Netgear FVS336G-300EUS manual



Table of contents for the manual

  • Page 1

    350 East Plumeria Drive San Jose, CA 95134 USA December 2014 202-11413-01 ProSAFE Dual WAN Gigabit SSL VPN Firewall Model FVS336Gv3 Reference Manual[...]

  • Page 2

    2 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv3 Support Thank you for selecting NETGEAR products. After installing your device, locate the serial number on the label of your product and use it to register your product at https://my.netgear.com. You must register your product before you can use NETGEAR telephon[...]

  • Page 3

    Contents
    Chapter 1 Get an Overview of the Features and Hardware and Log In
    What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall? ... 13
    Key Features and Capabilities ... 13
    Two WAN Ports for Increased Reliability and Load Balanci[...]

  • Page 4

    Method for IPv4 Interfaces ... 56
    Manage Secondary IPv4 WAN Addresses ... 59
    Secondary IPv4 WAN Addresses ...[...]

  • Page 5

    Chapter 4 Configure the IPv4 LAN Settings
    Manage IPv4 Virtual LANs and DHCP Options ... 116
    IPv4 LANs and VLANs ... 116
    Port-Based VLANs ...[...]

  • Page 6

    Manage a Stateful DHCPv6 Server and IPv6 Address Pools for the DMZ ... 198
    Manage Static IPv6 Routing ... 205
    Add a Static IPv6 Route ...[...]

  • Page 7

    Chapter 7 Protect Your Network
    Manage Content Filtering ... 308
    Content Filtering Overview ... 308
    Enable Content Filterin[...]

  • Page 8

    Test the Mode Config Connection ... 411
    Change a Mode Config Record ... 413
    Remove One or More Mode Config Records ...[...]

  • Page 9

    Manage User Login Policies ... 508
    Change Passwords and Automatic Logout Period ... 515
    Manage Digital Certificates for VPN Connections ...[...]

  • Page 10

    View the Attached Devices ... 603
    View the DHCP Log ... 605
    Chapter 13 Diagnostics and Troubleshooting
    Use the Diagnostics[...]

  • Page 11

    Login and Logout ... 647
    System Startup ... 648
    Reboot ... [...]

  • Page 12

    1. Get an Overview of the Features and Hardware and Log In
    This chapter provides an overview of the features and capabilities of the NETGEAR ProSAFE® Dual WAN Gigabit SSL VPN Firewall for model FVS336Gv3 and explains how to log in to the device and use its web management interface. The chapter contains the following sections:
    • What[...]

  • Page 13

    Get an Overview of the Features and Hardware and Log In 13 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv3
    What Is the ProSAFE Dual WAN Gigabit SSL VPN Firewall?
    The ProSAFE Dual WAN Gigabit SSL VPN Firewall, hereafter referred to as the VPN firewall, connects your local area network (LAN) to the Internet through one or two exter[...]

  • Page 14

    • Built-in four-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for fast data transfer between local network resources and support for up to 200,000 internal or external connections
    • Both IPv4 and IPv6 support
    • Advanced [...]

  • Page 15

    Advanced VPN Support for Both IPSec and SSL
    The VPN firewall supports IPSec and SSL virtual private network (VPN) connections:
    • IPSec VPN delivers full network access between a central office and branch offices, or betwee[...]

  • Page 16

    Security Features
    The VPN firewall is equipped with several features designed to maintain security:
    • Computers hidden by NAT. NAT opens a temporary path to the Internet for requests originating from the local network. Reque[...]

  • Page 17

    obtains actual DNS addresses from the ISP during connection setup and forwards DNS requests from the LAN.
    • PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the Internet over a DSL connection by s[...]

  • Page 18

    Package Contents
    The VPN firewall product package contains the following items:
    • Dual WAN Gigabit SSL VPN Firewall
    • One AC power cable
    • One Category 5 (Cat 5) Ethernet cable
    • One rack-mounting kit
    • ProSAFE Dual [...]

  • Page 19

    Figure 1. Front panel
    Table 1. LED descriptions
    LED | Activity | Description
    Power | Green | Power is supplied to the VPN firewall.
    Power | Off | Power is not supplied to the VPN firewall.
    Test | Amber during startup | Test mode. The VPN firewall [...]

  • Page 20

    Back Panel
    The back panel of the VPN firewall includes a console port, a cable security lock receptacle, a recessed Factory Defaults reset button, and an AC power connection.
    Figure 2. Back panel
    Viewed from left to right, the ba[...]

  • Page 21

    • Factory Defaults reset button. To reset the VPN firewall to factory default settings, use a sharp object to press and hold this button for about eight seconds until the front panel Test LED blinks. All configuration setti[...]

  • Page 22

    Rack-Mount the VPN Firewall with the Mounting Kit
    Use the mounting kit for the VPN firewall to install the appliance in a rack. Attach the mounting brackets using the hardware that is supplied with the mounting kit.
    Figure 4. Ra[...]

  • Page 23

    Web Management Interface Overview
    The following figure shows the menu at the top of the web management interface:
    Figure 5. Screen menus, option arrows, and buttons
    The web management interface menu consists of the following le[...]

  • Page 24

    - Both radio buttons are disabled. IP functionality does not apply.
    The bottom of each screen provides action buttons. The nature of a screen determines which action buttons are shown. Most screens and sections of screens provid[...]

  • Page 25

    To log in to the VPN firewall:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN[...]

  • Page 26

    Note: After five minutes of inactivity (the default login time-out), you are automatically logged out.
    You are now ready to configure the VPN firewall for your specific network environment. However, NETGEAR recommends that you f[...]

  • Page 27

    6. Select Users > Users. The Users screen displays.
    7. In the List of Users table, click the Edit button for the admin default user. The Edit Users screen displays.
    8. Select the Check to Edit Password check box.
    9. Configu[...]

  • Page 28

    2. Configure the IPv4 Internet and WAN Settings
    This chapter explains how to configure the IPv4 Internet and WAN settings. The chapter contains the following sections:
    • Roadmap to Setting Up IPv4 Internet Connections to Your ISPs
    • Configure the IPv4 Internet Connection and WAN Settings
    • Configure Load Balancing or Auto-Rollover f[...]

  • Page 29

    Configure the IPv4 Internet and WAN Settings 29 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv3
    Roadmap to Setting Up IPv4 Internet Connections to Your ISPs
    Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall to protect the network from incoming threats and provide sec[...]

  • Page 30

    This task is described in Manage Dynamic DNS Connections on page 63.
    6. (Optional) Configure advanced WAN options. If necessary, change the factory default MTU size, port speed and duplex settings, advertised MAC address of the VPN firew[...]

  • Page 31

    Note the following about NAT:
    • The VPN firewall uses NAT to select the correct computer (on your LAN) to receive any incoming data.
    • If you have only a single public Internet IP address, you must use NAT (the default setting).
    •[...]

  • Page 32

    7. In the NAT (Network Address Translation) section, select the NAT radio button or the Classical Routing radio button.
    WARNING: Changing the WAN mode causes all LAN WAN and DMZ WAN inbound rules to revert to default settings.
    8. Cli[...]

  • Page 33

    Note: If your ISP requires MAC authentication and another MAC address was previously registered with your ISP, you must configure that MAC address on the VPN firewall (see Change the Advertised MAC Address of the VPN Firewall on page 70) b[...]

  • Page 34

    • Failure Detection Method. The failure detection method that is active for the WAN interface (see Configure the Auto-Rollover Mode and Failure Detection Method for IPv4 Interfaces on page 56). Any of the following methods can be displ[...]

  • Page 35

    8. Click the Auto Detect button. The autodetect process probes the WAN port for a range of connection methods and suggests one that your ISP is most likely to support. The autodetect process returns one of the following results:
    • If the[...]

  • Page 36

    The Connection Status screen shows a valid IP address and gateway. You are connected to the Internet. For more information about the connection status, see View the WAN Port Status and Terminate or Establish the Internet Connection on pa[...]

  • Page 37

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
    4. If you changed the defa[...]

  • Page 38

    10. Locate the Domain Name Server (DNS) Servers section.
    Note: When you selected the Use Static IP Address radio button in Step 8, the Use These DNS Servers radio button was selected automatically.
    11. Specify the DNS server addresses: ?[...]

  • Page 39

    The VPN firewall attempts to make a connection according to the settings that you entered.
    16. Verify the connection:
    a. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup screen displays the IPv4 settings.
    b.[...]

  • Page 40

    Note: If your ISP requires MAC authentication and another MAC address was previously registered with your ISP, you must configure that MAC address on the VPN firewall (see Change the Advertised MAC Address of the VPN Firewall on page 70) b[...]

  • Page 41

    9. Enter the login name in the Login field and the password in the Password field. This information is provided by your ISP and is specific for the PPPoE service.
    10. In the ISP Type section, select the Other (PPPoE) radio button.
    11. Ent[...]

  • Page 42

    13. Configure the IP address settings as described in the following table.
    14. Locate the Domain Name Server (DNS) Servers section.
    15. Specify the DNS settings as described in the following table.
    16. Locate the Connection Reset section. S[...]

  • Page 43

    17. To configure an automatic connection reset, specify the settings as described in the following table.
    18. Click the Apply button. Your settings are saved.
    19. To evaluate your entries, click the Test button. The VPN firewall attempt[...]

  • Page 44

    Manually Configure a PPTP IPv4 Internet Connection
    To configure a PPTP IPv4 Internet connection, enter the PPTP IPv4 information that your IPv4 ISP gave you. If you do not have this information, contact your IPv4 ISP. For each WAN inter[...]

  • Page 45

    7. In the WAN IPv4 Settings table, click the Edit button for the WAN interface that you want to configure. The WAN IPv4 ISP Settings screen displays.
    8. In the ISP Login section, select the Yes radio button.
    9. Enter the login name in t[...]

  • Page 46

    12. Locate the Internet (IP) Address section.
    13. Configure the IP address settings as described in the following table.
    14. Locate the Domain Name Server (DNS) Servers section.
    Idle Timeout | Select a connection method radio button: • Kee[...]

  • Page 47

    15. Specify the DNS settings as described in the following table.
    16. Locate the Connection Reset section.
    17. To configure an automatic connection reset, specify the settings as described in the following table.
    18. Click the Apply button[...]

  • Page 48

    The Connection Status pop-up screen displays. The IP addresses that are shown in this figure are not related to any other examples in this manual. The Connection Status screen shows a valid IP address and gateway. You are connected to the[...]

  • Page 49

    firewall supports weighted load balancing and round-robin load balancing (see Configure Load Balancing Mode and Optional Protocol Binding for IPv4 Interfaces on page 49).
    Note: Scenarios could arise in which load balancing must be bypassed [...]

  • Page 50

    Protocol Binding
    When a protocol is bound to a particular WAN port, all outgoing traffic of that protocol is directed to the bound WAN port. For example, if the HTTPS protocol is bound to the WAN1 port and the FTP protocol is bound to t[...]

  • Page 51

    7. In the Load Balancing Settings section, configure the following settings:
    a. Select the Load Balancing Mode radio button.
    b. From the corresponding menu on the right, select a load balancing method:
    • Weighted LB. With weighted load b[...]

  • Page 52

    The NETGEAR Configuration Manager Login screen displays.
    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the [...]

  • Page 53

    8. Configure the protocol binding settings as described in the following table.
    9. Click the Apply button.
    Setting | Description
    Service | From the menu, select a service or application to be covered by this rule. If the service or application [...]

  • Page 54

    Your settings are saved. The protocol binding rule is added to the Protocol Binding table. The rule is automatically enabled, which is indicated by a green circle in the ! status icon column.
    Change a Protocol Binding Rule
    The following [...]

  • Page 55

    To enable, disable, or remove one or more protocol binding rules:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the instal[...]

  • Page 56

    Configure the Auto-Rollover Mode and Failure Detection Method for IPv4 Interfaces
    Instead of using two WAN interfaces simultaneously in a load balancing configuration, you can use one WAN interface as the primary link and the othe[...]

  • Page 57

    For the default administrative account, the default user name is admin and the default password is password.
    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the[...]

  • Page 58

    Your settings are saved.
    Configure the Failure Detection Method for IPv4 WAN Interfaces
    The following procedure describes how to configure the failure detection method for IPv4 WAN interfaces that function in auto-rollover mode. ?[...]

  • Page 59

    Note: The default time to roll over after the primary WAN interface fails is two minutes. The minimum test period is 30 seconds, and the minimum number of tests is 2.
    11. Click the Apply button. Your settings are saved.
    Note: You can co[...]

  • Page 60

    • Remove One or More Secondary WAN Addresses
    Secondary IPv4 WAN Addresses
    You can set up a single WAN Ethernet port to be accessed through multiple IPv4 addresses by adding aliases to the port. An alias is a secondary WAN address. On[...]

  • Page 61

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen[...]

  • Page 62

    10. Click the Add button. The secondary IP address is added to the List of Secondary WAN addresses table.
    11. Repeat Step 9 and Step 10 for each secondary IP address that you want to add to the List of Secondary WAN addresses table.
    Rem[...]

  • Page 63

    Manage Dynamic DNS Connections
    The following sections provide information about managing Dynamic DNS:
    • Dynamic DNS
    • Configure Dynamic DNS
    Dynamic DNS
    Dynamic DNS (DDNS) is an Internet service that allows devices with varying public I[...]

  • Page 64

    To configure DDNS for both WAN interfaces:
    1. On your computer, launch an Internet browser.
    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VP[...]

  • Page 65

    The WAN Mode section reports the configured WAN mode (for example, Single Port WAN1, Load Balancing, or Auto Rollover). Only those options that match the configured WAN mode are accessible on the screen.
    7. Click the submenu tab for you[...]

  • Page 66

    Your settings are saved.
    Managing Advanced WAN Options
    The following sections provide information about managing advanced WAN options:
    • Change the Maximum Transmission Unit Size
    • Change the Port Speed and Duplex Settings
    • Chan[...]

  • Page 67

    7. In the WAN IPv4 Settings table, click the Edit button for the WAN interface that you want to configure. The WAN IPv4 ISP Settings screen displays.
    8. Click the Advanced option arrow in the upper right. The WAN Advanced Options screen [...]

  • Page 68

    Change the Port Speed and Duplex Settings
    In most cases, the VPN firewall can automatically determine the connection speed of the WAN port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish [...]

  • Page 69

    9. In the Speed section, if you know the Ethernet port speed of the modem, dish, or router, select it from the Port Speed menu.
    • AutoSense. Speed autosensing. This is the default setting. The firewall can sense all Ethernet speeds and [...]

  • Page 70

    Change the Advertised MAC Address of the VPN Firewall
    Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to as the computer’s Media Access Control (MAC) address. If your ISP has MA[...]

  • Page 71

    9. In the Router’s MAC Address section, enter the settings as described in the following table.
    WARNING: Depending on the changes that you made, when you click the Apply button, the VPN firewall might restart or services such as HTTP an[...]

  • Page 72

    Your settings are saved. Set the WAN Connection Type and Corresponding Speeds The WAN connection type and corresponding upload and download connection speeds in effect limit the rate of traffic that is being forwarded by the VPN fire[...]

  • Page 73

    9. In the Upload/Download Settings section, enter the settings as described in the following table. WARNING: Depending on the changes that you made, when you click the Apply button, the VPN firewall might restart or services such as HTTP a[...]

  • Page 74

    Manage WAN QoS and WAN QoS Profiles The following sections provide information about managing WAN Quality of Service (QoS) and WAN QoS profiles: • WAN QoS • Add a Rate Control WAN QoS Profile • Add a Priority Queue WAN QoS Profil[...]

  • Page 75

    Note: To configure and apply QoS profiles successfully, familiarity with QoS concepts such as QoS priority queues, IP precedence, DHCP, and their values is helpful. Add a Rate Control WAN QoS Profile The following procedure describes ho[...]

  • Page 76

    8. Enter the settings as described in the following table. Setting Description QoS Type From the menu, select Rate Control. For information about the Priority selection, see Add a Priority Queue WAN QoS Profile on page 78. Interface From [...]

  • Page 77

    9. Click the Apply button. Your settings are saved. The profile is added to the List of QoS Profiles table on the QoS screen. You are now ready to enable WAN QoS and select the rate control QoS type (see Enable WAN QoS and Select the WA[...]

  • Page 78

    Add a Priority Queue WAN QoS Profile The following procedure describes how to add a priority queue QoS profile for a WAN interface. To add a priority queue WAN QoS profile: 1. On your computer, launch an Internet browser. 2. In t[...]

  • Page 79

    8. Enter the settings as described in the following table. Setting Description QoS Type From the menu, select Priority. For information about the Rate Control selection, see Add a Rate Control WAN QoS Profile on page 75. Interface From t[...]

  • Page 80

    9. Click the Apply button. Your settings are saved. The profile is added to the List of QoS Profiles table on the QoS screen. You are now ready to enable WAN QoS and select the priority QoS type (see Enable WAN QoS and Select the WAN Qo[...]

  • Page 81

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the [...]

  • Page 82

    • QoS Type. The type of profile, either Rate Control or Priority. • Interface Name. The WAN interface to which the profile applies (WAN1 or WAN2). • Service. The service to which the profile applies. • Direction. The WAN d[...]

  • Page 83

    8. Change the settings. For information about the settings, see Add a Rate Control WAN QoS Profile on page 75 and Add a Priority Queue WAN QoS Profile on page 78. 9. Click the Apply button. Your settings are saved. The modified QoS profile[...]

  • Page 84

    The ! status icons change from green circles to gray circles, indicating that the selected profiles are disabled. • Delete. Removes the selected WAN QoS profiles. The selected profiles are removed from the List of QoS Profiles table. Ad[...]

  • Page 85

    3. Configure the IPv6 Internet and WAN Settings This chapter explains how to configure the IPv6 Internet and WAN settings. The chapter contains the following sections: • Roadmap to Setting Up an IPv6 Internet Connection to Your ISP • Configure the IPv6 Internet Connection and WAN Settings • Manage Tunneling for IPv6 Traffic • Co[...]

  • Page 86

    Roadmap to Setting Up an IPv6 Internet Connection to Your ISP Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall to protect the network from incoming threats and provide secur[...]

  • Page 87

    5. (Optional) Configure auto-rollover and failure detection. By default, the WAN interfaces are configured for primary (single) WAN mode. You can enable auto-rollover and configure the failure detection settings. These tasks are describ[...]

  • Page 88

    After you configure the IPv6 routing mode, you must configure a WAN interface with a global unicast address to enable secure IPv6 Internet connections on your VPN firewall. A global unicast address is a public and routable IPv6 WAN addre[...]

  • Page 89

    Enable the IPv6 Routing Mode The following procedure describes how to enable the IPv6 routing mode. To enable the IPv6 routing mode: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the[...]

  • Page 90

    WARNING: Changing the IP routing mode causes the VPN firewall to reboot. 8. Click the Apply button. Your settings are saved. Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically A DHCPv6 server can allow the VPN[...]

  • Page 91

    Note: If your ISP requires MAC authentication and another MAC address was previously registered with your ISP, you must configure that MAC address on the VPN firewall (see Change the Advertised MAC Address of the VPN Firewall on page 70) b[...]

  • Page 92

    • Status. The status of the WAN interface (UP or DOWN). • WAN IP. The IPv6 address of the WAN interface. • Action. The Edit button provides access to the WAN IPv6 ISP Settings screen (see Step 8) for the corresponding WAN int[...]

  • Page 93

    • Prefix delegation check box is selected. A prefix is assigned by the ISP DHCPv6 server through prefix delegation, for example, 2001:db8::/64. The VPN firewall’s own stateless DHCPv6 server can assign this prefix to its IPv6 LAN clie[...]

  • Page 94

    Manually Configure a Static IPv6 Internet Connection To configure a static IPv6 Internet connection, enter the IPv6 address information that your IPv6 ISP gave you. If you do not have this information, contact your IPv6 ISP. Note: If y[...]

  • Page 95

    8. In the IPv6 WAN Settings table, click the Edit button for the WAN interface that you want to configure. The WAN IPv6 ISP Settings screen displays. The following figure shows the WAN2 IPv6 ISP Settings screen as an example. 9. In th[...]

  • Page 96

    Note: If you do not know your static IPv6 address information, contact your IPv6 ISP. 11. Click the Apply button. Your settings are saved. 12. Verify the connection: a. Select Network Configuration > WAN Settings > WAN Setup. Th[...]

  • Page 97

    The Connection Status screen shows a valid IP address and gateway. You are connected to the Internet. For more information about the connection status, see View the WAN Port Status and Terminate or Establish the Internet Connection on [...]

  • Page 98

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the[...]

  • Page 99

    9. In the Internet Address section, from the IPv6 menu, select PPPoE. 10. In the PPPoE IPv6 section, enter the settings as described in the following table. Note: If you do not know your PPPoE IPv6 information, contact your IPv6 ISP. Setti[...]

  • Page 100

    11. Click the Apply button. Your settings are saved. 12. Verify the connection: a. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup screen displays the IPv4 settings. b. In the upper right, select the IPv[...]

  • Page 101

    The Connection Status screen shows a valid IP address and gateway. You are connected to the Internet. For more information about the connection status, see View the WAN Port Status and Terminate or Establish the Internet Connection on [...]

  • Page 102

    6to4 is a WAN tunnel mechanism for automatic tunneling of IPv6 traffic between a device with an IPv6 address and a device with an IPv4 address, or the other way around. 6to4 tunneling is used to transfer IPv6 traffic between LAN IPv6 hos[...]

  • Page 103

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > WAN Settings > 6 to 4 Tunnelin[...]

  • Page 104

    Note: If you do not use a stateful DHCPv6 server in your LAN, you must configure the Router Advertisement Daemon (RADVD) and set up ISATAP advertisement prefixes (which are referred to as Global/Local/ISATAP prefixes) for ISATAP tunn[...]

  • Page 105

    7. Click the Add button under the List of Available ISATAP Tunnels table. The Add ISATAP Tunnel screen displays. 8. Specify the tunnel settings as described in the following table. 9. Click the Apply button. Your settings are saved.[...]

  • Page 106

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login scree[...]

  • Page 107

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change th[...]

  • Page 108

    The IPv6 Tunnel Status table shows the following fields: • Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for Simple Internet Transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in w[...]

  • Page 109

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login scree[...]

  • Page 110

    Auto-Rollover for IPv6 WAN Interfaces You can configure the VPN firewall’s IPv6 interfaces for auto-rollover for increased system reliability. You must specify one WAN interface as the primary interface. The VPN firewall support[...]

  • Page 111

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login scree[...]

  • Page 112

    The other WAN interface becomes disabled. c. Select the Auto Rollover check box. d. From the corresponding menu on the right, select a WAN interface to function as the backup WAN interface. Note: Ensure that the backup WAN interface is[...]

  • Page 113

    8. In the IPv6 WAN Settings table, click the Edit button for the WAN interface that you selected as the primary WAN interface. The WAN IPv6 ISP Settings screen displays. 9. Click the Advanced option arrow in the upper right. The WAN[...]

  • Page 114

    Note: You can configure the VPN firewall to generate a WAN status log and email this log to a specified address (see Manage Logging, Alerts, and Event Notifications on page 571). Additional WAN-Related Configuration Tasks If you want[...]

  • Page 115

    4. Configure the IPv4 LAN Settings This chapter describes how to configure the IPv4 LAN features of your VPN firewall. The chapter contains the following sections: • Manage IPv4 Virtual LANs and DHCP Options • Manage IPv4 Multihome LAN IP Addresses on the Default VLAN • Manage IPv4 LAN Groups and Hosts • Manage the DMZ Port for IPv4[...]

  • Page 116

    Manage IPv4 Virtual LANs and DHCP Options The following sections provide information about managing IPv4 VLANs and DHCP options: • IPv4 LANs and VLANs • Port-Based VLANs • Assign VLAN Profiles • VLAN DHCP • Manage VLAN Profiles • Configur[...]

  • Page 117

    Port-Based VLANs The VPN firewall supports port-based VLANs. Port-based VLANs confine broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than one VLAN, the port can have only one VLAN ID as its port VLAN identifier (P[...]

  • Page 118

    To assign VLAN profiles to LAN ports: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory[...]

  • Page 119

    • VLAN ID. The unique ID (or tag) assigned to the VLAN profile. • Subnet IP. The subnet IP address for the VLAN profile. • DHCP Status. The DHCP server status for the VLAN profile, which can be either Enabled or Disabled. • Action. The Edit[...]

  • Page 120

    For most applications, the default DHCP server and TCP/IP settings of the VPN firewall are satisfactory. The VPN firewall delivers the following settings to any LAN device that requests DHCP: • An IP address from the range that you define • Subnet[...]

  • Page 121

    Manage VLAN Profiles For each VLAN on the VPN firewall, you can configure its profile, port membership, LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing capability. Note: For information about how to manage VLANs, see Port-Base[...]

  • Page 122

    7. Click the Add button. The Add VLAN Profile screen displays.[...]

  • Page 123

    8. Enter the settings as described in the following table. Setting Description VLAN Profile Profile Name Enter a unique name for the VLAN profile. VLAN ID Enter a unique ID number for the VLAN profile. No two VLANs can have the same VLAN ID number. No[...]

  • Page 124

    Start IP Address Enter the start IP address. This address specifies the first of the contiguous addresses in the IP address pool. Any new DHCP client joining the LAN is assigned an IP address between this address and the end IP address. For the default[...]

  • Page 125

    9. Click the Apply button. Your settings are saved. Change a VLAN Profile The following procedure describes how to change an existing VLAN profile. To change a VLAN profile: 1. On your computer, launch an Internet browser. 2. In the address f[...]

  • Page 126

    9. Click the Apply button. Your settings are saved. The modified VLAN profile displays in the VLAN Profiles table on the LAN Setup screen. Enable, Disable, or Delete Existing VLAN Profiles The following procedure describes how to enable or disable [...]

  • Page 127

    The ! status icons change from green circles to gray circles, indicating that the selected profiles are disabled. • Delete. Removes the selected VLAN profiles. The selected profiles are removed from the VLAN Profiles table. Configure Unique VLAN M[...]

  • Page 128

    8. From the MAC Address for VLANs menu, select Unique. The default setting is Same. 9. Click the Apply button. Your settings are saved. VLANs have unique MAC addresses. Note: If you attempt to configure more than 16 VLANs, the MAC addresses that are[...]

  • Page 129

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > LAN Settings. The LAN submenu tabs display, wi[...]

  • Page 130

    access to the Internet, but you can do so only for the default VLAN. The IP address that is assigned as a secondary IP address must be unique and cannot be assigned to a VLAN. Make sure that any secondary LAN addresses are different from the primary LA[...]

  • Page 131

    The Available Secondary LAN IPs table displays the secondary LAN IP addresses that you added to the VPN firewall. 7. In the Add Secondary LAN IP Address section, enter the following settings: • IP Address. Enter the secondary address that you want t[...]

  • Page 132

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Stat[...]

  • Page 133

    The Router Status screen displays. 6. Select Network Configuration > LAN Settings > LAN Multi-homing. The LAN Multi-homing screen displays the IPv4 settings. 7. In the Available Secondary LAN IPs table, select the check box to the left of each [...]

  • Page 134

    • You do not need to reserve an IP address for a computer in the DHCP server. All IP address assignments made by the DHCP server are maintained until the computer or device is removed from the network database, either by expiration (inactive for a [...]

  • Page 135

    • Remove One or More Devices from the Network Database View or Add Devices Manually to the Network Database The following procedure describes how to view or add devices manually to the network database. To view or add devices manually to the ne[...]

  • Page 136

    The Known PCs and Devices table lists the entries in the network database. For each computer or device, the following fields display: • Check box. Allows you to select the computer or device in the table. • Name. The name of the computer or devic[...]

  • Page 137

    8. Click the Add button. The computer or device is added to the Known PCs and Devices table. 9. (Optional) Save the binding between the IP address and MAC address for the entry that you just added: a. Select the check box for the table entry. b. Click[...]

  • Page 138

    The LAN Groups screen displays. The following figure shows some manually added devices in the Known PCs and Devices table as an example. 7. In the Known PCs and Devices table, click the Edit button for the device that you want to change. The Edit LAN G[...]

  • Page 139

    Remove One or More Devices from the Network Database The following procedure describes how to remove one or more devices from the network database. To remove one or more devices from the network database: 1. On your computer, launch an Interne[...]

  • Page 140

    Change Group Names in the Network Database By default, the groups are named Group1 through Group8. You can change these group names to be more descriptive, for example, GlobalMarketing and GlobalSales. To change the name of one of the eight ava[...]

  • Page 141

    8. Select the radio button next to the group name that you want to change. Note: You can change only one group name at a time. 9. Type a new name in the field. The maximum number of characters is 15. Do not use a double quote (''), single qu[...]

  • Page 142

    some cases, local computers can run the application correctly if those computers are used on the DMZ port. Note the following about the DMZ port: • The VPN firewall has a separate firewall security profile for the DMZ port. This security profile is a[...]

  • Page 143

    7. Enter the settings as described in the following table. Setting Description DMZ Port Setup Select the Yes radio button to configure the DMZ port settings. Complete the following fields: • IP Address. Enter the IP address of the DMZ port. Make su[...]

  • Page 144

    DHCP for DMZ Connected Computers Select one of the following radio buttons: • Disable DHCP Server. If another device in the DMZ functions as the Dynamic Host Configuration Protocol (DHCP) server for the DMZ, or if you intend to manually configure th[...]

  • Page 145

    8. Click the Apply button. Your settings are saved. Manage Static IPv4 Routing The following sections provide information about managing static IPv4 routing: • Static IPv4 Routes • Add a Static IPv4 Route • Change a Static IPv4 Route • Remove[...]

  • Page 146

    and you do not need to configure additional static routes. Configure static routes only for unusual cases such as multiple firewalls or multiple IP subnets on your network. The VPN firewall automatically sets up routes between VLANs and secondary IPv4 [...]

  • Page 147

    The Add Static Route screen displays. 8. Enter the settings as described in the following table. 9. Click the Apply button. Your settings are saved. The new static route is added to the Static Routes table. Setting Description Route Name The route nam[...]

  • Page 148

    Change a Static IPv4 Route The following procedure describes how to change an existing IPv4 static route. To change an IPv4 static route: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP a[...]

  • Page 149

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3[...]

  • Page 150

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Stat[...]

  • Page 151

    8. Enter the settings as described in the following table. 9. Click the Apply button. Setting Description RIP RIP Direction From the RIP Direction menu, select the direction in which the VPN firewall sends and receives RIP packets: • None. The VPN f[...]

  • Page 152

    Your settings are saved. IPv4 Static Route Example In this example, we assume the following: • The VPN firewall’s primary Internet access is through a cable modem to an ISP. • The VPN firewall is on a local LAN with IP address 192.168.1.100.[...]

  • Page 153

    5. Configure the IPv6 LAN Settings This chapter describes how to configure the IPv6 LAN features of your VPN firewall. The chapter contains the following sections: • Manage the IPv6 LAN • Manage IPv6 Multihome LAN IP Addresses • Manage the DMZ Port for IPv6 Traffic • Manage Static IPv6 Routing[...]

  • Page 154

    Manage the IPv6 LAN The following sections provide information about managing the IPv6 LAN: • IPv6 LANs • DHCPv6 LAN Server Concepts and Configuration Roadmap • Configure a Stateless DHCPv6 Server Without Prefix Delegation for the LAN • Manage[...]

  • Page 155

    The VPN firewall provides three DHCPv6 options for the LAN. The following sections provide information about the DHCPv6 options for the LAN: • Concept: Stateless DHCPv6 Server Without Prefix Delegation for the LAN • Concept: Stateless DHCPv6 Server[...]

  • Page 156

    For stateless DHCPv6 with prefix delegation, you must enable and configure the RADVD, but you do not need to add advertisement prefixes to the RADVD because the DHCPv6 server assigns the prefixes that you specify for the DHCPv6 server. To set up [...]

  • Page 157

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3[...]

  • Page 158

    8. Enter the settings as described in the following table. Setting Description IPv6 LAN Setup IPv6 Address Enter the LAN IPv6 address. The default address is fc00::1. (For more information, see IPv6 LANs on page 154.) IPv6 Prefix Length Enter the IPv6 [...]

  • Page 159

    9. Click the Apply button. Your settings are saved. Manage a Stateless DHCPv6 Server with Prefix Delegation for the LAN The following sections provide information about managing a stateless DHCPv6 server with prefix delegation for the LAN: • [...]

  • Page 160

    Stateless DHCPv6 Server and Prefix Delegation for the LAN As an option for a stateless DHCPv6 server, you can enable prefix delegation. Note that this is prefix delegation by the DHCPv6 server in the LAN, not by the ISP DHCPv6 server in the WAN.[...]

  • Page 161

    The WAN Setup screen displays the IPv4 settings. b. In the upper right, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings. c. In the WAN IPv6 Settings table, click the Edit button for the WAN interface for which you want [...]

  • Page 162

    f. Make sure that the Prefix Delegation check box is selected. g. If you made any changes, click the Apply button. Your settings are saved. 7. Select Network Configuration > LAN Settings. The LAN Setup screen displays the IPv4 settings. 8. In the [...]

  • Page 163

    10. Click the Apply button. Your settings are saved. DHCPv6 DHCP Status Enable the DHCPv6 server by selecting Enable DHCPv6 Server from the DHCP Status menu. The default menu selection is Disable DHCPv6 Server. DHCP Mode From the DHCP Mode menu, sele[...]

  • Page 164

    Manually Add IPv6 LAN Prefixes for Prefix Delegation As an option, you can also manually add prefixes to enable the DHCPv6 server to assign these prefixes to its IPv6 LAN clients. To add an IPv6 prefix manually for prefix delegation: 1. On you[...]

  • Page 165

    10. Click the Apply button. Your settings are saved. The new prefix is added to the List of Prefixes for Prefix Delegation table on the LAN Setup screen for IPv6. Change an IPv6 LAN Prefix for Prefix Delegation The following procedure describes ho[...]

  • Page 166

    Remove One or More IPv6 LAN Prefixes for Prefix Delegation The following procedure describes how to remove one or more prefixes that you no longer need for prefix delegation. To remove one or more prefixes for prefix delegation: 1. On your c[...]

  • Page 167

    • Change an IPv6 LAN Address Pool • Remove One or More IPv6 LAN Address Pools Stateful DHCPv6 Server and IPv6 Address Pool for the LAN With a stateful DHCPv6 server, the IPv6 clients in the LAN obtain an interface IP address, configuration i[...]

  • Page 168

    8. Enter the settings as described in the following table. Setting Description IPv6 LAN Setup IPv6 Address Enter the LAN IPv6 address. The default address is fc00::1. (For more information, see IPv6 LANs on page 154.) IPv6 Prefix Length Enter the IPv6 [...]

  • Page 169

    9. Click the Apply button. Your settings are saved. Add an IPv6 LAN Address Pool If you configure a stateful DHCPv6 server for the LAN, you must add local DHCP IPv6 address pools so that the DHCPv6 server can control the allocation of IPv6 addresse[...]

  • Page 170

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > LAN Settings. The LAN Setup screen displays the[...]

  • Page 171

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3[...]

  • Page 172

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain o[...]

  • Page 173

    IPv6 Router Advertisement Daemon for the LAN The RADVD is an application that uses the Neighbor Discovery Protocol (NDP) to collect link-local advertisements of IPv6 addresses and IPv6 prefixes in the LAN. The RADVD then distributes this information[...]

  • Page 174

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default pass[...]

  • Page 175

    9. Enter the settings as described in the following table. Setting Description RADVD Status From the RADVD Status menu, select Enable. The RADVD is enabled, and the RADVD fields are available. The default selection is Disable. The RADVD is disabled, [...]

  • Page 176

    10. Click the Apply button. Your settings are saved. View Automatically Added Advertisement Prefixes for the LAN and Manually Add Advertisement Prefixes If you enabled the ISP DHCPv6 server to assign a prefix through prefix delegation to the VPN [...]

  • Page 177

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > LAN Settings. The LAN Setup screen displays the[...]

  • Page 178

    If you enabled the ISP DHCPv6 server to assign a prefix through prefix delegation to the VPN firewall (see Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically on page 90), the advertisement prefixes that are based on the ISPs ass[...]

  • Page 179

    10. Enter the settings as described in the following table. 11. Click the Apply button. Your settings are saved. The new advertisement prefix is added to the List of Prefixes to Advertise table on the RADVD screen for the LAN. Change an Advertisement[...]

  • Page 180

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > LAN Settings. The LAN Setup screen displays the[...]

  • Page 181

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > LAN Settings. The LAN Setup screen displays the[...]

  • Page 182

    • Secondary LAN IP address. 2001:db8:3000::2192 with a prefix length of 10 Add a Secondary LAN IPv6 Address The following procedure describes how to add a secondary LAN IPv6 address. To add a secondary LAN IPv6 address: 1. On your computer, [...]

  • Page 183

    The Available Secondary LAN IPs table displays the secondary LAN IP addresses added to the VPN firewall. 8. In the Add Secondary LAN IP Address section, enter the following settings: • IPv6 Address. Enter the secondary address that you want to assig[...]

  • Page 184

    7. In the upper right, select the IPv6 radio button. The LAN Multi-homing screen displays the IPv6 settings. 8. In the Available Secondary LAN IPs table, click the Edit button for the secondary IP address that you want to change. The Edit LAN Multi-hom[...]

  • Page 185

    8. In the Available Secondary LAN IPs table, select the check box to the left of each secondary IP address that you want to remove or click the Select All button to select all secondary IP addresses. 9. Click the Delete button. The selected secondary[...]

  • Page 186

    For the IPv6 DMZ, the VPN firewall provides two DHCPv6 server options: • Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements, but receiv[...]

  • Page 187

    The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative [...]

  • Page 188

    8. Enter the settings as described in the following table. Setting Description DMZ Port Setup Select the Yes radio button to configure the DMZ port settings. Complete the following fields: • IPv6 Address. Enter the IP address of the DMZ port. Make [...]

  • Page 189

    9. Click the Apply button. Your settings are saved. Manage the IPv6 Router Advertisement Daemon for the DMZ Note: If you use a stateless DHCPv6 server for the DMZ, you must configure the Router Advertisement Daemon (RADVD) and advertisement prefixes[...]

  • Page 190

    firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ. RAs include IPv6 addresses, types of prefixes, prefix addresses, prefix lifetimes, the maximum transmissio[...]

  • Page 191

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Stat[...]

  • Page 192

    9. Enter the settings as described in the following table. Setting Description RADVD Status From the RADVD Status menu, select Enable. The RADVD is enabled and the RADVD fields are available. The default selection is Disable. The RADVD is disabled an[...]

  • Page 193

    10. Click the Apply button. Your settings are saved. Add an Advertisement Prefix for the DMZ You must configure the prefixes that are advertised in the DMZ router advertisements (RAs). For a 6to4 address, you must specify only the site level aggreg[...]

  • Page 194

    7. In the upper right, select the IPv6 radio button. The DMZ Setup screen displays the IPv6 settings. The following figure shows an example. 8. Click the RADVD option arrow in the upper right. The RADVD screen for the DMZ displays. The following figure[...]

  • Page 195

    9. Under the List of Prefixes to Advertise table, click the Add button. The Add Advertisement Prefix screen displays.[...]

  • Page 196

    10. Enter the settings as described in the following table. 11. Click the Apply button. Your settings are saved. The new IPv6 address pool is added to the List of Prefixes to Advertise table on the RADVD screen for the DMZ. Change an Advertisement Pr[...]

  • Page 197

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > DMZ Setup. The DMZ Setup screen displays the IP[...]

  • Page 198

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > DMZ Setup. The DMZ Setup screen displays the IP[...]

  • Page 199

    Configure a Stateful DHCPv6 Server for the DMZ The following procedure describes how to configure a stateful DHCPv6 server and corresponding IPv6 settings for the DMZ. To configure a stateful DHCPv6 server and corresponding IPv6 settings for t[...]

  • Page 200

    8. Enter the settings as described in the following table. Setting Description DMZ Port Setup Select the Yes radio button to configure the DMZ port settings. Complete the following fields: • IPv6 Address. Enter the IP address of the DMZ port. Make [...]

  • Page 201

    9. Click the Apply button. Your settings are saved. Add an IPv6 DMZ Address Pool If you use a stateful DHCPv6 server for the DMZ, you must add local DHCP IPv6 address pools so that the DHCPv6 server can control the allocation of IPv6 addresses in th[...]

  • Page 202

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Stat[...]

  • Page 203

    9. Enter the settings as described in the following table. 10. Click the Apply button. Your settings are saved. The new IPv6 address pool is added to the List of IPv6 Address Pools table on the DMZ Setup (IPv6) screen. Change an IPv6 DMZ Address Poo[...]

  • Page 204

    5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > DMZ Setup. The DMZ Setup screen displays the IPv4 settings. 7. In the upper right, select the IPv6 radio button. The DMZ Setup screen displays the IPv6 [...]

  • Page 205

    The DMZ Setup screen displays the IPv4 settings. 7. In the upper right, select the IPv6 radio button. The DMZ Setup screen displays the IPv6 settings. 8. In the List of IPv6 Address Pools table, select the check box to the left of each address pool that y[...]

  • Page 206

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > Routing. The Static Routing screen displays the[...]

  • Page 207

    10. Click the Apply button. Your settings are saved. The new static route is added to the List of IPv6 Static Routes table on the Static Routing screen for IPv6. Change a Static IPv6 Route The following procedure describes how to change an existing [...]

  • Page 208

    The Static Routing screen displays the IPv6 settings. 8. In the List of IPv6 Static Routes table, click the Edit button for the route that you want to change. The Edit IPv6 Static Routing screen displays. 9. Change the settings. For information about t[...]

  • Page 209

    9. Click the Delete button. The selected routes are removed from the List of IPv6 Static Routes table.[...]

  • Page 210

    6. Customize Firewall Protection This chapter describes how to use the firewall features of the VPN firewall to protect your network. The chapter contains the following sections: • Firewall Protection • Overview of Rules to Block or Allow Specific Kinds of Traffic • Change the Default Outbound Policy for LAN WAN Traffic • Add [...]

  • Page 211

    Customize Firewall Protection 211 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv3 Firewall Protection A firewall protects one network (the trusted network, such as your LAN) from another (the untrusted network, such as the Internet) while allowing communication between the two. You can further segment keyword blocking to certai[...]

  • Page 212

    Overview of Rules to Block or Allow Specific Kinds of Traffic The following sections provide overviews of rules to block and allow specific kinds of traffic: • Firewall Rules • Outbound Rules — Service Blocking • Settings for Outbound Rule[...]

  • Page 213

    Default DMZ WAN Rules For DMZ WAN traffic, the default policy is to block all traffic from and to the Internet. You can change the default policy by adding DMZ WAN firewall rules that allow specific types of traffic to go out from the DMZ to the I[...]

  • Page 214

    Profiles for IPv4 Firewall Rules on page 295 and Default Quality of Service Priorities for IPv6 Firewall Rules on page 300). • Bandwidth profiles. After you configure a bandwidth profile (see Manage Bandwidth Profiles for IPv4 Traffic on page 301), [...]

  • Page 215

    Table 5. Outbound rules overview Setting Description Outbound Rules Service The service or application to be covered by this rule. If the service or application does not display in the list, you must define it (see Manage Customized Services on page 28[...]

  • Page 216

    WAN Users The settings that determine which Internet locations are covered by the rule, based on their IP address. The options are as follows: • Any. All Internet IP addresses are covered by this rule. • Single address. Enter the required address[...]

  • Page 217

    Inbound Rules — Port Forwarding The VPN firewall has a default inbound LAN WAN rule, which blocks all access from outside except responses to requests from the LAN side. If you have enabled Network Address Translation (NAT), your network presen[...]

  • Page 218

    rule informs the firewall to direct inbound traffic for a particular service to one local server based on the destination port number. This process is known as port forwarding. WARNING: Allowing inbound services opens security holes in your network. E[...]

  • Page 219

    Settings for Inbound Rules The following table describes the components that let you configure rules for inbound traffic. For information about the actual procedures to configure inbound rules, see the following sections: • Add LAN WAN Inbound Servic[...]

  • Page 220

    WAN Destination IP Address The setting that determines the destination IP address applicable to incoming traffic. This is the public IP address that maps to the internal LAN server. This can be either the address of the WAN interface or another publi[...]

  • Page 221

    DMZ Users The settings that determine which DMZ computers on the DMZ network are covered by this rule. The options are as follows: • Any. All computers and devices on your DMZ network are covered by this rule. • Single address. Enter the required [...]

  • Page 222

    Change the Default Outbound Policy for LAN WAN Traffic The default outbound policy allows all traffic to the Internet to pass through. You can then apply firewall rules to block specific types of traffic from going out from the LAN to the Inter[...]

  • Page 223

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default passw[...]

  • Page 224

    Change the Default LAN WAN Outbound Policy for IPv6 Traffic The following procedure describes how to change the default outbound policy for IPv6 traffic from the LAN to the WAN. To change the default outbound policy for LAN WAN IPv6 traff[...]

  • Page 225

    8. From the Default Outbound Policy menu, select Block Always. By default, Allow Always is selected. 9. Click the Apply button. Your settings are saved. Add LAN WAN Rules The following sections provide information about managing LAN WAN rules: • [...]

  • Page 226

    • Add an IPv6 LAN WAN Outbound Rule Add an IPv4 LAN WAN Outbound Rule The following procedure describes how to add an IPv4 LAN WAN outbound rule. To add an IPv4 LAN WAN outbound rule: 1. On your computer, launch an Internet browser. 2. In t[...]

  • Page 227

    7. Under the Outbound Services table, click the Add button. The Add LAN WAN Outbound Service screen for IPv4 displays. 8. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Ou[...]

  • Page 228

    The following table lists the menus that apply to an IPv4 LAN WAN outbound rule. 9. Click the Apply button. Your settings are saved. The new rule is added to the Outbound Services table on the LAN WAN Rules screen. Add an IPv6 LAN WAN Outbound Rule[...]

  • Page 229

    The Firewall submenu tabs display with the LAN WAN Rules screen in view, displaying the IPv4 settings. 7. In the upper right, select the IPv6 radio button. The LAN WAN Rules screen displays the IPv6 settings. 8. Under the Outbound Services table, cli[...]

  • Page 230

    The following table lists the menus that apply to an IPv6 LAN WAN outbound rule. 10. Click the Apply button. Your settings are saved. The new rule is added to the Outbound Services table on the LAN WAN Rules screen. Add LAN WAN Inbound Service Rul[...]

  • Page 231

    Add an IPv4 LAN WAN Inbound Rule The following procedure describes how you can add an IPv4 LAN WAN inbound rule. To add an IPv4 LAN WAN inbound rule: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, e[...]

  • Page 232

    7. Under the Inbound Services table, click the Add button. The Add LAN WAN Inbound Service screen for IPv4 displays. 8. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbo[...]

  • Page 233

    9. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the LAN WAN Rules screen. Add an IPv6 LAN WAN Inbound Rule The following procedure describes how to add an IPv6 LAN WAN inbound rule. To[...]

  • Page 234

    8. Under the Inbound Services table, click the Add button. The Add LAN WAN Inbound Service screen for IPv6 displays. 9. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbo[...]

  • Page 235

    10. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the LAN WAN Rules screen. Add DMZ WAN Rules The following sections provide information about managing DMZ WAN rules: • Add DMZ WAN Outbound[...]

  • Page 236

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or[...]

  • Page 237

    8. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 214. The following table lists the menus that apply to an IPv4 DMZ WAN outbound rule. 9. Click the[...]

  • Page 238

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3.[...]

  • Page 239

    9. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 214. The following table lists the menus that apply to an IPv6 DMZ WAN outbound rule. 10. Click th[...]

  • Page 240

    Note: Inbound LAN WAN rules take precedence over inbound DMZ WAN rules. When an inbound packet matches an inbound LAN WAN rule, the VPN firewall does not match the packet against inbound DMZ WAN rules. WARNING: Make sure that you first configure the[...]

  • Page 241

    7. Under the Inbound Services table, click the Add button. The Add DMZ WAN Inbound Service screen for IPv4 displays. 8. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbo[...]

  • Page 242

    The following table lists the menus that apply to an IPv4 DMZ WAN inbound rule. 9. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the DMZ WAN Rules screen. Add an IPv6 DMZ WAN Inbound Rule The[...]

  • Page 243

    The Router Status screen displays. 6. Select Security > Firewall > DMZ WAN Rules. The DMZ WAN Rule screen displays the IPv4 settings. 7. In the upper right, select the IPv6 radio button. The DMZ WAN Rule screen displays the IPv6 settings. 8. U[...]

  • Page 244

    The following table lists the menus that apply to an IPv6 DMZ WAN inbound rule. 10. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the DMZ WAN Rules screen. Add LAN DMZ Rules The following sec[...]

  • Page 245

    To add an IPv4 LAN DMZ outbound rule: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory [...]

  • Page 246

    8. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 214. The following table lists the menus that apply to an IPv4 LAN DMZ outbound rule. 9. Click the [...]

  • Page 247

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default passw[...]

  • Page 248

    9. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Outbound Rules on page 214. The following table lists the menus that apply to an IPv6 LAN DMZ outbound rule. 10. Click the[...]

  • Page 249

    The following sections provide information about adding LAN DMZ inbound service rules: • Add an IPv4 LAN DMZ Inbound Rule • Add an IPv6 LAN DMZ Inbound Rule Add an IPv4 LAN DMZ Inbound Rule The following procedure describes how to add an IPv4 LAN D[...]

  • Page 250

    7. Under the Inbound Services table, click the Add button. The Add LAN DMZ Inbound Service screen for IPv4 displays. 8. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbou[...]

  • Page 251

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3.[...]

  • Page 252

    9. Make your selections from the menus and enter the settings. For more information about the menus and settings, see Settings for Inbound Rules on page 219. The following table lists the menus that apply to an IPv6 LAN DMZ inbound rule. 10. Click the A[...]

  • Page 253

    • Remove the rule To manage an existing rule: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewal[...]

  • Page 254

    9. Take one of the actions that are described in the following table. Examples of Firewall Rules The following sections provide examples of firewall rules: Action Steps Change a rule 1. In the leftmost column of the table, select the check box for the[...]

  • Page 255

    • Examples of Inbound Firewall Rules • Examples of Outbound Firewall Rules Examples of Inbound Firewall Rules The following sections provide examples of IPv4 and IPv6 LAN WAN inbound rules: • IPv4 LAN WAN Inbound Rule: Host a Local Public Web S[...]

  • Page 256

    8. Enter the settings as described in the following table. 9. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the LAN WAN Rules screen. Setting Description Service From the menu, select HTTP. Ac[...]

  • Page 257

    IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted Addresses If you want to allow incoming videoconferencing to be initiated from a restricted range of outside IP addresses, such as from a branch office, you can create an inbound r[...]

  • Page 258

    8. Enter the settings as described in the following table. Setting Description Service From the menu, select CU-SEEME:UDP. Action From the menu, select ALLOW by schedule, otherwise block. (If you do not want to use a schedule, select ALLOW always.) S[...]

  • Page 259

    9. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the LAN WAN Rules screen. IPv4 LAN WAN Inbound Rule: Set Up One-to-One NAT Mapping In this example, you configure multi-NAT to support multi[...]

  • Page 260

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup sc[...]

  • Page 261

    13. Enter the settings as described in the following table. 14. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the LAN WAN Rules screen. 15. To test the connection from a computer on the Intern[...]

  • Page 262

    IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a Single LAN User If you want to restrict incoming reverse Telnet (RTelnet) sessions from a single IPv6 WAN user to a single IPv6 LAN user, specify the initiating IPv6 WAN[...]

  • Page 263

    9. Enter the settings as described in the following table. 10. Click the Apply button. Your settings are saved. The new rule is added to the Inbound Services table on the LAN WAN Rules screen. Examples of Outbound Firewall Rules Outbound rules let yo[...]

  • Page 264

    IPv4 LAN WAN Outbound Rule: Block Instant Messenger If you want to block Instant Messenger usage by employees during specific hours such as working hours, you can create an outbound rule to block such an application from any internal IP address to any[...]

  • Page 265

    8. Enter the settings as described in the following table. 9. Click the Apply button. Your settings are saved. The new rule is added to the Outbound Services table on the LAN WAN Rules screen. Setting Description Service From the menu, select AIM. Ac[...]

  • Page 266

    IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ User to Access an FTP Site on the Internet If you want to allow a group of DMZ users to access a particular FTP site on the Internet during specific hours such as working hours, you can create an outb[...]

  • Page 267

    9. Enter the settings as described in the following table. 10. Click the Apply button. Your settings are saved. The new rule is added to the Outbound Services table on the DMZ WAN Rules screen. Configure Other Firewall Features The following sect[...]

  • Page 268

    • Set Limits for IPv4 Sessions • Manage Time-Out Periods for TCP, UDP, and ICMP Sessions • Manage Multicast Pass-Through • Manage the Application Level Gateway for SIP Sessions You can configure attack checks, set session limits, configure mu[...]

  • Page 269

    The Attack Checks screen displays the IPv4 settings. 7. Enter the settings as described in the following table. Setting Description WAN Security Checks Respond to Ping on Internet Ports Select the Respond to Ping on Internet Ports check box to enable t[...]

  • Page 270

    8. Click the Apply button. Your settings are saved. Manage the Ping Settings for the IPv6 WAN Ports The following procedure describes how to manage a WAN security check for IPv6 traffic by specifying the ping settings for the WAN ports. By default,[...]

  • Page 271

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or we[...]

  • Page 272

    • Manage VPN Pass-Through in the IPv4 Network • Manage VPN Pass-Through in the IPv6 Network VPN Pass-Through When the VPN firewall functions in NAT mode, all packets going to a remote VPN gateway are first filtered through NAT and then encrypted[...]

  • Page 273

    7. To block VPN pass-through, clear any of the following check boxes, which are selected by default to allow VPN pass-through: • IPSec. Clearing this check box disables NAT filtering for IPSec tunnels. • PPTP. Clearing this check box disables NA[...]

  • Page 274

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Statu[...]

  • Page 275

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or we[...]

  • Page 276

    8. Enter the settings as described in the following table. 9. Click the Apply button. Your settings are saved. Manage Time-Out Periods for TCP, UDP, and ICMP Sessions For IPv4 traffic, a TCP, UDP, or ICMP session expires if the VPN firewall does[...]

  • Page 277

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3.[...]

  • Page 278

    • ICMP Timeout. For ICMP traffic, the default time-out period is 8 seconds. 8. Click the Apply button. Your settings are saved. Manage Multicast Pass-Through Multicast pass-through is supported for IPv4 traffic only. The following sections provid[...]

  • Page 279

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Security > Firewall > IGMP. The IGMP screen displays. The following f[...]

  • Page 280

    b. Click the Add button. The multicast source address is added to the Alternate Networks table. c. Repeat Step a and Step b for each multicast source address that you must add to the Alternate Networks table. Remove One or More Multicast Source Addr[...]

  • Page 281

    To enable ALG for SIP: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP addr[...]

  • Page 282

    • Manage Quality of Service Profiles for IPv4 Firewall Rules • Default Quality of Service Priorities for IPv6 Firewall Rules • Manage Bandwidth Profiles for IPv4 Traffic Firewall Objects When you create inbound and outbound firewall rules, you [...]

  • Page 283

    Services Overview Examples of web servers that provide web services include the following: web servers provide web pages, time servers provide time and date information, and game hosts provide data about players’ moves. When a computer on the Inter[...]

  • Page 284

    6. Select Security > Services. The Services screen displays. The Custom Services Table shows the user-defined services. The following figure shows some examples. 7. In the Add Customer Service section, enter the settings as described in the followi[...]

  • Page 285

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3.[...]

  • Page 286

    To remove one or more customized services: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall fac[...]

  • Page 287

    single firewall rule. For example, in a configuration with 10 web servers, each of which requires the same three port-forwarding rules, you can create a service group for the port-forwarding rules and an IP group for the web servers (see Manage IP Addre[...]

  • Page 288

    8. In the Name field, enter a name for the service. 9. Specify the services for the group by using the move buttons (<< and >>) to move services between the Available Services field and the List of Selected Services field. Note: You cannot [...]

  • Page 289

    6. Select Network Security > Services > Service Groups. The Service Group screen displays. 7. In the Custom Service Group Table, click the Edit button for the service group that you want to change. The Edit Service Group screen displays. 8. Chan[...]

  • Page 290

    Manage IP Address Groups You can combine individual IP addresses into IP address groups. The following sections provide information about managing IP address groups: • IP Address Groups Overview • Add an IP Address Group • Change an IP Address [...]

  • Page 291

    6. Select Security > Services > IP Groups. The IP Groups screen displays. The following figure shows two groups in the Custom IP Groups Table as examples. 7. In the Add New Custom IP Group section, do the following: • In the IP Group Name fiel[...]

  • Page 292

    12. Repeat the previous two steps to add more IP addresses to the IP Addresses Grouped table. 13. Click the Edit button again. The IP Groups screen displays. The group configuration is complete. Change an IP Address Group The following procedure descr[...]

  • Page 293

    The selected IP addresses are removed from the IP Addresses Grouped table. c. In the IP Address field, type an IP address. d. Click the Add button. The IP address is added to the IP Addresses Grouped table. e. To add another IP address, repeat Step c a[...]

  • Page 294

    Define a Schedule Schedules define the time frames under which firewall rules are applied. Three schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any one of these when defining firewall rules. Other than the tab that[...]

  • Page 295

    7. In the Scheduled Days section, select a radio button: • All Days. The schedule is in effect all days of the week. • Specific Days. The schedule is in effect only on specific days. To the right of the radio buttons, select the check box for ea[...]

  • Page 296

    • Change an IPv4 QoS Profile • Remove One or More IPv4 QoS Profiles IPv4 QoS Profiles Overview A QoS profile becomes active only when it is associated with a nonblocking inbound or outbound firewall rule or service and IPv4 traffic that matches th[...]

  • Page 297

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or[...]

  • Page 298

    8. Enter the settings as described in the following table. 9. Click the Apply button. Your settings are saved. The new QoS profile is added to the List of QoS Profiles table. Change an IPv4 QoS Profile The following procedure describes how to change a[...]

  • Page 299

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or[...]

  • Page 300

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Security > Services > QoS Profiles. The QoS Profiles screen displays.[...]

  • Page 301

    Manage Bandwidth Profiles for IPv4 Traffic Bandwidth profiles determine how fast or slow data is communicated with the hosts. The following sections provide information about managing quality of service profiles for IPv4 firewall rules: • Bandwidt[...]

  • Page 302

    Add and Enable a Bandwidth Profile The following procedure describes how to add and enable a bandwidth profile that you then can use as an object for a firewall rule. Note: When you enable a bandwidth profile, the performance of the VPN firewall might [...]

  • Page 303

    7. Under the List of Bandwidth Profiles table, click the Add button. The Add Bandwidth Profile screen displays. 8. Enter the settings as described in the following table. Setting Description Profile Name A descriptive name of the bandwidth profile for i[...]

  • Page 304

    9. Click the Apply button. Your settings are saved. The new bandwidth profile is added to the List of Bandwidth Profiles table. 10. In the Bandwidth Profiles section, select the Yes radio button under Enable Bandwidth Profiles? By default, the No radi[...]

  • Page 305

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or we[...]

  • Page 306

    5. Click the Login button. The Router Status screen displays. 6. Select Security > Bandwidth Profiles. The Bandwidth Profiles screen displays. 7. In the List of Bandwidth Profiles table, select the check box to the left of each bandwidth profile tha[...]

  • Page 307

    7. Protect Your Network This chapter describes how to protect your network through features other than the firewall. The chapter contains the following sections: • Manage Content Filtering • Enable Source MAC Filtering • Manage IP/MAC Bindings • Manage Port Triggering • Enable Universal Plug and Play[...]

  • Page 308

    Protect Your Network 308 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv3 Manage Content Filtering To restrict internal LAN users from access to certain sites on the Internet, you can use the content filtering and web component blocking features of the VPN firewall. The following sections provide information about how to manage cont[...]

  • Page 309

    Note: Many websites require that cookies be accepted for the site to be accessed correctly. Blocking cookies might interfere with useful functions provided by these websites. • Keyword blocking (domain name blocking). You can specify up to 32 words to block.[...]

  • Page 310

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Security > Content Filtering. The Block Sites screen displays. The following figur[...]

  • Page 311

    8. In the Web Components section, select the check boxes for the components that you want to block: • Proxy. Blocks proxy servers. • Java. Blocks Java applets from being downloaded. • ActiveX. Blocks ActiveX applets from being downloaded. • Cookies. B[...]

  • Page 312

    7. To compose the list of blocked keywords and domain names, add, change, or remove keywords and domain names: • Add. To add a keyword or domain name, do the following: a. In the Add Blocked Keyword section, in the Blocked Keyword field, enter a keyword or d[...]

  • Page 313

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen d[...]

  • Page 314

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is pas[...]

  • Page 315

    To enable MAC filtering and manage MAC addresses to be permitted or blocked: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation proce[...]

  • Page 316

    • Permit and Block the rest. Traffic coming from all addresses in the MAC Addresses table is permitted. Traffic from all other MAC addresses is blocked. 9. Click the Apply button. Your settings are saved. The MAC Address field in the Add Source MAC Address [...]

  • Page 317

    detects packets with an IP address that matches the IP address in the IP/MAC Bindings table but does not match the related MAC address in the IP/MAC Bindings table (or the other way around), the packets are dropped. If you enable the logging option for the IP/MAC[...]

  • Page 318

    View and Set Up an IPv4/MAC Binding The following procedure describes how to view existing IPv4/MAC bindings and set up a binding between a MAC address and an IPv4 address. To view existing bindings and set up a binding between a MAC address and an IPv4 addr[...]

  • Page 319

    7. In the Email IP/MAC Violations section, specify if you want to enable email logs for IP/MAC binding violations by selecting one of the following radio buttons: • Yes. The VPN firewall does email IP/MAC binding violations. As an option, click the Firewall L[...]

  • Page 320

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not ass[...]

  • Page 321

    5. Click the Login button. The Router Status screen displays. 6. Select Security > Address Filter > IP/MAC Binding. The IP/MAC Binding screen displays the IPv4 settings. 7. In the IP/MAC Bindings table, select the check box to the left of each IP/MAC bindi[...]

  • Page 322

    The pop-up screen displays the dropped IPv4 packets. 8. Click the Stop button. 9. Wait for the confirmation that the operation succeeded. 10. In the Poll Interval field, enter a new poll interval in seconds. 11. Click the Set Interval button. 12. Close the pop-up[...]

  • Page 323

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not ass[...]

  • Page 324

    Note: You must specify only once whether you want IP/MAC binding violations for IPv6 traffic to be logged and emailed. Your selection applies to all IPv6 IP/MAC bindings. 9. Click the Apply button. Your settings are saved. 10. In the IP/MAC Bindings section, e[...]

  • Page 325

    The Router Status screen displays. 6. Select Security > Address Filter > IP/MAC Binding. The IP/MAC Binding screen displays the IPv4 settings. 7. In the upper right, select the IPv6 radio button. The IP/MAC Binding screen displays the IPv6 settings. 8. In [...]

  • Page 326

    7. In the upper right, select the IPv6 radio button. The IP/MAC Binding screen displays the IPv6 settings. 8. In the IP/MAC Bindings table, select the check box to the left of each IP/MAC binding that you want to remove or click the Select All button to select al[...]

  • Page 327

    The pop-up screen displays the dropped IPv6 packets. 9. Click the Stop button. 10. Wait for the confirmation that the operation succeeded. 11. In the Poll Interval field, enter a new poll interval in seconds. 12. Click the Set Interval button. 13. Close the pop-u[...]

  • Page 328

    3. The remote system receives the computer’s request and responds using the incoming port or ports that are associated with the port triggering rule on the VPN firewall. 4. The VPN firewall matches the response to the previous request and forwards the response[...]

  • Page 329

    The Port Triggering screen displays. The following figure shows a rule in the Port Triggering Rules table as an example. 7. In the Add Port Triggering Rule section, enter the settings as described in the following table. 8. Click the Add button. Your settings[...]

  • Page 330

    Change a Port Triggering Rule The following procedure describes how to change an existing port triggering rule. To change a port triggering rule: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP add[...]

  • Page 331

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3. In the Us[...]

  • Page 332

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Security > Port Triggering. The Port Triggering screen displays. 7. Click the St[...]

  • Page 333

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Security > UPnP. The UPnP screen displays. The UPnP Portmap Table shows the IP ad[...]

  • Page 334

    Click the Refresh button. The content of the UPnP Portmap Table refreshes. Any UPnP devices that accessed the VPN firewall and that were automatically detected by the VPN firewall display in the UPnP Portmap Table.[...]

  • Page 335

    8. Set Up Virtual Private Networking With IPSec Connections This chapter describes how to use the IP security (IPSec) virtual private networking (VPN) features of the VPN firewall to provide secure, encrypted communications between your local network and a remote network or computer. The chapter contains the following sections: • Dual [...]

  • Page 336

    Dual WAN Port Systems If two WAN ports are configured for either IPv4 or IPv6, you can enable either auto-rollover mode for increased system reliability or load balancing mode for optimum bandwidth efficiency. The select[...]

  • Page 337

    Figure 7. WAN load balancing: FQDN required or optional for VPN The following table summarizes the WAN addressing requirements (FQDN or IP address) for a VPN tunnel in either dual WAN mode. Use the IPSec VPN Wizard for Cli[...]

  • Page 338

    Note: Although the VPN firewall supports IPv6, the NETGEAR ProSAFE VPN Client supports IPv4 only; a future release of the VPN Client might support IPv6. IPSec VPN Wizard Overview Configuring a VPN tunnel connection requires t[...]

  • Page 339

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is a[...]

  • Page 340

    Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard The following figure shows an example of an IPv4 gateway-to-gateway IPSec VPN connection and the following procedure describes how to set up an IPv4 gateway-to[...]

  • Page 341

    7. Enter the settings as described in the following table. Setting Description About VPN Wizard This VPN tunnel will connect to the following peers Select the Gateway radio button. The local WAN port’s IP address or Internet[...]

  • Page 342

    8. Click the Apply button. Your settings are saved. The VPN Policies screen displays the IPv4 settings with the new, automatically generated VPN policy in the List of VPN Policies table. 9. On the remote gateway, configure a[...]

  • Page 343

    The configuration steps depend on the remote gateway. 10. On the VPN firewall, activate the IPSec VPN connection: a. Select VPN > Connection Status. b. Locate the policy in the table and click the Connect button. The IPSec[...]

  • Page 344

    To set up an IPv6 gateway-to-gateway VPN tunnel using the VPN Wizard: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall [...]

  • Page 345

    8. Enter the settings as described in the following table. Setting Description About VPN Wizard This VPN tunnel will connect to the following peers Select the Gateway radio button. The local WAN port’s IP address or Internet[...]

  • Page 346

    9. Click the Apply button. Your settings are saved. The VPN Policies screen displays the IPv6 settings with the new, automatically generated VPN policy in the List of VPN Policies table. 10. On the remote gateway, configure [...]

  • Page 347

    11. On the VPN firewall, activate the IPSec VPN connection: a. Select VPN > Connection Status. b. Locate the policy in the table and click the Connect button. The IPSec VPN connection becomes active. Note: If you use an FQ[...]

  • Page 348

    Figure 10. Example of an IPv4 client-to-gateway IPSec VPN connection The VPN firewall supports client connections with the NETGEAR ProSAFE VPN Client, which is an application that you can install on a computer. The VPN firewal[...]

  • Page 349

    To set up the VPN firewall for a client-to-gateway VPN tunnel using the VPN Wizard: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the[...]

  • Page 350

    7. Enter the settings as described in the following table. Setting Description About VPN Wizard This VPN tunnel will connect to the following peers Select the VPN Client radio button. The default remote FQDN (remote.com) and th[...]

  • Page 351

    8. Click the Apply button. Your settings are saved. The VPN Policies screen displays the IPv4 settings with the new, automatically generated VPN policy in the List of VPN Policies table. This VPN tunnel will use the following[...]

  • Page 352

    9. Collect the information that you must use to configure the VPN client. You can print the following table to keep track of this information. Use the NETGEAR ProSAFE VPN Client Wizard to Create a Secure Connection to the [...]

  • Page 353

    2. From the main menu, select Configuration > Wizard. 3. Select the A router or a VPN gateway radio button. 4. Click the Next button.[...]

  • Page 354

    5. Specify the following VPN tunnel parameters: • IP or DNS public (external) address of the remote equipment. Enter the remote IP address or DNS name of the VPN firewall. For example, enter 192.168.15.175. • Preshared ke[...]

  • Page 355

    8. Specify the local and remote IDs: a. In the tree list pane of the Configuration Panel screen, click Gateway (the default name given to the authentication phase). The Authentication pane displays in the Configuration Panel sc[...]

  • Page 356

    9. Configure the global parameters: a. In the tree list pane of the Configuration Panel screen, click Global Parameters. b. Specify the default lifetimes in seconds: • Authentication (IKE), Default. The default lifetime va[...]

  • Page 357

    10. Click the Save button. Your settings are saved and the VPN client configuration is complete. For information about testing the new VPN tunnel connection, see Test the Connection and View Connection and Status Information [...]

  • Page 358

    2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1. 3. Change the name of the authentication phase (the default name is Gateway): a. Right-click the authenticatio[...]

  • Page 359

    4. Specify the settings that are described in the following table. 5. Click the Save button. Your settings are saved. 6. Click the Advanced tab in the Authentication pane. Setting Description Interface From the menu, select An[...]

  • Page 360

    7. Specify the settings that are described in the following table. 8. Click the Save button. Setting Description Advanced features Aggressive Mode Select this check box to enable aggressive mode as the mode of negotiation with [...]

  • Page 361

    Your settings are saved. Continue the manual configuration of the VPN client with the IPSec configuration. 9. In the tree list pane of the Configuration Panel screen, right-click the vpn_client authentication phase name and se[...]

  • Page 362

    11. Specify the settings that are described in the following table. 12. Click the Save button. Your settings are saved. Continue the manual configuration of the VPN client with the global parameters. 13. In the tree list pane[...]

  • Page 363

    14. Specify the default lifetimes in seconds: • Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change this setting to 28800 seconds to match the configuration of the VPN firewall. • Encryption [...]

  • Page 364

    Test the NETGEAR ProSAFE VPN Client VPN Tunnel Connection Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client. After you configure the IPSec VPN connection on the VPN firewall and the VP[...]

  • Page 365

    Figure 11. VPN client system tray color codes Both the NETGEAR ProSAFE VPN Client and the VPN firewall provide VPN connection and status information. This information is useful for verifying the status of a connection and trou[...]

  • Page 366

    View the VPN Firewall IPSec VPN Connection Status and Terminate or Establish Tunnels You can view the connection status of all IPSec VPN tunnel sessions on the VPN firewall. For a gateway-to-gateway connection, you can t[...]

  • Page 367

    The Connection Status submenu tabs display with the IPSec VPN Connection Status screen in view. The following figure shows an IPSec security association (SA) as an example. The Active IPSec SA(s) table lists each active connec[...]

  • Page 368

    To display the IPSec VPN log on the VPN firewall: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installat[...]

  • Page 369

    You can change existing policies or manually add new VPN and IKE policies directly in the policy tables. The following sections provide information about managing IPSec VPN policies manually: • Manage IKE Policies • Manage[...]

  • Page 370

    To view the IKE policies: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN fir[...]

  • Page 371

    Each policy contains the settings that are described in the following table. These settings apply to both IPv4 and IPv6 IKE policies. For more information about these settings, see Manually Add an IKE Policy on page 371. Manual[...]

  • Page 372

    6. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies screen for IPv4 in view. 7. To add an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The IKE Poli[...]

  • Page 373

    9. Enter the settings as described in the following table. Other than the nature of the IP addresses, the settings that you must enter for IPv4 and IPv6 settings are identical.[...]

  • Page 374

    Setting Description Mode Config Record Do you want to use Mode Config Record? Specify whether the IKE policy uses a Mode Config record. For information about how to define a Mode Config record, see Mode Config Overview on page [...]

  • Page 375

    Identifier Type From the menu, select an ISAKMP identifier to be used by the VPN firewall and specify the identifier in the Identifier field: • Local Wan IP. The WAN IP address of the VPN firewall. When you select this op[...]

  • Page 376

    Diffie-Hellman (DH) Group The DH Group sets the strength of the algorithm in bits. The higher the group, the more secure the exchange. From the menu, select the strength: • Group 1 (768 bit). • Group 2 (1024 bit). This is[...]

  • Page 377

    10. Click the Apply button. Your settings are saved. The IKE policy is added to the List of IKE Policies table. Associate a Manually Added IKE Policy with an Existing VPN Policy The following procedure describes how you can a[...]

  • Page 378

    7. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings. Note: You can associate an IKE policy only with an Auto policy. 8. In th[...]

  • Page 379

    a. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4 settings. b. To disable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies scree[...]

  • Page 380

    Remove One or More IKE Policies The following procedure describes how you can remove one or more IKE policies that you no longer need. WARNING: If you remove an IKE policy that is associated with a VPN policy but do not rep[...]

  • Page 381

    Note: When you use the VPN IPsec Wizard, the VPN and IKE policies that are added automatically have the same name. d. Click the Disable button. The VPN policy is disabled. The green circle to the left of the VPN policy turns gr[...]

  • Page 382

    • Auto. Some settings for the VPN tunnel are generated automatically through the use of the IKE protocol to perform negotiations between the two VPN endpoints (the local ID endpoint and the remote ID endpoint). You still mu[...]

  • Page 383

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select VPN > IPSec VPN > VPN Policies. The VPN Pol[...]

  • Page 384

    Manually Add a VPN Policy The following procedure describes how to add a VPN policy manually. To manually add a VPN policy: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, en[...]

  • Page 385

    The VPN Policies screen displays the IPv6 settings. 8. Under the List of VPN Policies table, click the Add button. The Add New VPN Policy screen displays. The Add New VPN Policy screen for IPv4 and the Add New VPN Policy screen[...]

  • Page 386

    Other than the nature of the IP addresses, the settings that you must enter for IPv4 and IPv6 are identical with one exception. The IPv4 settings require a subnet mask but the IPv6 settings require a prefix length. Setting Desc[...]

  • Page 387

    Enable Keepalive Select a radio button to specify if keep-alive is enabled: • No. Keep-alive requests are disabled for the VPN tunnel. This is the default setting. • Yes. Keep-alive requests are enabled for the VPN tunne[...]

  • Page 388

    Encryption Algorithm From the menu, select the algorithm to negotiate the security association (SA): • 3DES. Triple DES. This is the default algorithm. • None. No encryption algorithm. • DES. Data Encryption Standard [...]

  • Page 389

    10. Click the Apply button. Your settings are saved. The VPN policy is added to the List of VPN Policies table. Change a VPN Policy The following procedure describes how to change an existing VPN policy that was added either[...]

  • Page 390

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager[...]

  • Page 391

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is a[...]

  • Page 392

    Extended Authentication Overview When many VPN clients connect to a VPN firewall, you might want to use a unique user authentication method beyond relying on a single common pre-shared key for all clients. Although you could[...]

  • Page 393

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Logi[...]

  • Page 394

    10. Locate the Extended Authentication section. 11. Enter the settings as described in the following table. 12. Click the Apply button. Your settings are saved. 13. If you disabled the VPN policy with which the IKE policy for[...]

  • Page 395

    c. In the List of VPN policies table, select the VPN policy that is associated with the IKE policy that you changed. d. Click the Enable button. The VPN policy is reenabled. The gray circle to the left of the VPN policy turns g[...]

  • Page 396

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select VPN > IPSec VPN > RADIUS Client. The RADIUS[...]

  • Page 397

    8. Click the Apply button. Your settings are saved. Assign IPv4 Addresses to Remote Users The following sections provide information about how to configure Mode Config: • Mode Config Overview • Configure Mode Config Op[...]

  • Page 398

    to remote users IP addresses from a secured network space so that the remote users appear as seamless extensions of the network. You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4 address[...]

  • Page 399

    6. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays. As an example, the screen shows two existing Mode Config records with the names EMEA Sales and Americas Sales: • For EMEA Sales, a first pool (1[...]

  • Page 400

    8. Enter the settings as described in the following table. Setting Description Client Pool Record Name A descriptive name of the Mode Config record for identification and management purposes. First Pool Assign at least one rang[...]

  • Page 401

    9. Click the Apply button. Your settings are saved. The new Mode Config record is added to the List of Mode Config Records table. Continue the Mode Config configuration procedure by configuring an IKE policy. (You can also c[...]

  • Page 402

    13. Enter the settings as described in the following table. Note: The IKE policy settings that are described in the following table are specifically for a Mode Config configuration. For information about general IKE policy sett[...]

  • Page 403

    General Policy Name A descriptive name of the IKE policy for identification and management purposes. This example uses ModeConfigAME_Sales. Note: The name is not supplied to the remote VPN endpoint. Direction / Type Responder [...]

  • Page 404

    14. Click the Apply button. Your settings are saved. The IKE policy that includes the Mode Config record is added to the List of IKE Policies table. You can associate the IKE policy with a VPN policy. Enable Dead Peer Detect[...]

  • Page 405

    Configure the NETGEAR ProSAFE VPN Client for Mode Config Operation Note: In this section, the NETGEAR ProSAFE VPN Client is referred to as the VPN client. When the Mode Config feature is enabled, the following information[...]

  • Page 406

    2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and select New Phase 1. 3. Change the name of the authentication phase (the default is Gateway): a. Right-click the authentication pha[...]

  • Page 407

    4. Specify the settings that are described in the following table. 5. Click the Save button. Your settings are saved. 6. In the Authentication pane, click the Advanced tab. Setting Description Interface From the menu, select [...]

  • Page 408

    7. Specify the settings that are described in the following table. 8. Click the Save button. Your settings are saved. Continue the Mode Config configuration of the VPN client with the IPSec configuration. Setting Description A[...]

  • Page 409

    9. In the tree list pane of the Configuration Panel screen, right-click the GW_ModeConfig authentication phase name and select New Phase 2. 10. Change the name of the IPSec configuration (the default is Tunnel): a. Right-clic[...]

  • Page 410

    12. Click the Save button. Your settings are saved. Continue the Mode Config configuration of the VPN client with the global parameters. 13. Click Global Parameters in the left column of the Configuration Panel screen. The Glo[...]

  • Page 411

    14. Specify the following default lifetimes in seconds to match the configuration on the VPN firewall: • Authentication (IKE), Default. Enter 3600 seconds. Note: The default setting is 28800 seconds (eight hours). However, [...]

  • Page 412

    After you have set up the Mode Config configuration on both the VPN client and the VPN firewall, test the configuration to make sure that the VPN firewall does assign an IP address to the VPN client. To test the Mode Confi[...]

  • Page 413

    Change a Mode Config Record The following procedure describes how to change an existing Mode Config record. Note: Before you change a Mode Config record, make sure that it is not used in an IKE policy. If it is, temporarily [...]

  • Page 414

    Remove One or More Mode Config Records The following procedure describes how to remove one or more Mode Config records that you no longer need in IKE policies. Note: Before you remove a Mode Config record, make sure that[...]

  • Page 415

    • Keep-Alive and Dead Peer Detection Overview • Configure Keep-Alives • Configure Dead Peer Detection Keep-Alive and Dead Peer Detection Overview In some cases, you might not want a VPN tunnel to be disconnected when[...]

  • Page 416

    The VPN Policies screen displays the IPv4 settings. 7. To change a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings. 8. In the List of VP[...]

  • Page 417

    Configure Dead Peer Detection The following procedure describes how to configure Dead Peer Detection for an existing IKE policy. To configure Dead Peer Detection for an existing IKE policy: 1. On your computer, launch [...]

  • Page 418

    8. To change an IKE policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The IKE Policies screen for IPv6 displays. 9. In the List of IKE Policies table, click the Edit button for the IKE policy t[...]

  • Page 419

    b. To reenable a VPN policy for IPv6 instead of IPv4, in the upper right, select the IPv6 radio button. The VPN Policies screen displays the IPv6 settings. c. In the List of VPN policies table, select the VPN policy that is as[...]

  • Page 420

    8. In the List of VPN Policies table, click the Edit button for the VPN policy that you want to change. The Edit VPN Policy screen displays. The following figure shows only the top part with the General section of the Edit VPN [...]

  • Page 421

    A PPTP user typically initiates a tunnel request; the PPTP server accommodates the tunnel request and assigns an IP address to the user. After a PPTP tunnel is established, the user can connect to a PPTP client that is located[...]

  • Page 422

    7. Enter the settings as described in the following table. 8. Click the Apply button. Setting Description PPTP Server Enable To enable the PPTP server, select the Enable check box. Start IP Address Type the first IP address [...]

  • Page 423

    Your settings are saved. View the Active PPTP Users and Disconnect Active Users The following procedure describes how to view all active PPTP users and disconnect active PPTP users. To view all active PPTP users and [...]

  • Page 424

    7. To disable an active PPTP user, in the List of PPTP Active Users table, click the corresponding Disconnect button. The user is disconnected. 8. To disable another active PPTP user, repeat Step 7. Manage the L2TP Server[...]

  • Page 425

    To enable the L2TP server and configure the L2TP server pool: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during t[...]

  • Page 426

    8. Click the Apply button. Your settings are saved. View the Active L2TP Users and Disconnect Active Users The following procedure describes how to view all active L2TP users and disconnect active L2TP users. To view[...]

  • Page 427

    The List of L2TP Active Users table lists each active connection with the information that is described in the following table. 7. To disable an active L2TP user, in the List of L2TP Active Users table, click the correspondin[...]

  • Page 428

    9. Set Up Virtual Private Networking with SSL Connections This chapter describes how to use the SSL VPN solution of the VPN firewall to provide remote access for mobile users to their corporate resources. The chapter contains the following sections: • SSL VPN Portals Overview • Build an SSL Portal Using the SSL VPN Wizard • Access [...]

  • Page 429

    SSL VPN Portals Overview The following sections provide concept information about the SSL VPN portal: • SSL VPN Capabilities • SSL Tunnels • SSL Port Forwarding • Build and Access an SSL Portal SSL VPN Capabilities Th[...]

  • Page 430

    • Port forwarding detects and reroutes individual data streams on the user’s computer to the port forwarding connection rather than opening up a full tunnel to the corporate network. • Port forwarding offers more fine-grain[...]

  • Page 431

    SSL VPN Wizard Overview This section provides an overview of the SSL VPN Wizard. For more information about how to set up a portal, see Build an SSL Portal with the SSL VPN Wizard on page 432. The SSL VPN Wizard helps you set up[...]

  • Page 432

    • Add SSL VPN users that are allowed to access the SSL portal (see Manage User Accounts on page 502). • Add more applications and services for SSL port forwarding (see Configure Applications for SSL VPN Port Forwarding on page [...]

  • Page 433

    7. Enter the settings as described in the following table. WARNING: Do not enter an existing portal layout name in the Portal Layout Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings.[...]

  • Page 434

    Setting Description Portal Layout and Theme Name Portal Layout Name A descriptive name for the portal layout. This name is part of the path of the SSL VPN portal URL. Use only alphanumeric characters, hyphens (-), and underscores [...]

  • Page 435

    Note: For more information about portal settings, see Manage the Portal Layout on page 451. 8. Click the Next button. The SSL VPN Wizard Step 2 of 6 screen displays. 9. Enter the settings as described in the following table. WARN[...]

  • Page 436

    Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain[...]

  • Page 437

    Note: For more information about domains, see Manage Authentication Domains on page 492. 10. Click the Next button. The SSL VPN Wizard Step 3 of 6 screen displays. 11. Enter the settings as described in the following table. LDAP [...]

  • Page 438

    WARNING: Do not enter an existing user name in the User Name field; otherwise, the SSL VPN Wizard fails when you attempt to apply the settings. Note: For more information about user accounts and about adding user accounts, see Ma[...]

  • Page 439

    13. Enter the settings as described in the following table. WARNING: Do not enter an existing route for a VPN tunnel client in the Destination Network and Subnet Mask fields; otherwise, the SSL VPN Wizard fails when you attempt t[...]

  • Page 440

    Note: For more information about client IP address ranges and route settings, see Configure the SSL VPN Client on page 462. 14. Click the Next button. The SSL VPN Wizard Step 5 of 6 screen displays. If you did not select the Port [...]

  • Page 441

    WARNING: In the upper Local Server IP Address field, do not enter an IP address that is already in use or in the TCP Port Number field do not enter a port number that is already in use; otherwise, the SSL VPN Wizard fails when yo[...]

  • Page 442

    17. Verify the settings. To make changes to the settings: a. Click the Back button to navigate to the screen on which you want to change the settings. b. Change the settings. c. Click the Next button to navigate back to the SSL [...]

  • Page 443

    Your settings are saved. If the VPN firewall accepts the settings, the Policies screen displays with a message Operation succeeded at the top of the screen. If the VPN firewall rejects the settings, review the settings that you e[...]

  • Page 444

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you change[...]

  • Page 445

    9. In the Username field, type the name that you associated with the portal and in the Password / Passcode field, type the password that you associated with the portal. 10. From the Domain menu, select the domain that you associat[...]

  • Page 446

    The following figure shows a portal screen with a Port Forwarding menu option only. A portal screen displays a simple menu that provides the SSL user with the following menu selections: • VPN Tunnel. Provides full network con[...]

  • Page 447

    View SSL VPN Connection and Status Information The following sections provide information about viewing the SSL VPN tunnel connections and log: • View the VPN Firewall SSL VPN Connection Status and Disconnect Active Users ?[...]

  • Page 448

    The SSL VPN Connection Status table lists each active connection with the information that is described in the following table. 7. To disable an active SSL user, in the SSL VPN Connection Status table, click the corresponding Di[...]

  • Page 449

    6. Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays. Manually Set Up or Change an SSL Portal The following sections provide information about manually setting up or changing an SSL portal: •[...]

  • Page 450

    selection. The domain determines both the authentication method and the portal layout that are used. For an SSL portal, you must create authentication domains, user groups, and user accounts as follows: a. Create one or more authe[...]

  • Page 451

    Policies determine access to network resources and addresses for individual users, groups, or everyone. Manage the Portal Layout The following sections provide information about managing the portal layout: • Portal Layouts Ov[...]

  • Page 452

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Lo[...]

  • Page 453

    If you have enabled IPv6, you can see the IPv6 URL by selecting the IPv6 radio button. • Action. The buttons, which allow you to change the portal layout or set it as the default. 7. Under the List of Layouts table, click the A[...]

  • Page 454

    9. Click the Apply button. Your settings are saved. The new portal layout is added to the List of Layouts table. For information about how to display the new portal layout, see Access a Custom SSL VPN Portal on page 443. Change a[...]

  • Page 455

    way around. For this reason, the following procedure describes how to change an IPv4 portal layout only. To change a portal layout: 1. On your computer, launch an Internet browser. 2. In the address field of your browser,[...]

  • Page 456

    corresponding IPv4 portal is removed automatically. For this reason, the following procedure describes the removal of IPv4 portal layouts only. To remove one or more portal layouts: 1. On your computer, launch an Internet [...]

  • Page 457

    SSL VPN Port Forwarding Overview Note: SSL port forwarding does not apply if you configure full VPN tunnel capability for an SSL portal. SSL VPN port forwarding is supported for IPv4 connections only. Port forwarding provide[...]

  • Page 458

    Add a Server and Port Number for SSL Port Forwarding To configure port forwarding, you must define the IP addresses of the internal servers and the port number for TCP applications and services that are available to remot[...]

  • Page 459

    7. In the Add New Application for Port Forwarding section, complete the following fields: • IP Address. The IP address of an internal server or host computer on which a service or application runs to which you want to grant a r[...]

  • Page 460

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not [...]

  • Page 461

    Remove a Server and Port Number Configuration for SSL Port Forwarding The following procedure describes how to remove a server and port number configuration that you no longer need for an SSL port forwarding application [...]

  • Page 462

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not [...]

  • Page 463

    192.168.1.100 are assigned to devices on the local network, start the client address range at 192.168.1.101, or choose an entirely different subnet altogether. • The VPN tunnel client cannot contact a server on the local networ[...]

  • Page 464

    7. In the Client IP Address Range section, enter the settings as described in the following table. 8. Click the Apply button. Setting Description Enable Full Tunnel Support Select this check box to enable full-tunnel support. Ful[...]

  • Page 465

    Your settings are saved. VPN tunnel clients are now able to connect to the VPN firewall and receive a virtual IPv4 address in the client address range. Add an IPv4 Route for VPN Tunnel Clients If the assigned client IPv4 addre[...]

  • Page 466

    7. In the Add Routes for VPN Tunnel Clients section, complete the following fields: • Destination Network. The IPv4 address of the local destination network or subnet that provides access to one or more port forwarding applica[...]

  • Page 467

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admi[...]

  • Page 468

    8. In the Client IP Address Range section, enter the settings as described in the following table. 9. Click the Apply button. Your settings are saved. VPN tunnel clients are now able to connect to the VPN firewall and receive a v[...]

  • Page 469

    7. In the upper right, select the IPv6 radio button. The SSL VPN Client screen displays the IPv6 settings. The following figure shows examples. 8. In the Add Routes for VPN Tunnel Clients section, complete the following fields: ?[...]

  • Page 470

    The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the d[...]

  • Page 471

    resources. But for most organizations, NETGEAR recommends that you use network resources. If your server or network configuration changes, you can perform an update quickly by using network resources instead of individually updati[...]

  • Page 472

    7. In the Add New Resource section, specify the following information: • Resource Name. A descriptive name of the resource for identification and management purposes. • Service. From the Service menu, select the type of serv[...]

  • Page 473

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select VPN > SSL VPN > Resources. The Resources scree[...]

  • Page 474

    10. Click the Apply button. Your settings are saved. The new configuration is added to the Defined Resource Addresses table. Remove One or More SSL Network Resources The following procedure describes how you can remove an SSL[...]

  • Page 475

    The Resources screen displays. 7. In the List of Resources table, select the check box to the left of each network resource that you want to remove or click the Select All button to select all network resources. 8. Click the Dele[...]

  • Page 476

    9. In the Defined Resource Addresses table, click the Delete button to the right of the resource address configuration that you want to remove. The resource address configuration is removed from the Defined Resource Addresses tabl[...]

  • Page 477

    Assuming that no conflicting user or group policies are configured, if a user attempts to access FTP servers at the following addresses, the following actions occur: • 10.0.0.1. The user is blocked by Policy 1. • 10.0.1.5. T[...]

  • Page 478

    7. In the Query section, select a radio button: • Global. View all global policies. • Group. To view group policies: a. Select the Group radio button. b. From the menu, select a user group. • User. To view user policies[...]

  • Page 479

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Lo[...]

  • Page 480

    9. Enter the settings as described in the following table. 10. Click the Apply button. Your settings are saved. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect im[...]

  • Page 481

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admi[...]

  • Page 482

    9. Enter the settings as described in the following table. 10. Click the Apply button. Your settings are saved. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect im[...]

  • Page 483

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you change[...]

  • Page 484

    9. Enter the settings as described in the following table. 10. Click the Apply button. Your settings are saved. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect im[...]

  • Page 485

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Lo[...]

  • Page 486

    9. Enter the settings as described in the following table. 10. Click the Apply button. Your settings are saved. The policy is added to the List of SSL VPN Policies table on the Policies screen. The new policy goes into effect im[...]

  • Page 487

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you change[...]

  • Page 488

    Your settings are saved. The modified policy displays in the List of SSL VPN Policies table on the Policies screen. Remove One or More IPv4 or IPv6 SSL VPN Policies The following procedure describes how to remove an SSL policy[...]

  • Page 489

    The selected policies are removed from the List of SSL VPN Policies table.[...]

  • Page 490

    10. Manage Users, Authentication, and VPN Certificates This chapter describes how to manage users, authentication, and security certificates for IPSec VPN and SSL VPN. The chapter contains the following sections: • VPN Firewall’s Authentication • Configure Authentication Domains, Groups, and User Accounts • Manage Digital Certific[...]

  • Page 491

    VPN Firewall’s Authentication Users are assigned to a group, and a group is assigned to a domain. Therefore, first create any domains, then groups, then user accounts. Note: Do not confuse the authentication groups with the LAN gr[...]

  • Page 492

    Configure Authentication Domains, Groups, and User Accounts The following sections provide information about configuring authentication domains, groups, and user accounts: • Manage Authentication Domains • Manage Authentication[...]

  • Page 493

    • Remove One or More Authentication Domains Authentication Domains Overview An authentication domain specifies the authentication method for users that are assigned to the domain. For SSL connections, the domain also determines th[...]

  • Page 494

    The List of Domains table lists the following information: • Check box. Allows you to select the domain in the table. • Domain Name. The name of the domain. The name of the default domain (geardomain) to which the default SSL-VP[...]

  • Page 495

    Setting Description Domain Name A descriptive (alphanumeric) name of the domain for identification and management purposes. Note: If you leave the Domain Name field blank, the SSL VPN Wizard uses the default domain name geardomain. To[...]

  • Page 496

    9. Click the Apply button. Your settings are saved. The domain is added to the List of Domains table. 10. If you use local authentication, make sure that it is not disabled: In the Local Authentication section of the Domain screen, s[...]

  • Page 497

    The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the defau[...]

  • Page 498

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed th[...]

  • Page 499

    IMPORTANT: When you add a domain, the VPN firewall creates a group with the same name as the new domain automatically. You cannot remove such a group. However, when you remove the domain with which the group is associated, the gr[...]

  • Page 500

    The List of Groups table lists the following information: • Check box. Allows you to select the group in the table. • Name. The name of the group. The name of the default group (geardomain) that is assigned to the default domain[...]

  • Page 501

    Change an Authentication Group For a group that was automatically created when you added an authentication domain, you can modify only the idle time-out settings but not the group name or associated domain. For groups that you create[...]

  • Page 502

    For a group that you created manually, if the group has users assigned to it, you first must assign the users to another group; otherwise, you cannot remove the group (see Change a User Account on page 506). Note: You cannot remove [...]

  • Page 503

    User Accounts Overview When you create a user account, you must assign the user to a user group. When you create a group, you must assign the group to a domain that specifies the authentication method. Therefore, first create any do[...]

  • Page 504

    Add a User Account The following procedure describes how to manually add a user account. To add a user account: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address th[...]

  • Page 505

    • Name. The name of the user. If the user name is appended by an asterisk, the user is a default user that is preconfigured on the VPN firewall and you cannot remove the user. • Group. The group to which the user is assigned. [...]

  • Page 506

    9. Click the Apply button. Your settings are saved. The user is added to the List of Users table. Change a User Account The following procedure describes how to change an existing user account. However, you cannot change the user n[...]

  • Page 507

    The password fields become accessible. 10. Change the password. 11. Click the Apply button. Your settings are saved. The modified user account displays in the List of Users table on the Users screen. Remove One or More User Accou[...]

  • Page 508

    Manage User Login Policies You can restrict the ability of defined users to log in to the VPN firewall’s web management interface. You can also require or prohibit logging in from certain IP addresses or from particular browsers[...]

  • Page 509

    8. Select one or both check boxes: • Disable Login. Prohibits the user from logging in to the VPN firewall. • Deny Login from WAN Interface. Prohibits the user from logging in from the WAN interface. In this case, the user can[...]

  • Page 510

    The Router Status screen displays. 6. Select Users > Users. The Users screen displays. 7. In the List of Users table, to the right of the user for which you want to set login policies, click the corresponding Policies button. The [...]

  • Page 511

    WARNING: If you allow login only from the defined IP addresses, add your own IP address to the Defined Addresses table; otherwise, you are locked out. 13. Click the Add button. The address is added to the Defined Addresses table. 14.[...]

  • Page 512

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Users > Users. The Users screen displays. 7. In the L[...]

  • Page 513

    The Router Status screen displays. 6. Select Users > Users. The Users screen displays. 7. In the List of Users table, to the right of the user for which you want to set login policies, click the corresponding Policies button. The [...]

  • Page 514

    12. Click the Add button. The browser is added to the Defined Browsers table. 13. Repeat Step 11 and Step 12 for any other browsers that you want to add to the Defined Browsers table. Remove One or More Web Browsers for Login Res[...]

  • Page 515

    Change Passwords and Automatic Logout Period For any user, you can change the password and automatic logout period. Only administrators have read/write access and can change these settings. All other users have read-only access. [...]

  • Page 516

    7. In the List of Users table, to the right of the user for which you want to change the settings, click the corresponding Edit button. The Edit Users screen displays. 8. Change the password and logout period settings as described in [...]

  • Page 517

    VPN Certificates Overview The VPN firewall uses digital certificates (also known as X509 certificates) during the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN gateways or clients, or to be a[...]

  • Page 518

    You can view loaded digital certificates, upload a new digital certificate, and generate a certificate signing request (CSR). The VPN firewall typically holds two types of digital certificates: • CA certificates. Each CA issues it[...]

  • Page 519

    4. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 5. If you changed th[...]

  • Page 520

    Remove a CA Certificate The following procedure describes how to remove one or more CA certificates that you no longer need. To remove one or more CA certificates: 1. On your computer, launch an Internet browser. 2. In the ad[...]

  • Page 521

    Generate a Certificate Signing Request and Obtain a Self-Signed Certificate from a CA To use a self-signed certificate, you first must request the digital certificate from a CA and then download and activate the digital certifica[...]

  • Page 522

    7. In the Generate Self Certificate Request section, enter the settings as described in the following table. Setting Description Name A descriptive name of the domain for identification and management purposes. Subject The name that o[...]

  • Page 523

    8. Click the Generate button. A new SCR is created and added to the Self Certificate Requests table. 9. To view the new SCR, in the Self Certificate Requests table, click the View button. The Certificate Request Data screen displays.[...]

  • Page 524

    16. Click the Upload button. The VPN firewall verifies the certificate for validity and purpose. If the VPN firewall approves the certificate, it is added to the Active Self Certificates table. View Self-Signed Certificates The follow[...]

  • Page 525

    Remove One or More Self-Signed Certificates The following procedure describes how to remove one or more self-signed certificates that you no longer need. To remove one or more self-signed certificates: 1. On your computer, l[...]

  • Page 526

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed th[...]

  • Page 527

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed th[...]

  • Page 528

    Remove One or More Certificate Revocation Lists The following procedure describes how to remove one or more Certificate Revocation Lists (CRLs) that you no longer need. To remove one or more CRLs: 1. On your computer, launc[...]

  • Page 529

    Figure 12. Security alert A security alert can be generated for a security certificate for three reasons: • The security certificate was issued by a company you have not chosen to trust. • The date of the security certificate is i[...]

  • Page 530

    11. Optimize Performance and Manage Your System This chapter describes the tools for managing the network traffic to optimize its performance and the system management features of the VPN firewall. The chapter contains the following sections: • Performance Management • System Management[...]

  • Page 531

    Performance Management Performance management consists of controlling the traffic through the VPN firewall so that the necessary traffic gets through if a bottleneck occurs. To prevent bottlenecks from occurring in the first place, yo[...]

  • Page 532

    Features That Reduce Traffic The following sections provide information about features of the VPN firewall that you can change in such a way that the traffic load on the WAN side decreases: • LAN WAN Outbound Rules and DMZ WAN Ou[...]

  • Page 533

    - Address range. The rule applies to a range of addresses. - Groups. The rule applies to a group of computers. (You can configure groups for LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs and Devices table [...]

  • Page 534

    To further narrow down the content filtering, you can configure groups to which the content-filtering rules apply and trusted domains for which the content-filtering rules do not apply. Source MAC Filtering If you want to reduce outg[...]

  • Page 535

    Add LAN WAN Rules on page 225 and Add DMZ WAN Rules on page 235. When you define inbound firewall rules, you can further refine their application according to the following criteria: • Services. You can specify the services or applica[...]

  • Page 536

    Port Triggering Port triggering allows some applications running on a LAN network to be available to external applications that would otherwise be partially blocked by the firewall. Using the port triggering feature requires that you k[...]

  • Page 537

    Use QoS and Bandwidth Assignment to Shift the Traffic Mix By setting the Quality of Service (QoS) priority and assigning bandwidth profiles to firewall rules, you can shift the traffic mix to aim for optimum performance of the VPN fi[...]

  • Page 538

    System Management The following sections provide information about system management: • Set Up Remote Management Access • Use the Command-Line Interface • Use a Simple Network Management Protocol Manager • Manage the Configurati[...]

  • Page 539

    Tip: If you are using a Dynamic DNS service such as TZO, you can identify the WAN IP address of your VPN firewall by running tracert from the Windows Run menu option. Trace the route to your registered FQDN. For example, enter tracert V[...]

  • Page 540

    7. To configure remote management for IPv6, in the upper right, select the IPv6 radio button. The Remote Management screen displays the IPv6 settings. 8. Enter the settings as described in the following table. Setting Description Secure [...]

  • Page 541

    WARNING: If you are remotely connected to the VPN firewall and you select the No radio button to disable secure HTTP management, you and all other SSL VPN users are disconnected when you click the Apply button. 9. Click the Apply button.[...]

  • Page 542

    Use a Simple Network Management Protocol Manager Simple Network Management Protocol (SNMP) lets you monitor and manage the VPN firewall from an SNMP manager. The following sections provide information about using an SNMP manager: • [...]

  • Page 543

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Administration > SNMP. The SNMP screen displays. The foll[...]

  • Page 544

    7. In the Create New SNMP Configuration Entry section, enter the settings as described in the following table. 8. Click the Add button. Your settings are saved and the new SNMP configuration is added to the SNMP Configuration table. Chan[...]

  • Page 545

    To change an SNMP configuration: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewal[...]

  • Page 546

    Remove One or More SNMP Configurations The following procedure describes how to remove one or more SNMP configurations that you no longer need. To remove one or more SNMP configurations: 1. On your computer, launch an Internet br[...]

  • Page 547

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the de[...]

  • Page 548

    • Access Type. Read-write user (RWUSER) or read-only user (ROUSER). By default, the user Admin is an RWUSER and the user guest is an ROUSER. • Security Level. The level of security that indicates whether security is disabled: - NoA[...]

  • Page 549

    9. Click the Apply button. Your settings are saved. If you changed the security level, the new level displays in the SNMPv3 User table on the SNMP screen. Configure the SNMP System Information The following procedure describes how to [...]

  • Page 550

    8. Enter the settings as described in the following table. 9. Click the Apply button. Your settings are saved. Manage the Configuration File The configuration settings of the VPN firewall are stored in a configuration file on the VPN fi[...]

  • Page 551

    Back Up Settings The backup feature saves all VPN firewall settings to a file. Back up your settings periodically and store the backup file in a safe place. Tip: You can use a backup file to export all settings to another VPN firewall th[...]

  • Page 552

    7. Click the Back Up button. A screen displays, showing the file name of the backup file (FVS336GV3.cfg). 8. Follow the directions of your browser to save the file. 9. Open the folder in which you saved the backup file and verify that i[...]

  • Page 553

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Administration > Settings Backup & Upgrade. The Setti[...]

  • Page 554

    Upgrade the Firmware You can install a different version of the VPN firewall firmware. For information about how to view the current version of the firmware that the VPN firewall is running, see Display an Overview of the VPN Firewall[...]

  • Page 555

    10. To the left of the Upgrade button, click the Browse button. 11. Follow the directions of your browser to locate and select the downloaded firmware file. WARNING: After you have started the firmware installation process, do not inte[...]

  • Page 556

    WARNING: When you press the hardware Factory Defaults reset button or use the web management interface to reset the VPN firewall to factory default settings, all custom VPN firewall settings are erased. All firewall rules, VPN policies, [...]

  • Page 557

    2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login scre[...]

  • Page 558

    number of seconds left until the reboot process is complete. The reboot process takes about 160 seconds. (If you can see the unit: The reboot process is complete when the Test LED on the front panel turns off.) Configure Date and Time [...]

  • Page 559

    The bottom of the screen displays the current weekday, date, time, time zone, and year. In the example in the previous figure, the following displays: Current Time: Wednesday, May 28, 2014, 01:03:52 (GMT +0000). 7. Enter the settings [...]

  • Page 560

    8. Click the Apply button. Your settings are saved. Select NTP Mode In all three NTP modes, the VPN firewall functions both as a client and a server. The VPN firewall synchronizes its clock with the specified NTP server or servers and p[...]

  • Page 561

    12. Monitor System Access and Performance This chapter describes the system-monitoring features of the VPN firewall. You can be alerted to important events such as WAN traffic limits reached, login failures, and attacks. You can also view status information about the firewall, WAN ports, LAN ports, active VPN users and tunnels, and [...]

  • Page 562

    Configure and Enable the WAN IPv4 Traffic Meter If your ISP charges by traffic volume over a given period, or if you want to study traffic types over a period, you can activate the traffic meter for IPv4 traffic on a WAN interface. For i[...]

  • Page 563

    7. If you want to configure the settings for the WAN2 interface, click the WAN2 Traffic Meter tab. 8. Enter the settings as described in the following table. Setting Description Enable Traffic Meter In the Do you want to enable Traffic Met[...]

  • Page 564

    9. Click the Apply button. Your settings are saved. Manage the LAN IPv4 Traffic Meter The following sections provide information about managing the LAN IPv4 traffic meter: • Configure and Enable the Traffic Meter for a LAN IPv4 Address [...]

  • Page 565

    Configure and Enable the Traffic Meter for a LAN IPv4 Address Account If your ISP charges by traffic volume over a period and you must charge the costs to individual accounts, or if you want to study the traffic volume that is requested[...]

  • Page 566

    7. Click the Advanced option arrow in the upper right. The IPv4 LAN Advanced screen displays. 8. Click the LAN Traffic Meter tab. The LAN Traffic Meter screen displays. The following figure shows some examples in the LAN Traffic Meter Table[...]

  • Page 567

    10. Enter the settings as described in the following table. 11. Click the Apply button. Setting Description Add LAN Traffic Meter Account LAN IP Address The LAN IP address for the account. Direction From the Direction menu, select the directi[...]

  • Page 568

    Your settings are saved. The new account is added to the LAN Traffic Meter Table on the LAN Traffic Meter screen. View Traffic Meter Statistics for a LAN Account The following procedure describes how to view the traffic meter statisti[...]

  • Page 569

    Change the Traffic Meter for a LAN Account The following procedure describes how to change the traffic meter for an existing LAN IPv4 address account. To change the traffic meter for an existing LAN IPv4 address account: 1. On your com[...]

  • Page 570

    For more information about the settings, see Configure and Enable the Traffic Meter for a LAN IPv4 Address Account on page 565. 11. Click the Apply button. Your settings are saved. The modified account displays in the LAN Traffic Meter Tab[...]

  • Page 571

    Manage Logging, Alerts, and Event Notifications The following sections provide information about managing logging, alerts, and event notifications: • Logging, Alert, and Event Notification • Configure and Activate Logs • Enable and Schedu[...]

  • Page 572

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs &[...]

  • Page 573

    8. Click the Apply button. Your settings are saved. Enable and Schedule Emailing of Logs Although you can view the logs onscreen, the VPN firewall provides the convenience of emailing the logs to a specific email address. To enable and sc[...]

  • Page 574

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the dom[...]

  • Page 575

    8. Click the Apply button. Your settings are saved. Enable the Syslogs If you have a syslog server, you can enable the syslog of the VPN firewall. For information about sending syslogs from one site to another over a gateway-to-gateway VPN t[...]

  • Page 576

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the defa[...]

  • Page 577

    8. Click the Apply button. Your settings are saved. View the Routing Logs, System Logs, and Other Event Logs You can view the routing logs, system logs, and other event logs onscreen. You can manually send the logs to an email address and[...]

  • Page 578

    6. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen displays. 7. Click the View Log option arrow in the upper right. The View Log screen displays the logs. 8. To send the logs to the email address that [...]

  • Page 579

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs &[...]

  • Page 580

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Rou[...]

  • Page 581

    4. At Site 2, set up a VPN tunnel between Gateway 2 and Gateway 1 at Site 1 (see Configure the VPN Tunnel on Gateway 2 at Site 2 on page 583). 5. At Site 2, change the local IP address in the VPN policy on Gateway 2 to the WAN IP address of G[...]

  • Page 582

    The Router Status screen displays. 6. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays. 7. Configure a gateway-to-gateway VPN tunnel using the following information: • Connection name. Any name of your choice • Pr[...]

  • Page 583

    7. In the General section, clear the Enable NetBIOS check box. 8. In the Traffic Selector section, make the following changes: • From the Remote IP menu, select Single. • In the Start IP field, type 10.0.0.2. This IP address is the WAN I[...]

  • Page 584

    8. Click the Apply button. Your settings are saved. Change the Remote IP Address in the VPN Policy on Gateway 2 at Site 2 The following procedure describes how to change the local IP address in the VPN policy on Gateway 2 at Site 2 to th[...]

  • Page 585

    On the Gateway at Site 2, Specify the Syslog Server on Site 1 The following procedure describes how to specify that Gateway 2 at Site 2 must send the syslogs to the syslog server that is connected to Gateway 1 at Site 1. To specify th[...]

  • Page 586

    • View the VPN Connection Status, L2TP Users, and PPTP Users • View the VPN Logs • View the Port Triggering Status • View the WAN Port Status and Terminate or Establish the Internet Connection • Display Internet Traffic by Type o[...]

  • Page 587

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Rou[...]

  • Page 588

    View the Traffic Statistics for the Interfaces and Change the Polling Interval The following procedure describes how to view the traffic statistics for the interfaces of the VPN firewall and change the polling interval. To view the [...]

  • Page 589

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the dom[...]

  • Page 590

    Wait for the counter to stop. b. In the Poll Interval field, enter a new value in seconds. c. Click the Set interval button. View Detailed Status Information About the VPN Firewall The following procedure describes how to view detailed sta[...]

  • Page 591

    The following table explains the fields of the Detailed Status screen. Item Description LAN Port Configuration The following fields are shown for each of the LAN ports. VLAN Profile The name of the VLAN profile that you assigned to the LAN port[...]

  • Page 592

    VLAN ID The VLAN ID that you assigned to the LAN port (see Manage VLAN Profiles on page 121). If the default VLAN profile is used, the VLAN ID is 1, which means that all tagged and untagged traffic can pass on the LAN port. MAC Address The MAC [...]

  • Page 593

    WAN Configuration WAN Mode The WAN mode can be Single Port, Load Balancing, or Auto Rollover. For information about configuring the WAN mode, see Manage the IPv4 WAN Routing Mode on page 30. WAN State The WAN state can be either UP or DO[...]

  • Page 594

    View the VLAN Status You can view information about the VLANs that are enabled. Disabled VLANs are not displayed. For information about enabling and disabling VLANs, see Assign VLAN Profiles on page 117. To view the status of the IPv4 [...]

  • Page 595

    If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Monitoring > Router Status > VLAN Status. The VLAN Status sc[...]

  • Page 596

    3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default [...]

  • Page 597

    View the VPN Logs The following sections provide information about viewing the IPSec VPN and SSL VPN logs: • View the VPN Firewall IPSec VPN Log on page 367 • View the VPN Firewall SSL VPN Log on page 448 View the Port Triggering Status[...]

  • Page 598

    The Port Triggering Status screen displays the information that is described in the following table. View the WAN Port Status and Terminate or Establish the Internet Connection You can view the status of the IPv4 and IPv6 WAN connecti[...]

  • Page 599

    4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Rou[...]

  • Page 600

    8. To terminate an active connection, click the Disconnect button. 9. To establish a connection, click the Connect button. View the Status of an IPv6 WAN Port and Terminate or Establish the Connection If a WAN port is active, you can termi[...]

  • Page 601

    6. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup screen displays the IPv4 settings. 7. In the upper right, select the IPv6 radio button. The WAN Setup screen displays the IPv6 settings: 8. Click the Status bu[...]

  • Page 602

    9. To terminate an active connection, click the Disconnect button. 10. To establish a connection, click the Connect button. Display Internet Traffic by Type of Traffic If you enabled the WAN traffic meter for an interface (see Configure[...]

  • Page 603

    The incoming and outgoing volume of traffic for each protocol and the total volume of traffic are displayed. Traffic counters are updated in MBs; the counter starts only when traffic passed is at least 1 MB. In addition, the pop-up screen disp[...]

  • Page 604

    The Router Status screen displays. 6. Select Network Configuration > LAN Settings > LAN Groups. The LAN Groups screen displays. The following figure shows some examples in the Known PCs and Devices table. The Known PCs and Devices table [...]

  • Page 605

    View the DHCP Log The following procedure describes how to view and clear the DHCP log. Note: For information about how to change the DHCP settings, see Manage VLAN Profiles on page 121. To view the most recent entries in the DHCP log or c[...]

  • Page 606

    8. To view the most recent entries, click the Refresh Log button. The information onscreen is updated. 9. To remove all existing log entries, click the Clear Log button. All log entries are removed.[...]

  • Page 607

    13. Diagnostics and Troubleshooting This chapter provides troubleshooting tips and information for the VPN firewall. After each problem description, instructions are provided to help you diagnose and solve the problem. For the common problems listed, go to the section indicated. The chapter contains the following sections: • Use the Dia[...]

  • Page 608

    Use the Diagnostics Utilities The following sections provide information about using the diagnostic utilities: • Diagnostic Utility • Send a Ping Packet • Trace a Route • Look Up a DNS Address • Display the Routing Tables • Capture Packet[...]

  • Page 609

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or we[...]

  • Page 610

    9. Select either a gateway or a VPN policy: • Clear the Ping through VPN tunnel? check box and select a gateway from the Select Local Gateway menu. The Select VPN Policy menu is masked out. • Select the Ping through VPN tunnel? check box and select [...]

  • Page 611

    7. To trace the route to an IPv6 location instead of an IPv4 location, in the upper right, select the IPv6 radio button. The Diagnostics screen displays the IPv6 settings. Except for the Domain Name field, which is the IP Address / Domain Name field on[...]

  • Page 612

    Look Up a DNS Address A Domain Name Server (DNS) converts the Internet name (for example, www.netgear.com) to an IP address. If you need the IP address of a web, FTP, mail, or other server on the Internet, request a DNS lookup to find the IP address[...]

  • Page 613

    To display the routing table: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default [...]

  • Page 614

    For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or we[...]

  • Page 615

    Reboot the VPN Firewall Remotely You can perform a remote reboot, for example, when the VPN firewall seems to have become unstable or is not operating normally. For information about scheduling the VPN firewall to reboot, see Schedule the VPN Fire[...]

  • Page 616

    To schedule the VPN firewall to reboot: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factor[...]

  • Page 617

    If a port’s left LED lights, a link is established to the connected device. The port’s right LED indicates the connection speed: • If the port is connected to a 1000 Mbps device, the right LED lights green. • If the port is connected to a 100 Mb[...]

  • Page 618

    cannot reach a DHCP server. These autogenerated addresses are in the range of 169.254.x.x. If your IP address is in this range, check the connection from the computer to the VPN firewall and reboot your computer. • If your VPN firewall’s IP addres[...]

  • Page 619

    • If the computer is configured correctly but still not working, ensure that the VPN firewall is connected and turned on. Connect to the web management interface and check the VPN firewall’s settings. If you cannot connect to the VPN firewall, see T[...]

  • Page 620

    The WAN Setup screen for IPv4 displays. 7. To check the WAN IPv6 address instead of the WAN IPv4 address, in the upper right, select the IPv6 radio button. The WAN Setup screen for IPv6 displays. 8. Click the Status button that corresponds to the W[...]

  • Page 621

    • If your ISP allows only one Ethernet MAC address to connect to the Internet and checks for your computer’s MAC address, do one of the following: - Inform your ISP that you have a new network device and ask them to use the VPN firewall’s MAC add[...]

  • Page 622

    - Windows Server 2003 R2, all versions - Linux and other UNIX-based systems with a correctly configured kernel - Mac OS X • Make sure that IPv6 is enabled on the computer. On a computer that runs a Windows-based operating system, do the following (no[...]

  • Page 623

    c. Click or double-click View status of this connection. The Local Area Connection Status screen displays. d. Make sure that Internet access shows for the IPv6 connection. The previous figure shows that there is no Internet access. e. Click the Details[...]

  • Page 624

    f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with fe80. Troubleshoot a TCP/IP N[...]

  • Page 625

    - Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your computer or workstation. - Verify that the IP address for your VPN firewall and your workstation are correct and that the addresses are on th[...]

  • Page 626

    correctly. If you have just completed configuring the VPN firewall, wait at least five minutes, and check the date and time again. • Time is off by one hour. Cause: The VPN firewall does not automatically detect daylight saving time. To config[...]

  • Page 627

    The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default passw[...]

  • Page 628

    A. Network Planning for Multiple WAN Ports This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections: • What to Consider Before You Begin • Overview of the Planning Process • Planning for Inbound Traffic • Planning for [...]

  • Page 629

    What to Consider Before You Begin The following sections provide information about planning and requirements: • Planning Overview • Cabling and Computer Hardware Requirements • Computer Network Configuration Requirements • Internet [...]

  • Page 630

    • If your ISP charges by the volume of data traffic each month, consider enabling the VPN firewall’s traffic meter to monitor or limit your traffic. Figure 13. Planning for route diversity b. Contact a Dynamic DNS service and register FQDN[...]

  • Page 631

    Internet Configuration Requirements Depending on how your ISP sets up your Internet accounts, you need the following Internet configuration information to connect the VPN firewall to the Internet: • Host and domain names • One or more ISP lo[...]

  • Page 632

    WAN 1 gateway IP address: ______.______.______.______ WAN 1 subnet mask: ______.______.______.______ WAN 2 fixed or static Internet IP address: ______.______.______.______ WAN 2 gateway IP address: ______.______.______.______ WAN 2 subnet [...]

  • Page 633

    You can configure two WAN ports on a mutually exclusive basis to do either of the following: • Auto-rollover for increased reliability • Load balance for outgoing traffic These various types of traffic and auto-rollover or load balancing,[...]

  • Page 634

    Figure 15. Dual WAN ports in load balancing mode Planning for Inbound Traffic Incoming traffic from the Internet is normally discarded by the VPN firewall unless the traffic is a response to one of your local computers or a service for whi[...]

  • Page 635

    Inbound Traffic to a Single WAN Port System The Internet IP address of the VPN firewall’s WAN port must be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled.[...]

  • Page 636

    Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. To maintain better control of WAN port traffic, consider making one of the WAN port Internet addresses public and keeping the other one private. Figure 18[...]

  • Page 637

    For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations. • Dual WAN po[...]

  • Page 638

    VPN Telecommuter - Client-to-Gateway The following situations exemplify the requirements for a remote computer client with no firewall to establish a VPN tunnel with a gateway VPN firewall: • Single-gateway WAN port • Redundant dual-gat[...]

  • Page 639

    The IP addresses of the WAN ports can be either fixed or dynamic, but you always must use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance). After a rol[...]

  • Page 640

    VPN Gateway-to-Gateway The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall: • Single-gateway WAN ports • Redundant dual-gateway WAN ports for increa[...]

  • Page 641

    Figure 26. Gateway-to-gateway example in a dual WAN port configuration before auto-rollover The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you must always use an FQDN because the active WAN ports could be eithe[...]

  • Page 642

    Figure 28. Gateway-to-gateway example in a dual WAN port configuration with load balancing The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed,[...]

  • Page 643

    Figure 29. Telecommuter example in a single WAN port configuration with NAT The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, you must use an FQDN. If the IP address is fixed, an FQDN is op[...]

  • Page 644

    Figure 31. Telecommuter example in a dual WAN port configuration with NAT after auto-rollover The purpose of the FQDN is to toggle the domain name of the gateway between the IP addresses of the active WAN port (that is, WAN1 and WAN2) so t[...]

  • Page 645

    B. System Logs and Error Messages This appendix provides examples and explanations of system logs and error messages. When applicable, a recommended action is provided. This appendix contains the following sections: • Log Message Terms • System Log Messages • Routing Logs • Other Event Logs • DHCP Logs[...]

  • Page 646

    Log Message Terms This appendix uses the following log message terms. System Log Messages The following sections provide information about system log messages: • NTP • Login and Logout • System Startup • Reboot • Firewall Restart • IPSe[...]

  • Page 647

    These sections describe log messages that belong to one of the following categories: • Logs generated by traffic that is meant for the VPN firewall. • Logs generated by traffic that is routed or forwarded through the VPN firewall. • Logs generated[...]

  • Page 648

    System Startup This section describes the log message generated during system startup. Reboot This section describes the log message generated during system reboot. Firewall Restart This section describes logs that are generated when the VPN firewa[...]

  • Page 649

    IPSec Restart This section describes logs that are generated when IPSec restarts. Unicast, Multicast, and Broadcast Logs ICMP Redirect Logs Table 19. System logs: IPSec restart Message Jan 23 16:20:44 [FVS336Gv3] [wand] [IPSEC] IPSEC Restarted Ex[...]

  • Page 650

    Multicast and Broadcast Logs WAN Status This section describes the logs generated by the WAN component. If you have several ISP links for Internet connectivity, you can configure the VPN firewall either in auto-rollover or load balancing mode. • L[...]

  • Page 651

    becomes active only until the primary link comes back up. The VPN firewall monitors the status of the primary link using the configured WAN failure detection method. This section describes the logs generated when the WAN mode is set to auto-rollover.[...]

  • Page 652

    PPP Logs This section describes the WAN PPP connection logs. The PPP type can be configured from the web management interface (see Manually Configure a PPPoE IPv4 Internet Connection on page 39). • PPPoE idle time-out logs Table 25. System logs: WA[...]

  • Page 653

    • PPTP idle time-out logs • PPP authentication logs Table 26. System logs: WAN status, PPTP idle time-out Message Nov 29 11:19:02 [FVS336Gv3] [pppd] Starting connection Nov 29 11:19:05 [FVS336Gv3] [pppd] CHAP authentication succeeded Nov 29 11:[...]

  • Page 654

    Resolved DNS Names This section describes the logs of DNS name resolution messages. VPN Log Messages This section explains logs that are generated by IPSec VPN and SSL VPN policies. These logs are generated automatically and do not need to be enabled.[...]

  • Page 655

    Table 29. System logs: IPSec VPN tunnel, tunnel establishment Messages 1 through 5 Messages 6 and 7 Messages 8 through 19 Messages 20 and 21 2000 Jan 1 04:01:39 [FVS336Gv3] [wand] [IPSEC] IPSEC Restarted 2000 Jan 1 04:02:09 [FVS336Gv3] [wand] [FW] Fire[...]

  • Page 656

    Recommended action None Table 30. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel is reestablished Message 1 Messages 2 through 6 Message 7 Messages 8 through 11 2000 Jan 1 04:32:25 [FVS336Gv3] [IKE] Sen[...]

  • Page 657

    Table 31. System logs: IPSec VPN tunnel, SA lifetime (150 sec in phase 1; 300 sec in phase 2), VPN tunnel not reestablished Message 2000 Jan 1 04:52:33 [FVS336Gv3] [IKE] Using IPSec SA configuration: 192.168.11.0/24<->192.168.10.0/24_ 2000 Jan 1[...]

  • Page 658

    Table 33. System logs: IPSec VPN tunnel, Dead Peer Detection and keep-alive (default 30 sec), VPN tunnel torn down Message 1 Message 2 Message 3 2000 Jan 1 06:01:18 [FVS336Gv3] [VPNKA] Keep alive to peer 192.168.10.2 failed 3 consecutive times and 5 ti[...]

  • Page 659

    SSL VPN Logs This section describes the log messages that are generated by SSL VPN policies. Table 35. System logs: IPSec VPN tunnel, client policy behind a NAT device Message 3 Message 6 2000 Jan 1 01:54:21 [FVS336Gv3] [IKE] Floating ports for NAT [...]

  • Page 660

    Traffic Meter Logs Routing Logs The following sections provide information about routing log messages: • LAN to WAN Logs • LAN to DMZ Logs • DMZ to WAN Logs • WAN to LAN Logs • DMZ to LAN Logs • WAN to DMZ Logs These sections explain the[...]

  • Page 661

    LAN to WAN Logs LAN to DMZ Logs DMZ to WAN Logs WAN to LAN Logs Table 40. Routing logs: LAN to WAN Message Nov 29 09:19:43 [FVS336Gv3] [kernel] LAN2WAN[ACCEPT] IN=LAN OUT=WAN SRC=192.168.10.10 DST=72.14.207.99 PROTO=ICMP TYPE=8 CODE=0 Explan[...]

  • Page 662

    DMZ to LAN Logs WAN to DMZ Logs Other Event Logs The following sections provide information about other event messages: • Session Limit Logs • Source MAC Filter Logs • Bandwidth Limit Logs These sections describe the log messages generated by[...]

  • Page 663

    Source MAC Filter Logs Bandwidth Limit Logs Table 47. Other event logs: source MAC filter logs Message 2000 Jan 1 06:40:10 [FVS336Gv3] [kernel] SRC_MAC_MATCH[DROP] SRC MAC = 00:12:3f:34:41:14 IN=LAN OUT=WAN SRC=192.168.11.3 DST=209.85.153.103 PRO[...]

  • Page 664

    DHCP Logs This section explains the log messages that are generated when a host is assigned a dynamic IP address. These messages are displayed on the DHCP Log screen (see View the DHCP Log on page 605). Table 50. DHCP logs Message 1 Message 2 Message 3[...]

  • Page 665

    C. Two-Factor Authentication This appendix provides an overview of two-factor authentication and an example of how to implement the WiKID solution. The appendix contains the following sections: • Why Do I Need Two-Factor Authentication? • NETGEAR Two-Factor Authentication Solutions[...]

  • Page 666

    Why Do I Need Two-Factor Authentication? This section includes the following topics: • What Are the Benefits of Two-Factor Authentication? • What Is Two-Factor Authentication? In today’s market, online identity theft and online fraud continue to b[...]

  • Page 667

    • Something the user is—for example, biometrics such as a fingerprint or retinal print. This appendix focuses on and discusses only the first two factors, something you know and something you have. This security method can be viewed as a two-tiered authen[...]

  • Page 668

    The WiKID authentication server generates the one-time passcode (“something the user has”). The one-time passcode (OTP) is time-synchronized to the authentication server so that you can use the OTP only once and you must use the OTP before the expiration ti[...]

  • Page 669

    6. Enter the OTP as the login password. 7. Click the Login button. You are logged in.[...]

  • Page 670

    D. Default Settings and Technical Specifications This appendix provides the default settings and the physical and technical specifications of the VPN firewall in the following sections: • Factory Default Settings • Physical and Technical Specifications[...]

  • Page 671

    Factory Default Settings For information about restoring the VPN firewall to factory default settings, see Revert to Factory Default Settings on page 555. The following table shows the default configuration settings for the VPN firewal[...]

  • Page 672

    IPv4 LAN, DMZ, and routing settings LAN IPv4 address for the default VLAN 192.168.1.1 LAN IPv4 subnet mask for the default VLAN 255.255.255.0 VLAN 1 membership All ports LAN DHCP server for the default VLAN Enabled LAN DHCP IPv4 starting [...]

  • Page 673

    Firewall and security settings Inbound LAN WAN rules (communications coming in from the Internet) All traffic is blocked, except for traffic in response to requests from the LAN. Outbound LAN WAN rules (communications from the LAN to t[...]

  • Page 674

    QoS priorities (for IPv6 firewall rules) Normal-Service Minimize-Cost Maximize-Reliability Maximize-Throughput Minimize-Delay Content filtering Disabled Proxy server blocking Disabled Java applets blocking Disabled ActiveX controls blocki[...]

  • Page 675

    VPN IPsec Wizard: IKE policy settings for IPv4 gateway-to-client tunnels Exchange mode Aggressive ID type FQDN Local WAN ID remote.com Remote WAN ID local.com Encryption algorithm 3DES Authentication algorithm SHA-1 Authentication metho[...]

  • Page 676

    Physical and Technical Specifications The following table shows the physical and technical specifications for the VPN firewall: Administrative and monitoring settings Secure HTTP management Enabled Telnet management Disabled Traffic me[...]

  • Page 677

    The following table shows the IPSec VPN specifications for the VPN firewall: Environmental specifications Operating temperatures 0º to 45ºC 32º to 113ºF Storage temperatures –20º to 70ºC –4º to 158ºF Operating humidity 90% ma[...]

  • Page 678

    The following table shows the SSL VPN specifications for the VPN firewall: Table 54. VPN firewall SSL VPN specifications Setting Specification Network management Web-based configuration and status monitoring Number of concurrent users s[...]

  • Page 679

    679 Index Numerics 10BASE-T, 100BASE-T, and 1000BASE-T speeds 69 3322.org 63–65 6to4 tunnels configuring globally 101 DMZ, configuring for 196 LAN, configuring for 179 A AAA (authentication, authorization, and accounting) 395 AC input 21 access, remote management 538 account name, PPTP and PPPoE 45 action buttons (web managem[...]

  • Page 680

    configuring 56–58 described 49 IPv6 configuring 110 described 110 VPN IPSec 336, 342, 346, 351 autosensing port speed 69 B backing up configuration file 551 bandwidth allocation, WAN traffic 74–77 bandwidth capacity 531 bandwidth limits, logging dropped packets 573 bandwi[...]

  • Page 681

    configuration settings 671–676 DMZ port IPv4 address and subnet mask 143 IPv6 address and prefix length 188, 200 settings 141, 185 domain, users 493 DPD settings 418 factory 21, 555 failure detection settings IPv4 59 IPv6 113 firewall rules 212 group, users 498 idle time-[...]

  • Page 682

    proxy, VLANs 120, 124 queries, auto-rollover 56 server IP addresses SSL VPN settings 439 server IPv4 addresses broadband settings 42, 47 DMZ settings 144 LAN/VLAN settings 124 SSL VPN settings 464 server IPv6 addresses broadband settings 96, 100 DMZ settings 189, 201 LAN s[...]

  • Page 683

    front panel LEDs 19 ports 18 FTP access, allowing from DMZ (rule example) 266 full tunnel, SSL VPN 463 fully qualified domain names. See FQDNs. G gateway, ISP IPv4 address 38 IPv6 address 96 global addresses, IPv6 104 global IPv6 tunnels DMZ, configuring for 196 LAN, configur[...]

  • Page 684

    IP precedence, QoS 298 IP/MAC bindings 316–326 IPSec hosts, XAUTH 392–394 IPSec VPN Wizard client-to-gateway tunnels, setting up 349 default settings 338 described 17 gateway-to-gateway tunnels, setting up 340, 344 IPSec VPN. See VPN tunnels. IPv4 addresses autogener [...]

  • Page 685

    IPv6 tunnel status and addresses, viewing 107 IPv6 tunnels configuring globally 101–108 DMZ, configuring for 196 LAN, configuring for 179 ISAKMP identifier 371, 375, 403 ISATAP (Intra-Site Automatic Tunnel Addressing Protocol) tunnels configuring globally 103 DMZ, co[...]

  • Page 686

    login time-out changing 515 default 26 looking up DNS address 612 M MAC addresses blocked or permitted, adding 315 configuring 70 defaults, LAN and WAN ports 592–594 format 71, 316 IP bindings 316–326 spoofing 621 VLANs, unique 127 main navigation menu (web managemen[...]

  • Page 687

    NT domain 492 NTP (Network Time Protocol) modes and servers, settings 560 troubleshooting 625 O one-time passcode (OTP) 666–668 online documentation 626 online games, DMZ port 141, 185 option arrows (web management interface) 23 Oray.net 63–65 order of precedence, [...]

  • Page 688

    customized services 283 port triggering 327 SSL VPN port forwarding 441, 457 port ranges port triggering 329 SSL VPN policies 482, 484, 486 SSL VPN resources 474 port speed 69 port triggering configuring 327–332 increasing traffic 536 status monitoring 331, 597 port VLAN[...]

  • Page 689

    R rack-mounting kit 22 RADIUS CHAP and PAP domain authentication 436, 495 MSCHAP(v2), domain authentication 436, 495 RADIUS authentication CHAP and PAP domain authentication 495 XAUTH 377, 392–394, 404 described 491 RADIUS servers configuring 395–397 edge devices 394 RAD[...]

  • Page 690

    shared bandwidth allocation, WAN traffic 77 shutting down 615 signature key length 522 SIIT (Stateless IP/ICMP Translation) 108 Simple Network Management Protocol (SNMP) configuring 542–550 described 17 single WAN port mode bandwidth capacity 531 IPv4, described 49 IPv6,[...]

  • Page 691

    technical support 2, 613 telecommuter (client-to-gateway) 638 Telnet and RTelnet, restricting access (rule example) 262 Telnet management 541 temperatures, operating and storage 677 Test LED 19, 617 testing, Internet connectivity 84, 114 time settings configuring 559 [...]

  • Page 692

    versions SNMP 544 videoconferencing DMZ port 141, 185 from restricted address (rule example) 257 violations, IP/MAC binding 319, 323 virtual LAN. See VLANs. Virtual Private Network Consortium (VPNC) 17, 338 virtual private network. See VPN tunnels. VLANs advantages 116 d[...]

  • Page 693

    classical routing (IPv4), configuring 31 connection speed 73 connection status IPv4, viewing 35, 39, 43, 47, 599 IPv6, viewing 93, 96, 100, 601 connection type and state, viewing 593 default port MAC addresses 594 default settings 671 DHCPv6 client, prefix delegation 90,[...]