numbers, and symbols. Your password can be up to 32 characters.
5. As an option, you can change the idle time-out for an administrator login session. Enter a new number of minutes in the Idle Timeout field. (The default setting is 5 minutes.)
6. Click Apply to save your settings.
7.
Note: When remote management is enabled and administrative access through a WAN interface is granted (see Configure Login Policies on page 299), the wireless VPN firewall’s web management interface is accessible to anyone who knows its IP address and default password.
• IPv6. Select the IPv6 radio button. The Remote Management screen displays the IPv6 settings:
Figure 195.
3. Enter the settings as explained in the following table:
Table 78. Remote Management screen settings for IPv4 and IPv6
Secure HTTP Management
Allow Secure HTTP Management? To enable secure HTTP management, select the Yes radio button, which is the default setting. To disable secure HTTP management, select the No radio button.
About Remote Access
When remote management is enabled, you need to use an SSL connection to access the wireless VPN firewall from the Internet. You need to enter https:// (not http://) and type the wireless VPN firewall’s WAN IP address and port number in your browser. For example, if the wireless VPN firewall’s WAN IP address is 192.168.15.175 and the port number is 443, type the following in your browser: https://192.168.15.175:443.
To configure the SNMP settings:
1. Select Administration > SNMP. The SNMP screen displays. (The following figure contains an example.)
Figure 196.
The SNMP Configuration table shows the following columns:
• IP Address. The IP address of the SNMP manager.
• Subnet Mask. The subnet mask of the SNMP manager.
• Port. The trap port number of the SNMP manager.
• Community. The trap community string of the SNMP manager.
2.
To edit an SNMP configuration:
1. On the SNMP screen (see the previous figure), click the Edit button in the Action column for the SNMP configuration that you want to modify. The Edit SNMP screen displays:
Figure 197.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
To delete one or more SNMP configurations:
1.
2. Enter the settings as explained in the following table:
Table 80. SNMP SysConfiguration screen settings
SysContact. Enter the SNMP system contact information that is available to the SNMP manager. This setting is optional.
SysLocation. Enter the physical location of the wireless VPN firewall. This setting is optional.
SysName. Enter the name of the wireless VPN firewall for SNMP identification purposes.
Figure 199.
Back Up Settings
The backup feature saves all wireless VPN firewall settings to a file. Back up your settings periodically, and store the backup file in a safe place.
Tip: You can use a backup file to export all settings to another wireless VPN firewall that has the same language and management software versions.
Restore Settings
WARNING: Restore only settings that were backed up from the same software version. Restoring settings from a different software version can corrupt your backup file or the wireless VPN firewall system software.
To restore settings from a backup file:
1. On the Settings Backup and Firmware Upgrade screen (see the previous figure), next to Restore saved settings from file, click Browse.
2.
process is complete. The reboot process takes about 165 seconds. (If you can see the unit: The reboot process is complete when the Test LED on the front panel goes off.)
WARNING: When you press the hardware factory default Reset button or click the software Default button, the wireless VPN firewall settings are erased. All firewall rules, VPN policies, LAN and WAN settings, and other settings are lost. Back up your settings if you intend to use them again.
WARNING: After you have started the firmware installation process, do not interrupt the process. Do not try to go online, turn off the wireless VPN firewall, or do anything else to the wireless VPN firewall until the wireless VPN firewall has fully rebooted.
7. When the reboot process is complete, log in to the wireless VPN firewall again. (If you can see the unit: The reboot process is complete when the Test LED on the front panel goes off.)
8.
The bottom of the screen displays the current weekday, date, time, time zone, and year (in the example in the previous figure: Current Time: Tue Mar 6 22:48:17 GMT-0800 2012).
2. Enter the settings as explained in the following table:
Table 81. Time Zone screen settings
Date/Time. From the drop-down list, select the local time zone in which the wireless VPN firewall operates.
10. Monitor System Access and Performance
This chapter describes the system-monitoring features of the wireless VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and more. In addition, the diagnostics utilities are described.
Figure 201.
2.
Table 82. Broadband Traffic Meter screen settings
Enable Traffic Meter
Do you want to enable Traffic Metering on Broadband? Select one of the following radio buttons to configure traffic metering:
• Yes. Traffic metering is enabled, and the traffic meter records the volume of Internet traffic passing through the WAN interface.
Table 82. Broadband Traffic Meter screen settings (continued)
When Limit is reached
Block Traffic. Select one of the following radio buttons to specify which action the wireless VPN firewall performs when the traffic limit has been reached:
• Block All Traffic. All incoming and outgoing Internet and email traffic is blocked.
• Block All Traffic Except E-Mail.
To configure and activate logs:
1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays:
Figure 203.
2. Enter the settings as explained in the following table:
Table 83. Firewall Logs & E-mail screen settings
Log Options
Log Identifier. Enter the name of the log identifier. The identifier is appended to log messages to identify the device that sent them. The default identifier is FVS318N.
Table 83. Firewall Logs & E-mail screen settings (continued)
Enable E-mail Logs
Do you want logs to be emailed to you? Select the Yes radio button to enable the wireless VPN firewall to email logs to a specified email address. Complete the fields that are shown on the right side of the screen. Select the No radio button to prevent the logs from being emailed, which is the default setting.
Table 83. Firewall Logs & E-mail screen settings (continued)
Enable SysLogs
Do you want to enable syslog? To enable the wireless VPN firewall to send logs to a specified syslog server, select the Yes radio button. Complete the fields that are shown on the right side of the screen. To prevent the logs from being sent, select the No radio button, which is the default setting.
This section describes steps 2 through 4, using the topology that is described in the following table:
Type of Address | Gateway 1 at Site 1 | Gateway 2 at Site 2
WAN IP address | 10.0.0.1 | 10.0.0.2
LAN IP address | 192.168.10.0 | 192.168.20.0
LAN subnet mask | 255.255.255.0 | 255.255.255.0
LAN IP address syslog server | 192.168.10.
• Remote WAN IP address. 10.0.0.1
• Local WAN IP address. 10.0.0.2
• Remote LAN IP Address. 192.168.10.0
• Remote LAN subnet mask. 255.255.255.0
3. Click Apply to save the settings.
To change the local IP address in the VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policy screen displays.
2. Next to the policy name for the Gateway 2–to–Gateway 1 autopolicy, click Edit. The Edit VPN Policy screen displays.
3.
View Status Screens
The wireless VPN firewall provides real-time information in a variety of status screens that are described in the following sections:
• View the System Status
• View the VPN Connection Status and L2TP Users
• View the VPN Logs
• View the Port Triggering Status
• View the WAN Port Status
• View the Attached Devices and the DHCP Log
• View the Status of a Wireless Profile
View the System Status
When you start up the wire
Figure 204.
The following table explains the fields of the Router Status screen:
Table 84. Router Status screen information
System Info
System Name. The NETGEAR system name.
Firmware Version. The currently installed firmware version.
Table 84. Router Status screen information (continued)
LAN (VLAN) Information. For each of the LAN ports, the screen shows the IP address and subnet mask. For more detailed information, see Table 86 on page 350.
LAN IPv4/IPv6 Information
MAC Address. The MAC address of the wireless VPN firewall.
IPv6 Address. The IPv6 address that is assigned to the wireless VPN firewall.
Figure 205.
The following table explains the fields of the Router Statistics screen. To change the poll interval period, enter a new value (in seconds) in the Poll Interval field, and then click Set interval. To stop polling, click Stop.
Table 85. Router Statistics screen information
System up Time. The period since the last time that the wireless VPN firewall was started up.
Figure 206.
The following table explains the fields of the Detailed Status screen:
Table 86. Detailed Status screen information
LAN Port Configuration. The following fields are shown for each of the LAN ports.
VLAN Profile. The name of the VLAN profile that you assigned to this port on the LAN Setup screen (see Assign and Manage VLAN Profiles on page 53).
Table 86. Detailed Status screen information (continued)
IPv6 Address. The IPv6 address of the WAN port. For information about configuring the IPv6 address of the WAN port, see Configure the IPv6 Internet Connection and WAN Settings on page 35.
WAN State. The WAN state can be either UP or DOWN, depending on whether or not the port is connected to the Internet.
Table 86. Detailed Status screen information (continued)
Wireless Configuration
Wireless Status. The wireless status can be Enabled or Disabled, depending on whether or not the default wireless profile is enabled. For information about enabling the default wireless profile, see Configure and Enable Wireless Profiles on page 112.
SSID. The SSID of the default profile.
The IPv6 Tunnel Status table shows the following fields:
• Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for simple Internet transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in which x is an integer.
• IPv6 Address. The IPv6 address of the local tunnel endpoint.
To view the active L2TP tunnel users:
Select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen displays:
Figure 209.
The active user name, the client’s IP address on the remote LAC, and the IP address that is assigned by the L2TP server on the wireless VPN firewall are listed in the table. To disconnect an active user, click the Disconnect table button to the right of the user’s table entry.
To display the SSL VPN log:
Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays:
Figure 211.
View the Port Triggering Status
To view the status of the port-triggering feature:
1. Select Security > Port Triggering. The Port Triggering screen displays. (The following figure shows one rule in the Port Triggering Rules table as an example.)
Figure 212.
2. Click the Status option arrow in the upper right of the Port Triggering screen. The Port Triggering Status screen displays in a pop-up screen.
Figure 213.
The Port Triggering Status screen displays the information that is described in the following table:
Table 87. Port Triggering Status screen information
#. The sequence number of the rule onscreen.
Rule. The name of the port-triggering rule that is associated with this entry.
Figure 214.
The type of connection determines the information that is displayed on the Connection Status screen. The screen can display the information that is described in the following table:
Table 88. Connection Status screen information for an IPv4 connection
Connection Time. The period that the wireless VPN firewall has been connected through the WAN port.
Connection Type. The connection type can be either DHCP or Static IP.
IPv6 WAN Port Status
To view the IPv6 status of the WAN port:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings (IPv6). The Broadband ISP Settings (IPv6) screen displays (see Figure 17 on page 38).
2. Click the Status option arrow in the upper right of the screen to display the Connection Status pop-up screen. (The following figure shows a dynamic IP address configuration.)
Figure 215.
View the Attached Devices and the DHCP Log
The LAN Groups screen shows the network database, which is the Known PCs and Devices table, containing all IP devices that the wireless VPN firewall has discovered on the local network. The LAN Setup screen lets you access the DHCP log.
View the Attached Devices
To view the attached devices on the LAN Groups screen:
Select Network Configuration > LAN Setup > LAN Groups. The LAN Groups screen displays.
• MAC Address. The MAC address of the computer’s or device’s network interface.
• Group. Each computer or device can be assigned to a single LAN group. By default, a computer or device is assigned to Group 1. You can select a different LAN group from the Group drop-down list in the Add Known PCs and Devices section or on the Edit Groups and Hosts screen.
• Action. The Edit table button, which provides access to the Edit Groups and Hosts screen.
View the Status of a Wireless Profile
To view the status of a specific wireless profile:
1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless Profiles screen displays.
2. Click the Status button in the Status column for the wireless profile for which you want to display the status information. The Access Point screen displays:
Figure 218.
Table 90. Access Point screen fields (continued)
Dropped. The number of received (rx) and transmitted (tx) dropped packets on the access point.
Multicast. The number of received (rx) and transmitted (tx) multicast packets on the access point.
Collisions. The number of signal collisions that have occurred on the access point.
2. Specify the IP version for which you want to display the Diagnostics screen:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by default.
Figure 219.
• IPv6. Select the IPv6 radio button. The Diagnostics screen displays the IPv6 settings:
Figure 220.
The various tasks that you can perform on the Diagnostics screen are explained in the following sections.
Send a Ping Packet
Use the ping utility to send a ping request in order to check the connection between the wireless VPN firewall and a specific IP address or FQDN. If the request times out (no reply is received), it usually means that the destination is unreachable. However, some network devices can be configured not to respond to a ping. The ping results are displayed on a new screen.
To send a ping:
1.
Display the Routing Tables
Displaying the internal routing table can assist NETGEAR technical support in diagnosing routing problems.
To display the routing table:
On the Diagnostics screen for IPv4, in the Router Options section of the screen, click the Display button next to Display the IPv4 Routing Table. The routing table is shown in the Route Display screen, which opens as a pop-up screen.
Reboot the Wireless VPN Firewall Remotely
You can perform a remote reboot, for example, when the wireless VPN firewall seems to have become unstable or is not operating normally. Rebooting breaks any existing connections either to the wireless VPN firewall (such as your management session) or through the wireless VPN firewall (for example, LAN users accessing the Internet).
11. Troubleshooting 11 This chapter provides troubleshooting tips and information for the wireless VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. • Is the wireless VPN firewall on? Go to Basic Functioning on page 368. • Have I connected the wireless VPN firewall correctly? Go to Basic Functioning on page 368.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Note: The wireless VPN firewall’s diagnostic tools are explained in Diagnostics Utilities on page 362. Basic Functioning After you turn on power to the wireless VPN firewall, verify that the following sequence of events occurs: 1. When power is first applied, verify that the Power LED is on. 2. After approximately 2 minutes, verify that: a. The Test LED is no longer lit. b. The left LAN port LEDs are lit for any local ports that are connected. c.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N LAN or WAN Port LEDs Not On If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is made, check the following: • Make sure that the Ethernet cable connections are secure at the wireless VPN firewall and at the hub, router, or workstation. • Make sure that power is turned on to the connected hub, router, or workstation.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Make sure that you are using the correct login information. The factory default login name is admin, and the password is password. Make sure that Caps Lock is off when entering this information. Note: To be able to configure the wireless VPN firewall, your computer’s IP address does not need to be on the same subnet as the wireless VPN firewall.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N To check the WAN IP address: 1. Launch your browser and navigate to an external site such as www.netgear.com. 2. Access the web management interface of the wireless VPN firewall’s configuration at https://192.168.1.1. 3. Select Network Configuration > WAN Settings > Broadband ISP Settings. The Broadband ISP Settings screen for IPv4 displays. 4. Take one of the following actions: - For IPv4. Click the Broadband Status option arrow.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N - Configure your wireless VPN firewall to spoof your computer’s MAC address. You can do this in the Router’s MAC Address section on the Broadband Advanced Options screen. For more information, see Configure Advanced WAN Options and Other Tasks on page 47. If your wireless VPN firewall can obtain an IP address, but an attached computer is unable to load any web pages from the Internet: • Your computer might not recognize any DNS server addresses.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N • Make sure that IPv6 is enabled on the computer. On a computer that runs a Windows-based operating system, do the following (note that the steps might differ on the various Windows operating systems): a. Open the Network Connections screen or the Network and Sharing Center screen. For example, on the Windows taskbar, click Start, then select Control Panel, and then Network Connections. b.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N c. Click or double-click View status of this connection. The Local Area Connection Status screen displays: Figure 223. d. Make sure that Internet access shows for the IPv6 connection. (The previous screen shows that there is no Internet access.) e. Click Details. The Network Connection Details screen displays: Figure 224.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N f. Make sure that an IPv6 address shows. The previous screen does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with FE80. Troubleshoot a TCP/IP Network Using a Ping Utility Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply.
Test the Path from Your Computer to a Remote Device
After verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows Run dialog box, type:
ping -n 10 <IP address>
in which <IP address> is the IP address of a remote device such as your ISP's DNS server. If the path is functioning correctly, replies as in the previous section are displayed.
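The two-stage test above (LAN path first, then a remote device) and the IPv6 check in the previous section are easy to get wrong by eyeballing output, so here is an added example that encodes the manual's reasoning. It is not part of the NETGEAR manual: it parses the summary line that Windows ping -n prints, decides which stage failed, and flags the case where a computer holds only a link-local IPv6 address. All ping transcripts and addresses in the block are constructed samples; the loss threshold of 20% is an assumption, not a value from the manual.

```python
"""Interpret the two-stage ping test (LAN path, then remote path).

Added example; it is not part of the NETGEAR manual. It parses the
summary that Windows 'ping -n' prints and applies the manual's
reasoning: if the LAN path to the firewall fails, look at cabling,
link LEDs and the computer's IP settings; if the LAN path works but
a remote device does not answer, look at the firewall's WAN link.
It also checks the IPv6 condition from the previous section (an
address that is only link-local, fe80::/10, is not enough). All
ping transcripts and addresses below are constructed samples.
"""
import ipaddress
import re

# Windows-style summary line, e.g. "Packets: Sent = 10, Received = 10, Lost = 0 (0% loss)"
SUMMARY_RE = re.compile(
    r"Packets: Sent = (?P<sent>\d+), Received = (?P<recv>\d+), Lost = (?P<lost>\d+)"
)
RTT_RE = re.compile(r"time[=<](\d+)ms")


def parse_ping(output: str) -> dict:
    """Extract sent/received/lost counts and per-reply RTTs from ping output."""
    m = SUMMARY_RE.search(output)
    if m is None:
        raise ValueError("no ping summary line found")
    return {
        "sent": int(m["sent"]),
        "received": int(m["recv"]),
        "lost": int(m["lost"]),
        "rtt_ms": [int(x) for x in RTT_RE.findall(output)],
    }


def path_ok(stats: dict, max_loss_pct: float = 20.0) -> bool:
    """A path counts as working when packet loss stays at or under the threshold (assumed 20%)."""
    if stats["sent"] == 0:
        return False
    return 100.0 * stats["lost"] / stats["sent"] <= max_loss_pct


def diagnose(lan_ping: str, remote_ping: str) -> str:
    """Return which stage of the manual's procedure failed, if any."""
    if not path_ok(parse_ping(lan_ping)):
        return "lan-path-failed"      # fix the local link before looking further
    if not path_ok(parse_ping(remote_ping)):
        return "remote-path-failed"   # LAN is fine; check the firewall's WAN/ISP side
    return "ok"


def has_routable_ipv6(addresses) -> bool:
    """True if any address is IPv6 and not merely link-local (fe80::/10) or loopback."""
    for text in addresses:
        addr = ipaddress.ip_address(text.split("%")[0])   # drop a Windows zone index like %12
        if addr.version == 6 and not addr.is_link_local and not addr.is_loopback:
            return True
    return False


# Constructed transcripts (not captured from a real device).
LAN_OK = """Pinging 192.168.1.1 with 32 bytes of data:
Reply from 192.168.1.1: bytes=32 time<1ms TTL=64
Reply from 192.168.1.1: bytes=32 time=1ms TTL=64
Ping statistics for 192.168.1.1:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
REMOTE_OK = """Pinging 203.0.113.53 with 32 bytes of data:
Reply from 203.0.113.53: bytes=32 time=18ms TTL=57
Reply from 203.0.113.53: bytes=32 time=21ms TTL=57
Ping statistics for 203.0.113.53:
    Packets: Sent = 2, Received = 2, Lost = 0 (0% loss),
"""
REMOTE_DOWN = """Pinging 203.0.113.53 with 32 bytes of data:
Request timed out.
Request timed out.
Ping statistics for 203.0.113.53:
    Packets: Sent = 2, Received = 0, Lost = 2 (100% loss),
"""

if __name__ == "__main__":
    print(diagnose(LAN_OK, REMOTE_OK))
    print(diagnose(LAN_OK, REMOTE_DOWN))
    print(has_routable_ipv6(["fe80::1c2b:3d4e:5f60:7a8b%12"]))
```

Run it with the output of your own ping commands pasted into the two strings; the order of the checks matters, because a failed remote test tells you nothing until the LAN path has been shown to work.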
Figure 225.
b. Click the Default button. The wireless VPN firewall reboots. During the reboot process, the Settings Backup and Firmware Upgrade screen might remain visible, or a status message with a counter might show the number of seconds left until the reboot process is complete. The reboot process takes about 165 seconds. (If you can see the unit: The reboot process is complete when the Test LED on the front panel goes off.
Problems with the date and time function can include:
• Date shown is January 1, 2000. Cause: The wireless VPN firewall has not yet successfully reached a network time server. Check that your Internet access settings are configured correctly. If you have just completed configuring the wireless VPN firewall, wait at least 5 minutes, and check the date and time again.
• Time is off by 1 hour.
A. Default Settings and Technical Specifications
This appendix provides the default settings and the physical and technical specifications of the wireless VPN firewall in the following sections:
• Factory Default Settings
• Physical and Technical Specifications
Factory Default Settings
You can use the factory default Reset button located on the rear panel to reset all settings to their factory defaults.
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature: Default behavior
WAN MAC address: Use default MAC address of the wireless VPN firewall
WAN MTU size: 1500 bytes; 1492 bytes for PPPoE connections
Port speed: AutoSense
IPv4 LAN, DMZ, and routing settings
LAN IPv4 address for the default VLAN: 192.168.1.1
LAN IPv4 subnet mask for the default VLAN: 255.255.255.
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature: Default behavior
Firewall and security settings
Inbound LAN WAN rules (communications coming in from the Internet): All traffic is blocked, except for traffic in response to requests from the LAN.
Outbound LAN WAN rules (communications from the LAN to the Internet): All traffic is allowed.
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature: Default behavior
Proxy server blocking: Disabled
Java applets blocking: Disabled
ActiveX controls blocking: Disabled
Cookies blocking: Disabled
Blocked keywords: None
Trusted domains: All
Wireless radio and access point settings
Wireless radio: Enabled
Region: Nonconfigurable; set for the region in which you purchased the wireless VPN firewall.
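The two default firewall rules in Table 91 (inbound from the Internet blocked except replies to LAN requests; outbound from the LAN allowed) describe a stateful filter. The following added example models that policy; it is not NETGEAR code and says nothing about how the FVS318N implements its firewall internally. The Packet type, the DefaultPolicyFirewall class, the run_scenario helper and every address and port in it are constructed for illustration.

```python
"""Model of the factory-default firewall policy in Table 91.

Added example, not NETGEAR code and not the firewall's implementation.
It expresses the two default rules as a minimal stateful filter:
outbound LAN-to-WAN traffic is allowed and records connection state;
inbound WAN-to-LAN traffic is dropped unless it answers a request that
originated on the LAN, or matches an inbound rule you add explicitly
(the way a port-forwarding rule would). Packets and addresses below
are constructed samples.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    direction: str   # "out" = LAN to WAN, "in" = WAN to LAN
    proto: str       # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class DefaultPolicyFirewall:
    # (proto, dport) pairs explicitly opened from the WAN side; empty by default
    inbound_rules: set = field(default_factory=set)
    # 5-tuples of connections that a LAN host initiated
    _state: set = field(default_factory=set, repr=False)

    def filter(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # Default outbound rule: all traffic allowed; remember the flow
            self._state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: allowed only as a reply to a flow the LAN started ...
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self._state:
            return "allow"
        # ... or when an explicit inbound rule opens the service
        if (pkt.proto, pkt.dport) in self.inbound_rules:
            return "allow"
        return "drop"   # default inbound rule: blocked


def run_scenario(open_ports=()):
    """Apply the default policy to a short constructed packet sequence."""
    fw = DefaultPolicyFirewall(inbound_rules=set(open_ports))
    lan_host, dns, attacker = "192.168.1.10", "203.0.113.53", "198.51.100.7"
    packets = [
        Packet("out", "udp", lan_host, 51000, dns, 53),       # LAN DNS query
        Packet("in", "udp", dns, 53, lan_host, 51000),        # matching reply
        Packet("in", "udp", dns, 53, lan_host, 51001),        # wrong port: not a reply
        Packet("in", "tcp", attacker, 40000, lan_host, 22),   # unsolicited SSH probe
        Packet("in", "tcp", attacker, 40001, lan_host, 443),  # unsolicited HTTPS
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    print(run_scenario())                 # factory default: nothing opened inbound
    print(run_scenario([("tcp", 443)]))   # after adding an inbound rule for TCP 443
```

The second call shows why every inbound rule you add deserves scrutiny: it is the only thing that lets unsolicited Internet traffic past the default deny.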
Table 92. Wireless VPN firewall physical and technical specifications (continued)
Feature: Specification
Dimensions and weight
Dimensions (W x H x D): 19 x 12.5 x 3.5 cm (7.5 x 4.9 x 1.4 in)
Weight: 0.59 kg (1.
Table 93. Wireless VPN firewall IPSec VPN specifications (continued)
Setting: Specification
IPSec encryption algorithm: DES, 3DES, AES-128, AES-192, AES-256
IPSec key exchange: IKE, manual key, pre-shared key, X.
Of the listed encryption algorithms, DES uses a 56-bit key and offers no meaningful protection against modern brute-force attacks; prefer AES for any new VPN policy.
Table 95. Wireless VPN firewall wireless specifications (continued)
Setting: Specification
802.
B. Two-Factor Authentication
This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution.
What Is Two-Factor Authentication?
Two-factor authentication strengthens security by requiring more than one independent factor of authentication before a user is granted access to the network. Each factor challenges the user and helps confirm that the user is who he or she claims to be. The factors are drawn from something the user knows (such as a password or PIN), something the user has (such as a token or one-time passcode), and something the user is (such as a fingerprint).
Figure 226.
2. A one-time passcode (something the user has) is generated.
Figure 227.
Note: The one-time passcode is time-synchronized to the authentication server so that the OTP can be used only once and must be used before its expiration time. If a user does not use the passcode before it expires, the user needs to go through the request process again to generate a new OTP.
3.
Figure 228.
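The note above states two properties of the one-time passcode: it expires after a short time, and it can be used only once. The following added example shows how a server enforces both. It is not NETGEAR or WiKID code and does not describe WiKID's protocol (WiKID uses its own client/server scheme); it uses the standard TOTP construction (RFC 6238, HMAC-SHA1 over a 30-second counter) purely to illustrate the time-synchronized, single-use behaviour. The shared secret is the RFC 6238 test-vector key, and the OtpServer class, its one-step clock-skew tolerance and the demo() helper are constructed for this illustration.

```python
"""Time-synchronized one-time passcode with single-use enforcement.

Added example, not NETGEAR or WiKID code: WiKID uses its own
client/server scheme, and this block only illustrates the property the
note describes using the standard TOTP construction (RFC 6238, HMAC-SHA1
over a 30-second counter). Token and server share a secret and a clock;
the server accepts a passcode only inside a small window of time steps
and records which steps it has consumed, so a captured passcode cannot
be replayed. The shared secret is the RFC 6238 test-vector key, used
here as constructed sample input.
"""
import hashlib
import hmac
import struct

SECRET = b"12345678901234567890"   # RFC 6238 test-vector secret (sample only)
STEP = 30                          # seconds per time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, now // STEP, digits)


class OtpServer:
    """Verifies passcodes, accepting each time step at most once (assumed design)."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew_steps = skew_steps   # tolerated clock drift, in steps
        self.used = set()              # counters already consumed

    def verify(self, code: str, now: int) -> str:
        base = now // STEP
        for delta in range(-self.skew_steps, self.skew_steps + 1):
            counter = base + delta
            if hmac.compare_digest(hotp(self.secret, counter), code):
                if counter in self.used:
                    return "replayed"   # same passcode presented a second time
                self.used.add(counter)
                return "accepted"
        return "rejected"   # wrong passcode, or one that has expired


def demo():
    """Generate a passcode at t=59 and try it fresh, again, and after expiry."""
    server = OtpServer(SECRET)
    code = totp(SECRET, 59)
    return [
        server.verify(code, 59),    # fresh: accepted
        server.verify(code, 61),    # same passcode again: replayed
        server.verify(code, 600),   # window has moved on: rejected, new OTP needed
    ]


if __name__ == "__main__":
    print(totp(SECRET, 59), demo())
```

The replay set is what makes "used only once" true even while the passcode is still inside its validity window; expiry alone would not stop an attacker who captured the code seconds after the legitimate login.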
C. Notification of Compliance (Wired)
NETGEAR Wired Products
Regulatory Compliance Information
This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may result in unlawful operation and adverse action against the end-user by the applicable National regulatory authority.
FCC Radio Frequency Interference Warnings & Instructions
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a residential installation.
Additional Copyrights
AES
Copyright (c) 2001, Dr. Brian Gladman, brg@gladman.uk.net, Worcester, UK. All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of conditions, and the following disclaimer.
2.
MD5
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved. License to copy and use this software is granted provided that it is identified as the "RSA Data Security, Inc. MD5 Message-Digest Algorithm" in all material mentioning or referencing this software or this function. License is also granted to make and use derivative works provided that such works are identified as "derived from the RSA Data Security, Inc.
D. Notification of Compliance (Wireless)
NETGEAR Wireless Routers, Gateways, APs
Regulatory Compliance Information
Note: This section includes user requirements for operating this product in accordance with National laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable requirements may result in unlawful operation and adverse action against the end-user by the applicable National regulatory authority.
Español [Spanish]: NETGEAR Inc. hereby declares that the Radiolan complies with the essential requirements and any other applicable or enforceable provisions of Directive 1999/5/EC.
Ελληνική [Greek]: NETGEAR Inc. hereby declares that Radiolan complies with the essential requirements and other relevant provisions of Directive 1999/5/EC.
Français [French]: NETGEAR Inc. hereby
Íslenska [Icelandic]: NETGEAR Inc. hereby declares that Radiolan is in conformity with the basic requirements and other requirements of Directive 1999/5/EC.
Norsk [Norwegian]: NETGEAR Inc. hereby declares that the Radiolan equipment is in compliance with the essential requirements and other relevant requirements of Directive 1999/5/EC.
This device is a 2.
• For product available in the USA market, only channels 1 through 11 can be operated. Selection of other channels is not possible.
• This device and its antenna(s) must not be co-located or operated in conjunction with any other antenna or transmitter.
Household appliance: Recommended minimum distance (in feet and meters)
Cordless phone - Digital: 30 feet / 9 meters
Bluetooth devices: 20 feet / 6 meters
ZigBee: 20 feet / 6 meters
Index Numerics administrative default settings 385 administrator default name and password 21 receiving logs by email 341 settings (admin) 320 user account 298 advertisement prefixes, IPv6 DMZ, configuring for 93 LAN, configuring for 79 advertisement, UPnP information 188 AES (Advanced Encryption Standard) IKE policy settings 222 Mode Config settings 240 VPN policy settings 231–232 ALG (Application Level Gateway) 167 antennas external orientation 104 rear panel 18 Application Level Gateway (ALG) 167 ARP (A
self-signed 307–309 signature key length 311 trusted 307–308 certification authority (CA) 225, 306–313 channel spacing, wireless 106 channels and frequencies, selecting 106 CHAP (Challenge Handshake Authentication Protocol) 288 See also MIAS (Microsoft Internet Authentication Service) RADIUS authentication WiKID classical routing (IPv4), configuring 27 Clear to Send (CTS) packets and self-protection 123 client identifier 34 clients, wireless separating
D DMZ (demilitarized zone) configuring 82–95 increasing traffic 318 port 12, 17 DNS (Domain Name Server) automatic configuration of computers 13 dynamic 45–47 looking up an address 364 Mode Config address allocation 240 proxy 13, 86 proxy, VLANs 55, 60 server IPv4 addresses broadband settings 34 DMZ settings 85 LAN/VLAN settings 59 SSL VPN settings 271 server IPv6 addresses broadband settings 40 DMZ settings 89 LAN settings 74 SSL VPN settings 271 doc
event logs 340 examples of firewall rules 155–162 exchange mode, IKE policies 218, 221 exposed hosts increasing traffic 319 specifying (rule example) 159 extended authentication (XAUTH) configuring 233–235 IKE policies 224 extended service set (ESS) 110 gateway, ISP IPv4 address 34 IPv6 address 40 generating keys, WEP 116 global addresses, IPv6 43 global IPv6 tunnels DMZ, configuring for 94 LAN, configuring for 80 group and global policies, configurin
LAN, secondary 62–64 MAC bindings 181 port forwarding, SSL VPN 267 reserved 69 secondary LAN 62 SSL VPN clients, configuring 272 policies, configuring 280 resources, configuring 276 static or permanent 30, 34 subnet mask, default 58 subnet mask, DMZ port 85 VPN tunnels 192, 200, 222, 231 IPv4 DMZ, configuring 83–86 IPv4 gateway 34 IPv4 Internet connection autodetecting 28 manually configuring 31 setting up 25 IPv4 ISP, logging in 31 IPv4 routing modes
L IPv6 Internet connection manually configuring 39 setting up 26 IPv6 mode, configuring 36 IPv6 prefix length DMZ address 88 DMZ advertisements 94 DMZ DHCPv6 address pools 90 IPSec VPN policies 231 ISP address 40 LAN address 73 LAN advertisements 80 LAN DHCPv6 address pools 75 LAN prefix delegation 76 secondary LAN IP address 82 SSL VPN policies 281 static routes 101 IPv6 prefix lifetimes DMZ advertisements 94 LAN advertisements 80 IPv6 prefixes 6to4
login policies, user 299–304 login time-out changing 304, 320 default 21 logs, configuring 340 long preamble 123 looking up DNS address 364 losing wireless connection 119 multicast pass-through 164 multihome LAN addresses IPv4, configuring 62–64 IPv6, configuring 81–82 N n and ng modes, wireless 106 names, changing DDNS host and domain 47 ISP login 31 known PCs and devices 66 LAN groups 68 PPTP and PPPoE accounts 32 wireless profiles and SSIDs 113 NA
order of precedence, firewall rules 134 OTP (one-time passcode) 389–391 outbound rules default 127 examples 160–162 IPv4 DMZ-to-WAN rules 145 LAN-to-DMZ rules 152 LAN-to-WAN rules 137 IPv6 DMZ-to-WAN rules 146 LAN-to-DMZ rules 153 LAN-to-WAN rules 139 order of precedence 134 overview 127 QoS profile 129 reducing traffic 315 scheduling 178 service blocking 127 settings 128–130 outbound traffic, bandwidth 172 troubleshooting TCP/IP 375 using the ping ut
power plug receptacle and Power On/Off switch 18 power specifications 385 PPP connection 260 PPPoE (PPP over Ethernet) description 13 settings 30, 33 PPTP (Point-to-Point Tunneling Protocol) settings 30, 32 preamble type 123 preference, router (IPv6) DMZ, configuring for 93 LAN, configuring for 79 prefix delegation (IPv6) LAN DHCPv6 server 71, 76 WAN DHCPv6 client 38 prefix length, IPv6 DMZ address 88 DMZ advertisements 94 DMZ DHCPv6 address pools 90 I
RFC 2865 235 RIP (Routing Information Protocol), configuring 97–99 roaming 110 Router Advertisement Daemon (RADVD) DMZ, configuring for 90 LAN, configuring for 77 router advertisements (RAs) and router lifetime (IPv6) DMZ, configuring for 92 LAN, configuring for 78 Routing Information Protocol (RIP), configuring 97–99 routing logs 340 routing modes IPv4 26 IPv6 (IPv4-only and IPv4/IPv6) 36 routing table adding static IPv4 routes 95 adding static IPv6 r
Telnet management 325 temperatures, operating and storage 386 Temporal Key Integrity Protocol (TKIP) 108, 115 Test LED 16, 368 testing Internet connectivity 50 wireless connectivity 124 time settings configuring 334 troubleshooting 377 time-out error, troubleshooting 370 time-out, session 167 timer, wireless profiles 115 tips, firewall and content filtering 126 TKIP (Temporal Key Integrity Protocol) 108, 115 ToS (Type of Service), QoS profile 129 trace
WiKID-PAP and WiKID-CHAP 291 Type of Service (ToS), QoS profile 129 TZO.com 45–47 configuring manually 206 Mode Config tunnel, opening 252 Mode Config, configuring 245 tunnel, opening 213 VPN IPSec Wizard. See IPSec VPN Wizard.
X DHCPv6 client, prefix delegation 38 WAN LEDs 17, 369 WAN ports 15 WAN traffic meter (or counter) 335 web component blocking 174 web management interface description 22 troubleshooting 369 weight 386 WEP (wired equivalent privacy) configuring 114–116 types of encryption 108 Wi-Fi Multimedia (WMM) 123 Wi-Fi protected access (WPA), WPA2, and mixed mode configuring 114–116 types of encryption 108 Wi-Fi Protected Setup (WPS) 120 WiKID authentication, ove