Netgear FVS318N Owner's manual

Netgear FVS318N Owner's manual
ProSafe Wireless-N 8-Port
Gigabit VPN Firewall
FVS318N
Reference M anua l
350 East Plumeria Drive
San Jose, CA 95134
USA
March 16, 2012
202-10836-02
v1.0
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
© 2011–2012 NETGEAR, Inc. All rights reserved.
No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated
into any language in any form or by any means without the written permission of NETGEAR, Inc.
Technical Support
Thank you for choosing NETGEAR. To register your product, get the latest product updates, get support online, or
for more information about the topics covered in this manual, visit the Support website at
http://support.netgear.com.
Phone (US & Canada only): 1-888-NETGEAR
Phone (Other Countries): Check the list of phone numbers at
http://support.netgear.com/app/answers/detail/a_id/984.
Trademarks
NETGEAR, the NETGEAR logo, and Connect with Innovation are trademarks and/or registered trademarks of
NETGEAR, Inc. and/or its subsidiaries in the United States and/or other countries. Information is subject to change
without notice. Other brand and product names are registered trademarks or trademarks of their respective
holders. © 2012 NETGEAR, Inc. All rights reserved.
Statement of Conditions
To improve internal design, operational function, and/or reliability, NETGEAR reserves the right to make changes
to the products described in this document without notice. NETGEAR does not assume any liability that may occur
due to the use, or application of, the product(s) or circuit layout(s) described herein.
Revision History
Publication
Part Number
Version
202-10836-02 1.0
Publish Date
Comments
March 16, 2012
Added the following menus and features:
• New and improved general menu structure with IPv4 and IPv6
radio buttons
• New LAN IPv6 configuration menu with the LAN Setup (IPv6)
screen (see Manage the IPv6 LAN) and a new screen, the LAN
Multi-homing (IPv6) screen (see Configure IPv6 Multihome LAN
IP Addresses on the Default VLAN)
• IPv6 DMZ (Enable and Configure the DMZ Port for IPv4 and
IPv6 Traffic)
• IPv6 firewall rules (see Configure LAN WAN Rules, Configure
DMZ WAN Rules, Configure LAN DMZ Rules, and Examples of
Firewall Rules)
• IPv6 attack checks (see Attack Checks)
• IPv6/MAC bindings (see Set Up IP/MAC Bindings)
• Simplified wireless settings submenus for easier configuration
(see Chapter 4, Wireless Configuration and Security)
• IPSec VPN IPv6 address support (see Chapter 6, Virtual Private
Networking Using IPSec and L2TP Connections)
• IPSec VPN autoinitiate support (see Manually Add or Edit a
VPN Policy)
• SSL VPN IPv6 address support (see Chapter 7, Virtual Private
Networking Using SSL Connections)
2
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
(continued)
• User login restrictions based on IPv6 addresses (see Configure
Login Restrictions Based on IPv6 Addresses)
• IPv6 remote management access (see Configure Remote
Management Access)
• IPv6 time zone (see Configure Date and Time Service)
• IPv6 diagnostics (see Diagnostics Utilities)
• Extensive list of factory default settings (see Appendix A,
Default Settings and Technical Specifications)
202-10836-01 1.0
September 2011 First publication
3
Contents
Chapter 1 Introduction
What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N? . 10
Key Features and Capabilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Wireless Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11
Advanced VPN Support for Both IPSec and SSL. . . . . . . . . . . . . . . . . . 11
A Powerful, True Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Security Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Autosensing Ethernet Connections with Auto Uplink . . . . . . . . . . . . . . . 13
Extensive Protocol Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Easy Installation and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Maintenance and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Package Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Hardware Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Front Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
Rear Panel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Bottom Panel with Product Label . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Choose a Location for the Wireless VPN Firewall . . . . . . . . . . . . . . . . . . . 19
Log In to the Wireless VPN Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Web Management Interface Menu Layout . . . . . . . . . . . . . . . . . . . . . . . 22
Requirements for Entering IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . 24
Chapter 2 Internet and Broadband Settings
Internet and WAN Configuration Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Tasks to Set Up an IPv4 Internet Connection to Your ISP . . . . . . . . . . . 25
Tasks to Set Up an IPv6 Internet Connection to Your ISP . . . . . . . . . . . 26
Configure the IPv4 Internet Connection and WAN Settings . . . . . . . . . . . . 26
Configure the IPv4 WAN Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
Let the Wireless VPN Firewall Automatically Detect and
Configure an IPv4 Internet Connection . . . . . . . . . . . . . . . . . . . . . . . . . 28
Manually Configure an IPv4 Internet Connection . . . . . . . . . . . . . . . . . . 31
Configure the IPv6 Internet Connection and WAN Settings . . . . . . . . . . . . 35
Configure the IPv6 Routing Mode . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36
Use a DHCPv6 Server to Configure an IPv6 Internet Connection . . . . . 37
Configure a Static IPv6 Internet Connection . . . . . . . . . . . . . . . . . . . . . 39
Configure 6to4 Automatic Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Configure ISATAP Automatic Tunnelling . . . . . . . . . . . . . . . . . . . . . . . . 42
View the Tunnel Status and IPv6 Addresses . . . . . . . . . . . . . . . . . . . . . 45
Configure Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Configure Advanced WAN Options and Other Tasks. . . . . . . . . . . . . . . . . 47
4
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Additional WAN-Related Configuration Tasks . . . . . . . . . . . . . . . . . . . . 50
Verify the Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
What to Do Next . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter 3 LAN Configuration
Manage IPv4 Virtual LANs and DHCP Options . . . . . . . . . . . . . . . . . . . . . 51
Port-Based VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Assign and Manage VLAN Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 53
VLAN DHCP Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Configure a VLAN Profile . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Configure VLAN MAC Addresses and LAN Advanced Settings. . . . . . . 61
Configure IPv4 Multihome LAN IP Addresses on the Default VLAN . . . . . 62
Manage IPv4 Groups and Hosts (IPv4 LAN Groups) . . . . . . . . . . . . . . . . . 64
Manage the Network Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Change Group Names in the Network Database . . . . . . . . . . . . . . . . . . 68
Set Up DHCP Address Reservation . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Manage the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
DHCPv6 Server Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Configure the IPv6 LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 72
Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the LAN . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
Configure IPv6 Multihome LAN IP Addresses on the Default VLAN . . . . . 81
Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic. . . . . . . . . . 82
DMZ Port for IPv4 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 83
DMZ Port for IPv6 Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the DMZ. . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Manage Static IPv4 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configure Static IPv4 Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 95
Configure the Routing Information Protocol . . . . . . . . . . . . . . . . . . . . . . 97
IPv4 Static Route Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Manage Static IPv6 Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
Chapter 4 Wireless Configuration and Security
Overview of the Wireless Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
Wireless Equipment Placement and Range Guidelines . . . . . . . . . . . . 104
Configure the Basic Radio Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105
Operating Frequency (Channel) Guidelines . . . . . . . . . . . . . . . . . . . . . 107
Wireless Data Security Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 107
Wireless Security Profiles. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 109
Before You Change the SSID, WEP, and WPA Settings . . . . . . . . . . . 110
Configure and Enable Wireless Profiles . . . . . . . . . . . . . . . . . . . . . . . . 112
Restrict Wireless Access by MAC Address . . . . . . . . . . . . . . . . . . . . . 117
View the Status of a Wireless Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 119
Configure Wi-Fi Protected Setup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
Configure Advanced Radio Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122
Test Basic Wireless Connectivity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
5
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Chapter 5 Firewall Protection
About Firewall Protection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125
Administrator Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
Overview of Rules to Block or Allow Specific Kinds of Traffic . . . . . . . . . 126
Outbound Rules (Service Blocking) . . . . . . . . . . . . . . . . . . . . . . . . . . . 127
Inbound Rules (Port Forwarding) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 130
Order of Precedence for Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134
Configure LAN WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
Create LAN WAN Outbound Service Rules . . . . . . . . . . . . . . . . . . . . . 137
Create LAN WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . . 139
Configure DMZ WAN Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
Create DMZ WAN Outbound Service Rules. . . . . . . . . . . . . . . . . . . . . 145
Create DMZ WAN Inbound Service Rules . . . . . . . . . . . . . . . . . . . . . . 147
Configure LAN DMZ Rules. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
Create LAN DMZ Outbound Service Rules . . . . . . . . . . . . . . . . . . . . . 152
Create LAN DMZ Inbound Service Rules. . . . . . . . . . . . . . . . . . . . . . . 153
Examples of Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Examples of Inbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . . 155
Examples of Outbound Firewall Rules . . . . . . . . . . . . . . . . . . . . . . . . . 160
Configure Other Firewall Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Attack Checks. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 162
Set Limits for IPv4 Sessions. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
Manage the Application Level Gateway for SIP Sessions . . . . . . . . . . 167
Services, Bandwidth Profiles, and QoS Profiles. . . . . . . . . . . . . . . . . . . . 168
Add Customized Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
Create Bandwidth Profiles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
Preconfigured Quality of Service Profiles . . . . . . . . . . . . . . . . . . . . . . . 173
Configure Content Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174
Set a Schedule to Block or Allow Specific Traffic. . . . . . . . . . . . . . . . . . . 178
Enable Source MAC Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 179
Set Up IP/MAC Bindings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
Configure Port Triggering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 185
Configure Universal Plug and Play. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 187
Chapter 6 Virtual Private Networking
Using IPSec and L2TP Connections
Use the IPSec VPN Wizard for Client and Gateway Configurations . . . . 189
Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard. . . 190
Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard. . . 194
Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard . . . . . 198
Test the Connection and View Connection and Status Information . . . . . 213
Test the NETGEAR VPN Client Connection . . . . . . . . . . . . . . . . . . . . 213
NETGEAR VPN Client Status and Log Information . . . . . . . . . . . . . . . 215
View the Wireless VPN Firewall IPSec VPN Connection Status . . . . . 215
View the Wireless VPN Firewall IPSec VPN Log . . . . . . . . . . . . . . . . . 216
Manage IPSec VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
Manage IKE Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 217
6
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Manage VPN Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
Configure Extended Authentication (XAUTH) . . . . . . . . . . . . . . . . . . . . . 233
Configure XAUTH for VPN Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . . 234
User Database Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
RADIUS Client and Server Configuration . . . . . . . . . . . . . . . . . . . . . . . 235
Assign IPv4 Addresses to Remote Users (Mode Config). . . . . . . . . . . . . 237
Mode Config Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
Configure Mode Config Operation on the Wireless VPN Firewall . . . . 238
Configure the ProSafe VPN Client for Mode Config Operation . . . . . . 245
Test the Mode Config Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . . 252
Modify or Delete a Mode Config Record. . . . . . . . . . . . . . . . . . . . . . . . 253
Configure Keep-Alives and Dead Peer Detection . . . . . . . . . . . . . . . . . . 253
Configure Keep-Alives . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 254
Configure Dead Peer Detection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 255
Configure NetBIOS Bridging with IPSec VPN . . . . . . . . . . . . . . . . . . . . . 256
Configure the L2TP Server. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 257
View the Active L2TP Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 259
Chapter 7 Virtual Private Networking
Using SSL Connections
SSL VPN Portal Options. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 260
Overview of the SSL Configuration Process . . . . . . . . . . . . . . . . . . . . . . 261
Create the Portal Layout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 262
Configure Domains, Groups, and Users. . . . . . . . . . . . . . . . . . . . . . . . . . 266
Configure Applications for Port Forwarding . . . . . . . . . . . . . . . . . . . . . . . 267
Add Servers and Port Numbers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 267
Add a New Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 268
Configure the SSL VPN Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 269
Add Routes for VPN Tunnel Clients . . . . . . . . . . . . . . . . . . . . . . . . . . . 272
Use Network Resource Objects to Simplify Policies . . . . . . . . . . . . . . . . 273
Add New Network Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 273
Edit Network Resources to Specify Addresses . . . . . . . . . . . . . . . . . . 274
Configure User, Group, and Global Policies. . . . . . . . . . . . . . . . . . . . . . . 276
View Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 277
Add an IPv4 or IPv6 SSL VPN Policy . . . . . . . . . . . . . . . . . . . . . . . . . . 278
Access the New SSL Portal Login Screen . . . . . . . . . . . . . . . . . . . . . . . . 282
View the SSL VPN Connection Status . . . . . . . . . . . . . . . . . . . . . . . . . 285
View the SSL VPN Log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 285
Chapter 8 Manage Users, Authentication, and VPN Certificates
The Wireless VPN Firewall’s Authentication Process and Options . . . . . 287
Configure Authentication Domains, Groups, and Users. . . . . . . . . . . . . . 289
Configure Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 289
Configure Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 293
Configure User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 296
Set User Login Policies. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 299
Change Passwords and Other User Settings . . . . . . . . . . . . . . . . . . . . 304
7
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Manage Digital Certificates for VPN Connections . . . . . . . . . . . . . . . . . . 306
VPN Certificates Screen. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307
Manage VPN CA Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 308
Manage VPN Self-Signed Certificates . . . . . . . . . . . . . . . . . . . . . . . . . 309
Manage the VPN Certificate Revocation List . . . . . . . . . . . . . . . . . . . . 313
Chapter 9 Network and System Management
Performance Management. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Bandwidth Capacity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Features That Reduce Traffic. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 314
Features That Increase Traffic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 317
Use QoS and Bandwidth Assignment to Shift the Traffic Mix. . . . . . . . 319
Monitoring Tools for Traffic Management. . . . . . . . . . . . . . . . . . . . . . . 320
System Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 320
Change Passwords and Administrator and Guest Settings . . . . . . . . . 320
Configure Remote Management Access . . . . . . . . . . . . . . . . . . . . . . . 322
Use a Simple Network Management Protocol Manager. . . . . . . . . . . . 326
Manage the Configuration File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 329
Configure Date and Time Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . 333
Chapter 10
Monitor System Access and Performance
Enable the WAN Traffic Meter . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 335
Configure Logging, Alerts, and Event Notifications . . . . . . . . . . . . . . . . . 338
How to Send Syslogs over a VPN Tunnel between Sites . . . . . . . . . . 342
View Status Screens . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
View the System Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 345
View the VPN Connection Status and L2TP Users . . . . . . . . . . . . . . . 353
View the VPN Logs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 354
View the Port Triggering Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 355
View the WAN Port Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 356
View the Attached Devices and the DHCP Log . . . . . . . . . . . . . . . . . . 359
View the Status of a Wireless Profile . . . . . . . . . . . . . . . . . . . . . . . . . . 361
Diagnostics Utilities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 362
Send a Ping Packet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Trace a Route. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Look Up a DNS Address . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 364
Display the Routing Tables. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Capture Packets in Real Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 365
Reboot the Wireless VPN Firewall Remotely . . . . . . . . . . . . . . . . . . . . 366
Chapter 11
Troubleshooting
Basic Functioning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Power LED Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
Test LED Never Turns Off . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 368
LAN or WAN Port LEDs Not On . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 369
Troubleshoot the Web Management Interface . . . . . . . . . . . . . . . . . . . . . 369
8
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
When You Enter a URL or IP Address, a Time-Out Error Occurs . . . . . . 370
Troubleshoot the ISP Connection. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 370
Troubleshooting the IPv6 Connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 372
Troubleshoot a TCP/IP Network Using a Ping Utility . . . . . . . . . . . . . . . . 375
Test the LAN Path to Your Wireless VPN Firewall . . . . . . . . . . . . . . . . 375
Test the Path from Your Computer to a Remote Device . . . . . . . . . . . 376
Restore the Default Configuration and Password . . . . . . . . . . . . . . . . . . 376
Address Problems with Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . 377
Access the Knowledge Base and Documentation . . . . . . . . . . . . . . . . . . 378
Appendix A Default Settings and Technical Specifications
Factory Default Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 379
Physical and Technical Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . 385
Appendix B Two-Factor Authentication
Why Do I Need Two-Factor Authentication? . . . . . . . . . . . . . . . . . . . . . . 389
What Are the Benefits of Two-Factor Authentication? . . . . . . . . . . . . . 389
What Is Two-Factor Authentication?. . . . . . . . . . . . . . . . . . . . . . . . . . . 390
NETGEAR Two-Factor Authentication Solutions . . . . . . . . . . . . . . . . . . . 390
Appendix C Notification of Compliance (Wired)
Appendix D Notification of Compliance (Wireless)
Index
9
1.
Introduction
1
This chapter provides an overview of the features and capabilities of the ProSafe Wireless-N
8-Port Gigabit VPN Firewall FVS318N and explains how to log in to the device and use its web
management interface. This chapter contains the following sections:
•
What Is the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N?
•
Key Features and Capabilities
•
Package Contents
•
Hardware Features
•
Choose a Location for the Wireless VPN Firewall
•
Log In to the Wireless VPN Firewall
Note: For more information about the topics covered in this manual, visit
the FVS318N support website at http://support.netgear.com.
What Is the ProSafe Wireless-N 8-Port Gigabit VPN
Firewall FVS318N?
The ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N, hereafter referred to as the
wireless VPN firewall, connects your local area network (LAN) and wireless LAN (WLAN) to
the Internet through an external broadband access device such as a cable or DSL modem,
satellite or wireless Internet dish, or another router. A 2.4-GHz radio supports wireless
connections in 802.11n mode with support for legacy clients in 802.11b and 802.11g mode.
The wireless VPN firewall routes both IPv4 and IPv6 traffic. A powerful, flexible firewall
protects your IPv4 and IPv6 networks from denial of service (DoS) attacks, unwanted traffic,
and traffic with objectionable content. IPv6 traffic is supported through 6to4 and Intra-Site
Automatic Tunnel Addressing Protocol (ISATAP) tunnels.
The wireless VPN firewall provides advanced IPSec and SSL VPN technologies with support
for up to 12 IPSec VPN tunnels and 5 SSL VPN tunnels, as well as L2TP support for easy
and secure remote connections. The use of Gigabit Ethernet WAN and LAN ports ensures
high data transfer speeds.
10
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Key Features and Capabilities
The wireless VPN firewall provides the following key features and capabilities:
•
A single 10/100/1000 Mbps Gigabit Ethernet WAN port
•
Built-in eight-port 10/100/1000 Mbps Gigabit Ethernet LAN switch for extremely fast data
transfer between local network resources
•
A wireless radio with up to four wireless profiles
•
Both IPv4 and IPv6 support
•
Advanced IPSec VPN and SSL VPN support
•
L2TP tunnel support
•
Advanced stateful packet inspection (SPI) firewall with multi-NAT support
•
SNMP manageable
•
Front panel LEDs for easy monitoring of status and activity
•
Flash memory for firmware upgrade
•
Internal universal switching power supply
Wireless Features
The wireless VPN firewall supports the following features:
•
2.4 GHz radio. 2.4-GHz band support with 802.11b/g/n wireless modes.
•
Wireless profiles. Support for up to four wireless profiles, each with its own SSID.
•
Access control. The Media Access Control (MAC) address filtering feature can ensure
that only trusted wireless stations can use the wireless VPN firewall to gain access to
your LAN.
•
Hidden mode. The SSID is not broadcast, assuring that only clients configured with the
correct SSID can connect.
•
Secure and economical operation. Adjustable power output allows more secure or
economical operation.
Advanced VPN Support for Both IPSec and SSL
The wireless VPN firewall supports IPSec and SSL virtual private network (VPN)
connections:
•
IPSec VPN delivers full network access between a central office and branch offices, or
between a central office and telecommuters. Remote access by telecommuters requires
the installation of VPN client software on the remote computer.
-
IPSec VPN with broad protocol support for secure connection to other IPSec
gateways and clients.
-
Up to 12 simultaneous IPSec VPN connections.
-
Bundled with a 30-day trial license for the ProSafe VPN Client software (VPN01L).
Introduction
11
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
SSL VPN provides remote access for mobile users to selected corporate resources
without requiring a preinstalled VPN client on their computers.
-
Uses the familiar Secure Sockets Layer (SSL) protocol, commonly used for
e-commerce transactions, to provide client-free access with customizable user portals
and support for a wide variety of user repositories.
-
Up to five simultaneous SSL VPN connections.
-
Allows browser-based, platform-independent remote access through a number of
popular browsers, such as Microsoft Internet Explorer, Mozilla Firefox, and Apple
Safari.
-
Provides granular access to corporate resources based on user type or group
membership.
A Powerful, True Firewall
Unlike simple NAT routers, the wireless VPN firewall is a true firewall, using stateful packet
inspection (SPI) to defend against hacker attacks. Its firewall features have the following
capabilities:
•
DoS protection. Automatically detects and thwarts denial of service (DoS) attacks such
as Ping of Death and SYN flood.
•
Secure firewall. Blocks unwanted traffic from the Internet to your LAN.
•
Schedule policies. Permits scheduling of firewall policies by day and time.
•
Logs security incidents. Logs security events such as logins and secure logins. You can
configure the firewall to email the log to you at specified intervals.
Security Features
The wireless VPN firewall is equipped with several features designed to maintain security:
•
Computers hidden by NAT. NAT opens a temporary path to the Internet for requests
originating from the local network. Requests originating from outside the LAN are
discarded, preventing users outside the LAN from finding and directly accessing the
computers on the LAN.
•
Port forwarding with NAT. Although NAT prevents Internet locations from directly
accessing the computers on the LAN, the wireless VPN firewall allows you to direct
incoming traffic to specific computers based on the service port number of the incoming
request.
•
DMZ port. Incoming traffic from the Internet is usually discarded by the wireless VPN
firewall unless the traffic is a response to one of your local computers or a service for
which you have configured an inbound rule. Instead of discarding this traffic, you can use
the dedicated demilitarized zone (DMZ) port to forward the traffic to one computer on your
network.
Introduction
12
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Autosensing Ethernet Connections with Auto Uplink
With its internal eight-port 10/100/1000 Mbps switch and 10/100/1000 WAN port, the wireless
VPN firewall can connect to either a 10 Mbps standard Ethernet network, a 100 Mbps Fast
Ethernet network, or a 1000 Mbps Gigabit Ethernet network. The LAN and WAN interfaces
are autosensing and capable of full-duplex or half-duplex operation.
The wireless VPN firewall incorporates Auto UplinkTM technology. Each Ethernet port
automatically senses whether the Ethernet cable plugged into the port should have a normal
connection such as to a computer or an uplink connection such as to a switch or hub. That
port then configures itself correctly. This feature eliminates the need for you to think about
crossover cables, as Auto Uplink accommodates either type of cable to make the right
connection.
Extensive Protocol Support
The wireless VPN firewall supports the Transmission Control Protocol/Internet Protocol
(TCP/IP) and Routing Information Protocol (RIP). The wireless VPN firewall provides the
following protocol support:
•
IP address sharing by NAT. The wireless VPN firewall allows many networked
computers to share an Internet account using only a single IP address, which might be
statically or dynamically assigned by your Internet service provider (ISP). This technique,
known as Network Address Translation (NAT), allows the use of an inexpensive
single-user ISP account.
•
Automatic configuration of attached computers by DHCP. The wireless VPN firewall
dynamically assigns network configuration information, including IP, gateway, and
Domain Name Server (DNS) addresses, to attached computers on the LAN using the
Dynamic Host Configuration Protocol (DHCP). This feature greatly simplifies
configuration of computers on your local network.
•
DNS proxy. When DHCP is enabled and no DNS addresses are specified, the firewall
provides its own address as a DNS server to the attached computers. The firewall obtains
actual DNS addresses from the ISP during connection setup and forwards DNS requests
from the LAN.
•
PPP over Ethernet (PPPoE). PPPoE is a protocol for connecting remote hosts to the
Internet over a DSL connection by simulating a dial-up connection.
•
Quality of Service (QoS). The wireless VPN firewall supports QoS.
•
Layer 2 Tunneling Protocol (L2TP). A tunneling protocol that is used to support virtual
private networks (VPNs).
Introduction
13
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Easy Installation and Management
You can install, configure, and operate the wireless VPN firewall within minutes after
connecting it to the network. The following features simplify installation and management
tasks:
•
Browser-based management. Browser-based configuration allows you to easily
configure the wireless VPN firewall from almost any type of operating system, such as
Windows, Macintosh, or Linux. Online help documentation is built into the browser-based
web management interface.
•
Auto-detection of ISP. The wireless VPN firewall automatically senses the type of
Internet connection, asking you only for the information required for your type of ISP
account.
•
IPSec VPN Wizard. The wireless VPN firewall includes the NETGEAR IPSec VPN
Wizard so you can easily configure IPSec VPN tunnels according to the
recommendations of the Virtual Private Network Consortium (VPNC). This ensures that
the IPSec VPN tunnels are interoperable with other VPNC-compliant VPN routers and
clients.
•
SNMP. The wireless VPN firewall supports the Simple Network Management Protocol
(SNMP) to let you monitor and manage log resources from an SNMP-compliant system
manager. The SNMP system configuration lets you change the system variables for
MIB2.
•
Diagnostic functions. The wireless VPN firewall incorporates built-in diagnostic
functions such as ping, traceroute, DNS lookup, and remote reboot.
•
Remote management. The wireless VPN firewall allows you to log in to the web
management interface from a remote location on the Internet. For security, you can limit
remote management access to a specified remote IP address or range of addresses.
•
Visual monitoring. The wireless VPN firewall’s front panel LEDs provide an easy way to
monitor its status and activity.
Maintenance and Support
NETGEAR offers the following features to help you maximize your use of the wireless VPN
firewall:
•
Flash memory for firmware upgrades.
•
Technical support seven days a week, 24 hours a day. Information about support is
available on the NETGEAR website at
http://support.netgear.com/app/answers/detail/a_id/212.
Introduction
14
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Package Contents
The wireless VPN firewall product package contains the following items:
•
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
One 12V 1A power supply unit for your region
•
Rubber feet
•
Ethernet cable
•
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N Installation Guide
•
Resource CD, including:
-
Application Notes and other helpful information
-
30-day trial license for the ProSafe VPN Client software (VPN01L)
If any of the parts are incorrect, missing, or damaged, contact your NETGEAR dealer. Keep
the carton, including the original packing materials, in case you need to return the product for
repair.
Hardware Features
The front panel ports and LEDs, rear panel ports, and bottom label of the wireless VPN
firewall are described in the following sections.
Front Panel
Viewed from left to right, the wireless VPN firewall front panel contains the following ports:
•
LAN Ethernet ports. Eight switched N-way automatic speed negotiating, Auto MDI/MDIX,
Gigabit Ethernet ports with RJ-45 connectors.
•
WAN Ethernet port. One independent N-way automatic speed negotiating, Auto
MDI/MDIX, Gigabit Ethernet port with an RJ-45 connector.
The front panel also contains three groups of status indicator light-emitting diodes (LEDs),
including Power and Test LEDs, LAN LEDs, and WAN LEDs, all of which are explained in
detail in the following table. Some LED explanation is provided on the front panel.
Introduction
15
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Power
LED
Left WAN LED
(green)
Left LAN LEDs
(green, one for each port)
Wireless LED
Right WAN LED
Right LAN LEDs
(one for each port)
DMZ LED
Test LED
Active WAN LED
Figure 1.
The following table describes the function of each LED.
Table 1. LED descriptions
LED
Activity
Description
Power LED
On (green)
Power is supplied to the wireless VPN firewall.
Off
Power is not supplied to the wireless VPN firewall.
Test LED
On (amber) during Test mode. The wireless VPN firewall is initializing. After approximately 2
startup.
minutes, when the wireless VPN firewall has completed its initialization, the
Test LED goes off.
On (amber) during The initialization has failed, or a hardware failure has occurred.
any other time
Blinking (amber)
The wireless VPN firewall is writing to flash memory (during upgrading or
resetting to defaults).
Off
The wireless VPN firewall has booted successfully.
Introduction
16
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 1. LED descriptions (continued)
LED
Activity
Description
Off
The LAN port has no link.
On (green)
The LAN port has detected a link with a connected Ethernet device.
Blinking (green)
Data is being transmitted or received by the LAN port.
Off
The LAN port is operating at 10 Mbps.
On (amber)
The LAN port is operating at 100 Mbps.
On (green)
The LAN port is operating at 1000 Mbps.
Off
Port 8 is operating as a normal LAN port.
On (green)
Port 8 is operating as a dedicated hardware DMZ port.
Off
The WAN port has no physical link, that is, no Ethernet cable is plugged into
the wireless VPN firewall.
On (green)
The WAN port has a valid connection with a device that provides an Internet
connection.
Blinking (green)
Data is being transmitted or received by the WAN port.
Off
The WAN port is operating at 10 Mbps.
On (amber)
The WAN port is operating at 100 Mbps.
On (green)
The WAN port is operating at 1000 Mbps.
Off
There is no link to the Internet.
On (green)
There is a link to the Internet.
LAN Ports
Left LED
Right LED
DMZ LED
WAN Port
Left LED
Right LED
Active LED
Introduction
17
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Rear Panel
The rear panel of the wireless VPN firewall includes the antennas, a cable lock receptacle, a
console port, a Reset button, a DC power connection, and a power switch.
Antennas
(1) and (7)
(6) Power
switch
(2) Security lock
receptacle
(4) Factory default
Reset button
(5) DC power
receptacle
(3) Console port
Figure 2.
Viewed from left to right, the rear panel contains the following components:
1. Dipole antenna.
2. Cable security lock receptacle.
3. Console port. Port for connecting to an optional console terminal. The port has a DB9 male
connector. The default baud rate is 9600 K. The pinouts are (2) Tx, (3) Rx, (5) and (7) Gnd.
4. Factory default Reset button. Using a sharp object, press and hold this button for about
8 seconds until the front panel Test LED flashes to reset the wireless VPN firewall to factory
default settings. All configuration settings are lost, and the default password is restored.
5. DC power plug receptacle. Power input is 12VDC, 1A. The power plug is localized to the
country of sale.
6. Power On/Off switch.
7. Dipole antenna.
Introduction
18
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Bottom Panel with Product Label
The product label on the bottom of the wireless VPN firewall’s enclosure displays factory
defaults settings, regulatory compliance, and other information.
Figure 3.
Choose a Location for the Wireless VPN Firewall
The wireless VPN firewall is suitable for use in an office environment where it can be
freestanding (on its runner feet) or mounted into a standard 19-inch equipment rack.
Alternatively, you can rack-mount the wireless VPN firewall in a wiring closet or equipment
room.
Consider the following when deciding where to position the wireless VPN firewall:
•
The unit is accessible, and cables can be connected easily.
•
Cabling is away from sources of electrical noise. These include lift shafts, microwave
ovens, and air-conditioning units.
•
Water or moisture cannot enter the case of the unit.
•
Airflow around the unit and through the vents in the side of the case is not restricted.
Provide a minimum of 25 mm or 1 inch clearance.
•
The air is as free of dust as possible.
•
Temperature operating limits are not likely to be exceeded. Install the unit in a clean,
air-conditioned environment. For information about the recommended operating
temperatures for the wireless VPN firewall, see Appendix A, Default Settings and
Technical Specifications.
Introduction
19
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Log In to the Wireless VPN Firewall
Note: To connect the wireless VPN firewall physically to your network,
connect the cables and restart your network according to the
instructions in the Installation Guide. See the ProSafe Wireless-N
8-Port Gigabit VPN Firewall FVS318N Installation Guide for
complete steps. A PDF of the Installation Guide is on the NETGEAR
support website at
http://support.netgear.com/app/products/model/a_id/19435.
To configure the wireless VPN firewall, you need to use a web browser such as Microsoft
Internet Explorer 7.0 or later, Mozilla Firefox 4.0 or later, or Apple Safari 3.0 or later with
JavaScript, cookies, and SSL enabled. (Google Chrome is not supported at this time.)
Although these web browsers are qualified for use with the wireless VPN firewall’s web
management interface, SSL VPN users should choose a browser that supports JavaScript,
Java, cookies, SSL, and ActiveX to take advantage of the full suite of applications. Note that
Java is required only for the SSL VPN portal, not for the web management interface.

To log in to the wireless VPN firewall:
1. Start any of the qualified web browsers.
2. In the address field, enter https://192.168.1.1. The NETGEAR Configuration Manager Login
screen displays in the browser.
Note: The wireless VPN firewall factory default IP address is 192.168.1.1.
If you change the IP address, you need to use the IP address that
you assigned to the wireless VPN firewall to log in to the wireless
VPN firewall.
Introduction
20
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 4.
3. In the User Name field, type admin. Use lowercase letters.
4. In the Password / Passcode field, type password. Here, too, use lowercase letters.
Note: The wireless VPN firewall user name and password are not the
same as any user name or password you might use to log in to your
Internet connection.
Note: Leave the domain as it is (geardomain).
5. Click Login. The web management interface displays, showing the Router Status screen.
The following figure shows the top part of the Router Status screen. For more information,
see View the System Status on page 345.
Note: After 5 minutes of inactivity (the default login time-out), you are
automatically logged out.
Introduction
21
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 5.
Web Management Interface Menu Layout
The following figure shows the menu at the top the web management interface:
3rd level: Submenu tab (blue)
2nd level: Configuration menu link (gray)
1st level: Main navigation menu link (orange)
IP radio buttons
Option arrows: Additional screen for submenu item
Figure 6.
The web management interface menu consists of the following components:
•
1st level: Main navigation menu links. The main navigation menu in the orange bar
across the top of the web management interface provides access to all the configuration
functions of the wireless VPN firewall, and remains constant. When you select a main
navigation menu link, the letters are displayed in white against an orange background.
Introduction
22
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
2nd level: Configuration menu links. The configuration menu links in the gray bar
(immediately below the main navigation menu bar) change according to the main
navigation menu link that you select. When you select a configuration menu link, the
letters are displayed in white against a gray background.
•
3rd level: Submenu tabs. Each configuration menu item has one or more submenu tabs
that are listed below the gray menu bar. When you select a submenu tab, the text is
displayed in white against a blue background.
•
Option arrows. If there are additional screens for the submenu item, links to the screens
display on the right side in blue letters against a white background, preceded by a white
arrow in a blue circle.
•
IP radio buttons. The IPv4 and IPv6 radio buttons let you select the IP version for the
feature to be configured onscreen. There are four options:
-
Both buttons are operational.
You can configure the feature onscreen
for IPv4 functionality or for IPv6 functionality. After you have correctly configured the
feature for both IP versions, the feature can function with both IP versions
simultaneously.
-
The IPv4 button is operational but the IPv6 button is disabled.
can configure the feature onscreen for IPv4 functionality only.
You
-
The IPv6 button is operational but the IPv4 button is disabled.
can configure the feature onscreen for IPv6 functionality only.
You
-
Both buttons are disabled.
IP functionality is not applicable.
The bottom of each screen provides action buttons. The nature of the screen determines
which action buttons are shown. The following figure shows an example:
Figure 7.
Any of the following action buttons might display onscreen (this list might not be complete):
•
Apply. Save and apply the configuration.
•
Reset. Reset the configuration to the previously saved configuration.
•
Test. Test the configuration before you decide whether or not to save and apply the
configuration.
•
Auto Detect. Enable the wireless VPN firewall to detect the configuration automatically
and suggest values for the configuration.
•
Cancel. Cancel the operation.
When a screen includes a table, table buttons display to let you configure the table entries.
The nature of the screen determines which table buttons are shown. The following figure
shows an example:
Figure 8.
Introduction
23
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Any of the following table buttons might display onscreen:
•
Select All. Select all entries in the table.
•
Delete. Delete the selected entry or entries from the table.
•
Enable. Enable the selected entry or entries in the table.
•
Disable. Disable the selected entry or entries in the table.
•
Add. Add an entry to the table.
•
Edit. Edit the selected entry.
•
Up. Move the selected entry up in the table.
•
Down. Move the selected entry down in the table.
•
Apply. Apply the selected entry.
Almost all screens and sections of screens have an accompanying help screen. To open the
help screen, click the
(question mark) icon.
Requirements for Entering IP Addresses
To connect to the wireless VPN firewall, your computer needs to be configured to obtain an IP
address automatically from the wireless VPN firewall, either an IPv4 address through DHCP
or an IPv6 address through DHCPv6, or both.
IPv4
The fourth octet of an IP address needs to be between 1 and 254 (both inclusive). This
requirement applies to any IP address that you enter on a screen of the web management
interface.
IPv6
IPv6 addresses are denoted by eight groups of hexadecimal quartets that are separated by
colons. Any four-digit group of zeroes within an IPv6 address can be reduced to a single zero
or altogether omitted.
The following errors invalidate an IPv6 address:
•
More than eight groups of hexadecimal quartets
•
More than four hexadecimal characters in a quartet
•
More than two colons in a row
Introduction
24
2.
Internet and Broadband Settings
2
This chapter explains how to configure the Internet and WAN settings. This chapter contains the
following sections:
•
Internet and WAN Configuration Tasks
•
Configure the IPv4 Internet Connection and WAN Settings
•
Configure the IPv6 Internet Connection and WAN Settings
•
Configure Dynamic DNS
•
Configure Advanced WAN Options and Other Tasks
•
What to Do Next
Internet and WAN Configuration Tasks
The tasks that are required to complete the Internet connection of your wireless VPN firewall
depend on whether you use an IPv4 connection or an IPv6 connection to your Internet
service provider (ISP).
Note: The wireless VPN firewall supports simultaneous IPv4 and IPv6
connections.
Tasks to Set Up an IPv4 Internet Connection to Your ISP

Complete these four tasks:
1. Configure the IPv4 WAN mode. Select either NAT or classical routing: see Configure
the IPv4 WAN Mode on page 26.
2. Configure the IPv4 Internet connection to your ISP. Connect to your ISP: see Let the
Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet Connection on
page 28 or Manually Configure an IPv4 Internet Connection on page 31. You can also
program the WAN traffic meter if you wish: see Enable the WAN Traffic Meter on page 335.
3. Configure Dynamic DNS on the WAN port (optional). If required, configure your fully
qualified domain names: see Configure Dynamic DNS on page 45.
25
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Configure the WAN options (optional). If required, change the factory default MTU size,
port speed, and MAC address of the wireless VPN firewall: see Configure Advanced WAN
Options and Other Tasks on page 47. These are advanced features, and you usually do not
need to change them.
Each of these four tasks is detailed separately in this chapter.
Tasks to Set Up an IPv6 Internet Connection to Your ISP

Complete these four tasks:
1. Configure the IPv6 WAN mode. Select the IPv4 / IPv6 mode to support both IPv4 and
IPv6 traffic: see Configure the IPv6 Routing Mode on page 36.
2. Configure the IPv6 Internet connection to your ISP. Connect to your ISP: see Use a
DHCPv6 Server to Configure an IPv6 Internet Connection on page 37 or Configure a Static
IPv6 Internet Connection on page 39. You can also program the WAN traffic meter if you
wish: see Enable the WAN Traffic Meter on page 335.
3. Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISATAP tunnels: see
Configure 6to4 Automatic Tunneling on page 41 and Configure ISATAP Automatic
Tunnelling on page 42.
4. Configure the WAN options (optional). If required, change the factory default MTU size,
port speed, and MAC address of the wireless VPN firewall: see Configure Advanced WAN
Options and Other Tasks on page 47. These are advanced features, and you usually do not
need to change them.
Each of these four tasks is detailed separately in this chapter.
Configure the IPv4 Internet Connection and WAN Settings
To set up your wireless VPN firewall for secure IPv4 Internet connections, you need to
determine the IPv4 WAN mode (see the next section) and then configure the IPv4 Internet
connection to your ISP on the WAN port. The web management interface offers two
connection configuration options, discussed in the following sections:
•
Let the Wireless VPN Firewall Automatically Detect and Configure an IPv4 Internet
Connection on page 28
•
Manually Configure an IPv4 Internet Connection on page 31
Configure the IPv4 WAN Mode
By default, IPv4 is supported and functions in NAT mode but can also function in classical
routing mode. IPv4 functions the same way in IPv4-only mode as it does in IPv4 / IPv6 mode.
The latter mode adds IPv6 functionality (see Configure the IPv6 Routing Mode on page 36).
Internet and Broadband Settings
26
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Network Address Translation
Network Address Translation (NAT) allows all computers on your LAN to share a single public
Internet IP address. From the Internet, there is only a single device (the wireless VPN
firewall) and a single IP address. Computers on your LAN can use any private IP address
range, and these IP addresses are not visible from the Internet.
Note the following about NAT:
•
The wireless VPN firewall uses NAT to select the correct computer (on your LAN) to
receive any incoming data.
•
If you have only a single public Internet IP address, you need to use NAT (the default
setting).
•
If your ISP has provided you with multiple public IP addresses, you can use one address
as the primary shared address for Internet access by your computers, and you can map
incoming traffic on the other public IP addresses to specific computers on your LAN. This
one-to-one inbound mapping is configured using an inbound firewall rule.
Classical Routing
In classical routing mode, the wireless VPN firewall performs routing, but without NAT. To
gain Internet access, each computer on your LAN needs to have a valid static Internet IP
address.
If your ISP has allocated a number of static IP addresses to you, and you have assigned one
of these addresses to each computer, you can choose classical routing. Or, you can use
classical routing for routing private IP addresses within a campus environment.
To view the status of the WAN ports, you can view the Router Status screen (see View the
System Status on page 345).
Configure the IPv4 Routing Mode

To configure the IPv4 routing mode:
1. Select Network Configuration > WAN Settings. The WAN Mode screen displays:
Internet and Broadband Settings
27
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 9.
2. Select the NAT radio button or the Classical Routing radio button.
WARNING:
Changing the WAN mode causes all LAN WAN and DMZ WAN
inbound rules to revert to default settings.
3. Click Apply to save your settings.
Let the Wireless VPN Firewall Automatically Detect and
Configure an IPv4 Internet Connection

To automatically configure the WAN port for an IPv4 connection to the Internet:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings. In the
upper right of the screen, the IPv4 radio button is selected by default. The ISP
Broadband Settings screen displays the IPv4 settings:
Internet and Broadband Settings
28
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 10.
2. Click the Auto Detect button at the bottom of the screen. The autodetect process probes
the WAN port for a range of connection methods and suggests one that your ISP is most
likely to support.
The autodetect process returns one of the following results:
•
If the autodetect process is successful, a status bar at the top of the screen displays
the results (for example, DHCP service detected).
•
If the autodetect process senses a connection method that requires input from you, it
prompts you for the information. The following table explains the settings that you
might have to enter:
Internet and Broadband Settings
29
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 2. IPv4 Internet connection methods
Connection Method Manual Data Input Required
•
DHCP (Dynamic IP)
No manual data input is required.
PPPoE
The following fields are required:
• Login
• Password
• Account Name
• Domain Name
PPTP
The following fields are required:
• Login
• Password
• Account Name
• Domain Name
• My IP Address
• Server IP Address
Fixed (Static) IP
The following fields are required:
• IP Address
• IP Subnet Mask
• Gateway IP Address
• Primary DNS Server
• Secondary DNS Server
If the autodetect process does not find a connection, you are prompted either to
check the physical connection between your wireless VPN firewall and the cable, DSL
line, or satellite or wireless Internet dish, or to check your wireless VPN firewall’s MAC
address. For more information, see Configure Advanced WAN Options and Other
Tasks on page 47 and Troubleshoot the ISP Connection on page 370.
3. To verify the connection, click the Broadband Status option arrow in the upper right of the
screen to display the Connection Status pop-up screen. (The following figure shows a static
IP address configuration.)
Figure 11.
Internet and Broadband Settings
30
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The Connection Status screen should show a valid IP address and gateway, and you are
connected to the Internet. If the configuration was not successful, skip ahead to Manually
Configure an IPv4 Internet Connection on page 31, or see Troubleshoot the ISP
Connection on page 370.
Note: For more information about the Connection Status screen, see View
the WAN Port Status on page 356.
If the automatic WAN ISP configuration is successful, you can skip ahead to Configure the
IPv4 WAN Mode on page 26.
Manually Configure an IPv4 Internet Connection
Unless your ISP automatically assigns your configuration through a DHCP server, you need
to obtain configuration parameters from your ISP to manually establish an Internet
connection. The required parameters for various connection types are listed in Table 2 on
page 30.

To manually configure the IPv4 broadband ISP settings:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings. In the
upper right of the screen, the IPv4 radio button is selected by default. The ISP
Broadband Settings screen displays the IPv4 settings (see Figure 10 on page 29).
2. Locate the ISP Login section on the screen:
Figure 12.
In the ISP Login section, select one of the following options:
•
If your ISP requires an initial login to establish an Internet connection, select Yes.
(The default is No.)
•
If a login is not required, select No, and ignore the Login and Password fields.
3. If you selected Yes, enter the login name in the Login field and the password in the
Password field. This information is provided by your ISP.
4. In the ISP Type section of the screen, select the type of ISP connection that you use from
the two listed options. By default, Austria (PPTP) is selected, as shown in the following
figure:
Internet and Broadband Settings
31
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 13.
5. If your connection is PPTP or PPPoE, your ISP requires an initial login. Enter the settings as
explained in the following table:
Table 3. PPTP and PPPoE settings
Setting
Description
Austria (PPTP)
If your ISP is Austria Telecom or any other ISP that uses PPTP for login, select this
radio button, and enter the following settings:
Account Name
Note: For login
and password
information, see
Step 2 and Step 3.
The account name is also known as the host name or system name.
Enter the valid account name for the PPTP connection (usually your
email ID assigned by your ISP). Some ISPs require you to enter
your full email address here.
Domain Name
Your domain name or workgroup name assigned by your ISP, or
your ISP’s domain name. You can leave this field blank.
Idle Timeout
Select the Keep Connected radio button to keep the connection
always on. To log out after the connection is idle for a period of time,
select the Idle Timeout radio button and, in the Idle TImeout field,
enter the number of minutes to wait before disconnecting. This is
useful if your ISP charges you based on the period that you have
logged in.
My IP Address
The IP address assigned by the ISP to make the connection with the
ISP server.
Server IP
Address
The IP address of the PPTP server.
Internet and Broadband Settings
32
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 3. PPTP and PPPoE settings (continued)
Setting
Description
Other (PPPoE)
If you have installed login software, then your connection type is PPPoE. Select this
radio button, and enter the following settings:
Note: For login
Account Name
and password
information, see
Step 2 and Step 3. Domain Name
The valid account name for the PPPoE connection.
The name of your ISP’s domain or your domain name if your ISP
has assigned one. You can leave this field blank.
Idle Timeout
Select the Keep Connected radio button to keep the connection
always on. To log out after the connection is idle for a period of time,
select the Idle Timeout radio button and, in the Idle TImeout field,
enter the number of minutes to wait before disconnecting. This is
useful if your ISP charges you based on the period that you have
logged in.
Connection
Reset
Select the Connection Reset check box to specify a time when the
PPPoE WAN connection is reset, that is, the connection is
disconnected momentarily and then reestablished. Then, specify the
disconnect time and delay.
Disconnect
Time
Specify the hour and minutes when the connection
should be disconnected.
Delay
Specify the period in seconds after which the
connection should be reestablished.
6. In the Internet (IP) Address section of the screen (see the following figure), configure the IP
address settings as explained in the following table. Click the Current IP Address link to
see the currently assigned IP address.
Internet and Broadband Settings
33
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 4. Internet IP address settings
Setting
Description
Get Dynamically If your ISP has not assigned you a static IP address, select the Get Dynamically from
from ISP
ISP radio button. The ISP automatically assigns an IP address to the wireless VPN
firewall using DHCP network protocol.
Use Static IP
Address
Client Identifier
If your ISP requires the client identifier information to assign an
IP address using DHCP, select the Client Identifier check box.
Vendor Class Identifier
If your ISP requires the vendor class identifier information to
assign an IP address using DHCP, select the Vendor Class
Identifier check box.
If your ISP has assigned you a fixed (static or permanent) IP address, select the Use
Static IP Address radio button, and enter the following settings:
IP Address
The static IP address assigned to you. This address identifies
the wireless VPN firewall to your ISP.
Subnet Mask
The subnet mask is usually provided by your ISP.
Gateway IP Address
The IP address of the ISP’s gateway is usually provided by
your ISP.
7. In the Domain Name Server (DNS) Servers section of the screen (see the following figure),
specify the DNS settings as explained in the following table.
Figure 14.
Table 5. DNS server settings
Setting
Description
Get Automatically
from ISP
If your ISP has not assigned any Domain Name Server (DNS) addresses, select the
Get Automatically from ISP radio button.
Use These DNS
Servers
If your ISP has assigned DNS addresses, select the Use These DNS Servers radio
button. Make sure that you fill in valid DNS server IP addresses in the fields. Incorrect
DNS entries might cause connectivity issues.
Primary DNS Server
The IP address of the primary DNS server.
Secondary DNS Server
The IP address of the secondary DNS server.
Internet and Broadband Settings
34
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
8. Click Test to evaluate your entries. The wireless VPN firewall attempts to make a connection
according to the settings that you entered.
9. Click Apply to save your changes.
10. To verify the connection, click the Broadband Status option arrow in the upper right of the
screen to display the Connection Status pop-up screen. (The following figure shows a
PPPoE configuration; the IP addresses are not related to any other examples in this
manual.)
Figure 15.
Note: If your ISP requires MAC authentication and another MAC address
has been previously registered with your ISP, then you need to enter
that address on the Broadband Advanced Options screen for the
WAN interface (see Configure Advanced WAN Options and Other
Tasks on page 47).
Configure the IPv6 Internet Connection and WAN Settings
The nature of your IPv6 network determines how you need to configure the IPv6 Internet
connection:
•
Native IPv6 network. Your network is a native IPv6 network if the wireless VPN firewall
has an IPv6 address and is connected to an IPv6 ISP and if your network consists of
IPv6-only devices. However, because we are in a IPv4-to-IPv6 transition period, native
IPv6 is not yet very common.
•
Isolated IPv6 network. If your network is an isolated IPv6 network that is not connected
to an IPv6 ISP, you need to make sure that the IPv6 packets can travel over the IPv4
Internet backbone; you do this by enabling automatic 6to4 tunneling (see Configure 6to4
Automatic Tunneling on page 41).
•
Mixed network with IPv4 and IPv6 devices. If your network is an IPv4 network that
consists of both IPv4 and IPv6 devices, you need to make sure that the IPv6 packets can
Internet and Broadband Settings
35
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
travel over the IPv4 intranet; you do this by enabling and configuring ISATAP tunneling
(see Configure ISATAP Automatic Tunnelling on page 42).
Note: A network can be both and isolated IPv6 network and a mixed
network with IPv4 and IPv6 devices.
After you have configured the IPv6 routing mode (see the next section), you need to
configure the WAN port with a global unicast address to enable secure IPv6 Internet
connections on your wireless VPN firewall. A global unicast address is a public and routable
IPv6 WAN address that can be statically or dynamically assigned. The web management
interface offers two connection configuration options:
•
Automatic configuration of the network connection (see Use a DHCPv6 Server to
Configure an IPv6 Internet Connection on page 37)
•
Manual configuration of the network connection (see Configure a Static IPv6 Internet
Connection on page 39)
Configure the IPv6 Routing Mode
By default, the wireless VPN firewall supports IPv4 only. To use IPv6, you need to enable the
wireless VPN firewall to support both devices with IPv4 addresses and devices with IPv6
addresses. The routing mode does not include an IPv6-only option; however, you still can
configure a native IPv6 network if your ISP supports IPv6. These are the options:
•
IPv4-only mode. The wireless VPN firewall communicates only with devices that have
IPv4 addresses.
•
IPv4/IPv6 mode. The wireless VPN firewall communicates with both devices that have
IPv4 addresses and devices that have IPv6 addresses.
Note: IPv6 always functions in classical routing mode between the WAN
interface and the LAN interfaces; NAT does not apply to IPv6.

To configure the IPv6 routing mode:
1. Select Network Configuration > WAN Settings. The WAN Mode screen displays:
Internet and Broadband Settings
36
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 16.
2. Select the IPv4 / IPv6 mode radio button. By default, the IPv4 only mode radio button is
selected, and IPv6 is disabled.
WARNING:
Changing the IP routing mode causes the wireless VPN firewall to
reboot.
3. Click Apply to save your changes.
Use a DHCPv6 Server to Configure an IPv6 Internet
Connection
The wireless VPN firewall can autoconfigure its ISP settings through a DHCPv6 server by
using either stateless or stateful address autoconfiguration:
•
Stateless address autoconfiguration. The wireless VPN firewall generates its own IP
address by using a combination of locally available information and router
advertisements, but receives DNS server information from a DHCPv6 server.
Router advertisements include a prefix that identifies the subnet that is associated with
the WAN port. The IP address is formed by combining this prefix and the MAC address of
the WAN port. The IP address is a dynamic address.
•
Stateful address autoconfiguration. The wireless VPN firewall obtains an interface
address, configuration information such as DNS server information, and other
parameters from a DHCPv6 server. The IP address is a dynamic address.
Internet and Broadband Settings
37
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To automatically configure the WAN port for an IPv6 connection to the Internet:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings.
2. In the upper right of the screen, select the IPv6 radio button. The ISP Broadband Settings
screen displays the IPv6 settings:
Figure 17.
3. In the Internet Address section of the screen, from the IPv6 drop-down list, select DHCPv6.
4. In the DHCPv6 section of the screen, select one of the following radio buttons:
• Stateless Address Auto Configuration.
•
Stateful Address Auto Configuration.
5. As an optional step: If you have selected the Stateless Address Auto Configuration radio
button, you can select the Prefix Delegation check box:
• Prefix delegation check box is selected. A prefix is assigned by the ISP’s stateful
DHCPv6 server through prefix delegation. For example, 2001:db8:: /64. The wireless
VPN firewall’s stateless DHCPv6 server can assign this prefix to its IPv6 LAN clients.
For more information about prefix delegation, see Stateless DHCPv6 Server With
Prefix Delegation on page 71.
•
Prefix delegation check box is cleared. Prefix delegation is disabled. This is the
default setting.
6. Click Apply to save your changes.
Internet and Broadband Settings
38
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
7. To verify the connection, click the Status option arrow in the upper right of the screen to
display the Connection Status pop-up screen. (The following figure shows a dynamic IP
address configuration.)
Figure 18.
The Connection Status screen should show a valid IP address and gateway, and you are
connected to the Internet. If the configuration was not successful, see Troubleshoot the
ISP Connection on page 370.
Note: For more information about the Connection Status screen, see View
the WAN Port Status on page 356.
Configure a Static IPv6 Internet Connection
To configure a static IPv6 Internet connection, you need to enter the IPv6 address information
that you should have received from your ISP.

To configure static IPv6 broadband ISP settings:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings.
2. In the upper right of the screen, select the IPv6 radio button. The ISP Broadband Settings
screen displays the IPv6 settings:
Internet and Broadband Settings
39
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 19.
3. In the Internet Address section of the screen, from the IPv6 drop-down list, select Static
IPv6.
4. In the Static IP Address section of the screen, enter the settings as explained in the following
table. You should have received static IPv6 address information from your IPv6 ISP:
Table 6. Broadband ISP Settings screen settings for IPv6
Setting
Description
IPv6 Address
The IP address that your ISP assigned to you. Enter the address in one of the
following formats (all four examples specify the same IPv6 address):
• 2001:db8:0000:0000:020f:24ff:febf:dbcb
• 2001:db8:0:0:20f:24ff:febf:dbcb
• 2001:db8::20f:24ff:febf:dbcb
• 2001:db8:0:0:20f:24ff:128.141.49.32
IPv6 Prefix Length
The prefix length that your ISP assigned to you, typically 64.
Default IPv6 Gateway
The IPv6 IP address of the ISP’s default IPv6 gateway.
Primary DNS Server
The IPv6 IP address of the ISP’s primary DNS server.
Secondary DNS Server The IPv6 IP address of the ISP’s secondary DNS server.
5. Click Apply to save your changes.
Internet and Broadband Settings
40
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
6. To verify the connection, click the Status option arrow in the upper right of the screen to
display the Connection Status pop-up screen. (The following figure shows a static IP
address configuration; the IP addresses are not related to any other examples in this
manual.)
Figure 20.
The Connection Status screen should show a valid IP address and gateway, and you are
connected to the Internet. If the configuration was not successful, see Troubleshoot the
ISP Connection on page 370.
Note: For more information about the Connection Status screen, see View
the WAN Port Status on page 356.
Note: If your ISP requires MAC authentication and another MAC address
has been previously registered with your ISP, then you need to enter
that address on the Broadband Advanced Options screen for the
corresponding WAN interface (see Configure Advanced WAN
Options and Other Tasks on page 47).
Configure 6to4 Automatic Tunneling
If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you need to
make sure that the IPv6 packets can travel over the IPv4 Internet backbone by enabling
automatic 6to4 tunneling.
6to4 is a WAN tunnel mechanism for automatic tunneling of IPv6 traffic between a device
with an IPv6 address and a device with an IPv4 address, or the other way around. 6to4
tunneling is used to transfer IPv6 traffic between LAN IPv6 hosts and WAN IPv6 networks
over the IPv4 network.
Internet and Broadband Settings
41
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
With 6to4 tunnels, IPv6 packets are embedded within the IPv4 packet and then transported
over the IPv4 network. You do not need to specify remote tunnel endpoints, which are
automatically determined by relay routers on the Internet. You cannot use 6to4 tunnels for
traffic between IPv4-only devices and IPv6-only devices.
Note: If the wireless VPN firewall functions as the endpoint for 6to4
tunnels in your network, make sure that the wireless VPN firewall
has a static IPv4 address (see Manually Configure an IPv4 Internet
Connection on page 31). A dynamic IPv4 address can cause routing
problems on the 6to4 tunnels.
Note: If you do not use a stateful DHCPv6 server in your LAN, you need to
configure the Router Advertisement Daemon (RADVD), and set up
6to4 advertisement prefixes for 6to4 tunneling to function correctly.
For more information, see Manage the IPv6 LAN on page 70.
Typically, 6to4 tunnel addresses start with a 2002 prefix (decimal notification). On the
wireless VPN firewall, a 6to4 tunnel is indicated by sit0-WAN1 (see View the Tunnel Status
and IPv6 Addresses on page 45).

To enable 6to4 automatic tunneling:
1. Select Network Configuration > WAN Settings > 6 to 4 Tunneling.
Figure 21.
2. Select the Enable Automatic Tunneling check box.
3. Click Apply to save your changes.
Configure ISATAP Automatic Tunnelling
If your network is an IPv4 network or IPv6 network that consists of both IPv4 and IPv6
devices, you need to make sure that the IPv6 packets can travel over the IPv4 intranet by
Internet and Broadband Settings
42
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
enabling and configuring Intra-Site Automatic Tunnel Addressing Protocol (ISATAP)
tunneling.
ISATAP is a LAN tunnel mechanism in which the IPv4 network functions as a virtual IPv6
local link. Each IPv4 address is mapped to a link-local IPv6 address, that is, the IPv4 address
is used in the interface portion of the IPv6 address. ISATAP tunneling is used intra-site, that
is, between addresses in the LAN. For more information about link-local addresses, see
Manage the IPv6 LAN on page 70.
Note: If you do not use a stateful DHCPv6 server in your LAN, you need to
configure the Router Advertisement Daemon (RADVD), and set up
ISATAP advertisement prefixes (which are referred to as
Global/Local/ISATAP prefixes) for ISATAP tunneling to function
correctly. For more information, see Manage the IPv6 LAN on
page 70.
The wireless VPN firewall determines the link-local address by concatenating the IPv6
address with the 32 bits of the IPv4 host address:

•
For a unique global address:
fe80:0000:0000:0000:0000:5efe (or fe80::5efe) is concatenated with the IPv4 address.
For example, fe80::5efe with 10.29.33.4 becomes fe80::5efe:10.29.33.4, or in
hexadecimal format, fe80::5efe:a1d:2104.
•
For a private address:
fe80:0000:0000:0000:0200:5efe (or fe80::200:5efe) is concatenated with the IPv4
address. For example, fe80::200:5efe with 192.168.1.1 becomes
fe80::200:5efe:192.168.1.1, or in hexadecimal format, fe80::200:5efe:c0a8:101.
To configure an ISATAP tunnel:
1. Select Network Configuration > WAN Settings > ISATAP Tunnels. The ISATAP
Tunnels screen displays. (The following figure shows some examples.)
Figure 22.
Internet and Broadband Settings
43
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Click the Add table button under the List of Available ISATAP Tunnels table. The Add
ISATAP Tunnel screen displays:
Figure 23.
3. Specify the tunnel settings as explained in the following table.
Table 7. Add ISATAP Tunnel screen settings
Setting
Description
ISATAP Subnet Prefix
The IPv6 prefix for the tunnel.
Local End Point
Address
From the drop-down list, select the type of local address:
• LAN. The local end point address is the address of the default VLAN.
• Other IP. The local end point address is another LAN IP address that you need
to specify in the IPv4 Address fields.
IPv4 Address
If you select Other IP from the Local End Point Address drop-down list, enter the
IPv4 address.
4. Click Apply to save your changes.

To edit an ISATAP tunnel:
1. On the ISATAP Tunnels screen, click the Edit button in the Action column for the tunnel
that you want to modify. The Edit ISATAP Tunnel screen displays. This screen is
identical to the Add ISATAP Tunnel screen.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more tunnels:
1. On the ISATAP Tunnels screen, select the check box to the left of each tunnel that you
want to delete, or click the Select All table button to select all tunnels.
2. Click the Delete table button.
Internet and Broadband Settings
44
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
View the Tunnel Status and IPv6 Addresses
The IPv6 Tunnel Status screen displays the status of all active 6to4 and ISATAP tunnels and
their IPv6 addresses.

To view the status of the tunnels and IPv6 addresses:
Select Monitoring > Router Status > Tunnel Status. The Tunnel Status screen displays:
Figure 24.
The IPv6 Tunnel Status table shows the following fields:
•
Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for
simple Internet transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in which
x is an integer.
•
IPv6 Address. The IPv6 address of the local tunnel endpoint.
Configure Dynamic DNS
Dynamic DNS (DDNS) is an Internet service that allows devices with varying public IPv4
addresses to be located using Internet domain names. To use DDNS, you need to set up an
account with a DDNS provider such as DynDNS.org, TZO.com, Oray.net, or 3322.org. (Links
to DynDNS, TZO, Oray, and 3322 are provided for your convenience as option arrows on the
DDNS configuration screens.) The wireless VPN firewall firmware includes software that
notifies DDNS servers of changes in the WAN IP address so that the services running on this
network can be accessed by others on the Internet.
If your network has a permanently assigned IP address, you can register a domain name and
have that name linked with your IP address by public Domain Name Servers (DNS).
However, if your Internet account uses a dynamically assigned IP address, you will not know
in advance what your IP address will be, and the address can change frequently—hence, the
need for a commercial DDNS service, which allows you to register an extension to its
domain, and restores DNS requests for the resulting fully qualified domain name (FQDN) to
your frequently changing IP address.
After you have configured your account information on the wireless VPN firewall, when your
ISP-assigned IP address changes, your wireless VPN firewall automatically contacts your
DDNS service provider, logs in to your account, and registers your new IP address.
Internet and Broadband Settings
45
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: If your ISP assigns a private WAN IP address such as 192.168.x.x
or 10.x.x.x, the DDNS service does not work because private
addresses are not routed on the Internet.

To configure DDNS:
1. Select Network Configuration > Dynamic DNS. The Dynamic DNS screen displays
(see the following figure).
2. Click the submenu tab for your DDNS service provider:
• Dynamic DNS for DynDNS.org (which is shown in the following figure)
•
DNS TZO for TZO.com
•
DNS Oray for Oray.net
•
3322 DDNS for 3322.org
Figure 25.
3. Click the Information option arrow in the upper right of a DNS screen for registration
information (for example, DynDNS Information).
Figure 26.
4. Access the website of the DDNS service provider, and register for an account (for example,
for DynDNS.org, go to http://www.dyndns.com/).
Internet and Broadband Settings
46
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
5. Configure the DDNS service settings as explained in the following table:
Table 8. DDNS service settings
Setting
Description
Change DNS to Select the Yes radio button to enable the DDNS service. The fields that display on the
(DynDNS, TZO, screen depend on the DDNS service provider that you have selected. Enter the following
Oray, or 3322)
settings:
Host and Domain Name
The host and domain name for the DDNS service.
Username or
User Email Address
The user name or email address for DDNS server
authentication.
Password or User Key
The password that is used for DDNS server authentication.
Change DNS to Use wildcards
(DynDNS, TZO,
Oray, or 3322)
(continued)
Update every 30 days
If your DDNS provider allows the use of wildcards in resolving
your URL, you can select the Use wildcards check box to
activate this feature. For example, the wildcard feature
causes *.yourhost.dyndns.org to be aliased to the same IP
address as yourhost.dyndns.org.
If your WAN IP address does not change often, you might
need to force a periodic update to the DDNS service to
prevent your account from expiring. If the Update every 30
days check box displays, select it to enable a periodic
update.
6. Click Apply to save your configuration.
Configure Advanced WAN Options and Other Tasks
The advanced options include configuring the maximum transmission unit (MTU) size, port
speed, wireless VPN firewall’s MAC address, and setting a rate limit on the traffic that is
being forwarded by the wireless VPN firewall.
Note: Although you can access the Broadband Advanced Options screen
only through the Broadband ISP Settings (IPv4) screen, the
advanced options apply to both IPv4 and IPv6 WAN connections.

To configure advanced WAN options:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings. The
Broadband ISP Settings screen displays the IPv4 settings (see Figure 10 on page 29).
2. Click the Advanced option arrow in the upper right of the screen. The Broadband Advanced
Options screen displays:
Internet and Broadband Settings
47
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 27.
3. Enter the settings as explained in the following table:
Table 9. Broadband Advanced Options screen settings
Setting
Description
MTU Size
Make one of the following selections:
Default
Select the Default radio button for the normal maximum transmit unit (MTU)
value. For most Ethernet networks this value is 1500 bytes, or 1492 bytes for
PPPoE connections.
Custom
Select the Custom radio button, and enter an MTU value in the Bytes field. For
some ISPs, you might need to reduce the MTU. This is rarely required, and
should not be done unless you are sure it is necessary for your ISP connection.
Internet and Broadband Settings
48
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 9. Broadband Advanced Options screen settings (continued)
Setting
Description
Speed
In most cases, the wireless VPN firewall can automatically determine the connection speed of the WAN
port of the device (modem, dish, or router) that provides the WAN connection. If you cannot establish an
Internet connection, you might need to manually select the port speed. If you know the Ethernet port speed
of the modem, dish, or router, select it from the drop-down list. Use the half-duplex settings only if the
full-duplex settings do not function correctly.
Select one of the following speeds from the drop-down list:
• AutoSense. Speed autosensing. This is the default setting, which can sense all Ethernet speeds and
duplex modes, including 1000BASE-T speed at full duplex.
• 10BaseT Half_Duplex. Ethernet speed at half duplex.
• 10BaseT Full_Duplex. Ethernet speed at full duplex.
• 100BaseT Half_Duplex. Fast Ethernet speed at half duplex.
• 100BaseT Full_Duplex. Fast Ethernet speed at full duplex.
• 1000BaseT Half_Duplex. Gigabit Ethernet speed at half duplex.
• 1000BaseT Full_Duplex. Gigabit Ethernet speed at full duplex.
Router’s MAC Address
Each computer or router on your network has a unique 48-bit local Ethernet address. This is also referred to
as the computer’s Media Access Control (MAC) address. The default is set to Use Default Address.
Make one of the following selections:
Use Default Address
Each computer or router on your network has a unique 32-bit local Ethernet
address. This is also referred to as the computer’s Media Access Control (MAC)
address. To use the wireless VPN firewall’s own MAC address, select the Use
Default Address radio button.
Use this computer’s MAC Select the Use this computer’s MAC Address radio button to allow the
Address
wireless VPN firewall to use the MAC address of the computer you are now
using to access the web management interface. This setting is useful if your ISP
requires MAC authentication.
Use this MAC Address
Select the Use this MAC Address radio button, and manually enter the MAC
address in the field next to the radio button. You would typically enter the MAC
address that your ISP is requiring for MAC authentication.
Note: The format for the MAC address is 01:23:45:67:89:AB (numbers
0–9 and either uppercase or lowercase letters A–F). If you enter a MAC
address, the existing entry is overwritten.
4. Click Apply to save your changes.
Internet and Broadband Settings
49
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Additional WAN-Related Configuration Tasks
•
If you want the ability to manage the wireless VPN firewall remotely, enable remote
management (see Configure Remote Management Access on page 322). If you enable
remote management, NETGEAR strongly recommends that you change your password
(see Change Passwords and Administrator and Guest Settings on page 320).
•
You can set up the traffic meter for the WAN interface, if you wish. See Enable the WAN
Traffic Meter on page 335.
Verify the Connection
Test the wireless VPN firewall before deploying it in a live production environment. Verify that
network traffic can pass through the wireless VPN firewall:
•
Ping an Internet URL.
•
Ping the IP address of a device on either side of the wireless VPN firewall.
What to Do Next
You have completed setting up the WAN connection for the wireless VPN firewall. The
following chapters and sections describe important tasks that you need to address before you
deploy the wireless VPN firewall in your network:
•
Chapter 3, LAN Configuration
•
Chapter 4, Wireless Configuration and Security
•
Configure Authentication Domains, Groups, and Users
•
Manage Digital Certificates for VPN Connections
•
Use the IPSec VPN Wizard for Client and Gateway Configurations
•
Virtual Private Networking Using SSL Connections
Internet and Broadband Settings
50
3.
LAN Configuration
3
This chapter describes how to configure the advanced LAN features of your wireless VPN
firewall. This chapter contains the following sections:
•
Manage IPv4 Virtual LANs and DHCP Options
•
Configure IPv4 Multihome LAN IP Addresses on the Default VLAN
•
Manage IPv4 Groups and Hosts (IPv4 LAN Groups)
•
Manage the IPv6 LAN
•
Configure IPv6 Multihome LAN IP Addresses on the Default VLAN
•
Enable and Configure the DMZ Port for IPv4 and IPv6 Traffic
•
Manage Static IPv4 Routing
•
Manage Static IPv6 Routing
Manage IPv4 Virtual LANs and DHCP Options
A local area network (LAN) can generally be defined as a broadcast domain. Hubs, bridges,
or switches in the same physical segment or segments connect all end node devices.
Endpoints can communicate with each other without the need for a router. Routers connect
LANs together, routing the traffic to the appropriate port.
A virtual LAN (VLAN) is a local area network with a definition that maps workstations on
some basis other than geographic location (for example, by department, type of user, or
primary application). To enable traffic to flow between VLANs, traffic needs to go through a
router, just as if the VLANs were on two separate LANs.
A VLAN is a group of computers, servers, and other network resources that behave as if they
were connected to a single network segment—even though they might not be. For example,
all marketing personnel might be spread throughout a building. Yet if they are all assigned to
a single VLAN, they can share resources and bandwidth as if they were connected to the
same segment. The resources of other departments can be invisible to the marketing VLAN
members, accessible to all, or accessible only to specified individuals, depending on how the
IT manager has set up the VLANs.
51
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
VLANs have a number of advantages:
•
It is easy to set up network segmentation. Users who communicate most frequently with
each other can be grouped into common VLANs, regardless of physical location. Each
group’s traffic is contained largely within the VLAN, reducing extraneous traffic and
improving the efficiency of the whole network.
•
They are easy to manage. The addition of nodes, as well as moves and other changes,
can be dealt with quickly and conveniently from a management interface rather than from
the wiring closet.
•
They provide increased performance. VLANs free up bandwidth by limiting node-to-node
and broadcast traffic throughout the network.
•
They ensure enhanced network security. VLANs create virtual boundaries that can be
crossed only through a router. So standard, router-based security measures can be used
to restrict access to each VLAN.
Port-Based VLANs
The wireless VPN firewall supports port-based VLANs. Port-based VLANs help to confine
broadcast traffic to the LAN ports. Even though a LAN port can be a member of more than
one VLAN, the port can have only one VLAN ID as its port VLAN identifier (PVID). By default,
all eight LAN ports of the wireless VPN firewall are assigned to the default VLAN, or VLAN 1.
Therefore, by default, all eight LAN ports have the default PVID 1. However, you can assign
another PVID to a LAN port by selecting a VLAN profile from the drop-down list on the LAN
Setup screen.
After you have created a VLAN profile and assigned one or more ports to the profile, you
need to enable the profile to activate it.
The wireless VPN firewall’s default VLAN cannot be deleted. All untagged traffic is routed
through the default VLAN (VLAN1), which you need to assign to at least one LAN port.
Note the following about VLANs and PVIDs:
•
One physical port is assigned to at least one VLAN.
•
One physical port can be assigned to multiple VLANs.
•
When one port is assigned to multiple VLANs, the port is used as a trunk port to connect
to another switch or router.
•
When a port receives an untagged packet, this packet is forwarded to a VLAN based on
the PVID.
•
When a port receives a tagged packet, this packet is forwarded to a VLAN based on the
ID that is extracted from the tagged packet.
When you create a VLAN profile, assign LAN ports to the VLAN, and enable the VLAN, the
LAN ports that are members of the VLAN can send and receive both tagged and untagged
packets. Untagged packets that enter these LAN ports are assigned to the default PVID 1;
packets that leave these LAN ports with the same default PVID 1 are untagged. All other
packets are tagged according to the VLAN ID that you assigned to the VLAN when you
created the VLAN profile.
LAN Configuration
52
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
This is a typical scenario for a configuration with an IP phone that has two Ethernet ports, one
of which is connected to the wireless VPN firewall, the other one to another device:
Packets coming from the IP phone to the wireless VPN firewall LAN port are tagged. Packets
passing through the IP phone from the connected device to the wireless VPN firewall LAN
port are untagged. When you assign the wireless VPN firewall LAN port to a VLAN, packets
entering and leaving the port are tagged with the VLAN ID. However, untagged packets
entering the wireless VPN firewall LAN port are forwarded to the default VLAN with PVID 1;
packets that leave the LAN port with the same default PVID 1 are untagged.
Note: The configuration of the DHCP options for the default VLAN are
explained in Configure the IPv4 Internet Connection and WAN
Settings on page 26. For information about how to add and edit a
VLAN profile, including its DHCP options, see Configure a VLAN
Profile on page 56.
Assign and Manage VLAN Profiles

To assign VLAN profiles to the LAN ports and manage VLAN profiles:
1. Select Network Configuration > LAN Setup. In the upper right of the screen, the IPv4
radio button is selected by default. The LAN submenu tabs display, with the LAN Setup
screen in view, displaying the IPv4 settings. (The following figure contains some VLAN
profiles as an example.)
Figure 28.
LAN Configuration
53
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
For each VLAN profile, the following fields display in the VLAN Profiles table:
•
Check box. Allows you to select the VLAN profile in the table.
•
Status icon. Indicates the status of the VLAN profile:
-
Green circle. The VLAN profile is enabled.
-
Gray circle. The VLAN profile is disabled.
•
Profile Name. The unique name assigned to the VLAN profile.
•
VLAN ID. The unique ID (or tag) assigned to the VLAN profile.
•
Subnet IP. The subnet IP address for the VLAN profile.
•
DHCP Status. The DHCP server status for the VLAN profile, which can be either
DHCP Enabled or DHCP Disabled.
•
Action. The Edit table button, which provides access to the Edit VLAN Profile screen.
2. Assign a VLAN profile to a LAN port by selecting a VLAN profile from the drop-down list. The
enabled VLAN profiles are displayed in the drop-down lists.
3. Click Apply to save your settings.
VLAN DHCP Options
For each VLAN, you need to specify the Dynamic Host Configuration Protocol (DHCP)
options (see Configure a VLAN Profile on page 56). The configuration of the DHCP options
for the wireless VPN firewall’s default VLAN, or VLAN 1, is explained in Configure the IPv4
Internet Connection and WAN Settings on page 26. This section provides further information
about the DHCP options.
DHCP Server
The default VLAN (VLAN 1) has the DHCP server option enabled by default, allowing the
wireless VPN firewall to assign IP, DNS server, WINS server, and default gateway addresses
to all computers connected to the wireless VPN firewall’s LAN. The assigned default gateway
address is the LAN address of the wireless VPN firewall. IP addresses are assigned to the
attached computers from a pool of addresses that you need to specify. Each pool address is
tested before it is assigned to avoid duplicate addresses on the LAN. When you create a new
VLAN, the DHCP server option is disabled by default.
For most applications, the default DHCP server and TCP/IP settings of the wireless VPN
firewall are satisfactory.
The wireless VPN firewall delivers the following settings to any LAN device that requests
DHCP:
•
An IP address from the range that you have defined
•
Subnet mask
•
Gateway IP address (the wireless VPN firewall’s LAN IP address)
•
Primary DNS server (the wireless VPN firewall’s LAN IP address)
LAN Configuration
54
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
WINS server (if you entered a WINS server address in the DHCP Setup screen)
•
Lease time (the date obtained and the duration of the lease)
DHCP Relay
DHCP relay options allow you to make the wireless VPN firewall a DHCP relay agent for a
VLAN. The DHCP relay agent makes it possible for DHCP broadcast messages to be sent
over routers that do not support forwarding of these types of messages. The DHCP relay
agent is therefore the routing protocol that enables DHCP clients to obtain IP addresses from
a DHCP server on a remote subnet. If you do not configure a DHCP relay agent for a VLAN,
its clients can obtain IP addresses only from a DHCP server that is on the same subnet. To
enable clients to obtain IP addresses from a DHCP server on a remote subnet, you need to
configure the DHCP relay agent on the subnet that contains the remote clients, so that the
DHCP relay agent can relay DHCP broadcast messages to your DHCP server.
DNS Proxy
When the DNS proxy option is enabled for a VLAN, the wireless VPN firewall acts as a proxy
for all DNS requests and communicates with the ISP’s DNS servers (as configured on the
Broadband ISP Settings screens). All DHCP clients receive the primary and secondary DNS
IP addresses along with the IP address where the DNS proxy is located (that is, the wireless
VPN firewall’s LAN IP address). When the DNS proxy option is disabled for a VLAN, all
DHCP clients receive the DNS IP addresses of the ISP but without the DNS proxy IP
address.
LDAP Server
A Lightweight Directory Access Protocol (LDAP) server allows a user to query and modify
directory services that run over TCP/IP. For example, clients can query email addresses,
contact information, and other service information using an LDAP server. For each VLAN,
you can specify an LDAP server and a search base that defines the location in the directory
(that is, the directory tree) from which the LDAP search begins.
LAN Configuration
55
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure a VLAN Profile
For each VLAN on the wireless VPN firewall, you can configure its profile, port membership,
LAN TCP/IP settings, DHCP options, DNS server, and inter-VLAN routing capability.

To add a VLAN profile:
1. Select Network Configuration > LAN Setup. In the upper right of the screen, the IPv4
radio button is selected by default. The LAN submenu tabs display, with the LAN Setup
screen in view, displaying the IPv4 settings. (The following figure contains some VLAN
profiles as an example.)
Note: For information about how to manage VLANs, see Port-Based
VLANs on page 52. The following information describes how to
configure a VLAN profile.
Figure 29.
2. Click the Add table button under the VLAN Profiles table. The Add VLAN Profile screen
displays:
LAN Configuration
56
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 30.
LAN Configuration
57
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Enter the settings as explained in the following table:
Table 10. Add VLAN Profile screen settings
Setting
Description
VLAN Profile
Profile Name
Enter a unique name for the VLAN profile.
VLAN ID
Enter a unique ID number for the VLAN profile. No two VLANs can have the same
VLAN ID number.
Note: You can enter VLAN IDs from 2 to 4089. VLAN ID 1 is reserved for the
default VLAN; VLAN ID 4094 is reserved for the DMZ interface.
Port Membership
Port 1, Port 2, Port 3,
Port 4, Port 5, Port 6,
Port 7, and
Port 8 / DMZ
Select one, several, or all port check boxes to make the ports members of this
VLAN.
Note: A port that is defined as a member of a VLAN profile can send and receive
data frames that are tagged with the VLAN ID.
IP Setup
IP Address
Enter the IP address of the wireless VPN firewall (the factory default address is
192.168.1.1).
Note: Always make sure that the LAN port IP address and DMZ port IP address
are in different subnets.
Note: If you change the LAN IP address of the VLAN while being connected
through the browser to the VLAN, you are disconnected. You then need to open
a new connection to the new IP address and log in again. For example, if you
change the default IP address 192.168.1.1 to 10.0.0.1, you now need to enter
https://10.0.0.1 in your browser to reconnect to the web management interface.
Subnet Mask
Enter the IP subnet mask. The subnet mask specifies the network number portion
of an IP address. Based on the IP address that you assign, the wireless VPN
firewall automatically calculates the subnet mask. Unless you are implementing
subnetting, use 255.255.255.0 as the subnet mask (computed by the wireless
VPN firewall).
DHCP
Disable DHCP Server
If another device on your network is the DHCP server for the VLAN, or if you will
manually configure the network settings of all of your computers, select the
Disable DHCP Server radio button to disable the DHCP server. With the
exception of the default VLAN for which the DHCP server is enabled, this is the
default setting.
LAN Configuration
58
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 10. Add VLAN Profile screen settings (continued)
Setting
Description
Enable DHCP Server
Select the Enable DHCP Server radio button to enable the wireless VPN firewall
to function as a Dynamic Host Configuration Protocol (DHCP) server, providing
TCP/IP configuration for all computers connected to the VLAN. (For the default
VLAN, the DHCP server is enabled by default.) Enter the following settings:
DHCP Relay
Domain Name
This setting is optional. Enter the domain name of the
wireless VPN firewall.
Start IP Address
Enter the start IP address. This address specifies the first of
the contiguous addresses in the IP address pool. Any new
DHCP client joining the LAN is assigned an IP address
between this address and the end IP address. For the default
VLAN, the default start IP address is 192.168.1.100.
End IP Address
Enter the end IP address. This address specifies the last of
the contiguous addresses in the IP address pool. Any new
DHCP client joining the LAN is assigned an IP address
between the start IP address and this IP address. For the
default VLAN, the default end IP address is 192.168.1.254.
The start and end DHCP IP addresses should be in the same
network as the LAN IP address of the wireless VPN firewall
(that is, the IP address in the IP Setup section as described
earlier in this table).
Primary DNS
Server
This setting is optional. If an IP address is specified, the
wireless VPN firewall provides this address as the primary
DNS server IP address. If no address is specified, the
wireless VPN firewall uses the VLAN IP address as the
primary DNS server IP address.
Secondary DNS
Server
This setting is optional. If an IP address is specified, the
wireless VPN firewall provides this address as the secondary
DNS server IP address.
WINS Server
This setting is optional. Enter a WINS server IP address to
specify the Windows NetBIOS server, if one is present in your
network.
Lease Time
Enter a lease time. This specifies the duration for which IP
addresses are leased to clients.
To use the wireless VPN firewall as a DHCP relay agent for a DHCP server
somewhere else in your network, select the DHCP Relay radio button. Enter the
following setting:
Relay Gateway
The IP address of the DHCP server for which the wireless
VPN firewall serves as a relay.
LAN Configuration
59
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 10. Add VLAN Profile screen settings (continued)
Setting
Description
Enable LDAP
information
To enable the DHCP server to provide Lightweight Directory Access Protocol
(LDAP) server information, select the Enable LDAP information check box.
Enter the following settings.
LDAP Server
The IP address or name of the LDAP server.
Search Base
The search objects that specify the location in the directory
tree from which the LDAP search begins. You can specify
multiple search objects, separated by commas. The search
objects include:
• CN (for common name)
• OU (for organizational unit)
• O (for organization)
• C (for country)
• DC (for domain)
For example, to search the Netgear.net domain for all last
names of Johnson, you would enter:
cn=Johnson,dc=Netgear,dc=net
Port
The port number for the LDAP server. The default setting is 0
(zero).
DNS Proxy
Enable DNS Proxy
This setting is optional. To enable the wireless VPN firewall to provide a LAN IP
address for DNS address name resolution, select the Enable DNS Proxy check
box. This setting is disabled by default.
Note: When the DNS proxy option is disabled for a VLAN, all DHCP clients
receive the DNS IP addresses of the ISP but without the DNS proxy IP address.
Inter VLAN Routing
Enable Inter VLAN
Routing
This setting is optional. To ensure that traffic is routed only to VLANs for which
inter-VLAN routing is enabled, select the Enable Inter VLAN Routing check box.
This setting is disabled by default. When the Enable Inter VLAN Routing check
box is not selected, traffic from this VLAN is not routed to other VLANs, and traffic
from other VLANs is not routed to this VLAN.
4. Click Apply to save your settings.
Note: Once you have completed the LAN setup, all outbound traffic is
allowed and all inbound traffic is discarded except responses to
requests from the LAN side. For information about how to change
these default traffic rules, see Chapter 5, Firewall Protection.
LAN Configuration
60
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To edit a VLAN profile:
1. On the LAN Setup screen for IPv4 (see Figure 29 on page 56), click the Edit button in
the Action column for the VLAN profile that you want to modify. The Edit VLAN Profile
screen displays. This screen is identical to the Add VLAN Profile screen (see the
previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To enable, disable, or delete one or more VLAN profiles:
1. On the LAN Setup screen for IPv4 (see Figure 29 on page 56), select the check box to
the left of each VLAN profile that you want to enable, disable, or delete, or click the
Select All table button to select all profiles. (You cannot select the default VLAN profile.)
2. Click one of the following table buttons:
• Enable. Enables the VLAN or VLANs. The ! status icon changes from a gray circle to
a green circle, indicating that the selected VLAN or VLANs are enabled. (By default,
when a VLAN is added to the table, it is automatically enabled.)
•
Disable. Disables the VLAN or VLANs. The ! status icon changes from a green circle
to a gray circle, indicating that the selected VLAN or VLANs are disabled.
•
Delete. Deletes the VLAN or VLANs.
Configure VLAN MAC Addresses and LAN Advanced Settings
By default, all configured VLAN profiles share the same single MAC address as the LAN
ports. (All LAN ports share the same MAC address.) However, you can change the VLAN
MAC settings to allow up to 16 VLANs to each be assigned a unique MAC address.
You can also enable or disable the broadcast of Address Resolution Protocol (ARP) packets
for the default VLAN. If the broadcast of ARP packets is enabled, IP addresses can be
mapped to physical addresses (that is, MAC addresses).

To configure a VLAN to have a unique MAC address:
1. Select Network Configuration > LAN Setup. In the upper right of the screen, the IPv4
radio button is selected by default. The LAN submenu tabs display, with the LAN Setup
screen in view, displaying the IPv4 settings (see Figure 29 on page 56).
2. Click the Advanced option arrow in the upper middle of the LAN Setup screen. The IPv4
LAN Advanced screen displays:
LAN Configuration
61
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 31.
3. From the MAC Address for VLANs drop-down list, select Unique. (The default is Same.)
4. As an option, you can disable the broadcast of ARP packets for the default VLAN by
clearing the Enable ARP Broadcast check box. (The broadcast of ARP packets is enabled
by default for the default VLAN.)
5. Click Apply to save your settings.
Note: If you attempt to configure more than 16 VLANs while the MAC
address for VLANs is set to Unique on the LAN Advanced screen,
the MAC addresses that are assigned to each VLAN might no longer
be distinct.
Configure IPv4 Multihome LAN IP Addresses on the
Default VLAN
If you have computers using different IPv4 networks in the LAN, (for example, 172.124.10.0
or 192.168.200.0), you can add aliases to the LAN ports and give computers on those
networks access to the Internet, but you can do so only for the default VLAN. The IP address
that is assigned as a secondary IP address needs to be unique and cannot be assigned to a
VLAN.
Make sure that any secondary LAN addresses are different from the primary LAN, WAN, and
DMZ IP addresses and subnet addresses that are already configured on the wireless VPN
firewall. The following is an example of correctly configured IPv4 addresses:
•
WAN IP address. 10.0.0.1 with subnet 255.0.0.0
•
DMZ IP address. 176.16.2.1 with subnet 255.255.255.0
LAN Configuration
62
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

•
Primary LAN IP address. 192.168.1.1 with subnet 255.255.255.0
•
Secondary LAN IP address. 192.168.20.1 with subnet 255.255.255.0
To add a secondary LAN IPv4 address:
1. Select Network Configuration > LAN Setup > LAN Multi-homing. In the upper right of
the screen, the IPv4 radio button is selected by default. The LAN Multi-homing screen
displays the IPv4 settings. (The following figure contains one example.)
Figure 32.
The Available Secondary LAN IPs table displays the secondary LAN IP addresses added
to the wireless VPN firewall.
2. In the Add Secondary LAN IP Address section of the screen, enter the following settings:
• IP Address. Enter the secondary address that you want to assign to the LAN ports.
•
Subnet Mask. Enter the subnet mask for the secondary IP address.
3. Click the Add table button in the rightmost column to add the secondary IP address to the
Available Secondary LAN IPs table.
Repeat Step 2 and Step 3 for each secondary IP address that you want to add to the
Available Secondary LAN IPs table.
Note: Secondary IP addresses cannot be configured in the DHCP server.
The hosts on the secondary subnets need to be manually configured
with the IP addresses, gateway IP address, and DNS server IP
addresses.

To edit a secondary LAN IP address:
1. On the LAN Multi-homing screen for IPv4 (see the previous figure), click the Edit button
in the Action column for the secondary IP address that you want to modify. The Edit
LAN Multi-homing screen displays.
2. Modify the IP address or subnet mask, or both.
LAN Configuration
63
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Click Apply to save your settings.

To delete one or more secondary LAN IP addresses:
1. On the LAN Multi-homing screen for IPv4 (see the previous figure), select the check box
to the left of each secondary IP address that you want to delete, or click the Select All
table button to select secondary IP addresses.
2. Click the Delete table button.
Manage IPv4 Groups and Hosts (IPv4 LAN Groups)
The Known PCs and Devices table on the LAN Groups (IPv4) screen (see Figure 33 on
page 65) contains a list of all known computers and network devices that are assigned
dynamic IP addresses by the wireless VPN firewall, have been discovered by other means,
or were entered manually. Collectively, these entries make up the network database.
The network database is updated by these methods:
•
DHCP client requests. When the DHCP server is enabled, it accepts and responds to
DHCP client requests from computers and other network devices. These requests also
generate an entry in the network database. This is an advantage of enabling the DHCP
server feature.
•
Scanning the network. The local network is scanned using Address Resolution Protocol
(ARP) requests. The ARP scan detects active devices that are not DHCP clients.
Note: In large networks, scanning the network might generate unwanted
traffic.
Note: When the wireless VPN firewall receives a reply to an ARP request,
it might not be able to determine the device name if the software
firewall of the device blocks the name.
•
Manual entry. You can manually enter information about a network device.
These are some advantages of the network database:
•
Generally, you do not need to enter an IP address or a MAC address. Instead, you can
just select the name of the desired computer or device.
•
There is no need to reserve an IP address for a computer in the DHCP server. All IP
address assignments made by the DHCP server are maintained until the computer or
device is removed from the network database, either by expiration (inactive for a long
time) or by you.
LAN Configuration
64
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
There is no need to use a fixed IP address on a computer. Because the IP address
allocated by the DHCP server never changes, you do not need to assign a fixed IP
address to a computer to ensure that it always has the same IP address.
•
A computer is identified by its MAC address—not its IP address. The network database
uses the MAC address to identify each computer or device. Therefore, changing a
computer’s IP address does not affect any restrictions applied to that computer.
•
Control over computers can be assigned to groups and individuals:
-
You can assign computers to groups (see Manage the Network Database on this
page) and apply restrictions (outbound rules and inbound rules) to each group (see
Overview of Rules to Block or Allow Specific Kinds of Traffic on page 126).
-
You can select groups that are allowed access to URLs that you have blocked for
other groups, or the other way around, block access to URLs that you have allowed
access to for groups (see Configure Content Filtering on page 174).
-
If necessary, you can also create firewall rules to apply to a single computer (see
Enable Source MAC Filtering on page 179). Because the MAC address is used to
identify each computer, users cannot avoid these restrictions by changing their IP
address.
Manage the Network Database
You can view the network database, manually add or remove database entries, and edit
database entries.
To view the network database, select Network Configuration > LAN Setup > LAN Groups.
The LAN Groups screen displays. (The following figure shows some manually added devices
in the Known PCs and Devices table as an example.)
Figure 33.
LAN Configuration
65
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The Known PCs and Devices table lists the entries in the network database. For each
computer or device, the following fields display:
•
Check box. Allows you to select the computer or device in the table.
•
Name. The name of the computer or device. For computers that do not support the
NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to
add a meaningful name). If the computer or device was assigned an IP address by the
DHCP server, then the name is appended by an asterisk.
•
IP Address. The current IP address of the computer or device. For DHCP clients of the
wireless VPN firewall, this IP address does not change. If a computer or device is
assigned a static IP address, you need to update this entry manually after the IP address
on the computer or device has changed.
•
MAC Address. The MAC address of the computer or device’s network interface.
•
Group. Each computer or device can be assigned to a single LAN group. By default, a
computer or device is assigned to Group 1. You can select a different LAN group from the
Group drop-down list in the Add Known PCs and Devices section or on the Edit Groups
and Hosts screen.
•
Profile Name. Each computer or device can be assigned to a single VLAN. By default, a
computer or device is assigned to the default VLAN (VLAN 1). You can select a different
VLAN profile name from the Profile Name drop-down list in the Add Known PCs and
Devices section or on the Edit Groups and Hosts screen.
•
Action. The Edit table button, which provides access to the Edit Groups and Hosts
screen.
Add Computers or Devices to the Network Database

To add computers or devices manually to the network database:
1. In the Add Known PCs and Devices section of the LAN Groups screen (see the previous
figure), enter the settings as explained in the following table:
Table 11. Add Known PCs and Devices section settings
Setting
Description
Name
Enter the name of the computer or device.
IP Address Type
From the drop-down list, select how the computer or device receives its IP address:
• Fixed (set on PC). The IP address is statically assigned on the computer or
device.
• Reserved (DHCP Client). The DHCP server of the wireless VPN firewall always
assigns the specified IP address to this client during the DHCP negotiation (see
also Set Up DHCP Address Reservation on page 69).
Note: For both types of IP addresses, the wireless VPN firewall reserves the IP
address for the associated MAC address.
LAN Configuration
66
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 11. Add Known PCs and Devices section settings (continued)
Setting
Description
IP Address
Enter the IP address that this computer or device is assigned to:
• If the IP address type is Fixed (set on PC), the IP address needs to be outside of
the address range that is allocated to the DHCP server pool to prevent the IP
address from also being allocated by the DHCP server.
• If the IP address type is Reserved (DHCP Client), the IP address can be inside or
outside the address range that is allocated to the DHCP server pool.
Note: Make sure that the IP address is in the IP subnet for the VLAN profile that
you select from the Profile Name drop-down list.
MAC Address
Enter the MAC address of the computer’s or device’s network interface. The MAC
address format is six colon-separated pairs of hexadecimal characters (0–9 and
a–f), such as 01:23:d2:6f:89:ab.
Group
From the drop-down list, select the group to which the computer or device is
assigned. (Group 1 is the default group.)
Profile Name
From the drop-down list, select the name of the VLAN profile to which the computer
or device is assigned.
2. Click the Add table button to add the computer or device to the Known PCs and Devices
table.
3. As an optional step: To save the binding between the IP address and MAC address for the
entry that you just added to the Known PCs and Devices table, select the check box for the
table entry, and click the Save Binding button.
Note: The saved binding is also displayed on the IP/MAC Binding screen
(see Figure 97 on page 181).
Edit Computers or Devices in the Network Database

To edit computers or devices manually in the network database:
1. In the Known PCs and Devices table of the LAN Groups screen (see the previous
figure), click the Edit table button of a table entry. The Edit LAN Groups screen displays
(see the following figure, which contains an example).
LAN Configuration
67
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 34.
2. Modify the settings as explained in Table 11 on page 66.
3. Click Apply to save your settings in the Known PCs and Devices table.
Deleting Computers or Devices from the Network Database

To delete one or more computers or devices from the network database:
1. On the LAN Groups screen (see Figure 33 on page 65), select the check box to the left
of each computer or device that you want to delete, or click the Select All table button
to select all computers and devices.
2. Click the Delete table button.
Note: If you delete a saved binding between an IP and MAC address on
the LAN Groups screen, make sure that you also delete the binding
on the IP/MAC Binding screen (see Figure 97 on page 181).
Change Group Names in the Network Database
By default, the groups are named Group1 through Group8. You can change these group
names to be more descriptive, such as GlobalMarketing and GlobalSales. However, note that
on the Content Filtering screen (see Configure Content Filtering on page 174), the default
group names are displayed and not the names that you specified.

To edit the names of any of the eight available groups:
1. Select Network Configuration > LAN Setup > LAN Groups. The LAN Groups screen
displays (see Figure 33 on page 65, which shows some examples in the Known PCs
and Devices table).
LAN Configuration
68
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Click the Edit Group Names option arrow to the right of the LAN submenu tabs. The
Network Database Group Names screen displays. (The following figure shows some
examples.)
Figure 35.
3. Select the radio button next to the group name that you want to edit.
4. Type a new name in the field. The maximum number of characters is 15. Do not use a
double quote (''), single quote('), or space in the name.
5. Repeat Step 3 and Step 4 for any other group names.
6. Click Apply to save your settings.
Set Up DHCP Address Reservation
When you specify a reserved IP address for a computer or device on the LAN (based on the
MAC address of the device), that computer or device always receives the same IP address
each time it accesses the wireless VPN firewall’s DHCP server. Reserved IP addresses
should be assigned to servers or access points that require permanent IP address settings.
The reserved IP address that you select needs to be outside of the DHCP server pool.
To reserve and bind an IP address to a MAC address, select Reserved (DHCP Client) from
the IP Address Type drop-down list on the LAN Groups screen and save the binding by
clicking the Save Binding button on the same screen. For detailed steps, see Add Computers
or Devices to the Network Database on page 66.
Note: The reserved address is not assigned until the next time the
computer or device contacts the wireless VPN firewall’s DHCP
server. Reboot the computer or device, or access its IP configuration
and force a DHCP release and renew.
LAN Configuration
69
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: The saved binding is also displayed on the IP/MAC Binding screen
(see Figure 97 on page 181).
Manage the IPv6 LAN
An IPv6 LAN typically functions with site-local and link-local unicast addresses. Each
physical interface requires an IPv6 link-local address that is automatically derived from the
MAC addresses of the IPv4 interface and that is used for address configuration and neighbor
discovery. (Normally, you would not manually configure a link-local address.)
Traffic with site-local or link-local addresses is never forwarded by the wireless VPN firewall
(or by any other router), that is, the traffic remains in the LAN subnet and is processed over
the default VLAN only. A site-local address always starts with FEC0 (hexadecimal); a
link-local unicast address always starts with FE80 (hexadecimal). To forward traffic from
sources with a site local or link-local unicast address in the LAN, a DHCP server is required.
For more information about link-local unicast addresses, see Configure ISATAP Automatic
Tunnelling on page 42.
Because each interface is automatically assigned a link-local IP address, it is not useful to
assign another link-local IP address as the default IPv6 LAN address. The default IPv6 LAN
address is a site-local address. You can change this address to any other IPv6 address for
LAN use.
Note: Site-local addresses, that is, addresses that start with FEC0, have
been depreciated. However, NETGEAR has implemented a
site-local address as a temporary default IPv6 LAN address that you
can replace with another LAN address. The firewall restricts external
communication of this default site-local address.
DHCPv6 Server Options
The IPv6 clients in the LAN can autoconfigure their own IPv6 address or obtain an IPv6
address through a DHCPv6 server. For the LAN, there are three DHCPv6 options:
Stateless DHCPv6 Server
The IPv6 clients in the LAN generate their own IP address by using a combination of locally
available information and router advertisements, but receive DNS server information from the
DHCPv6 server. For stateless DHCPv6, you need to configure the RADVD and
advertisement prefixes (see Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the LAN on page 77).
LAN Configuration
70
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Stateless DHCPv6 Server With Prefix Delegation
As an option for a stateless DHCPv6 server, you can enable prefix delegation. The ISP’s
stateful DHCPv6 server assigns a prefix that is used by the wireless VPN firewall’s stateless
DHCPv6 server to assign to its IPv6 LAN clients.
Prefix delegation functions in the following way:
1. The wireless VPN firewall’s DHCPv6 client requests prefix delegation from the ISP.
You need to select the Prefix Delegation check box on the ISP Broadband Settings
screen for IPv6 (see Use a DHCPv6 Server to Configure an IPv6 Internet Connection on
page 37).
2. The ISP allocates a prefix to the wireless VPN firewall.
This prefix is automatically added to the List of Prefixes for Prefix Delegation table on the
LAN Setup screen for IPv6 (see IPv6 LAN Prefixes for Prefix Delegation on page 76).
3. The stateless DHCPv6 server allocates the prefix to the IPv6 LAN clients through the
RADVD. When prefix delegation is enabled, the RADVD advertises the following prefixes:
• The prefix that was added through prefix delegation.
•
Prefixes that you manually added to the List of Prefixes for Prefix Delegation table on
the LAN Setup screen for IPv6.
•
Prefixes that you manually added to the List of Prefixes to Advertise table on the
RADVD screen.
You need to perform the following tasks:
•
Select the Prefix Delegation check box on the LAN Setup screen for IPv6 (see
Configure the IPv6 LAN on page 72).
•
Configure the RADVD (see Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the LAN on page 77).
•
Optionally, manually add prefixes to the List of Prefixes for Prefix Delegation table on
the LAN Setup screen for IPv6 (see IPv6 LAN Prefixes for Prefix Delegation on
page 76).
•
Optionally, manually add prefixes to List of Prefixes to Advertise table on the RADVD
screen (see Advertisement Prefixes for the LAN on page 79).
Stateful DHCPv6 Server
The IPv6 clients in the LAN obtain an interface IP address, configuration information such as
DNS server information, and other parameters from the DHCPv6 server. The IP address is a
dynamic address. For stateful DHCPv6, you need to configure IPv6 address pools (see IPv6
LAN Address Pools on page 74).
LAN Configuration
71
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure the IPv6 LAN

To configure the IPv6 LAN settings:
1. Select Network Configuration > LAN Setup.
2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays
the IPv6 settings. (The following figure contains some examples.)
Figure 36.
LAN Configuration
72
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Enter the settings as explained in the following table. The IPv6 address pools and prefixes
for prefix delegation are explained in the sections following the table.
Table 12. LAN Setup screen settings for IPv6
Setting
Description
IPv6 LAN Setup
IPv6 Address
Enter the LAN IPv6 address. The default address is FEC0::1.(For more information,
see the introduction to this section, Manage the IPv6 LAN.)
IPv6 Prefix Length Enter the IPv6 prefix length, for example, 10 or 64. The default prefix length is 64.
DHCPv6
DHCP Status
Specify the status of the DHCPv6 server:
• Disable DHCPv6 Server. This is the default setting, and the DHCPv6 fields are
masked out.
• Enable the DHCPv6 Server. If you enable the server, you need to complete the
DHCPv6 fields.
DHCP Mode
Select one of the DHCPv6 modes from the drop-down list:
• Stateless. The IPv6 clients generate their own IP address by
using a combination of locally available information and router
advertisements, but receive DNS server information from the
DHCPv6 server. For stateless DHCPv6, you need to configure
the RADVD and advertisement prefixes (see Configure the
IPv6 Router Advertisement Daemon and Advertisement
Prefixes for the LAN on page 77). As an option, you can
enable prefix delegation (see the explanation further down in
this table).
• Stateful. The IPv6 clients obtain an interface IP address,
configuration information such as DNS server information, and
other parameters from the DHCPv6 server. The IP address is a
dynamic address. You need to add IPv6 address pools to the
List of IPv6 Address Pools table on the LAN Setup screen (see
IPv6 LAN Address Pools on page 74).
Prefix Delegation
If you have selected the stateless DHCPv6 mode, you can select
the Prefix Delegation check box:
• Prefix delegation check box is selected. The stateless
DHCPv6 server assigns prefixes to its IPv6 LAN clients. Make
sure that the Prefix Delegation check box on the ISP
Broadband Settings screen for IPv6 is also selected (see Use
a DHCPv6 Server to Configure an IPv6 Internet Connection on
page 37) to enable the wireless VPN firewall to acquire a prefix
from the ISP through prefix delegation. In this configuration, a
prefix is automatically added to the List of Prefixes for Prefix
Delegation table at the bottom of the LAN Setup screen (see
IPv6 LAN Prefixes for Prefix Delegation on page 76).
• Prefix delegation check box is cleared. Prefix delegation is
disabled in the LAN. This is the default setting.
Domain Name
Enter the domain name of the DHCP server.
LAN Configuration
73
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 12. LAN Setup screen settings for IPv6 (continued)
Setting
Description
DHCP Status
(continued)
Server Preference
Enter the DHCP server preference value. The possible values
are 0–255, with 255 as the default setting.
This is an optional setting that specifies the server’s preference
value in a server advertise message. The client selects the
server with the highest preference value as the preferred server.
DNS Servers
Select one of the DNS server options from the drop-down lists:
• Use DNS Proxy. The wireless VPN firewall acts as a proxy for
all DNS requests and communicates with the ISP’s DNS
servers that you configured on the Broadband ISP Settings
(IPv6) screen (see Configure a Static IPv6 Internet Connection
on page 39).
• Use DNS from ISP. The wireless VPN firewall uses the ISP’s
DNS servers that you configured on the Broadband ISP
Settings (IPv6) screen (see Configure a Static IPv6 Internet
Connection on page 39).
• Use below. When you select this option, the DNS server fields
become available for you to enter IP addresses.
Primary DNS Server
Enter the IP address of the primary
DNS server.
Secondary DNS Server
Enter the IP address of the secondary
DNS server.
Lease/Rebind Time Enter the period after which the DHCP lease is renewed with the
original DHCP server or rebound with another DHCP server to
extend the existing DHCP lease. The default period is
86400 seconds (24 hours).
4. Click Apply to save your changes.
IPv6 LAN Address Pools
If you configure a stateful DHCPv6 server for the LAN, you need to add local DHCP IPv6
address pools so the DHCPv6 server can control the allocation of IPv6 addresses in the LAN.

To add an IPv6 LAN address pool:
1. On the LAN Setup screen for IPv6, under the List of IPv6 Address Pools table, click
Add. The LAN IPv6 Config screen displays:
LAN Configuration
74
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 37.
2. Enter the settings as explained in the following table:
Table 13. LAN IPv6 Config screen settings
Setting
Description
Start IPv6 Address
Enter the start IP address. This address specifies the first of the contiguous
addresses in the IP address pool. Any new DHCPv6 client joining the LAN is
assigned an IP address between this address and the end IP address.
End IPv6 Address
Enter the end IP address. This address specifies the last of the contiguous
addresses in the IP address pool. Any new DHCPv6 client joining the LAN is
assigned an IP address between the start IP address and this IP address.
Prefix Length
Enter the IPv6 prefix length, for example, 10 or 64.
3. Click Apply to save your changes and add the new IPv6 address pool to the List of IPv6
Address Pools table on the LAN Setup screen for IPv6.

To edit an IPv6 LAN address pool:
1. On the LAN Setup screen for IPv6 (see Figure 36 on page 72), click the Edit button in
the Action column for the address pool that you want to modify. The LAN IPv6 Config
screen displays.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more IPv6 LAN address pools:
1. On the LAN Setup screen for IPv6 (see Figure 36 on page 72), select the check box to
the left of each address pool that you want to delete, or click the Select All table button
to select all address pools.
2. Click the Delete table button.
LAN Configuration
75
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IPv6 LAN Prefixes for Prefix Delegation
If you configure a stateless DHCPv6 server for the LAN and select the Prefix Delegation
check box (both on the ISP Broadband Settings screen for IPv6 and on the LAN Setup
screen for IPv6, a prefix delegation pool is automatically added to the List of Prefixes for
Prefix Delegation table. You can also manually add prefixes to the List of Prefixes for Prefix
Delegation table to enable the DHCPv6 server to assign these prefixes to its IPv6 LAN
clients.

To add an IPv6 prefix:
1. On the LAN Setup screen for IPv6, under the List of Prefixes for Prefix Delegation table,
click Add. The Add Prefix Delegation Prefixes screen displays:
Figure 38.
2. Enter the following settings:
• IPv6 Prefix. Enter a prefix, for example, 2001:db8::.
•
IPv6 Prefix Length. Enter the IPv6 prefix length, for example, 64.
3. Click Apply to save your changes and add the new prefix to the List of Prefixes for Prefix
Delegation table on the LAN Setup screen for IPv6.

To edit a prefix:
1. On the LAN Setup screen for IPv6 (see Figure 36 on page 72), click the Edit button in
the Action column for the prefix that you want to modify. The Edit Prefix Delegation
Prefixes screen displays.
2. Modify the settings as explained in Step 2 of the previous procedure.
3. Click Apply to save your settings.

To delete one or more prefixes:
1. On the LAN Setup screen for IPv6 (see Figure 36 on page 72), select the check box to
the left of each prefix that you want to delete, or click the Select All table button to
select all prefixes.
2. Click the Delete table button.
LAN Configuration
76
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the LAN
Note: If you do not configure stateful DHCPv6 for the LAN but use
stateless DHCPv6, you need to configure the Router Advertisement
Deamon (RADVD) and advertisement prefixes.
The RADVD is an application that uses the Neighbor Discovery Protocol (NDP) to collect
link-local advertisements of IPv6 addresses and IPv6 prefixes in the LAN. The RADVD then
distributes this information in the LAN, which allows IPv6 clients to configure their own IPv6
address.
Hosts and routers in the LAN use NDP to determine the link-layer addresses and related
information of neighbors in the LAN that can forward packets on their behalf. The wireless
VPN firewall periodically distributes router advertisements (RAs) throughout the LAN to
provide such information to the hosts and routers in the LAN. RAs include IPv6 addresses,
types of prefixes, prefix addresses, prefix lifetimes, the maximum transmission unit (MTU),
and so on. In addition to configuring the RADVD, you also need to configure the prefixes that
are advertised in the LAN RAs.
The following table provides an overview of how information is obtained in the LAN when you
have configured a stateless DHCPv6 server and the RADVD:
Table 14. DHCPv6 and RADVD interaction in the LAN
Flags in the RADVD
DHCPv6 Server Provides
RADVD Provides
Managed RA flag is set
• IP address assignment
• IP address assignment
• DNS server and other configuration information • Prefix
• Prefix length
• Gateway address
Other RA flag is set
DNS server and other configuration information
•
•
•
•
IP address assignment
Prefix
Prefix length
Gateway address
When the Managed flag is set in the RADVD, the DHCPv6 server can assign IP addresses,
and the RADVD also assigns IP addresses in the sense that it provides information that
allows IPv6 clients to configure their own IPv6 address.
When the Other flag is set, the DHCPv6 server does not assign IP addresses but provides
DNS server and other configuration information only.

To configure the Router Advertisement Daemon for the LAN:
1. Select Network Configuration > LAN Setup.
LAN Configuration
77
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. In the upper right of the screen, select the IPv6 radio button. The LAN Setup screen displays
the IPv6 settings (see Figure 36 on page 72.)
3. To the right of the LAN Setup tab, click the RADVD option arrow. The RADVD screen for the
LAN displays. (The following figure contains some examples.)
Figure 39.
4. Enter the settings as explained in the following table:
Table 15. RADVD screen settings for the LAN
Setting
Description
RADVD Status
Specify the RADVD status by making a selection from the drop-down list:
• Enable. The RADVD is enabled, and the RADVD fields become available for you to
configure.
• Disable. The RADVD is disabled, and the RADVD fields are masked out. This is the
default setting.
Advertise Mode
Specify the advertisement mode by making a selection from the drop-down list:
• Unsolicited Multicast. The wireless VPN firewall advertises unsolicited multicast
packets at a rate that is specified by the advertisement interval.
• Unicast only. The wireless VPN firewall responds to unicast packet requests only.
No unsolicited packets are advertised. Select this option for nonbroadcast multiple
access (NBMA) links such as ISATAP.
LAN Configuration
78
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 15. RADVD screen settings for the LAN (continued)
Setting
Description
Advertise Interval
Enter the advertisement interval of unsolicited multicast packets in seconds. The
minimum value is 10 seconds; the maximum value is 1800 seconds.
RA Flags
Specify what type of information the DHCPv6 server provides in the LAN by making a
selection from the drop-down list:
• Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
• Other. The DHCPv6 server is not used for autoconfiguration of the IP address, but
other configuration information such as DNS information is available through the
DHCPv6 server.
Note: Irrespective of the RA flag settings, the RADVD provides information about the
prefix, prefix length, and gateway addresses and is also used for autoconfiguration of
the IP address.
Router Preference Specify the wireless VPN firewall’s preference in relation to other hosts and routers in
the LAN by making a selection from the drop-down list:
• Low. The wireless VPN firewall is treated as a nonpreferred router in the LAN.
• Medium. The wireless VPN firewall is treated as a neutral router in the LAN.
• High. The wireless VPN firewall is treated as a preferred router in the LAN.
MTU
The maximum transmission unit (MTU) size for a packet in one transmission over a
link. The default setting is 1500.
Router Lifetime
The router lifetime specifies how long the default route that was created as a result of
the router advertisement should remain valid.
Enter the router lifetime in seconds. This is the period that the advertised prefixes are
valid for route determination. The default period is 3600 seconds (one hour). The
minimum value is 30 seconds; the maximum value is 9000 seconds.
5. Click Apply to save your changes.
Advertisement Prefixes for the LAN
You need to configure the prefixes that are advertised in the LAN RAs. For a 6to4 address,
you need to specify only the site level aggregation identifier (SLA ID) and the prefix lifetime.
For a global, local, or ISATAP address, you need to specify the prefix, prefix length, and
prefix lifetime.

To add an advertisement prefix for the LAN:
1. On the RADVD screen for the LAN, under the List of Prefixes to Advertise table, click
Add. The Add Advertisement Prefix screen displays:
LAN Configuration
79
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 40.
2. Enter the settings as explained in the following table:
Table 16. Add Advertisement Prefix screen settings for the LAN
Setting
Description
IPv6 Prefix Type
Specify the IPv6 prefix type by making a selection from the drop-down list:
• 6to4. The prefix is for a 6to4 address. You need to complete the SLA ID field and
Prefix Lifetime field. The other fields are masked out.
• Global/Local/ISATAP. The prefix is for a global, local, or ISATAP address. This
needs to be a global prefix or a site-local prefix; it cannot be a link-local prefix. You
need to complete the IPv6 Prefix field, IPv6 Prefix Length field, and Prefix Lifetime
field. The SLA ID field is masked out.
SLA ID
Enter the site level aggregation identifier (SLA ID) for the 6to4 address prefix that
should be included in the advertisement.
IPv6 Prefix
Enter the IPv6 prefix for the wireless VPN firewall’s LAN that should be included in the
advertisement.
IPv6 Prefix Length
Enter the IPv6 prefix length (typically 64) that should be included in the advertisement.
Prefix Lifetime
The prefix lifetime specifies how long the IP address that was created as a result of the
router advertisement should remain valid.
Enter the prefix lifetime in seconds that should be included in the advertisement. The
minimum period is 0 seconds; the maximum period is 65536 seconds.
3. Click Apply to save your changes and add the new IPv6 address pool to the List of Prefixes
to Advertise table on the RADVD screen for the LAN.

To edit an advertisement prefix:
1. On the RADVD screen for the LAN (see Figure 39 on page 78), click the Edit button in
the Action column for the advertisement prefix that you want to modify. The Add
Advertisement Prefix screen displays.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
LAN Configuration
80
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To delete one or more advertisement prefixes:
1. On the RADVD screen for the LAN (see Figure 39 on page 78), select the check box to
the left of each advertisement prefix that you want to delete, or click the Select All table
button to select all advertisement prefixes.
2. Click the Delete table button.
Configure IPv6 Multihome LAN IP Addresses on the
Default VLAN
If you have computers using different IPv6 networks in the LAN, (for example, FEC0::2 or
FEC0::1000:10), you can add aliases to the LAN ports and give computers on those
networks access to the Internet, but you can do so only for the default VLAN. The IP address
that is assigned as a secondary IP address needs to be unique and cannot be assigned to a
VLAN.
Make sure that any secondary LAN addresses are different from the primary LAN, WAN, and
DMZ IP addresses and subnet addresses that are already configured on the wireless VPN
firewall. The following is an example of correctly configured IPv6 addresses:

•
WAN IP address. 2000::e246:9aff:fe1d:1a9c with a prefix length of 64
•
DMZ IP address. 176::e246:9aff:fe1d:a1bc with a prefix length of 64
•
Primary LAN IP address. FEC0::1 with a prefix length of 10
•
Secondary LAN IP address. 2001:db8:3000::2192 with a prefix length of 10.
To add a secondary LAN IPv6 address:
1. Select Network Configuration > LAN Setup > LAN Multi-homing.
2. In the upper right of the screen, select the IPv6 radio button. The LAN Multi-homing screen
displays the IPv6 settings. (The following figure contains one example.)
Figure 41.
The Available Secondary LAN IPs table displays the secondary LAN IP addresses added
to the wireless VPN firewall.
LAN Configuration
81
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. In the Add Secondary LAN IP Address section of the screen, enter the following settings:
• IPv6 Address. Enter the secondary address that you want to assign to the LAN ports.
•
Prefix Length. Enter the prefix length for the secondary IP address.
4. Click the Add table button in the rightmost column to add the secondary IP address to the
Available Secondary LAN IPs table.
Repeat Step 2 and Step 3 for each secondary IP address that you want to add to the
Available Secondary LAN IPs table.
Note: Secondary IP addresses cannot be configured in the DHCP server.
The hosts on the secondary subnets need to be manually configured
with the IP addresses, gateway IP address, and DNS server IP
addresses.

To edit a secondary LAN IP address:
1. On the LAN Multi-homing screen for IPv6 (see the previous figure), click the Edit button
in the Action column for the secondary IP address that you want to modify. The Edit LAN
Multi-homing screen displays.
2. Modify the IP address or prefix length, or both.
3. Click Apply to save your settings.

To delete one or more secondary LAN IP addresses:
1. On the LAN Multi-homing screen for IPv6 (see the previous figure), select the check box
to the left of each secondary IP address that you want to delete, or click the Select All
table button to select secondary IP addresses.
2. Click the Delete table button.
Enable and Configure the DMZ Port for IPv4 and IPv6
Traffic
The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions than
the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or email
server) and provide public access to them. The rightmost LAN port on the wireless VPN
firewall can be dedicated as a hardware DMZ port to safely provide services to the Internet
without compromising security on your LAN.
By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling
the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN
ports.
LAN Configuration
82
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Using a DMZ port is also helpful with online games and videoconferencing applications that
are incompatible with NAT. The wireless VPN firewall is programmed to recognize some of
these applications and to work correctly with them, but there are other applications that might
not function well. In some cases, local computers can run the application correctly if those
computers are used on the DMZ port.
Note: A separate firewall security profile is provided for the DMZ port that
is also physically independent of the standard firewall security
component that is used for the LAN.
Note: For information about how to define the DMZ WAN rules and LAN
DMZ rules, see Configure DMZ WAN Rules on page 142 and
Configure LAN DMZ Rules on page 150, respectively.
Note: When you enable the DMZ port for IPv4 traffic, IPv6 traffic, or both,
the DMZ LED next to LAN port 8 (see Front Panel on page 15) lights
green to indicate that the DMZ port is enabled.
DMZ Port for IPv4 Traffic
The DMZ Setup (IPv4) screen lets you set up the DMZ port for IPv4 traffic. You can enable or
disable the hardware DMZ port (LAN port 8; see Front Panel on page 15) and configure an
IPv4 address and subnet mask for the DMZ port.

To enable and configure the DMZ port for IPv4 traffic:
1. Select Network Configuration > DMZ Setup. In the upper right of the screen, the IPv4
radio button is selected by default. The DMZ Setup screen displays the IPv4 settings:
LAN Configuration
83
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 42.
2. Enter the settings as explained in the following table:
Table 17. DMZ Setup screen settings for IPv4
Setting
Description
DMZ Port Setup
Do you want to
enable DMZ Port?
Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and
Subnet Mask fields.
• No. Allows you to disable the DMZ port after you have configured it.
IP Address
Enter the IP address of the DMZ port. Make sure that the DMZ
port IP address and LAN port IP address are in different
subnets (for example, an address outside the LAN DHCP
address pool, such as 192.168.1.101 when the LAN DHCP
pool is 192.168.1.2–192.168.1.100). The default IP address for
the DMZ port 176.16.2.1.
LAN Configuration
84
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 17. DMZ Setup screen settings for IPv4 (continued)
Setting
Description
Do you want to
enable DMZ Port?
(continued)
Subnet Mask
Enter the IP subnet mask of the DMZ port. The subnet mask
specifies the network number portion of an IP address. The
subnet mask for the DMZ port is 255.255.255.0.
DHCP for DMZ Connected Computers
Disable DHCP Server If another device on your network is the DHCP server for the VLAN, or if you will
manually configure the network settings of all of your computers, select the Disable
DHCP Server radio button to disable the DHCP server. This is the default setting.
Enable DHCP Server Select the Enable DHCP Server radio button to enable the wireless VPN firewall to
function as a Dynamic Host Configuration Protocol (DHCP) server, providing
TCP/IP configuration for all computers connected to the VLAN. Enter the following
settings:
Domain Name
This setting is optional. Enter the domain name of the wireless
VPN firewall.
Start IP Address
Enter the start IP address. This address specifies the first of
the contiguous addresses in the IP address pool. Any new
DHCP client joining the LAN is assigned an IP address
between this address and the end IP address. The default IP
address 176.16.2.100.
End IP Address
Enter the end IP address. This address specifies the last of the
contiguous addresses in the IP address pool. Any new DHCP
client joining the LAN is assigned an IP address between the
start IP address and this IP address. The default IP address
176.16.2.254.
Note: The start and end DHCP IP addresses should be in the
same network as the LAN TCP/IP address of the wireless VPN
firewall (that is, the IP address in the DMZ Port Setup section
as described earlier in this table).
Primary DNS
Server
This setting is optional. If an IP address is specified, the
wireless VPN firewall provides this address as the primary
DNS server IP address. If no address is specified, the wireless
VPN firewall provides its own LAN IP address as the primary
DNS server IP address.
Secondary DNS
Server
This setting is optional. If an IP address is specified, the
wireless VPN firewall provides this address as the secondary
DNS server IP address.
WINS Server
This setting is optional. Enter a WINS server IP address to
specify the Windows NetBIOS server, if one is present in your
network.
Lease Time
Enter a lease time. This specifies the duration for which IP
addresses are leased to clients.
LAN Configuration
85
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 17. DMZ Setup screen settings for IPv4 (continued)
Setting
Description
DHCP Relay
To use the wireless VPN firewall as a DHCP relay agent for a DHCP server
somewhere else in your network, select the DHCP Relay radio button. Enter the
following setting:
Relay Gateway
Enable LDAP
information
The IP address of the DHCP server for which the wireless VPN
firewall serves as a relay.
To enable the DHCP server to provide Lightweight Directory Access Protocol
(LDAP) server information, select the Enable LDAP information check box. Enter
the following settings.
LDAP Server
The IP address or name of the LDAP server.
Search Base
The search objects that specify the location in the directory tree
from which the LDAP search begins. You can specify multiple
search objects, separated by commas. The search objects
include:
• CN (for common name)
• OU (for organizational unit)
• O (for organization)
• C (for country)
• DC (for domain)
For example, to search the Netgear.net domain for all last
names of Johnson, you would enter:
cn=Johnson,dc=Netgear,dc=net
Port
The port number for the LDAP server. The default setting is 0
(zero).
DNS Proxy
Enable DNS Proxy
This setting is optional. To enable the wireless VPN firewall to provide a LAN IP
address for DNS address name resolution, select the Enable DNS Proxy check
box. This check box is selected by default.
Note: When the DNS Proxy option is disabled, all DHCP clients receive the DNS
IP addresses of the ISP but without the DNS proxy IP address.
3. Click Apply to save your settings.
DMZ Port for IPv6 Traffic
The DMZ Setup (IPv6) screen lets you set up the DMZ port for IPv6 traffic. You can enable or
disable the hardware DMZ port (LAN port 8; see Front Panel on page 15) for IPv6 traffic and
configure an IPv6 address and prefix length for the DMZ port.
The IPv6 clients in the DMZ can autoconfigure their own IPv6 address or obtain an IPv6
address through a DHCPv6 server.
LAN Configuration
86
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
For the DMZ, there are two DHCPv6 server options:

•
Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by
using a combination of locally available information and router advertisements, but
receive DNS server information from the DHCPv6 server. For stateless DHCPv6, you
need to configure the RADVD and advertisement prefixes (see Configure the IPv6 Router
Advertisement Daemon and Advertisement Prefixes for the DMZ on page 90).
•
Stateful DHCPv6 server. The IPv6 clients in the DMZ obtain an interface IP address,
configuration information such as DNS server information, and other parameters from the
DHCPv6 server. The IP address is a dynamic address. For stateful DHCPv6, you need to
configure IPv6 address pools (see IPv6 DMZ Address Pools on page 89).
To enable and configure the DMZ port for IPv6 traffic:
1. Select Network Configuration > DMZ Setup.
2. In the upper right of the screen, select the IPv6 radio button. The DMZ Setup screen
displays the IPv6 settings:
Figure 43.
LAN Configuration
87
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Enter the settings as explained in the following table:
Table 18. DMZ Setup screen settings for IPv6
Setting
Description
DMZ Port Setup
Do you want to
enable DMZ Port?
Select one of the following radio buttons:
• Yes. Enables you to configure the DMZ port settings. Fill in the IP Address and
Subnet Mask fields.
• No. Allows you to disable the DMZ port after you have configured it.
IPv6 Address
Enter the IP address of the DMZ port. Make sure that the DMZ
port IP address, LAN port IP address, and WAN port IP
address are in different subnets. The default IP address for the
DMZ port is 176::1.
Prefix Length
Enter the IPv6 prefix length, for example, 10 or 64. The default
prefix length for the DMZ port is 64.
DHCPv6 for DMZ Connected Computers
DHCP Status
Specify the status of the DHCPv6 server:
• Disable DHCPv6 Server. This is the default setting, and the DHCPv6 fields are
masked out.
• Enable the DHCPv6 Server. If you enable the server, you need to complete the
DHCPv6 fields.
DHCP Mode
Select one of the DHCPv6 modes from the drop-down list:
• Stateless. The IPv6 clients generate their own IP address by
using a combination of locally available information and
router advertisements, but receive DNS server information
from the DHCPv6 server. For stateless DHCPv6, you need to
configure the RADVD and advertisement prefixes (see
Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the DMZ on page 90).
• Stateful. The IPv6 clients obtain an interface IP address,
configuration information such as DNS server information,
and other parameters from the DHCPv6 server. The IP
address is a dynamic address. (see IPv6 DMZ Address
Pools on page 89).
Domain Name
Enter the domain name of the DHCP server.
Server Preference Enter the DHCP server preference value. The possible values
are 0–255, with 255 as the default setting.
This is an optional setting that specifies the server’s preference
value in a server advertise message. The client selects the
server with the highest preference value as the preferred
server.
LAN Configuration
88
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 18. DMZ Setup screen settings for IPv6 (continued)
Setting
Description
DHCP Status
(continued)
DNS Server
Select one of the DNS server options from the drop-down lists:
• Use DNS Proxy. The wireless VPN firewall acts as a proxy
for all DNS requests and communicates with the ISP’s DNS
servers that you configured on the Broadband ISP Settings
(IPv6) screen (see Configure a Static IPv6 Internet
Connection on page 39).
• Use DNS from ISP. The wireless VPN firewall uses the ISP’s
DNS servers that you configured on the Broadband ISP
Settings (IPv6) screen (see Configure a Static IPv6 Internet
Connection on page 39).
• Use below. When you select this option, the DNS server
fields become available for you to enter IP addresses.
Primary DNS Server
Secondary DNS Server
Lease/Rebind
Time
Enter the period after which the DHCP lease is renewed with
the original DHCP server or rebound with another DHCP
server to extend the existing DHCP lease. The default period is
86400 seconds (24 hours).
4. Click Apply to save your settings.
IPv6 DMZ Address Pools
If you configure a stateful DHCPv6 server for the DMZ, you need to add local DHCP IPv6
address pools so the DHCPv6 server can control the allocation of IPv6 addresses in the
DMZ.

To add an IPv6 DMZ address pool:
1. On the DMZ Setup screen for IPv6 (see Figure 43 on page 87), under the List of IPv6
Address Pools table, click Add. The DMZ IPv6 Config screen displays:
Figure 44.
LAN Configuration
89
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Enter the settings as explained in the following table:
Table 19. DMZ IPv6 Config screen settings
Setting
Description
Start IPv6 Address
Enter the start IP address. This address specifies the first of the contiguous
addresses in the IP address pool. Any new DHCPv6 client joining the DMZ is
assigned an IP address between this address and the end IP address.
End IPv6 Address
Enter the end IP address. This address specifies the last of the contiguous
addresses in the IP address pool. Any new DHCPv6 client joining the DMZ is
assigned an IP address between the start IP address and this IP address.
Prefix Length
Enter the IPv6 prefix length, for example, 10 or 64.
3. Click Apply to save your changes and add the new IPv6 address pool to the List of IPv6
Address Pools table on the DMZ Setup (IPv6) screen.

To edit an IPv6 DMZ address pool:
1. On the DMZ Setup screen for IPv6 (see Figure 43 on page 87), click the Edit button in
the Action column for the address pool that you want to modify. The DMZ IPv6 Config
screen displays.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more IPv6 DMZ address pools:
1. On the DMZ Setup screen for IPv6 (see Figure 43 on page 87), select the check box to
the left of each address pool that you want to delete, or click the Select All table button
to select all address pools.
2. Click the Delete table button.
Configure the IPv6 Router Advertisement Daemon and
Advertisement Prefixes for the DMZ
Note: If you do not configure stateful DHCPv6 for the DMZ but use
stateless DHCPv6, you need to configure the Router Advertisement
Deamon (RADVD) and advertisement prefixes.
The RADVD is an application that uses the Neighbor Discovery Protocol (NDP) to collect
link-local advertisements of IPv6 addresses and IPv6 prefixes in the DMZ. The RADVD then
distributes this information in the DMZ, which allows IPv6 clients to configure their own IPv6
address.
LAN Configuration
90
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Hosts and routers in the LAN use NDP to determine the link-layer addresses and related
information of neighbors in the LAN that can forward packets on their behalf. The wireless
VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to
provide such information to the hosts and routers in the DMZ. RAs include IPv6 addresses,
types of prefixes, prefix addresses, prefix lifetimes, the maximum transmission unit (MTU),
and so on. In addition to configuring the RADVD, you also need to configure the prefixes that
are advertised in the DMZ RAs.
The following table provides an overview of how information is obtained in the DMZ when you
have configured a stateless DHCPv6 server and the RADVD:
Table 20. DHCPv6 and RADVD interaction in the DMZ
Flags in the RADVD
DHCPv6 Server Provides
RADVD Provides
Managed RA flag is set
• IP address assignment
• IP address assignment
• DNS server and other configuration information • Prefix
• Prefix length
• Gateway address
Other RA flag is set
DNS server and other configuration information
•
•
•
•
IP address assignment
Prefix
Prefix length
Gateway address
When the Managed flag is set in the RADVD, the DHCPv6 server can assign IP addresses,
and the RADVD also assigns IP addresses in the sense that it provides information that
allows IPv6 clients to configure their own IPv6 address.
When the Other flag is set, the DHCPv6 server does not assign IP addresses but provides
DNS server and other configuration information only.

To configure the Router Advertisement Daemon for the DMZ:
1. Select Network Configuration > DMZ Setup.
2. In the upper right of the screen, select the IPv6 radio button. The DMZ Setup screen
displays the IPv6 settings (see Figure 43 on page 87).
3. Click the RADVD option arrow to the right of the DMZ Setup tab. The RADVD screen for the
DMZ displays. (The following figure contains some examples.)
LAN Configuration
91
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 45.
4. Enter the settings as explained in the following table:
Table 21. RADVD screen settings for the DMZ
Setting
Description
RADVD Status
Specify the RADVD status by making a selection from the drop-down list:
• Enable. The RADVD is enabled, and the RADVD fields become available for you to
configure.
• Disable. The RADVD is disabled, and the RADVD fields are masked out. This is the
default setting.
Advertise Mode
Specify the advertisement mode by making a selection from the drop-down list:
• Unsolicited Multicast. The wireless VPN firewall advertises unsolicited multicast
packets at a rate that is specified by the advertisement interval.
• Unicast only. The wireless VPN firewall responds to unicast packet requests only.
No unsolicited packets are advertised. Select this option for nonbroadcast multiple
access (NBMA) links such as ISATAP.
Advertise Interval
Enter the advertisement interval of unsolicited multicast packets in seconds. The
minimum value is 10 seconds; the maximum value is 1800 seconds.
LAN Configuration
92
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 21. RADVD screen settings for the DMZ (continued)
Setting
Description
RA Flags
Specify what type of information the DHCPv6 server provides in the DMZ by making a
selection from the drop-down list:
• Managed. The DHCPv6 server is used for autoconfiguration of the IP address.
• Other. The DHCPv6 server is not used for autoconfiguration of the IP address, but
other configuration information such as DNS information is available through the
DHCPv6 server.
Note: Irrespective of the RA flag settings, the RADVD provides information about the
prefix, prefix length, and gateway addresses and is also used for autoconfiguration of
the IP address.
Router Preference Specify the wireless VPN firewall’s preference in relation to other hosts and routers in
the DMZ by making a selection from the drop-down list:
• Low. The wireless VPN firewall is treated as a nonpreferred router in the DMZ.
• Medium. The wireless VPN firewall is treated as a neutral router in the DMZ.
• High. The wireless VPN firewall is treated as a preferred router in the DMZ.
MTU
The maximum transmission unit (MTU) size for a packet in one transmission over a
link. The default setting is 1500.
Router Lifetime
The router lifetime specifies how long the default route that was created as a result of
the router advertisement should remain valid.
Enter the router lifetime in seconds. This is the period that the advertised prefixes are
valid for route determination. The default period is 3600 seconds (one hour). The
minimum value is 30 seconds; the maximum value is 9000 seconds.
5. Click Apply to save your changes.
Advertisement Prefixes for the DMZ
You need to configure the prefixes that are advertised in the DMZ RAs. For a 6to4 address,
you need to specify only the site level aggregation identifier (SLA ID) and the prefix lifetime.
For a global, local, or ISATAP address, you need to specify the prefix, prefix length, and
prefix lifetime.

To add an advertisement prefix for the DMZ:
1. On the RADVD screen for the DMZ, under the List of Prefixes to Advertise table, click
Add. The Add Advertisement Prefix screen displays:
LAN Configuration
93
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 46.
2. Enter the settings as explained in the following table:
Table 22. Add Advertisement Prefix screen settings for the DMZ
Setting
Description
IPv6 Prefix Type
Specify the IPv6 prefix type by making a selection from the drop-down list:
• 6to4. The prefix is for a 6to4 address. You need to complete the SLA ID field and
Prefix Lifetime field. The other fields are masked out.
• Global/Local/ISATAP. The prefix is for a global, local, or ISATAP address. This
needs to be a global prefix or a site-local prefix; it cannot be a link-local prefix. You
need to complete the IPv6 Prefix field, IPv6 Prefix Length field, and Prefix Lifetime
field. The SLA ID field is masked out.
SLA ID
Enter the site level aggregation identifier (SLA ID) for the 6to4 address prefix that
should be included in the advertisement.
IPv6 Prefix
Enter the IPv6 prefix for the wireless VPN firewall’s DMZ that should be included in the
advertisement.
IPv6 Prefix Length
Enter the IPv6 prefix length (typically 64) that should be included in the advertisement.
Prefix Lifetime
The prefix lifetime specifies how long the IP address that was created as a result of the
router advertisement should remain valid.
Enter the prefix lifetime in seconds that should be included in the advertisement. The
minimum period is 0 seconds; the maximum period is 65536 seconds.
3. Click Apply to save your changes and add the new IPv6 address pool to the List of Prefixes
to Advertise table on the RADVD screen for the DMZ.

To edit an advertisement prefix:
1. On the RADVD screen for the DMZ (see Figure 45 on page 92), click the Edit button in
the Action column for the advertisement prefix that you want to modify. The Add
Advertisement Prefix screen displays.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
LAN Configuration
94
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To delete one or more advertisement prefixes:
1. On the RADVD screen for the DMZ screen (see Figure 45 on page 92), select the check
box to the left of each advertisement prefix that you want to delete, or click the Select
All table button to select all advertisement prefixes.
2. Click the Delete table button.
Manage Static IPv4 Routing
Static routes provide additional routing information to your wireless VPN firewall. Under
normal circumstances, the wireless VPN firewall has adequate routing information after it has
been configured for Internet access, and you do not need to configure additional static
routes. You should configure static routes only for unusual cases such as multiple firewalls or
multiple IP subnets located on your network.
Note: The wireless VPN firewall automatically sets up routes between
VLANs and secondary IPv4 addresses that you have configured on
the LAN Multi-homing (IPv4) screen (see Configure IPv4 Multihome
LAN IP Addresses on the Default VLAN on page 62). Therefore, you
do not need to manually add an IPv4 static route between a VLAN
and a secondary IPv4 address.
Configure Static IPv4 Routes

To add an IPv4 static route to the Static Route table:
1. Select Network Configuration > Routing. In the upper right of the screen, the IPv4
radio button is selected by default. The Static Routing screen displays the IPv4 settings.
(The following figure contains one example.)
Figure 47.
2. Click the Add table button under the Static Routes table. The Add Static Route screen
displays:
LAN Configuration
95
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 48.
3. Enter the settings as explained in the following table:
Table 23. Add Static Route screen settings for IPv4
Setting
Description
Route Name
The route name for the static route (for purposes of identification and
management).
Active
To make the static route effective, select the Active check box.
Note: A route can be added to the table and made inactive if not needed. This
allows you to use routes as needed without deleting and re-adding the entry. An
inactive route is not advertised if RIP is enabled.
Private
If you want to limit access to the LAN only, select the Private check box. Doing so
prevents the static route from being advertised in RIP.
Destination IP Address The destination IP address of the host or network to which the route leads.
Subnet Mask
The IP subnet mask of the host or network to which the route leads. If the
destination is a single host, enter 255.255.255.255.
Interface
From the drop-down list, select the physical or virtual network interface (WAN,
LAN, or DMZ interface ) through which the route is accessible.
Gateway IP Address
The gateway IP address through which the destination host or network can be
reached.
Metric
The priority of the route. Select a value between 2 and 15. If multiple routes to the
same destination exist, the route with the lowest metric is used.
4. Click Apply to save your settings. The new static route is added to the Static Routes table.
LAN Configuration
96
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To edit an IPv4 static route:
1. On the Static Routing screen for IPv4 (see Figure 47 on page 95), click the Edit button
in the Action column for the route that you want to modify. The Edit Static Route screen
displays. This screen is identical to the Add Static Route screen (see the previous
figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more routes:
1. On the Static Routing screen for IPv4 (see Figure 47 on page 95), select the check box
to the left of each route that you want to delete, or click the Select All table button to
select all routes.
2. Click the Delete table button.
Configure the Routing Information Protocol
Routing Information Protocol (RIP), RFC 2453, is an Interior Gateway Protocol (IGP) that is
commonly used in internal IPv4 networks (LANs). RIP enables a router to exchange its
routing information automatically with other routers, to dynamically adjust its routing tables,
and to adapt to changes in the network. RIP is disabled by default. RIP does not apply to
IPv6.

To enable and configure RIP:
1. Select Network Configuration > Routing. In the upper right of the screen, the IPv4
radio button is selected by default. The Static Routing screen displays the IPv4 settings
(see Figure 47 on page 95).
2. Click the RIP Configuration option arrow to the right of the Static Routing submenu tab.
The RIP Configuration screen displays. (The following figure contains some examples.)
LAN Configuration
97
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 49.
3. Enter the settings as explained in the following table:
Table 24. RIP Configuration screen settings
Setting
Description
RIP
RIP Direction
From the RIP Direction drop-down list, select the direction in which the wireless
VPN firewall sends and receives RIP packets:
• None. The wireless VPN firewall neither advertises its route table, nor accepts
any RIP packets from other routers. This effectively disables RIP, and is the
default setting.
• In Only. The wireless VPN firewall accepts RIP information from other routers
but does not advertise its routing table.
• Out Only. The wireless VPN firewall advertises its routing table but does not
accept RIP information from other routers.
• Both. The wireless VPN firewall advertises its routing table and also processes
RIP information received from other routers.
LAN Configuration
98
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 24. RIP Configuration screen settings (continued)
Setting
Description
RIP Version
By default, the RIP version is set to Disabled. From the RIP Version drop-down list,
select the version:
• RIP-1. Classful routing that does not include subnet information. This is the most
commonly supported version.
• RIP-2. Routing that supports subnet information. Both RIP-2B and RIP-2M send
the routing data in RIP-2 format:
- RIP-2B. Sends the routing data in RIP-2 format and uses subnet
broadcasting.
- RIP-2M. Sends the routing data in RIP-2 format and uses multicasting.
Authentication for RIP-2B/2M
Authentication for
RIP-2B/2M required?
Authentication for RP-2B or RIP-2M is disabled by default, that is, the No radio
button is selected. To enable authentication for RP-2B or RIP-2M, select the Yes
radio button, and enter the settings for the following fields.
First Key Parameters
MD5 Key Id
The identifier for the key that is used for authentication.
MD5 Auth Key
The password that is used for MD5 authentication.
Not Valid Before
The beginning of the lifetime of the MD5 key. Enter the month,
date, year, hour, minute, and second. Before this date and
time, the MD5 key is not valid.
Not Valid After
The end of the lifetime of the MD5 key. Enter the month, date,
year, hour, minute, and second. After this date and time, the
MD5 key is no longer valid.
Second Key Parameters
MD5 Key Id
The identifier for the key that is used for authentication.
MD5 Auth Key
The password that is used for MD5 authentication.
Not Valid Before
The beginning of the lifetime of the MD5 key. Enter the month,
date, year, hour, minute, and second. Before this date and
time, the MD5 key is not valid.
Not Valid After
The end of the lifetime of the MD5 key. Enter the month, date,
year, hour, minute, and second. After this date and time, the
MD5 key is no longer valid.
4. Click Apply to save your settings.
LAN Configuration
99
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IPv4 Static Route Example
In this example, we assume the following:
•
The wireless VPN firewall’s primary Internet access is through a cable modem to an ISP.
•
The wireless VPN firewall is on a local LAN with IP address 192.168.1.100.
•
The wireless VPN firewall connects to a remote network where you need to access a
device.
•
The LAN IP address of the remote network is 134.177.0.0.
When you first configured the wireless VPN firewall, two implicit static routes were created:
•
A default static route was created with your ISP as the gateway.
•
A second static route was created to the local LAN for all 192.168.1.x addresses.
With this configuration, if you attempt to access a device on the 134.177.0.0 remote network,
the wireless VPN firewall forwards your request to the ISP. In turn, the ISP forwards your
request to the remote network, where the request is likely to be denied by the remote
network’s firewall.
In this case, you need to define a static route, informing the wireless VPN firewall that the
134.177.0.0 IP address should be accessed through the local LAN IP address
(192.168.1.100).
The static route on the wireless VPN firewall needs to be defined as follows:
•
The destination IP address and IP subnet mask need to specify that the static route
applies to all 134.177.x.x IP addresses.
•
The gateway IP address needs to specify that all traffic for the 134.177.x.x IP addresses
should be forwarded to the local LAN IP address (192.168.1.100).
•
A metric value of 1 should work since the wireless VPN firewall is on the local LAN.
•
The static route can be made private only as a precautionary security measure in case
RIP is activated.
Manage Static IPv6 Routing
At this time, NETGEAR’s implementation of IPv6 does not support RIP next generation
(RIPng) to exchange routing information, and dynamic changes to IPv6 routes are not
possible. To enable routers to exchange information over a static IPv6 route, you need to
manually configure the static route information on each router.

To add an IPv6 static route to the Static Route table:
1. Select Network Configuration > Routing.
2. In the upper right of the screen, select the IPv6 radio button. The Static Routing screen
displays the IPv6 settings:
LAN Configuration
100
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 50.
3. Click the Add table button under the Static Routes table. The Add IPv6 Static Routing
screen displays:
Figure 51.
4. Enter the settings as explained in the following table:
Table 25. Add IPv6 Static Routing screen settings
Setting
Description
Route Name
The route name for the static route (for purposes of identification and
management).
Active
To make the static route effective, select the Active check box.
Note: A route can be added to the table and made inactive if not needed. This
allows you to use routes as needed without deleting and re-adding the entry.
IPv6 Destination
The destination IPv6 address of the host or network to which the route leads.
IPv6 Prefix Length
The destination IPv6 prefix length of the host or network to which the route leads.
LAN Configuration
101
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 25. Add IPv6 Static Routing screen settings (continued)
Setting
Description
Interface
From the drop-down list, select the physical or virtual network interface (WAN1,
sit0 Tunnel, or LAN) through which the route is accessible.
IPv6 Gateway
The gateway IPv6 address through which the destination host or network can be
reached.
Metric
The priority of the route. Select a value between 2 and 15. If multiple routes to the
same destination exist, the route with the lowest metric is used.
5. Click Apply to save your settings. The new static route is added to the List of IPv6 Static
Routes table.

To edit an IPv6 static route:
1. On the Static Routing screen for IPv6 (see Figure 50 on page 101), click the Edit button
in the Action column for the route that you want to modify. The Edit IPv6 Static Routing
screen displays. This screen is identical to the Add IPv6 Static Routing screen.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more routes:
1. On the Static Routing screen for IPv6 (see Figure 50 on page 101), select the check box
to the left of each route that you want to delete, or click the Select All table button to
select all routes.
2. Click the Delete table button.
LAN Configuration
102
4.
Wireless Configuration and Security
4
This chapter describes how to configure the wireless features of your ProSafe Wireless-N 8-Port
Gigabit VPN Firewall FVS318N. This chapter includes the following sections:
•
Overview of the Wireless Features
•
Configure the Basic Radio Settings
•
Wireless Data Security Options
•
Wireless Security Profiles
•
Configure Advanced Radio Settings
•
Test Basic Wireless Connectivity
Before you set up the wireless features that are described in this chapter, connect the
wireless VPN firewall and get the Internet connection working. The wireless VPN firewall
should work with an Ethernet WAN connection. In planning your wireless network, consider
the level of security required.
WARNING:
If you are configuring the wireless settings from a wireless
computer and you change the wireless VPN firewall’s SSID,
channel, or wireless security settings, you will lose your wireless
connection when you click Apply. You then need to change the
wireless settings of your computer to match the wireless VPN
firewall’s new settings.
Overview of the Wireless Features
The wireless VPN firewall integrates a single 2.4 GHz radio and physical access point that
provides 2.4 GHz 802.11b/g/n connectivity between wired Ethernet networks and
radio-equipped wireless notebook systems, desktop systems, print servers, and other
devices. You can configure up to four wireless security profiles and SSIDs, allowing you to
tailor access and security to a variety of wireless clients.
The wireless VPN firewall provides wireless connectivity to multiple wireless network devices
within a fixed range or area of coverage—interacting with a wireless network interface card
103
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
(NIC) through an antenna. Typically, an individual in-building wireless access point provides a
maximum connectivity area of about a 300-foot radius. The wireless VPN firewall can support
a small group of wireless users—typically 10 to 32 users.
Configure the wireless features according to the order of the following sections:
1. Configure the Basic Radio Settings
2. Configure and Enable Wireless Profiles
3. (Optional) Configure Wi-Fi Protected Setup
4. (Optional) Configure Advanced Radio Settings
Wireless Equipment Placement and Range Guidelines
The range of your wireless connection can vary significantly based on the location of the
wireless VPN firewall. The latency, data throughput performance, and notebook power
consumption of wireless adapters also vary depending on your configuration choices.
Note: Failure to follow these guidelines can result in significant performance
degradation or inability to wirelessly connect to the wireless VPN firewall.
For complete performance specifications, see the Data Sheet at
http://www.netgear.com/images/FVS318N_DS_23Aug1118-36060.pdf.
For best results, place your wireless VPN firewall according to the following general
guidelines:
•
Near the center of the area in which your wireless devices will operate.
•
In an elevated location such as a high shelf where the wirelessly connected devices have
line-of-sight access (even if through walls).
•
Away from sources of interference, such as computers, microwaves ovens, and 2.4-GHz
cordless phones.
•
Away from large metal surfaces or water.
•
Placing the antennas in a vertical position provides the best side-to-side coverage.
Placing the antennas in a horizontal position provides the best up-and-down coverage.
•
If you are using multiple wireless access points such as the wireless VPN firewall, it is
better if access points use different radio frequency channels to reduce interference. The
recommended channel space between adjacent access points is five channels (for
example, use channels 1 and 6, or 6 and 11, or 1 and 11).
•
The time it takes to establish a wireless connection can vary depending on both your
security settings and placement. WEP connections can take slightly longer to establish.
Also, WEP encryption can consume more battery power on a notebook computer.
Wireless Configuration and Security
104
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure the Basic Radio Settings
The radio settings apply to all wireless profiles on the wireless VPN firewall. The default
wireless mode is 802.11ng. You can change the wireless mode, country, and many other
radio settings on the Radio Settings screen (described in this section) and on the Advanced
Wireless screen (see Configure Advanced Radio Settings on page 122). The default radio
settings should work well for most configurations.

To configure the basic radio settings:
1. Select Network Configuration > Wireless Settings > Radio Settings. The Radio
Settings screen displays:
Figure 52.
2. Specify the remaining wireless settings as explained the following table:
Table 26. Radio Settings screen settings
Setting
Descriptions
Region
This is a preconfigured field that you cannot change.
Country
Specify the country by making a selection from the drop-down list.
Operating Frequency
This is a nonconfigurable field. The radio’s operating frequency is fixed at
2.4 GHz.
Wireless Configuration and Security
105
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 26. Radio Settings screen settings (continued)
Setting
Descriptions
Mode
Specify the wireless mode in the 2.4-GHz band by making a selection from the
drop-down list:
• g and b. In addition to 802.11b- and 802.11g-compliant devices,
802.11n-compliant devices can connect to the wireless access point because
they are backward compatible.
• g only. 802.11g- and 802.11n-compliant devices can connect to the wireless
access point, but 802.11n-compliant devices function below their capacity in
802.11g mode. 802.11b-compliant devices cannot connect.
• ng. This is the default setting for most countries. 802.11g- and
802.11n-compliant devices can connect to the wireless access point.
802.11b-compliant devices cannot connect.
• n only. Only 802.11n-compliant devices can connect to the wireless access
point.
Channel Spacing
For the ng and n only modes, specify the channel spacing by making a selection
from the drop-down list:
• 20/40MHz. Select this option to improve the performance. Some legacy
devices (that is, devices that function only in b or g mode) can operate only in
20 MHz.
• 20MHz. Select this option if your network includes legacy devices. This is the
default setting.
Note: The channel spacing is fixed at 20 MHz for the g and b and g only modes.
Current Channel
This is a nonconfigurable field that shows the current channel if you have
selected Auto from the Channel drop-down list.
Channel
Specify the channel you wish to use on your wireless LAN by making a selection
from the drop-down list. The wireless channels and frequencies depend on the
country and wireless mode. The default setting is Auto.
Note: It should not be necessary to change the wireless channel unless you
notice interference in the network (indicated by lost connections or slow data
transfers). If this happens, you might want to experiment with different channels
to see which is the best. For more information, see Operating Frequency
(Channel) Guidelines following this table.
Note: For more information about available channels and frequencies, see
Physical and Technical Specifications on page 385.
Default Transmit Power
From the drop-down list, select the default transmit power:
• Full. This is the default setting.
• Half.
• Quarter.
• Eighth.
• Minimum.
If the country regulation does not allow the transmit power that you select, the
power is automatically adjusted to the legally allowed power, which is then
displayed in the Transmit Power field.
Wireless Configuration and Security
106
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 26. Radio Settings screen settings (continued)
Setting
Descriptions
Transmit Power
This is a nonconfigurable field that shows the actual transmit power in dBm.
Transmission rate
Specify the transmission data rate by making a selection from the drop-down list.
The default setting is Best (Automatic).
Note: For information about the available MCS indexes and transmission data
rates, see Physical and Technical Specifications on page 385.
WARNING:
When you have changed the country settings, the wireless VPN
firewall will reboot when you click Apply.
3. Click Apply to save your settings.
Operating Frequency (Channel) Guidelines
You should not need to change the operating frequency (channel) unless you notice
interference problems, or are setting up the wireless VPN firewall near another wireless
access point. Observe the following guidelines:
•
Wireless access points use a fixed channel. You can select a channel that provides the
least interference and best performance. In the United States and Canada, 11 channels
are available.
•
If you are using multiple wireless access points, it is better if adjacent wireless access
points use different channels to reduce interference. The recommended channel spacing
between adjacent wireless access points is 5 channels (for example, use channels 1 and
6, or 6 and 11).
•
In infrastructure mode, wireless devices normally scan all channels, looking for a wireless
access point. If more than one wireless access point can be used, the one with the
strongest signal is used. This can happen only when the wireless access points use the
same SSID. The FVS318N wireless VPN firewall functions in infrastructure mode by
default.
Wireless Data Security Options
Indoors, computers can connect over 802.11n wireless networks at a maximum range of
300 feet. Typically, a wireless VPN firewall inside a building works best with devices within a
100 foot radius. Such distances can allow for others outside your immediate area to access
your network.
Unlike wired network data, your wireless data transmissions can extend beyond your walls
and can be received by anyone with a compatible adapter. For this reason, use the security
features of your wireless equipment. The wireless VPN firewall provides highly effective
Wireless Configuration and Security
107
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
security features that are covered in detail in this chapter. Deploy the security features
appropriate to your needs.
Figure 53.
There are several ways you can enhance the security of your wireless network:
•
Restrict access based by MAC address. You can allow only trusted computers to
connect so that unknown computers cannot wirelessly connect to the wireless VPN
firewall. Restricting access by MAC address adds an obstacle against unwanted access
to your network, but the data broadcast over the wireless link is fully exposed. For
information about how to restrict access by MAC address, see Restrict Wireless Access
by MAC Address on page 117.
•
Turn off the broadcast of the wireless network name (SSID). If you disable broadcast
of the SSID, only devices that have the correct SSID can connect. This nullifies the
wireless network discovery feature of some products, such as Windows XP, but the data
is still exposed. For information about how to turn of broadcast of the SSID, see
Configure and Enable Wireless Profiles on page 112.
•
WEP. Wired Equivalent Privacy (WEP) data encryption provides data security. WEP
shared key authentication and WEP data encryption block all but the most determined
eavesdropper. This data encryption mode has been superseded by WPA-PSK and
WPA2-PSK.
For information about how to configure WEP, see Configure and Enable Wireless Profiles
on page 112.
•
WPA. Wi-Fi Protected Access (WPA) data encryption provides strong data security with
Temporal Key Integrity Protocol (TKIP) or a combination of TKIP and Counter Mode with
Cipher Block Chaining Message Authentication Code Protocol (CCMP) encryption. The
very strong authentication along with dynamic per frame rekeying of WPA make it virtually
impossible to compromise. The wireless VPN firewall supports WPA with a pre-shared
key (PSK), RADIUS, or a combination of PSK and RADIUS.
For more information about how to configure WPA, see Configure and Enable Wireless
Profiles on page 112.
•
WPA2. Wi-Fi Protected Access version 2 (WPA2) data encryption provides strong data
security with CCMP encryption or a combination of TKIP and CCMP encryption. WPA2
Wireless Configuration and Security
108
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
provides the most reliable security. Use WPA2 only if all clients in your network support
WPA2. The wireless VPN firewall supports WPA2 with PSK, RADIUS, or a combination of
PSK and RADIUS.
For more information about how to configure WPA2, see Configure and Enable Wireless
Profiles on page 112.
•
WPA+WPA2 mixed mode. This mode supports data encryption with a combination of
TKIP and CCMP for both WPA and WPA2 clients. The very strong authentication along
with dynamic per frame rekeying of WPA2 make it virtually impossible to compromise.
The wireless VPN firewall supports WPA+WPA2 with PSK, RADIUS, or a combination of
PSK and RADIUS.
For more information about how to configure WPA+WPA2 mixed mode, see Configure
and Enable Wireless Profiles on page 112.
Note: TKIP provides only legacy (slower) rates of operation. NETGEAR
recommends WPA2 with CCMP to make use of 802.11n rates and
speed.
Wireless Security Profiles
This section consists of the following subsections:
•
Before You Change the SSID, WEP, and WPA Settings
•
Configure and Enable Wireless Profiles
•
Restrict Wireless Access by MAC Address
•
View the Status of a Wireless Profile
•
Configure Wi-Fi Protected Setup
Wireless security profiles, hereafter referred to as wireless profiles, let you configure unique
security settings for each SSID on the wireless VPN firewall. The wireless VPN firewall
supports up to four wireless profiles (BSSIDs) that you can configure from the Wireless
Profiles screen (see Configure and Enable Wireless Profiles on page 112).
Each wireless profile provides the following features:
•
Capability to turn off the wireless profile during scheduled vacations and office
shutdowns, on evenings, or on weekends. This a green feature that allows you to save
energy.
•
WLAN partitioning to prevent associated wireless clients (using the same wireless profile)
from communicating with each other. This feature is useful for hotspots and other public
access situations.
•
MAC address access control list that lets you add another level of security.
•
Capability to monitor the clients that are connected to the SSID of the wireless profile.
Wireless Configuration and Security
109
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
To set up a wireless profile, specify a name for the profile and the SSID, type of security with
authentication and data encryption, and whether or not the SSID is broadcast.
•
Network authentication
The wireless VPN firewall is set by default as an open system with no authentication.
When you configure network authentication, bear in mind that older wireless adapters
might not support WPA or WPA2. Windows XP, Windows 2000 with Service Pack 3,
Windows Vista, and Windows 7 do include the client software that supports WPA.
However, client software is required on the client. Consult the product documentation for
your wireless adapter and WPA or WPA2 client software for instructions on configuring
WPA2 settings.
For information about the types of network authentication that the wireless VPN firewall
supports, see Configure and Enable Wireless Profiles on page 112.
•
Data encryption
Select the data encryption that you want to use. The available options depend on the
network authentication setting described earlier (otherwise, the default is None). The data
encryption settings are explained in Configure and Enable Wireless Profiles on page 112.
Some concepts and guidelines regarding the SSID are:
•
A basic service set (BSS) is a group of wireless devices and a single wireless access
point, all using the same wireless profile or service set identifier (BSSID). The actual
identifier in the BSSID is the MAC address of the wireless radio. (A wireless radio can
have multiple MAC addresses, one for each wireless profile.)
•
An extended service set (ESS) is a group of wireless devices, all using the same identifier
(ESSID).
•
Different devices within an ESS can use different channels. To reduce interference,
adjacent devices should use different channels.
•
Roaming is the ability of wireless devices to connect wirelessly when they physically
move from one BSS to another one within the same ESS. The wireless device
automatically changes to the wireless access point with the least interference or best
performance.
Before You Change the SSID, WEP, and WPA Settings
For a new wireless network, print or copy the following form and fill in the settings. For an
existing wireless network, the network administrator can provide this information. Be sure to
set the Country/Region correctly as the first step.
Wireless Configuration and Security
110
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
_________________________________________________________________________
Store this information in a safe place:
•
SSID
The service set identifier (SSID) identifies the wireless local area network. You can
customize it by using up to 32 alphanumeric characters. Write your SSID on the line.
SSID: ___________________________________
The SSID in the wireless access point is the SSID you configure on the wireless adapter
card. All wireless nodes in the same network need to be configured with the same SSID.
•
WEP key size, key format, authentication type, and passphrase
Choose the key size by circling one: 64 or 128 bits.
Choose the key format by circling one: ASCII or HEX.
Choose the authentication type by circling one: Open or Shared.
Passphrase: ___________________________________
Note: If you select shared key, the other devices in the network will not connect unless
they are set to shared key and have the same keys in the same positions as those in the
wireless VPN firewall.
•
WPA-PSK (Pre-Shared Key) and WPA2-PSK
Record the WPA-PSK passphrase:
WPA-PSK passphrase: ________________________________
Record the WPA2-PSK passphrase:
WPA2-PSK passphrase: ________________________________
•
WPA RADIUS settings
For WPA, record the following settings for the primary and secondary RADIUS servers:
Server name/IP address: Primary ________________ Secondary _________________
Port:
___________________________________
Shared secret: ___________________________________
•
WPA2 RADIUS settings
For WPA2, record the following settings for the primary and secondary RADIUS servers:
Server name/IP address: Primary ________________ Secondary _________________
Port:
___________________________________
Shared secret: ___________________________________
_________________________________________________________________________
Wireless Configuration and Security
111
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure and Enable Wireless Profiles

To add a wireless profile:
1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless
Profiles screen displays. (The following figure shows some examples.)
Figure 54.
The following table explains the fields of the Wireless Profiles screen:
Table 27. Wireless Profiles screen settings
Setting
Description
Status
The status of the profile: Enabled or Disabled.
Profile
The unique name of the wireless profile that makes it easy to recognize the profile.
SSID
The wireless network name (SSID) for the wireless profile.
Broadcast
Indicates whether or not the SSID is broadcast. A green circle indicates that the
SSID is broadcast; a gray circle indicates that it is not.
Security
The configured security method for the wireless profile.
Encryption
The configured encryption method for the wireless profile.
Authentication
The configured authentication method for the wireless profile.
Active Time
Indicates whether or not the timer for the wireless profile is activated (Yes or No).
Start Time
The start time for the timer.
Stop Time
The stop time for the timer.
2. Under the List of Profiles table, click the Add table button. The Add Wireless Profiles screen
displays:
Wireless Configuration and Security
112
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 55.
3. Specify the settings as explained in the following table:
Table 28. Add Wireless Profiles screen settings
Setting
Description
Wireless Profile Configuration
Profile Name
The name for the default wireless profile is default1. You cannot change this
name. For additional profiles, enter a unique name to make it easy to recognize
the profile. You can enter a name of up to 32 alphanumeric characters.
Wireless Configuration and Security
113
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 28. Add Wireless Profiles screen settings (continued)
Setting
Description
SSID
The wireless network name (SSID) for the wireless profile. The default SSID
name is FVS318N_1. You can change this name by entering up to
32 alphanumeric characters. Make sure that additional SSIDs have unique
names.
Broadcast SSID
Select the check box to enable the wireless VPN firewall to broadcast its SSID,
allowing wireless stations that have a null (blank) SSID to adopt the wireless
VPN firewall’s SSID. To prevent the SSID from being broadcast, clear the check
box.
Security
Note: Before you configure security, you might want to read Wireless Data
Security Options on page 107.
Specify the wireless security by making a selection from the drop-down list:
• OPEN. This is the default setting. An open system has no authentication and
no encryption, and therefore no security configuration. However, you can use
an open system with encryption. To do so, select WEP from the Security
drop-down list. In the WEP Index and Keys section of the screen, take the
following steps:
- Select Open System authentication.
- Select the encryption.
- Enter a passphrase and generate a key, or enter a key manually.
• WEP. To configure WEP, take the following steps in the WEP Index and Keys
section of the screen:
- Select Shared Key authentication.
- Select the encryption.
- Enter a passphrase and generate a key, or enter a key manually.
• WPA. To configure WPA, select the encryption and authentication. The
remaining configuration depends on the selected authentication:
- For WPA-PSK, select a password.
- For WPA with RADIUS, configure the RADIUS server settings.
- For WPA with PSK+RADIUS, select a password and configure the
RADIUS server settings.
• WPA2. To configure WPA2, select the encryption and authentication. The
remaining configuration depends on the selected authentication:
- For WPA2-PSK, select a password.
- For WPA2 with RADIUS, configure the RADIUS server settings. As an
option, you can enable RADIUS preauthentication.
- For WPA2 with PSK+RADIUS, select a password and configure the
RADIUS server settings. As an option, you can enable RADIUS
preauthentication.
• WPA+WPA2. To configure WPA, select the encryption and authentication.
The remaining configuration depends on the selected authentication:
- For WPA+WPA2 with PSK, select a password.
- For WPA+WPA2 with RADIUS, configure the RADIUS server settings.
- For WPA+WPA2 with PSK+RADIUS, select a password and configure the
RADIUS server settings.
Wireless Configuration and Security
114
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 28. Add Wireless Profiles screen settings (continued)
Setting
Description
Encryption
The encryption that you can select depends on the type of WPA security that
you have selected:
Note: WPA, WPA2, and • WPA. You can select the following encryption from the drop-down list:
WPA+WPA2 only.
- TKIP
- TKIP+CCMP
• WPA2. You can select the following encryption from the drop-down list:
- CCMP
- TKIP+CCMP
• WPA+WPA2. The encryption is TKIP+CCMP.
Authentication
For WPA, WPA2, and WPA+WPA2 only, specify the authentication by making a
selection from the drop-down list:
Note: WPA, WPA2, and • PSK
WPA+WPA2 only.
• RADIUS
• PSK+RADIUS
WPA Password
For WPA, WPA2, and WPA+WPA2 only, if you have selected PSK or
Note: WPA, WPA2, and PSK+RADIUS authentication, enter a pre-shared key or password.
WPA+WPA2 only.
Enable
Pre-Authentication
Note: WPA2 only.
For WPA2 only, if you have selected RADIUS authentication, configure
preauthentication by selecting the check box. Preauthentication allows a client
to roam from one access point to another access point without having to be
reauthenticated.
Radius Server Settings
For WPA, WPA2, and WPA+WPA2 only, if you have selected RADIUS or
PSK+RADIUS authentication, click the Radius Server Settings link to
Note: WPA, WPA2, and configure the RADIUS settings (see RADIUS Client and Server Configuration
on page 235).
WPA+WPA2 only.
VLAN
From the drop-down list, select the VLAN to which the wireless profile should
be allocated.
VLAN Profiles
Click the VLAN Profiles link to configure a VLAN profile (see Configure a
VLAN Profile on page 56).
Active Time
To enable the timer, select the Active Time check box. When the timer is
enabled, the wireless profile is turned off from the start time until the stop time.
To disable the timer, clear the check box.
Start Time
Specify the start hour in the Hours field and the start minute in the Minutes field,
and then select AM or PM from the drop-down list.
Stop Time
Specify the stop hour in the Hours field and the stop minute in the Minutes field,
and then select AM or PM from the drop-down list.
WLAN Partition
To enable wireless client separation and prevent wireless clients that are
connected to this wireless profile from communicating with each other, select
the WLAN Partition check box. To disable wireless client separation, clear the
check box. By default, WLAN partition is disabled.
Wireless Configuration and Security
115
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 28. Add Wireless Profiles screen settings (continued)
Setting
Description
WEP Index and Keys
Authentication
Specify the authentication by making a selection from the drop-down list:
• Open System. Select this option to use WEP encryption without
authentication.
• Shared Key. Select this option to use WEP authentication and encryption
with a shared key (passphrase).
Encryption
Select the encryption key size by making a selection from the drop-down list:
• 64-bit WEP. Standard WEP encryption, using 40/64-bit encryption.
• 128-bit WEP. Standard WEP encryption, using 104/128-bit encryption.
Passphrase
Enter a passphrase. The passphrase length needs to be between 8 and
63 characters (inclusive). The secret passphrase allows you to automatically
generate the keys by clicking Generate.
Encryption Key
(Key1–Key4)
Specify the active key by selecting one of the four radio buttons. Only one key
can be the active key. Either enter a key manually or generate the key
automatically by clicking Generate. The length of the key depends on the
selected encryption:
• 64-bit WEP. A key length of 5 ASCII or 10 hexadecimal characters.
• 128-bit WEP. A key length of 13 ASCII or 26 hexadecimal characters.
Note: Wireless stations need to use the key to access the wireless VPN
firewall.
4. Click Apply to save your settings. The new profile is added to the List of Available Wireless
Profiles table on the Wireless Profiles screen.
WARNING:
If you use a wireless computer to configure wireless security
settings, you will be disconnected when you click Apply.
Reconfigure your wireless computer to match the new settings, or
access the wireless VPN firewall from a wired computer to make
further changes.
Note: For information about how to configure WPS, see Configure Wi-Fi
Protected Setup on page 120.
Wireless Configuration and Security
116
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To edit a wireless profile:
1. On the Wireless Profiles screen (see Figure 54 on page 112), click the Edit button in the
Action column for the wireless profile that you want to modify. The Edit Profiles screen
displays. This screen is identical to the Add Profiles screen.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.
Note: If WPS is enabled for the wireless profile, first disable WPS before
you edit the wireless profile.

To delete one or more wireless profiles:
1. On the Wireless Profiles screen (see Figure 54 on page 112), select the check box to
the left of each wireless profile that you want to delete, or click the Select All table
button to select all wireless profiles. (You cannot select the default wireless profile.)
2. Click the Delete table button.
Note: If WPS is enabled for the wireless profile, first disable WPS before
you delete the wireless profile.

To enable or disable one or more wireless profiles:
1. On the Wireless Profiles screen (see Figure 54 on page 112), select the check box to
the left of each wireless profile that you want to enable or disable, or click the Select All
table button to select all wireless profiles.
2. Click one of the following table buttons:
• Enable. Enables the wireless profile or wireless profiles and allows wireless clients to
make a connection.
•
Disable. Disables the wireless profile or wireless profiles and prevents wireless
clients from making a connection.
Restrict Wireless Access by MAC Address
For increased security, you can restrict access to an SSID by allowing access to only specific
computers or wireless stations based on their MAC addresses. You can restrict access to
only trusted computers so that unknown computers cannot wirelessly connect to the wireless
VPN firewall. MAC address filtering adds an obstacle against unwanted access to your
network, but the data broadcast over the wireless link is fully exposed.
Wireless Configuration and Security
117
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: For wireless adapters, you can usually find the MAC address printed
on the wireless adapter.

To allow or restrict access based on MAC addresses:
1. On the Wireless Profiles screen (see Figure 54 on page 112), click the ACL button in the
ACL column for the wireless profile for which you want to set up access control. The
MAC Address Filtering screen displays. (The following figure shows some examples.)
Figure 56.
2. Click Add to open the MAC Address screen (not shown in this manual).
3. Enter a MAC address in the MAC Address field.
4. Click Apply to add the MAC address to the MAC Address table on the MAC Address
Filtering screen.
5. Repeat Step 2 through Step 4 for any other MAC address that you want to add to the MAC
Address table.
6. From the ACL Policy Status drop-down list, select if access control is enabled, and if so, how
the MAC addresses in the MAC Address table are treated:
• Open. Access control is disabled. All MAC addresses, including the ones in the MAC
Address table, are allowed access.
•
Allow. Only the MAC addresses in the MAC Address table are allowed access. All
other MAC addresses are denied access.
•
Deny. The MAC addresses in the MAC Address table are denied access. All other
MAC addresses are allowed access.
7. Click Apply to save your settings.
Wireless Configuration and Security
118
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
WARNING:
When configuring the wireless VPN firewall from a wireless
computer whose MAC address is not in the access control list and
when the ACL policy status is set to deny access, you will lose
your wireless connection when you click Apply. You then need to
access the wireless VPN firewall from a wired computer or from a
wireless computer that is on the access control list to make any
further changes.

To remove one or more MAC addresses from the table:
1. In the MAC Address table, select the check box to the left of each MAC address that
you want to delete, or click the Select All table button to select all MAC addresses.
2. Click the Delete table button.
View the Status of a Wireless Profile

To view the status of a specific wireless profile:
On the Wireless Profiles screen (see Figure 54 on page 112), click the Status button in the
Status column for the wireless profile for which you want to display the status information.
The Access Point screen displays:
Figure 57.
Note: On the Access Point screen, the wireless profile is stated in the AP
Name column: the first wireless profile is indicated by ap1, the
second by ap2, and so on.
Wireless Configuration and Security
119
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The following table explains the fields of the Access Point Status screen.
To change the poll interval period, enter a new value in the Poll Interval field, and then click
Set interval. To stop polling, click Stop.
Table 29. Access Point screen fields
Item
Description
Access Point
AP Name
The names for the four wireless profiles are ap1, ap2, ap3, and ap4.
Radio
The radio to which the client is connected. By default, the radio is always 1, indicating the
2.4 GHz radio.
Packet
The number of received (rx) and transmitted (tx) packets on the access point in bytes.
Bytes
The number of received (rx) and transmitted (tx) bytes on the access point.
Errors
The number of received (rx) and transmitted (tx) errors on the access point.
Dropped
The number of received (rx) and transmitted (tx) dropped packets on the access point.
Multicast
The number of received (rx) and transmitted (tx) multicast packets on the access point.
Collisions
The number of signal collisions that have occurred on the access point. A collision occurs
when the access point attempts to send data at the same time as a wireless station that is
connected to the access point.
Connected Clients
MAC Address
The MAC address of the client.
Radio
The radio to which the client is connected. By default, the radio is always 1, indicating the
2.4 GHz radio.
Security
The type of security that the client is using (Open, WEP, WPA, WPA2, or WPA+WPA2).
Encryption
The type of encryption that the client is using (CCMP, TKIP, or TKIP + CCMP).
Authentication
The type of authentication that the client is using (Open, PSK, RADIUS, or PSK+RADIUS).
Time
Connected
The period in minutes since the connection was established between the access point and the
client.
Configure Wi-Fi Protected Setup
Push 'N' Connect using Wi-Fi Protected Setup™ (WPS) allows you to connect computers to a
secure wireless network with WPA or WPA2 wireless security. The wireless VPN firewall
automatically sets security for each computer or device that uses WPS to join the wireless
network. To use WPS, make sure that your wireless devices are Wi-Fi certified and support
WPS. NETGEAR products that use WPS call it Push 'N' Connect.
You can use a WPS button or the wireless router interface method to add wireless computers
and devices to your wireless network.
Wireless Configuration and Security
120
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: For a list of other Wi-Fi-certified products available from NETGEAR,
go to http://www.wi-fi.org.

To enable WPS and initiate the WPS process on the wireless VPN firewall:
1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless
Profiles screen displays (see Figure 54 on page 112).
2. On the Wireless Profiles screen, to the right of the Wireless Profiles tab, click the WPS
option arrow. The WPS screen displays:
Figure 58.
3. From the Select Wireless Profile SSID drop-down list, select the name of the SSID for which
you want to enable WPS. The wireless profile with which the SSID is associated needs to be
configured for WPA, WPA, or WPA+WPA2 security in order to be displayed as a selection in
the drop-down list.
4. From the WPS Status drop-down list, select Enabled to enable the WPS feature.
5. Click Apply to save your changes.
Note: The Security, Authentication, and Encryption fields are nonconfigurable
fields that are for information only.
Wireless Configuration and Security
121
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
6. In the WPS Setup Method section of the screen, use one of the following methods to initiate
the WPS process for a wireless device:
• PIN method:
a. Collect the pin of the wireless device.
b. In the Station PIN field, enter the pin.
•
c. Click the PIN button.
Push button configuration (PBC) method:
a. Click the PBC button.
b. Within 2 minutes, press the WPS button on your wireless device to enable the
device to connect the access point of the wireless VPN firewall, or follow the
WPS instructions that came with the device.
With either method, the wireless VPN firewall tries to communicate with the wireless
device, set the wireless security for the wireless device, and allow it to join the wireless
network.
Note: There is no physical WPS push button on the wireless VPN firewall.
Configure Advanced Radio Settings

To configure advanced radio settings:
1. Select Network Configuration > Wireless Settings > Radio Settings. The Radio
Settings screen displays (see Figure 52 on page 105).
2. On the Radio Settings screen, to the right of the Wireless Profiles tab, click the
Advanced option arrow. The Advanced Wireless screen displays:
Figure 59.
Wireless Configuration and Security
122
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Specify the settings as explained in the following table:
Table 30. Advanced Wireless screen settings
Setting
Description
Beacon Interval
Enter an interval between 40 ms and 3500 ms for each beacon transmission,
which allows the wireless VPN firewall to synchronize the wireless network. The
default setting is 100.
DTIM Interval
Enter the Delivery Traffic Indication Message (DTIM) interval, also referred to
as the data beacon rate, which indicates the period for the beacon DTIM in
multiples of beacon intervals. This value needs to be between 1 and 255. The
default setting is 2.
RTS Threshold
Enter the Request to Send (RTS) threshold. The default setting is 2346 bytes.
If the packet size is equal to or less than the RTS threshold, the wireless VPN
firewall uses the Carrier Sense Multiple Access with Collision Detection
(CSMA/CD) mechanism, and the data frame is transmitted immediately after
the silence period.
If the packet size is larger than the RTS threshold, the wireless VPN firewall
uses the CSMA with Collision Avoidance (CSMA/CA) mechanism. In this
situation, the transmitting station sends an RTS packet to the receiving station
and waits for the receiving station to return a Clear to Send (CTS) packet before
sending the actual packet data. This method improves the performance but
reduces the throughput.
Fragmentation Threshold Enter the maximum packet size that is used for the fragmentation of data
packets. Packets that are larger than the specified fragmentation length are
broken up into smaller packets before being transmitted. The fragmentation
threshold needs to be an even number. The default setting is 2346 bytes.
Preamble Mode
Specify the preamble mode by making a selection from the drop-down list:
• Long. A long transmit preamble might provide a more reliable connection or
a slightly longer range. This is the default mode.
• Short. A short transmit preamble gives better performance.
Protection Mode
Specify the Clear to Send (CTS)-to-self protection mode by making a selection
from the drop-down list:
• None. CTS-to-self protection mode is disabled. This is the default mode.
• CTS-to-Self-Protection. CTS-to-self protection mode is enabled. This mode
increases the performance but reduces the throughput slightly.
Power Save Enable
To enable the Wi-Fi Multimedia (WMM) Powersave feature, select the Power
Save Enable check box. This feature saves power for battery-powered
equipment by increasing the efficiency and flexibility of data transmission. Clear
the check box to disable the feature, which is the default setting.
4. Click Apply to save your settings.
Wireless Configuration and Security
123
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Test Basic Wireless Connectivity
After you have configured the wireless VPN firewall as explained in the previous sections,
test your wireless clients for wireless connectivity before you place the wireless VPN firewall
at its permanent position.

To test for wireless connectivity:
1. Configure the 802.11b/g/n wireless clients so that they all have the same SSID that you
have configured on the wireless VPN firewall. Make sure that the wireless mode on the
wireless VPN firewall supports the wireless capacity of the wireless clients. (For
example, 802.11b-compliant devices cannot connect to the wireless VPN firewall if the
wireless mode is set to ng.)
2. Verify that your wireless clients have a link to the wireless VPN firewall. If you have enabled
the DHCP server on the wireless VPN firewall (see Configure a VLAN Profile on page 56
(for IPv4) and Manage the IPv6 LAN on page 70), verify that your wireless clients are able
to obtain an IP address through DHCP from the wireless VPN firewall.
3. Verify network connectivity by using a browser such as Internet Explorer 7.0 or later or
Mozilla Firefox 4.0 or later to browse the Internet, or check for file and printer access on your
network.
If you have trouble connecting to the wireless VPN firewall, try to connect without security by
selecting OPEN from the Security drop-down list on the Edit Wireless Profiles screen for the
profile that you are using. If that does not help you to solve the connection problem, see
Chapter 11, Troubleshooting.
Wireless Configuration and Security
124
5.
Firewall Protection
5
This chapter describes how to use the firewall features of the wireless VPN firewall to protect
your network. This chapter contains the following sections:
•
About Firewall Protection
•
Overview of Rules to Block or Allow Specific Kinds of Traffic
•
Configure LAN WAN Rules
•
Configure DMZ WAN Rules
•
Configure LAN DMZ Rules
•
Examples of Firewall Rules
•
Configure Other Firewall Features
•
Services, Bandwidth Profiles, and QoS Profiles
•
Configure Content Filtering
•
Set a Schedule to Block or Allow Specific Traffic
•
Enable Source MAC Filtering
•
Set Up IP/MAC Bindings
•
Configure Port Triggering
•
Configure Universal Plug and Play
About Firewall Protection
A firewall protects one network (the trusted network, such as your LAN) from another (the
untrusted network, such as the Internet), while allowing communication between the two.
You can further segment keyword blocking to certain known groups. For information about
how to set up LAN groups, see Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on
page 64.
For IPv4, a firewall incorporates the functions of a Network Address Translation (NAT) router,
protects the trusted network from hacker intrusions or attacks, and controls the types of
traffic that can flow between the Internet, DMZ, and LAN. Unlike simple NAT routers, a
firewall uses a process called stateful packet inspection to protect your network from attacks
and intrusions. NAT performs a very limited stateful inspection in that it considers whether
125
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
the incoming packet is in response to an outgoing request, but true stateful packet inspection
goes far beyond NAT.
For IPv6, which in itself provides stronger security than IPv4, a firewall in particular controls
the exchange of traffic between the Internet, DMZ, and LAN.
Administrator Tips
Consider the following operational items:
1. As an option, you can enable remote management if you have to manage distant sites
from a central location (see Configure Authentication Domains, Groups, and Users on
page 289 and Configure Remote Management Access on page 322).
2. Although rules are the basic way of managing the traffic through your system (see Overview
of Rules to Block or Allow Specific Kinds of Traffic on page 126), you can further refine your
control using the following features and capabilities of the wireless VPN firewall:
- Groups and hosts (see Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on
page 64)
-
Services (see Outbound Rules (Service Blocking) on page 127 and Inbound Rules
(Port Forwarding) on page 130)
-
Schedules (see Set a Schedule to Block or Allow Specific Traffic on page 178)
-
Allowing or blocking sites (see Configure Content Filtering on page 174)
-
Source MAC filtering (see Enable Source MAC Filtering on page 179)
-
Port triggering (see Configure Port Triggering on page 185)
3. Some firewall settings might affect the performance of the wireless VPN firewall. For more
information, see Performance Management on page 314.
4. The firewall logs can be configured to log and then email denial of access, general attack,
and other information to a specified email address. For information about how to configure
logging and notifications, see Configure Logging, Alerts, and Event Notifications on
page 338.
Overview of Rules to Block or Allow Specific Kinds of
Traffic
Firewall rules are used to block or allow specific traffic passing through from one side to the
other. You can configure up to 800 firewall rules on the wireless VPN firewall (see the
following table). Inbound rules (WAN to LAN) restrict access by outsiders to private
resources, selectively allowing only specific outside users to access specific resources.
Outbound rules (LAN to WAN) determine what outside resources local users can have
access to.
Firewall Protection
126
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
A firewall has two default rules, one for inbound traffic and one for outbound. The default
rules of the wireless VPN firewall are:
•
Inbound. Block all access from outside except responses to requests from the LAN side.
•
Outbound. Allow all access from the LAN side to the outside.
The firewall rules for blocking and allowing traffic on the wireless VPN firewall can be applied
to LAN WAN traffic, DMZ WAN traffic, and LAN DMZ traffic.
Table 31. Number of supported firewall rule configurations
Traffic Rule
Maximum Number of Maximum Number of Maximum Number of
Outbound Rules
Inbound Rules
Supported Rules
LAN WAN
300
300
600
DMZ WAN
50
50
100
LAN DMZ
50
50
100
Total Rules
400
400
800
The rules to block or allow traffic are based on the traffic’s category of service:
•
Outbound rules (service blocking). Outbound traffic is allowed unless you configure
the firewall to block specific or all outbound traffic.
•
Inbound rules (port forwarding). Inbound traffic is blocked unless the traffic is in
response to a request from the LAN side. You can configure the firewall to allow specific
or all inbound traffic.
•
Customized services. You can add additional services to the list of services in the
factory defaults list. You can then define rules for these added services to either allow or
block that traffic (see Add Customized Services on page 168).
•
Quality of Service (QoS) priorities. Each service has its own native priority that impacts
its quality of performance and tolerance for jitter or delays. You can change the QoS
priority, which changes the traffic mix through the system (see Preconfigured Quality of
Service Profiles on page 173).
•
Bandwidth profiles. After you have a configured a bandwidth profile (see Create
Bandwidth Profiles on page 171), you can assign it to a rule.
Outbound Rules (Service Blocking)
The wireless VPN firewall allows you to block the use of certain Internet services by
computers on your network. This is called service blocking or port filtering.
Note: See Enable Source MAC Filtering on page 179 for yet another way
to block outbound traffic from selected computers that would
otherwise be allowed by the firewall.
Firewall Protection
127
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The following table describes the fields that define the rules for outbound traffic and that are
common to most Outbound Service screens (see Figure 63 on page 138, Figure 69 on
page 145, and Figure 75 on page 152).
The steps to configure outbound rules are described in the following sections:
•
Configure LAN WAN Rules
•
Configure DMZ WAN Rules
•
Configure LAN DMZ Rules
Table 32. Outbound rules overview
Setting
Description
Outbound Rules
Service
The service or application to be covered by this rule. If the service All rules
or application does not display in the list, you need to define it
using the Services screen (see Add Customized Services on
page 168).
Action
The action for outgoing connections covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
All rules
Note: Any outbound traffic that is not blocked by rules you create
is allowed by the default rule.
Note: ALLOW rules are useful only if the traffic is already
covered by a BLOCK rule. That is, you wish to allow a subset of
traffic that is currently blocked by another rule.
Select Schedule
The time schedule (that is, Schedule1, Schedule2, or Schedule3)
that is used by this rule.
• This drop-down list is activated only when BLOCK by schedule,
otherwise allow or ALLOW by schedule, otherwise block is
selected as the action.
• Use the Schedule screen to configure the time schedules (see
Set a Schedule to Block or Allow Specific Traffic on page 178).
LAN Users
The settings that determine which computers on your network are LAN WAN rules
affected by this rule. The options are:
LAN DMZ rules
• Any. All computers and devices on your LAN.
• Single address. Enter the required address in the Start field to
apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and
Finish fields to apply the rule to a range of devices.
• Group. Select the LAN group to which the rule applies. Use the
LAN Groups screen to assign computers to groups (see
Manage the Network Database on page 65).Groups are
applicable only to IPv4 rules.
Firewall Protection
128
All rules when
BLOCK by schedule,
otherwise allow or
ALLOW by schedule,
otherwise block is
selected as the
action.
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 32. Outbound rules overview (continued)
Setting
Description
Outbound Rules
WAN Users
The settings that determine which Internet locations are covered
by the rule, based on their IP address. The options are:
• Any. All Internet IP address are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Enter the required addresses the Start and
Finish fields.
LAN WAN rules
DMZ WAN rules
DMZ Users
The settings that determine which DMZ computers on the DMZ
DMZ WAN rules
network are affected by this rule. The options are:
LAN DMZ rules
• Any. All computers and devices on your DMZ network.
• Single address. Enter the required address in the Start field to
apply the rule to a single computer on the DMZ network.
• Address range. Enter the required addresses in the Start and
Finish fields to apply the rule to a range of DMZ computers.
QoS Priority
The priority assigned to IP packets of this service. The priorities LAN WAN rules
are defined by Type of Service (ToS) in the Internet Protocol Suite DMZ WAN rules
standards, RFC 1349. The QoS profile determines the priority of
a service, which, in turn, determines the quality of that service for
the traffic passing through the firewall.
The wireless VPN firewall marks the Type of Service (ToS) field
as defined in the QoS profiles that you create. For more
information, see Preconfigured Quality of Service Profiles on
page 173.
Note: The wireless VPN firewall has preconfigured default QoS
profiles; you cannot configure the QoS profiles. A QoS profile can
become active only when you apply it to a nonblocking inbound
or outbound firewall rule.
Bandwidth Profile
Bandwidth limiting determines the way in which the data is sent to IPv4 LAN WAN rules
and from your host. The purpose of bandwidth limiting is to
provide a solution for limiting the outgoing and incoming traffic,
thus preventing the LAN users from consuming all the bandwidth
of the Internet link. For more information, see Create Bandwidth
Profiles on page 171. For outbound traffic, you can configure
bandwidth limiting only on the WAN interface for a LAN WAN rule.
Note: Bandwidth limiting does not apply to the DMZ interface.
Firewall Protection
129
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 32. Outbound rules overview (continued)
Setting
Description
Outbound Rules
Log
The setting that determines whether packets covered by this rule All rules
are logged. The options are:
• Always. Always log traffic that matches this rule. This is useful
when you are debugging your rules.
• Never. Never log traffic that matches this rule.
NAT IP
The setting that specifies whether the source address of the
IPv4 LAN WAN rules
outgoing packets on the WAN should be assigned the address of IPv4 DMZ WAN rules
the WAN interface or the address of a different interface. You can
specify these settings only for outbound traffic of the WAN
interface. The options are:
• WAN Interface Address. All the outgoing packets on the WAN
are assigned to the address of the specified WAN interface.
• Single Address. All the outgoing packets on the WAN are
assigned to the specified IP address, for example, a secondary
WAN address that you have configured.
Note: The NAT IP drop-down list is available only when the WAN
mode is NAT. If you select Single Address, the IP address
specified should fall under the WAN subnet.
Inbound Rules (Port Forwarding)
If you have enabled Network Address Translation (NAT), your network presents one IP
address only to the Internet, and outside users cannot directly access any of your local
computers (LAN users). (For information about configuring NAT, see Network Address
Translation on page 27.) However, by defining an inbound rule you can make a local server
(for example, a web server or game server) visible and available to the Internet. The rule
informs the firewall to direct inbound traffic for a particular service to one local server based
on the destination port number. This process is also known as port forwarding.
WARNING:
Allowing inbound services opens security holes in your network.
Enable only those ports that are necessary for your network.
Whether or not DHCP is enabled, how the computer accesses the server’s LAN address
impacts the inbound rules. For example:
•
If your external IP address is assigned dynamically by your ISP (DHCP enabled), the IP
address might change periodically as the DHCP lease expires. Consider using Dyamic
DNS so that external users can always find your network (see Configure Dynamic DNS
on page 45).
•
If the IP address of the local server computer is assigned by DHCP, it might change when
the computer is rebooted. To avoid this, use the Reserved (DHCP Client) feature in the
Firewall Protection
130
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
LAN Groups screen to keep the computer’s IP address constant (see Set Up DHCP
Address Reservation on page 69).
•
Local computers need to access the local server using the computers’ local LAN address.
Attempts by local computers to access the server using the external WAN IP address will
fail.
Note: See Configure Port Triggering on page 185 for yet another way to
allow certain types of inbound traffic that would otherwise be
blocked by the firewall.
Note: The wireless VPN firewall always blocks denial of service (DoS)
attacks. A DoS attack does not attempt to steal data or damage your
computers, but overloads your Internet connection so you cannot
use it (that is, the service becomes unavailable).
Note: When the Block TCP Flood and Block UDP Flood check boxes are
selected on the Attack Checks screen (which they are by default;
see Attack Checks on page 162), multiple concurrent connections of
the same application from one host or IP address (such as multiple
DNS queries from one computer) trigger the wireless VPN firewall’s
DoS protection.
The following table describes the fields that define the rules for inbound traffic and that are
common to most Inbound Service screens (see Figure 65 on page 140, Figure 71 on
page 148, and Figure 77 on page 154).
The steps to configure inbound rules are described in the following sections:
•
Configure LAN WAN Rules
•
Configure DMZ WAN Rules
•
Configure LAN DMZ Rules
Firewall Protection
131
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 33. Inbound rules overview
Setting
Description
Inbound Rules
Service
The service or application to be covered by this rule. If the
service or application does not display in the list, you need to
define it using the Services screen (see Add Customized
Services on page 168).
All rules
Action
The action for outgoing connections covered by this rule:
• BLOCK always
• BLOCK by schedule, otherwise allow
• ALLOW always
• ALLOW by schedule, otherwise block
All rules
Note: Any inbound traffic that is not blocked by rules you create
is allowed by the default rule.
Select Schedule
The time schedule (that is, Schedule1, Schedule2, or
Schedule3) that is used by this rule.
• This drop-down list is activated only when BLOCK by
schedule, otherwise allow or ALLOW by schedule, otherwise
block is selected as the action.
• Use the Schedule screen to configure the time schedules (see
Set a Schedule to Block or Allow Specific Traffic on page 178).
Send to LAN Server
The LAN server address determines which computer on your
IPv4 LAN WAN rules
network is hosting this service rule. (You can also translate this
address to a port number.) The options are:
• Single address. Enter the required address in the Start field to
apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and
Finish fields to apply the rule to a range of devices.
All rules when BLOCK
by schedule,
otherwise allow or
ALLOW by schedule,
otherwise block is
selected as the action.
Send to DMZ Server The DMZ server address determines which computer on your
network is hosting this service rule. (You can also translate this
address to a port number.)
IPv4 DMZ WAN rules
Translate to Port
Number
If the LAN server or DMZ server that is hosting the service is
using a port other than the default port for the service, you can
enable this setting and specify a port number. If the service is
using the default port, you do not need to enable this setting.
IPv4 LAN WAN rules
IPv4 DMZ WAN rules
WAN Destination IP
Address
The setting that determines the destination IP address applicable IPv4 LAN WAN rules
to incoming traffic. This is the public IP address that maps to the IPv4 DMZ WAN rules
internal LAN server.
This can be either the address of the WAN interface or another
public IP address.
You also have the option to enter an address range. Enter the
required addresses in the Start and Finish fields to apply the rule
to a range of devices.
Firewall Protection
132
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 33. Inbound rules overview (continued)
Setting
Description
Inbound Rules
LAN Users
These settings apply to a LAN WAN inbound rule when the WAN LAN WAN rules
mode is classical routing, and determine which computers on
LAN DMZ rules
your network are affected by this rule. The options are:
• Any. All computers and devices on your LAN.
• Single address. Enter the required address in the Start field to
apply the rule to a single device on your LAN.
• Address range. Enter the required addresses in the Start and
Finish fields to apply the rule to a range of devices.
• Group. Select the LAN group to which the rule applies. Use
the LAN Groups screen to assign computers to groups (see
Manage the Network Database on page 65). Groups are
applicable only to IPv4 rules.
Note: For IPv4 LAN WAN inbound rules, this field is not
applicable when the WAN mode is NAT because your network
presents only one IP address to the Internet.
WAN Users
The settings that determine which Internet locations are covered LAN WAN rules
by the rule, based on their IP address. The options are:
DMZ WAN rules
• Any. All Internet IP address are covered by this rule.
• Single address. Enter the required address in the Start field.
• Address range. Enter the required addresses in the Start and
Finish fields.
DMZ Users
The settings that determine which DMZ computers on the DMZ DMZ WAN rules
network are affected by this rule. The options are:
LAN DMZ rules
• Any. All computers and devices on your DMZ network.
• Single address. Enter the required address in the Start field to
apply the rule to a single computer on the DMZ network.
• Address range. Enter the required addresses in the Start and
Finish fields to apply the rule to a range of DMZ computers.
Note: For IPv4 DMZ WAN inbound rules, this field is not
applicable when the WAN mode is NAT because your network
presents only one IP address to the Internet.
Log
The setting that determines whether packets covered by this rule All rules
are logged. The options are:
• Always. Always log traffic that matches this rule. This is useful
when you are debugging your rules.
• Never. Never log traffic that matches this rule.
Bandwidth Profile
Bandwidth limiting determines the way in which the data is sent IPv4 LAN WAN rules
to and from your host. The purpose of bandwidth limiting is to
provide a solution for limiting the outgoing and incoming traffic,
thus preventing the LAN users from consuming all the bandwidth
of the Internet link. For more information, see Create Bandwidth
Profiles on page 171. For inbound traffic, you can configure
bandwidth limiting only on the LAN interface for a LAN WAN rule.
Bandwidth limiting does not apply to the DMZ interface.
Firewall Protection
133
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: Some residential broadband ISP accounts do not allow you to run
any server processes (such as a web or FTP server) from your
location. Your ISP might periodically check for servers and might
suspend your account if it discovers any active servers at your
location. If you are unsure, see the acceptable use policy of your
ISP.
Order of Precedence for Rules
As you define a new rule, it is added to a table in a Rules screen as the last item in the list, as
shown in the following figure, which shows the LAN WAN Rules screen for IPv4 as an
example:
Figure 60.
For any traffic attempting to pass through the firewall, the packet information is subjected to
the rules in the order shown in the Rules table, beginning at the top and proceeding to the
bottom. In some cases, the order of precedence of two or more rules might be important in
determining the disposition of a packet. For example, you should place the most strict rules at
the top (those with the most specific services or addresses). The Up and Down table buttons
in the Action column allow you to relocate a defined rule to a new position in the table.
Firewall Protection
134
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure LAN WAN Rules
The default outbound policy is to allow all traffic to the Internet to pass through. Firewall rules
can then be applied to block specific types of traffic from going out from the LAN to the
Internet (outbound). This feature is also referred to as service blocking. You can change the
default policy of Allow Always to Block Always to block all outbound traffic, which then allows
you to enable only specific services to pass through the wireless VPN firewall.

To change the default outbound policy for IPv4 traffic or to make changes to existing
IPv4 rules:
1. Select Security > Firewall. The Firewall submenu tabs display with the LAN WAN
Rules screen in view. In the upper right of the screen, the IPv4 radio button is selected
by default. The LAN WAN Rules screen displays the IPv4 settings. (The following figure
contains examples.)
Figure 61.
2. From the Default Outbound Policy drop-down list, select Block Always. (By default, Allow
Always is selected.)
3. Next to the drop-down list, click the Apply table button.
To make changes to an existing outbound or inbound service rule, in the Action column to the
right of to the rule, click one of the following table buttons:
•
Up. Moves the rule up one position in the table rank.
•
Down. Moves the rule down one position in the table rank.
Firewall Protection
135
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•

Edit. Allows you to make any changes to the definition of an existing rule. Depending on
your selection, one of the following screens displays:
-
Edit LAN WAN Outbound Service screen for IPv4 (identical to Figure 63 on page 138)
-
Edit LAN WAN Inbound Service screen for IPv4 (identical to Figure 65 on page 140)
To change the default outbound policy for IPv6 traffic or to make changes to existing
IPv6 rules:
1. Select Security > Firewall. The Firewall submenu tabs display with the LAN WAN
Rules screen for IPv4 in view
2. In the upper right of the screen, select the IPv6 radio button. The LAN WAN Rules screen
displays the IPv6 settings. (The following figure contains examples.)
Figure 62.
3. From the Default Outbound Policy drop-down list, select Block Always. (By default, Allow
Always is selected.)
4. Next to the drop-down list, click the Apply table button.
To make changes to an existing outbound or inbound service rule, in the Action column to the
right of to the rule, click one of the following table buttons:
•
Up. Moves the rule up one position in the table rank.
•
Down. Moves the rule down one position in the table rank.
•
Edit. Allows you to make any changes to the definition of an existing rule. Depending on
your selection, one of the following screens displays:
-
Edit LAN WAN Outbound Service screen for IPv6 (identical to Figure 64 on page 139)
-
Edit LAN WAN Inbound Service screen for IPv6 (identical to Figure 66 on page 141)
Firewall Protection
136
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To enable, disable, or delete one or more IPv4 or IPv6 rules:
1. select the check box to the left of each rule that you want to enable, disable, or delete,
or click the Select All table button to select all rules.
2. Click one of the following table buttons:
• Enable. Enables the rule or rules. The ! status icon changes from a gray circle to a
green circle, indicating that the selected rule or rules are enabled. (By default, when a
rule is added to the table, it is automatically enabled.)
•
Disable. Disables the rule or rules. The ! status icon changes from a green circle to a
gray circle, indicating that the selected rule or rules are disabled.
•
Delete. Deletes the selected rule or rules.
Create LAN WAN Outbound Service Rules
You can define rules that specify exceptions to the default rules. By adding custom rules, you
can block or allow access based on the service or application, source or destination IP
addresses, and time of day. An outbound rule can block or allow traffic between an internal IP
LAN address and any external WAN IP address according to the schedule created on the
Schedule screen.
WARNING:
Make sure that you understand the consequences of a LAN WAN
outbound rule before you apply the rule. Incorrect configuration
might cause serious connection problems.
You can also tailor these rules to your specific needs (see Administrator Tips on page 126).
IPv4 LAN WAN Outbound Rules

To create a new IPv4 LAN WAN outbound rule:
1. In the upper right of the LAN WAN Rules screen, select the IPv4 radio button. The screen
displays the IPv4 settings (see Figure 61 on page 135).
2. Click the Add table button under the Outbound Services table. The Add LAN WAN
Outbound Service screen for IPv4 displays:
Firewall Protection
137
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 63.
3. Enter the settings as explained in Table 32 on page 128. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• LAN Users
•
WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make selections from the following drop-down lists:
•
Select Schedule
•
QoS Priority
•
Bandwidth Profile
•
NAT IP (This drop-down list is available only when the WAN mode is NAT. If you
select Single Address, the IP address specified should fall under the WAN subnet.)
4. Click Apply to save your changes. The new rule is now added to the Outbound Services
table.
Firewall Protection
138
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IPv6 LAN WAN Outbound Rules

To create a new IPv6 LAN WAN outbound rule:
1. In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen
displays the IPv6 settings (see Figure 62 on page 136).
2. Click the Add table button under the Outbound Services table. The Add LAN WAN
Outbound Service screen for IPv6 displays:
Figure 64.
3. Enter the settings as explained in Table 32 on page 128. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• LAN Users
•
WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make a selection from the following drop-down lists:
•
Select Schedule
•
QoS Priority
4. Click Apply to save your changes. The new rule is now added to the Outbound Services
table.
Create LAN WAN Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined
any rules, no rules are listed. By default, all inbound traffic (from the Internet to the LAN) is
Firewall Protection
139
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
blocked. Remember that allowing inbound services opens potential security holes in your
firewall. Enable only those ports that are necessary for your network.
WARNING:
Make sure that you understand the consequences of a LAN WAN
inbound rule before you apply the rule. Incorrect configuration
might cause serious connection problems. If you are configuring
the wireless VPN firewall from a remote connection, you might be
locked out.
IPv4 LAN WAN Inbound Service Rules

To create a new IPv4 LAN WAN inbound rule:
1. In the upper right of the LAN WAN Rules screen, select the IPv4 radio button. The screen
displays the IPv4 settings (see Figure 61 on page 135).
2. Click the Add table button under the Inbound Services table. The Add LAN WAN Inbound
Service screen for IPv4 displays:
Figure 65.
Firewall Protection
140
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• WAN Destination IP Address
•
LAN Users (This drop-down list is available only when the WAN mode is Classical
Routing. When the WAN mode is NAT, your network presents only one IP address to
the Internet.)
•
WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make selections from the following drop-down lists:
•
Select Schedule
•
Send to Lan Server
•
Bandwidth Profile
The following configuration is optional:
•
Translate to Port Number
4. Click Apply to save your changes. The new rule is now added to the Inbound Services
table.
IPv6 LAN WAN Inbound Rules

To create a new IPv6 LAN WAN inbound rule:
1. In the upper right of the LAN WAN Rules screen, select the IPv6 radio button. The screen
displays the IPv6 settings (see Figure 62 on page 136).
2. Click the Add table button under the Inbound Services table. The Add LAN WAN Inbound
Service screen for IPv6 displays:
Figure 66.
Firewall Protection
141
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• LAN Users
•
WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make a selection from the following drop-down list:
•
Select Schedule
4. Click Apply to save your changes. The new rule is now added to the Inbound Services
table.
Configure DMZ WAN Rules
The firewall rules for traffic between the DMZ and the Internet are configured on the DMZ
WAN Rules screen. The default outbound policy is to block all traffic from and to the Internet.
You can then apply firewall rules to allow specific types of traffic either going out from the
DMZ to the Internet (outbound) or coming in from the Internet to the DMZ (inbound).
There is no drop-down list that lets you set the default outbound policy as there is on the LAN
WAN Rules screen. You can change the default outbound policy by enabling all outbound
traffic and then blocking only specific services from passing through the wireless VPN
firewall. You do so by adding outbound services rules (see Create DMZ WAN Outbound
Service Rules on page 145).

To access the DMZ WAN Rules screen for IPv4 or to make changes to existing IPv4
rules:
Select Security > Firewall > DMZ WAN Rules. In the upper right of the screen, the IPv4
radio button is selected by default. The DMZ WAN Rules screen displays the IPv4 settings.
(The following figure contains examples.)
Firewall Protection
142
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 67.
To make changes to an existing outbound or inbound service rule, in the Action column to the
right of to the rule, click one of the following table buttons:

•
Up. Moves the rule up one position in the table rank.
•
Down. Moves the rule down one position in the table rank.
•
Edit. Allows you to make any changes to the definition of an existing rule. Depending on
your selection, one of the following screens displays:
-
Edit DMZ WAN Outbound Service screen for IPv4 (identical to Figure 69 on
page 145)
-
Edit DMZ WAN Inbound Service screen for IPv4 (identical to Figure 71 on page 148)
To access the DMZ WAN Rules screen for IPv6 or to make changes to existing IPv6
rules:
1. Select Security > Firewall > DMZ WAN Rules. The Firewall submenu tabs display with
the DMZ WAN Rules screen for IPv4 in view.
2. In the upper right of the screen, select the IPv6 radio button. The DMZ WAN Rules screen
displays the IPv6 settings. (The following figure contains examples.)
Firewall Protection
143
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 68.
To make changes to an existing outbound or inbound service rule, in the Action column to the
right of to the rule, click one of the following table buttons:

•
Up. Moves the rule up one position in the table rank.
•
Down. Moves the rule down one position in the table rank.
•
Edit. Allows you to make any changes to the definition of an existing rule. Depending on
your selection, one of the following screens displays:
-
Edit DMZ WAN Outbound Service screen for IPv6 (identical to Figure 70 on
page 146)
-
Edit DMZ WAN Inbound Service screen for IPv6 (identical to Figure 72 on page 149)
To enable, disable, or delete one or more IPv4 or IPv6 rules:
1. select the check box to the left of each rule that you want to enable, disable, or delete,
or click the Select All table button to select all rules.
2. Click one of the following table buttons:
• Enable. Enables the rule or rules. The ! status icon changes from a gray circle to a
green circle, indicating that the selected rule or rules are enabled. (By default, when a
rule is added to the table, it is automatically enabled.)
•
Disable. Disables the rule or rules. The ! status icon changes from a green circle to a
gray circle, indicating that the selected rule or rules are disabled.
•
Delete. Deletes the selected rule or rules.
Firewall Protection
144
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Create DMZ WAN Outbound Service Rules
You can change the default outbound policy or define rules that specify exceptions to the
default outbound policy. By adding custom rules, you can block or allow access based on the
service or application, source or destination IP addresses, and time of day. An outbound rule
can block or allow traffic between the DMZ and any external WAN IP address according to
the schedule created on the Schedule screen.
IPv4 DMZ WAN Outbound Service Rules

To create a new IPv4 DMZ WAN outbound rule:
1. In the upper right of the DMZ WAN Rules screen, select the IPv4 radio button. The screen
displays the IPv4 settings (see Figure 67 on page 143).
2. Click the Add table button under the Outbound Services table. The Add DMZ WAN
Outbound Service screen for IPv4 displays:
Figure 69.
3. Enter the settings as explained in Table 32 on page 128. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• DMZ Users
•
WAN Users
Firewall Protection
145
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make selections from the following drop-down lists:
•
Select Schedule
•
QoS Priority
•
NAT IP (This drop-down list is available only when the WAN mode is NAT. If you
select Single Address, the IP address specified should fall under the WAN subnet.)
4. Click Apply. The new rule is now added to the Outbound Services table. The rule is
automatically enabled.
IPv6 DMZ WAN Outbound Service Rules

To create a new IPv6 DMZ WAN outbound rule:
1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen
displays the IPv6 settings (see Figure 68 on page 144).
2. Click the Add table button under the Outbound Services table. The Add DMZ WAN
Outbound Service screen for IPv6 displays:
Figure 70.
3. Enter the settings as explained in Table 32 on page 128. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• DMZ Users
•
WAN Users
Firewall Protection
146
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make selections from the following drop-down lists:
•
Select Schedule
•
QoS Priority
4. Click Apply. The new rule is now added to the Outbound Services table. The rule is
automatically enabled.
Create DMZ WAN Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined
any rules, no rules are listed. By default, all inbound traffic (from the Internet to the DMZ) is
blocked.
Inbound rules that are configured on the LAN WAN Rules screen take precedence over
inbound rules that are configured on the DMZ WAN Rules screen. As a result, if an inbound
packet matches an inbound rule on the LAN WAN Rules screen, it is not matched against the
inbound rules on the DMZ WAN Rules screen.
IPv4 DMZ WAN Inbound Service Rules

To create a new IPv4 DMZ WAN inbound rule:
1. In the upper right of the DMZ WAN Rules screen, select the IPv4 radio button. The screen
displays the IPv4 settings (see Figure 67 on page 143).
2. Click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound
Service screen for IPv4 displays:
Firewall Protection
147
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 71.
3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• WAN Destination IP Address
•
DMZ Users (This drop-down list is available only when the WAN mode is Classical
Routing. When the WAN mode is NAT, your network presents only one IP address to
the Internet.)
•
WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make selections from the following drop-down lists:
•
Select Schedule
•
Send to DMZ Server
The following configuration is optional:
•
Translate to Port Number
4. Click Apply to save your changes. The new rule is now added to the Inbound Services
table.
Firewall Protection
148
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IPv6 DMZ WAN Inbound Service Rules

To create a new IPv6 DMZ WAN inbound rule:
1. In the upper right of the DMZ WAN Rules screen, select the IPv6 radio button. The screen
displays the IPv6 settings (see Figure 68 on page 144).
2. Click the Add table button under the Inbound Services table. The Add DMZ WAN Inbound
Service screen for IPv6 displays:
Figure 72.
3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• DMZ Users
•
WAN Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make selections from the following drop-down list:
•
Select Schedule
4. Click Apply to save your changes. The new rule is now added to the Inbound Services
table.
Firewall Protection
149
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure LAN DMZ Rules
The LAN DMZ Rules screen allows you to create rules that define the movement of traffic
between the LAN and the DMZ. The default outbound and inbound policies are to block all
traffic between the local LAN and DMZ network. You can then apply firewall rules to allow
specific types of traffic either going out from the LAN to the DMZ (outbound) or coming in
from the DMZ to the LAN (inbound).
There is no drop-down list that lets you set the default outbound policy as there is on the LAN
WAN Rules screen. You can change the default outbound policy by allowing all outbound
traffic and then blocking specific services from passing through the wireless VPN firewall. You
do so by adding outbound service rules (see Create LAN DMZ Outbound Service Rules on
page 152).

To access the LAN DMZ Rules screen for IPv4 or to make changes to existing IPv4
rules:
Select Security > Firewall > LAN DMZ Rules. In the upper right of the screen, the IPv4 radio
button is selected by default. The LAN DMZ Rules screen displays the IPv4 settings. (The
following figure contains examples.)
Figure 73.
To make changes to an existing outbound or inbound service rule, in the Action column to the
right of to the rule, click one of the following table buttons:
•
Up. Moves the rule up one position in the table rank.
•
Down. Moves the rule down one position in the table rank.
•
Edit. Allows you to make any changes to the rule definition of an existing rule. Depending
on your selection, one of the following screens displays:
-
Edit LAN DMZ Outbound Service screen for IPv4 (identical to Figure 75 on page 152)
-
Edit LAN DMZ Inbound Service screen for IPv4 (identical to Figure 77 on page 154)
Firewall Protection
150
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To access the LAN DMZ Rules screen for IPv6 or to make changes to existing IPv6
rules:
1. Select Security > Firewall > LAN DMZ Rules. The Firewall submenu tabs display with
the LAN DMZ Rules screen for IPv4 in view.
2. In the upper right of the screen, select the IPv6 radio button. The LAN DMZ Rules screen
displays the IPv6 settings. (The following figure contains examples.)
Figure 74.
To make changes to an existing outbound or inbound service rule, in the Action column to the
right of to the rule, click one of the following table buttons:

•
Up. Moves the rule up one position in the table rank.
•
Down. Moves the rule down one position in the table rank.
•
Edit. Allows you to make any changes to the rule definition of an existing rule. Depending
on your selection, one of the following screens displays:
-
Edit LAN DMZ Outbound Service screen for IPv6 (identical to Figure 76 on page 153)
-
Edit LAN DMZ Inbound Service screen for IPv6 (identical to Figure 78 on page 155)
To enable, disable, or delete one or more IPv4 or IPv6 rules:
1. Select the check box to the left of each rule that you want to enable, disable, or delete,
or click the Select All table button to select all rules.
2. Click one of the following table buttons:
• Enable. Enables the rule or rules. The ! status icon changes from a gray circle to a
green circle, indicating that the selected rule or rules are enabled. (By default, when a
rule is added to the table, it is automatically enabled.)
•
Disable. Disables the rule or rules. The ! status icon changes from a green circle to a
gray circle, indicating that the selected rule or rules are disabled.
•
Delete. Deletes the selected rule or rules.
Firewall Protection
151
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Create LAN DMZ Outbound Service Rules
You can change the default outbound policy or define rules that specify exceptions to the
default outbound policy. By adding custom rules, you can block or allow access based on the
service or application, source or destination IP addresses, and time of day. An outbound rule
can block or allow traffic between the DMZ and any internal LAN IP address according to the
schedule created on the Schedule screen.
IPv4 LAN DMZ Outbound Service Rules

To create a new IPv4 LAN DMZ outbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv4 radio button. The screen
displays the IPv4 settings (see Figure 73 on page 150).
2. Click the Add table button under the Outbound Services table. The Add LAN DMZ
Outbound Service screen for IPv4 displays:
Figure 75.
3. Enter the settings as explained in Table 32 on page 128. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• LAN Users
•
DMZ Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make a selection from the following drop-down list:
•
Select Schedule
4. Click Apply. The new rule is now added to the Outbound Services table. The rule is
automatically enabled.
Firewall Protection
152
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IPv6 LAN DMZ Outbound Service Rules

To create a new IPv6 LAN DMZ outbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv6 radio button. The screen
displays the IPv6 settings (see Figure 74 on page 151).
2. Click the Add table button under the Outbound Services table. The Add LAN DMZ
Outbound Service screen for IPv6 displays:
Figure 76.
3. Enter the settings as explained in Table 32 on page 128. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• LAN Users
•
DMZ Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make a selection from the following drop-down list:
•
Select Schedule
4. Click Apply. The new rule is now added to the Outbound Services table. The rule is
automatically enabled.
Create LAN DMZ Inbound Service Rules
The Inbound Services table lists all existing rules for inbound traffic. If you have not defined
any rules, no rules are listed. By default, all inbound traffic (from the LAN to the DMZ) is
blocked.
Firewall Protection
153
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IPv4 LAN DMZ Inbound Service Rules

To create a new IPv4 LAN DMZ inbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv4 radio button. The screen
displays the IPv4 settings (see Figure 73 on page 150).
2. Click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound
Service screen for IPv4 displays:
Figure 77.
3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• LAN Users
•
DMZ Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make a selection from the following drop-down list:
•
Select Schedule
4. Click Apply to save your changes. The new rule is now added to the Inbound Services
table.
IPv6 LAN DMZ Inbound Service Rules

To create a new IPv6 LAN DMZ inbound rule:
1. In the upper right of the LAN DMZ Rules screen, select the IPv6 radio button. The screen
displays the IPv6 settings (see Figure 74 on page 151).
Firewall Protection
154
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Click the Add table button under the Inbound Services table. The Add LAN DMZ Inbound
Service screen for IPv6 displays:
Figure 78.
3. Enter the settings as explained in Table 33 on page 132. In addition to selections from the
Service, Action, and Log drop-down lists, you need to make selections from the following
drop-down lists:
• LAN Users
•
DMZ Users
Unless your selection from the Action drop-down list is BLOCK always, you also need to
make a selection from the following drop-down list:
•
Select Schedule
4. Click Apply to save your changes. The new rule is now added to the Inbound Services
table.
Examples of Firewall Rules
Examples of Inbound Firewall Rules
IPv4 LAN WAN Inbound Rule: Host a Local Public Web Server
If you host a public web server on your local network, you can define a rule to allow inbound
web (HTTP) requests from any outside IP address to the IP address of your web server at
any time of the day.
Firewall Protection
155
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 79.
IPv4 LAN WAN Inbound Rule: Allow a Videoconference from Restricted
Addresses
If you want to allow incoming videoconferencing to be initiated from a restricted range of
outside IP addresses, such as from a branch office, you can create an inbound rule (see the
following figure). In the example, CU-SeeMe connections are allowed only from a specified
range of external IP addresses.
Firewall Protection
156
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 80.
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Set Up One-to-One NAT
Mapping
In this example, multi-NAT is configured to support multiple public IP addresses on one WAN
interface. An inbound rule configures the wireless VPN firewall to host an additional public IP
address and associate this address with a web server on the LAN.
The following addressing scheme is used to illustrate this procedure:
•
•
NETGEAR wireless VPN firewall:
-
WAN IP address. 10.1.0.118
-
LAN IP address subnet. 192.168.1.1 with subnet 255.255.255.0
-
DMZ IP address subnet. 192.168.10.1 with subnet 255.255.255.0
Web server computer on the wireless VPN firewall’s LAN:
-
LAN IP address. 192.168.1.2
-
DMZ IP address. 192.168.10.2
-
Access to web server is (simulated) public IP address. 10.1.0.52
Firewall Protection
157
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Tip: If you arrange with your ISP to have more than one public IP address for
your use, you can use the additional public IP addresses to map to
servers on your LAN or DMZ. One of these public IP addresses is used
as the primary IP address of the router that provides Internet access to
your LAN computers through NAT. The other addresses are available to
map to your servers.

To configure the wireless VPN firewall for additional IP addresses:
1. Select Security > Firewall. The Firewall submenu tabs display.
2. If your server is to be on your LAN, click the LAN WAN Rules submenu tab. (This is the
screen used in this example). If your server is to be on your DMZ, click the DMZ WAN
Rules submenu tab.
3. Click the Add table button under the Inbound Services table. The Add LAN WAN Inbound
Service screen displays:
Figure 81.
4. From the Service drop-down list, select HTTP for a web server.
5. From the Action drop-down list, select ALLOW Always.
Firewall Protection
158
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
6. In the Send to LAN Server field, enter the local IP address of your web server computer
(192.168.1.2 in this example).
7. In the WAN Destination IP Address fields, enter 10.1.0.52.
8. Click Apply to save your settings. The rule is now added to the Inbound Services table of
the LAN WAN Rules screen.
To test the connection from a computer on the Internet, type http://<IP_address>, in which
<IP_address> is the public IP address that you have mapped to your web server in Step 7.
You should see the home page of your web server.
IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an Exposed Host
Specifying an exposed host allows you to set up a computer or server that is available to
anyone on the Internet for services that you have not yet defined.
WARNING:
Do not set up an exposed host from a remote connection because
you will very likely lock yourself out from the wireless VPN
firewall.

To expose one of the computers on your LAN or DMZ as this host:
1. Create an inbound rule that allows all protocols.
2. Place the rule below all other inbound rules.
See an example in the following figure. (The inbound rule that allows all protocols is disabled
in this figure.)
1. Select Any and Allow Always (or Allow by Schedule).
2. Place the rule below all other inbound rules. (The rule is disabled in this example.)
Figure 82.
Firewall Protection
159
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
WARNING:
For security, NETGEAR strongly recommends that you avoid
creating an exposed host. When a computer is designated as the
exposed host, it loses much of the protection of the firewall and is
exposed to many exploits from the Internet. If compromised, the
computer can be used to attack your network.
IPv6 LAN WAN Inbound Rule: Restrict RTelnet from a Single WAN User to a
Single LAN User
If you want to restrict incoming RTelnet sessions from a single IPv6 WAN user to a single
IPv6 LAN user, specify the initiating IPv6 WAN address and the receiving IPv6 LAN address.
See an example in the following figure.
Figure 83.
Examples of Outbound Firewall Rules
Outbound rules let you prevent users from using applications such as Instant Messenger,
Real Audio, or other nonessential sites.
IPv4 LAN WAN Outbound Rule: Block Instant Messenger
If you want to block Instant Messenger usage by employees during working hours, you can
create an outbound rule to block such an application from any internal IP address to any
external address according to the schedule that you have created on the Schedule screen.
The schedule should specify working hours.
Firewall Protection
160
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
You can also enable the wireless VPN firewall to log any attempt to use Instant Messenger
during the blocked period. See an example in the following figure.
Figure 84.
IPv6 DMZ WAN Outbound Rule: Allow a Group of DMZ User to Access an FTP
Site on the Internet
If you want to allow a group of DMZ users to access a particular FTP site on the Internet
during working hours, you can create an outbound rule to allow such traffic by specifying the
IPv6 DMZ start and finish addresses and the IPv6 WAN address. On the Schedule screen,
create a schedule that specifies working hours, and assign it to the rule.
You can also configure the QoS profile to maximize the throughput. See an example in the
following figure.
Firewall Protection
161
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 85.
Configure Other Firewall Features
You can configure attack checks, set session limits, and manage the application level
gateway (ALG) for SIP sessions.
Attack Checks
The Attack Checks screen allows you to specify whether or not the wireless VPN firewall
should be protected against common attacks in the DMZ, LAN, and WAN networks. The
various types of IPv4 attack checks are listed on the Attack Checks screen and defined in
Table 34 on page 163. For IPv6, the only options are to specify whether or not to allow a ping
on the WAN port and whether or not to allow VPN pass-through for IPSec.
Firewall Protection
162
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IPv4 Attack Checks

To enable IPv4 attack checks for your network environment:
1. Select Security > Firewall > Attack Checks. In the upper right of the screen, the IPv4
radio button is selected by default. The Attack Checks screen displays the IPv4 settings:
Figure 86.
2. Enter the settings as explained in the following table:
Table 34. Attack Checks screen settings for IPv4
Setting
Description
WAN Security Checks
Respond to Ping on
Internet Ports
Select the Respond to Ping on Internet Ports check box to enable the wireless
VPN firewall to respond to a ping from the Internet to its IPv4 address. A ping can be
used as a diagnostic tool. Keep this check box cleared unless you have a specific
reason to enable the wireless VPN firewall to respond to a ping from the Internet.
Enable Stealth Mode Select the Enable Stealth Mode check box (which is the default setting) to prevent
the wireless VPN firewall from responding to port scans from the WAN, thus making
it less susceptible to discovery and attacks.
Block TCP flood
Select the Block TCP flood check box (which is the default setting) to enable the
wireless VPN firewall to drop all invalid TCP packets and to protect the wireless VPN
firewall from a SYN flood attack.
A SYN flood is a form of denial of service attack in which an attacker sends a
succession of SYN (synchronize) requests to a target system. When the system
responds, the attacker does not complete the connections, thus leaving the
connection half open and flooding the server with SYN messages. No legitimate
connections can then be made.
Firewall Protection
163
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 34. Attack Checks screen settings for IPv4 (continued)
Setting
Description
LAN Security Checks
Block UDP flood
Select the Block UDP flood check box (which is the default setting) to prevent the
wireless VPN firewall from accepting more than 20 simultaneous, active User
Datagram Protocol (UDP) connections from a single device on the LAN.
A UDP flood is a form of denial of service attack that can be initiated when one
device sends a large number of UDP packets to random ports on a remote host. As a
result, the distant host does the following:
1. Checks for the application listening at that port.
2. Sees that no application is listening at that port.
3. Replies with an ICMP Destination Unreachable packet.
When the victimized system is flooded, it is forced to send many ICMP packets,
eventually making it unreachable by other clients. The attacker might also spoof the
IP address of the UDP packets, ensuring that the excessive ICMP return packets do
not reach the attacker, thus making the attacker’s network location anonymous.
Disable Ping Reply
on LAN Ports
Select the Disable Ping Reply on LAN Ports check box to prevent the wireless
VPN firewall from responding to a ping on a LAN port. A ping can be used as a
diagnostic tool. Keep this check box cleared unless you have a specific reason to
prevent the wireless VPN firewall from responding to a ping on a LAN port.
VPN Pass through
IPSec
PPTP
L2TP
When the wireless VPN firewall functions in NAT mode, all packets going to the
remote VPN gateway are first filtered through NAT and then encrypted according to
the VPN policy. For example, if a VPN client or gateway on the LAN side of the
wireless VPN firewall wants to connect to another VPN endpoint on the WAN side
(placing the wireless VPN firewall between two VPN endpoints), encrypted packets
are sent to the wireless VPN firewall. Because the wireless VPN firewall filters the
encrypted packets through NAT, the packets become invalid unless you enable the
VPN Pass through feature.
To enable the VPN tunnel to pass the VPN traffic without any filtering, select any or
all of the following check boxes:
• IPSec. Disables NAT filtering for IPSec tunnels.
• PPTP. Disables NAT filtering for PPTP tunnels.
• L2TP. Disables NAT filtering for L2TP tunnels.
By default, all three check boxes are selected.
Multicast Pass through
Enable IGMP
IP multicast pass-through allows multicast packets that originate in the WAN, such
as packets from a media streaming or gaming application, to be forwarded to the
LAN subnet. Internet Group Management Protocol (IGMP) is used to support
multicast between IP hosts and their adjacent neighbors.
Select the Enable IGMP check box to enable IP multicast pass-through. By default,
IP multicast pass-through is disabled.
Firewall Protection
164
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 34. Attack Checks screen settings for IPv4 (continued)
Setting
Description
Jumbo Frames
Enable Jumbo
Frame
Jumbo frames allow multiple smaller packets to be combined into a single larger
packet, reducing network overhead and increasing data transfer performance.
Jumbo frames are supported on ports 1, 2, 3, and 4 only.
Select the Jumbo Frame check box to enable jumbo frames. By default, jumbo
frames are disabled.
Note: Jumbo frames are not supported on Fast Ethernet interfaces.
3. Click Apply to save your settings.
IPv6 Attack Checks

To enable IPv6 attack checks for your network environment:
1. Select Security > Firewall > Attack Checks.
2. In the upper right of the screen, select the IPv6 radio button. The Attack Checks screen
displays the IPv6 settings:
Figure 87.
3. Configure the following settings:
• Respond to Ping on Internet Port. Select the Respond to Ping on Internet Ports
check box to enable the wireless VPN firewall to respond to a ping from the Internet to
its IPv6 address. A ping can be used as a diagnostic tool. Keep this check box
cleared unless you have a specific reason to enable the wireless VPN firewall to
respond to a ping from the Internet.
•
IPsec. Select the IPsec check box to enable IPSec VPN traffic that is initiated from
the LAN to reach the WAN, irrespective of the default firewall outbound policy and
custom firewall rules.
4. Click Apply to save your settings.
Firewall Protection
165
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Set Limits for IPv4 Sessions
The session limits feature allows you to specify the total number of sessions that are allowed,
per user, over an IPv4 connection across the wireless VPN firewall. The session limits feature
is disabled by default.

To enable and configure session limits:
1. Select Security > Firewall > Session Limit. The Session Limit screen displays:
Figure 88.
2. Select the Yes radio button under Do you want to enable Session Limit?
3. Enter the settings as explained in the following table:
Table 35. Session Limit screen settings
Setting
Description
Session Limit
User Limit Parameter
From the User Limit Parameter drop-down list, select one of the following options:
• Percentage of Max Sessions. A percentage of the total session connection
capacity of the wireless VPN firewall.
• Number of Sessions. An absolute number of maximum sessions.
User Limit
Enter a number to indicate the user limit. Note the following:
• If the User Limit Parameter is set to Percentage of Max Sessions, the number
specifies the maximum number of sessions that are allowed from a single-source
device as a percentage of the total session connection capacity of the wireless
VPN firewall. (The session limit is per-device based.)
• If the User Limit Parameter is set to Number of Sessions, the number specifies
an absolute value.
Note: Some protocols such as FTP and RSTP create two sessions per connection,
which should be considered when configuring a session limit.
Firewall Protection
166
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 35. Session Limit screen settings (continued)
Setting
Description
Total Number of
This is a nonconfigurable counter that displays the total number of dropped packets
Packets Dropped due when the session limit is reached.
to Session Limit
Session Timeout
TCP Timeout
UDP Timeout
ICMP Timeout
For each protocol, specify a time-out in seconds. A session expires if no data for
the session is received for the duration of the time-out period. The default time-out
periods are 1800 seconds for TCP sessions, 120 seconds for UDP sessions, and
60 seconds for ICMP sessions.
4. Click Apply to save your settings.
Manage the Application Level Gateway for SIP Sessions
The application level gateway (ALG) facilitates multimedia sessions such as voice over IP
(VoIP) sessions that use the Session Initiation Protocol (SIP) across the firewall and provides
support for multiple SIP clients. SIP support for the ALG, which is an IPv4 feature, is disabled
by default.

To enable ALG for SIP:
1. Select Security > Firewall > Advanced. The Advanced screen displays:
Figure 89.
2. Select the Enable SIP ALG check box.
3. Click Apply to save your settings.
Firewall Protection
167
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Services, Bandwidth Profiles, and QoS Profiles
When you create inbound and outbound firewall rules, you use firewall objects such as
services, QoS profiles, bandwidth profiles, and schedules to narrow down the firewall rules:
•
Services. A service narrows down the firewall rule to an application and a port number.
For information about adding services, see Add Customized Services on page 168.
•
Bandwidth profiles. A bandwidth profile allocates and limits traffic bandwidth for the LAN
users to which an IPv4 firewall rule is applied. For information about creating bandwidth
profiles, see Create Bandwidth Profiles on page 171.
•
QoS profiles. A Quality of Service (QoS) profile defines the relative priority of an IP
packet for traffic that matches the firewall rule. For information about QoS profiles, see
Preconfigured Quality of Service Profiles on page 173.
Note: A schedule narrows down the period during which a firewall rule is
applied. For information about specifying schedules, see Set a
Schedule to Block or Allow Specific Traffic on page 178.
Add Customized Services
Services are functions performed by server computers at the request of client computers. You
can configure up to 124 custom services.
For example, web servers serve web pages, time servers serve time and date information,
and game hosts serve data about other players’ moves. When a computer on the Internet
sends a request for service to a server computer, the requested service is identified by a
service or port number. This number appears as the destination port number in the
transmitted IP packets. For example, a packet that is sent with destination port number 80 is
an HTTP (web server) request.
The service numbers for many common protocols are defined by the Internet Engineering
Task Force (IETF) and published in RFC 1700, Assigned Numbers. Service numbers for
other applications are typically chosen from the range 1024 to 65535 by the authors of the
application. However, on the wireless VPN firewall you can select service numbers in the
range from 1 to 65535.
Although the wireless VPN firewall already holds a list of many service port numbers, you are
not limited to these choices. Use the Services screen to add additional services and
applications to the list for use in defining firewall rules. The Services screen shows a list of
services that you have defined, as shown in the following figure.
To define a new service, you need to determine first which port number or range of numbers
is used by the application. You can usually determine this information by contacting the
publisher of the application, user groups, or newsgroups. When you have the port number
information, you can enter it on the Services screen.
Firewall Protection
168
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To add a customized service:
1. Select Security > Services. The Services screen displays. The Custom Services table
shows the user-defined services. (The following figure shows some examples.)
Figure 90.
2. In the Add Customer Service section of the screen, enter the settings as explained in the
following table:
Table 36. Services screen settings
Setting
Description
Name
A descriptive name of the service for identification and management purposes.
Type
From the Type drop-down list, select the Layer 3 protocol that the service uses as its
transport protocol:
• TCP
• UDP
• ICMP
• ICMPv6
ICMP Type
A numeric value that can range between 0 and 40. For a list of ICMP types, see
http://www.iana.org/assignments/icmp-parameters.
Note: This field is enabled only when you select ICMP or ICMPv6 from the Type
drop-down list.
Start Port
The first TCP or UDP port of a range that the service uses.
Note: This field is enabled only when you select TCP or UDP from the Type drop-down list.
Firewall Protection
169
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 36. Services screen settings (continued)
Setting
Description
Finish Port
The last TCP or UDP port of a range that the service uses. If the service uses only a single
port number, enter the same number in the Start Port and Finish Port fields.
Note: This field is enabled only when you select TCP or UDP from the Type drop-down list.
Default QoS
Priority
From the Default QoS Priority drop-down list, select the QoS profile that you want to assign
to the service. For more information about QoS profiles, see Preconfigured Quality of
Service Profiles on page 173.
3. Click Apply to save your settings. The new custom service is added to the Custom Services
table.

To edit a service:
1. In the Custom Services table, click the Edit table button to the right of the service that
you want to edit. The Edit Service screen displays:
Figure 91.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified service is displayed in the Custom Services
table.

To delete one or more services:
1. In the Custom Services table, select the check box to the left of each service that you
want to delete, or click the Select All table button to select all services.
2. Click the Delete table button.
Firewall Protection
170
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Create Bandwidth Profiles
Bandwidth profiles determine the way in which data is communicated with the hosts. The
purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus
allocating LAN users sufficient bandwidth while preventing them from consuming all the
bandwidth on your WAN link. A single bandwidth profile can be for both outbound and
inbound traffic.
For outbound IPv4 traffic, you can apply bandwidth profiles on the WAN interface; for inbound
IPv4 traffic, you can apply bandwidth profiles to a LAN interface. Bandwidth profiles do not
apply to the DMZ interface, nor to IPv6 traffic.
When a new connection is established by a device, the device locates the firewall rule
corresponding to the connection:
•
If the rule has a bandwidth profile specification, the device creates a bandwidth class in
the kernel.
•
If multiple connections correspond to the same firewall rule, the connections all share the
same bandwidth class.
An exception occurs for an individual bandwidth profile if the classes are per-source IP
address classes. The source IP address is the IP address of the first packet that is
transmitted for the connection. So for outbound firewall rules, the source IP address is the
LAN-side IP address; for inbound firewall rules, the source IP address is the WAN-side IP
address. The class is deleted when all the connections that are using the class expire.
After you have created a bandwidth profile, you can assign the bandwidth profile to firewall
rules on the following screens:

•
Add LAN WAN Outbound Services screen for IPv4 (see Figure 63 on page 138)
•
Add LAN WAN Inbound Services screen for IPv4 (see Figure 65 on page 140)
To add and enable a bandwidth profile:
1. Select Security > Bandwidth Profiles. The Bandwidth Profiles screen displays. (The
following figure shows some examples.)
Figure 92.
Firewall Protection
171
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth
Profile screen displays:
Figure 93.
3. Enter the settings as explained in the following table:
Table 37. Add Bandwidth Profile screen settings
Setting
Description
Profile Name
A descriptive name of the bandwidth profile for identification and management
purposes.
Direction
From the Direction drop-down list, select the traffic direction for the bandwidth profile:
• Inbound Traffic. The bandwidth profile is applied only to inbound traffic. Specify
the inbound minimum and maximum bandwidths.
• Outbound Traffic. The bandwidth profile is applied only to outbound traffic.
Specify the outbound minimum and maximum bandwidths.
• Both. The bandwidth profile is applied to both outbound and inbound traffic.
Specify both the outbound and inbound minimum and maximum bandwidths.
Inbound Minimum
Bandwidth
The inbound minimum allocated bandwidth in Kbps. There is no default setting.
Inbound Maximum
Bandwidth
The inbound maximum allowed bandwidth in Kbps. The maximum allowable
bandwidth is 100000 Kbps, and you cannot configure less than 100 Kbps. There is
no default setting.
Outbound Minimum
Bandwidth
The outbound minimum allocated bandwidth in Kbps. There is no default setting.
Firewall Protection
172
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 37. Add Bandwidth Profile screen settings (continued)
Setting
Description
Outbound Maximum The outbound maximum allowed bandwidth in Kbps. The maximum allowable
Bandwidth
bandwidth is 100000 Kbps, and you cannot configure less than 100 Kbps. There is
no default setting.
Type
From the Type drop-down list, select the type for the bandwidth profile:
• Group. The profile applies to all users, that is, all users share the available
bandwidth.
• Individual. The profile applies to an individual user, that is, each user can use the
available bandwidth.
4. Click Apply to save your settings. The new bandwidth profile is added to the List of
Bandwidth Profiles table.

To edit a bandwidth profile:
1. In the List of Bandwidth Profiles table, click the Edit table button to the right of the
bandwidth profile that you want to edit. The Edit Bandwidth Profile screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified bandwidth profile is displayed in the List of
Bandwidth Profiles table.

To delete one or more bandwidth profiles:
1. In the List of Bandwidth Profiles table, select the check box to the left of each bandwidth
profile that you want to delete, or click the Select All table button to select all profiles.
2. Click the Delete table button to delete the selected profile or profiles.
Preconfigured Quality of Service Profiles
A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple
connections are scheduled for simultaneous transmission on the wireless VPN firewall. A
QoS profile becomes active only when it is associated with a nonblocking inbound or
outbound firewall rule or service, and traffic matching the firewall rule or service is processed
by the wireless VPN firewall. Priorities are defined by the Type of Service (ToS) in the Internet
Protocol Suite standards, RFC 1349.
You can assign a QoS profile to a firewall rule or service on the following screens:
•
Add LAN WAN Outbound Services screen for IPv4 (see Figure 63 on page 138)
•
Add LAN WAN Outbound Services screen for IPv6 (see Figure 64 on page 139)
•
Add DMZ WAN Outbound Services screen for IPv4 (see Figure 69 on page 145)
•
Add DMZ WAN Outbound Services screen for IPv6 (see Figure 70 on page 146)
•
Services screen (see Figure 90 on page 169)
Firewall Protection
173
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
These are the default QoS profiles that are preconfigured and that cannot be edited:
•
Normal-Service. Used when no special priority is given to the traffic. IP packets are
marked with a ToS value of 0.
•
Minimize-Cost. Used when data needs to be transferred over a link that has a lower cost.
IP packets are marked with a ToS value of 2.
•
Maximize-Reliability. Used when data needs to travel to the destination over a reliable
link and with little or no retransmission. IP packets are marked with a ToS value of 4.
•
Maximize-Throughput. Used when the volume of data transferred during an interval is
important even if the latency over the link is high. IP packets are marked with a ToS value
of 8.
•
Minimize-Delay. Used when the time required (latency) for the packet to reach the
destination needs to be low. IP packets are marked with a ToS value of 16.
Configure Content Filtering
To restrict internal LAN users from access to certain sites on the Internet, you can use the
content filtering and web component blocking features of the wireless VPN firewall. By
default, these features are disabled; all requested traffic from any website is allowed. If you
enable one or more of these features and users try to access a blocked site, they will see a
“Blocked by NETGEAR” message.
Note: Content filtering is supported for IPv4 users and groups only.
Several types of blocking are available:
•
Web component blocking. You can block the following web component types: proxy,
Java, ActiveX, and cookies. Even sites that are listed in the Trusted Domains table are
subject to web component blocking when the blocking of a particular web component is
enabled.
-
Proxy. A proxy server (or simply, proxy) allows computers to route connections to
other computers through the proxy, thus circumventing certain firewall rules. For
example, if connections to a specific IP address are blocked by a firewall rule, the
requests can be routed through a proxy that is not blocked by the rule, rendering the
restriction ineffective. Enabling this feature blocks proxy servers.
-
Java. Blocks Java applets from being downloaded from pages that contain them.
Java applets are small programs embedded in web pages that enable dynamic
functionality of the page. A malicious applet can be used to compromise or infect
computers. Enabling this setting blocks Java applets from being downloaded.
Firewall Protection
174
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
-
ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows
computer running Internet Explorer. A malicious ActiveX control can be used to
compromise or infect computers. Enabling this setting blocks ActiveX applets from
being downloaded.
-
Cookies. Cookies are used to store session information by websites that usually
require login. However, several websites use cookies to store tracking information
and browsing habits. Enabling this option blocks cookies from being created by a
website.
Note: Many websites require that cookies be accepted in order for the site
to be accessed correctly. Blocking cookies might interfere with
useful functions provided by these websites.
•
Keyword blocking (domain name blocking). You can specify up to 32 words to block. If
any of these words appear in the website name (URL) or in a newsgroup name, the
website or newsgroup is blocked by the wireless VPN firewall.
You can apply the keywords to one or more LAN groups. Requests from the computers in
the groups are blocked where keyword blocking has been enabled. Blocking does not
occur for the computers in the groups where keyword blocking has been disabled.
You can bypass keyword blocking for trusted domains by adding the exact matching
domain to the Trusted Domains table. Access to the domains or keywords on this list by
computers in the groups where keyword blocking has been enabled will be allowed to
pass without any blocking.
Keyword application examples:

•
If the keyword “xxx” is specified, the URL http://www.companycom/xxx.html is
blocked, as is the newsgroup alt.pictures.xxx.
•
If the keyword “.com” is specified, only websites with other domain suffixes (such as
.edu, .org, or .gov) can be viewed.
•
If you wish to block all Internet browsing access, enter . (period) as the keyword.
To enable and configure content filtering:
1. Select Security > Content Filtering. The Block Sites screen displays. (The following
figure shows some examples.)
Firewall Protection
175
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 94.
2. In the Content Filtering section of the screen, select the Yes radio button.
Firewall Protection
176
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. In the Web Components section of the screen, select the components that you want to block
(by default, none of these components are blocked, that is, none of these check boxes are
selected):
• Proxy. Blocks proxy servers.
•
Java. Blocks Java applets from being downloaded.
•
ActiveX. Blocks ActiveX applets from being downloaded.
•
Cookies. Blocks cookies from being created by a website.
These components are explained in the introduction of this section on page 174.
4. Click Apply to enable content filtering and blocking of the selected web components. The
screen controls are activated.

To apply keyword blocking to LAN groups:
1. In the Apply Keyword Blocking to section of the screen, select the check boxes for the
groups to which you want to apply keyword blocking, or click the Select All button to
select all groups.
2. To activate keyword blocking for these groups, click the Enable button. To deactivate
keyword blocking for the selected groups, click the Disable button.
Note: If you changed the LAN group names on the Edit Group Names
screen (see Change Group Names in the Network Database on
page 68), the new names are displayed on the Block Sites screen.

To build your list of blocked keywords or blocked domain names:
1. In the Add Blocked Keyword section of the screen, in the Blocked Keyword field, enter a
keyword or domain name.
2. After each entry, click the Add table button. The keyword or domain name is added to the
Blocked Keywords table.
To edit an entry, click the Edit table button in the Action column adjacent to the entry.

To build your list of trusted domains:
1. In the Add Trusted Domain section of the screen, in the Trusted Domains field, enter a
domain name.
2. After each entry, click the Add table button. The domain name is added to the Trusted
Domains table.
To edit an entry, click the Edit table button in the Action column adjacent to the entry.
Firewall Protection
177
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Set a Schedule to Block or Allow Specific Traffic
Schedules define the time frames under which firewall rules can be applied. Three
schedules, Schedule 1, Schedule 2, and Schedule 3, can be defined, and you can select any
one of these when defining firewall rules.

To set a schedule:
1. Select Security > Services > Schedule 1. The Schedule 1 screen displays:
Figure 95.
2. In the Scheduled Days section, select one of the following radio buttons:
• All Days. The schedule is in effect all days of the week.
•
Specific Days. The schedule is in effect only on specific days. To the right of the radio
buttons, select the check box for each day that you want the schedule to be in effect.
3. In the Scheduled Time of Day section, select one of the following radio buttons:
• All Day. The schedule is in effect all hours of the selected day or days.
•
Specific Times. The schedule is in effect only during specific hours of the selected
day or days. To the right of the radio buttons, fill in the Start Time and End Time fields
(Hour, Minute, AM/PM) during which the schedule is in effect.
4. Click Apply to save your settings to Schedule 1.
Repeat these steps to set to a schedule for Schedule 2 and Schedule 3.
Firewall Protection
178
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Enable Source MAC Filtering
The Source MAC Filter screen enables you to permit or block traffic coming from certain
known computers or devices.
By default, the source MAC address filter is disabled. All the traffic received from computers
with any MAC address is allowed. When the source MAC address filter is enabled,
depending on the selected policy, traffic is either permitted or blocked if it comes from any
computers or devices whose MAC addresses are listed in MAC Addresses table.
Note: For additional ways of restricting outbound traffic, see Outbound
Rules (Service Blocking) on page 127.

To enable MAC filtering and add MAC addresses to be permitted or blocked:
1. Select Security > Address Filter. The Address Filter submenu tabs display, with the
Source MAC Filter screen in view. (The following figure shows one address in the MAC
Addresses table as an example.)
Figure 96.
2. In the MAC Filtering Enable section, select the Yes radio button.
3. In the same section, from the Policy for MAC Addresses listed below drop-down list, select
one of the following options:
• Block and Permit the rest. Traffic coming from all addresses in the MAC Addresses
table is blocked. Traffic from all other MAC addresses is permitted.
•
Permit and Block the rest. Traffic coming from all addresses in the MAC Addresses
table is permitted. Traffic from all other MAC addresses is blocked.
Firewall Protection
179
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Click Apply to save your settings. The MAC Address field in the Add Source MAC Address
section of the screen now becomes available.
5. Build your list of source MAC addresses to be permitted or blocked by entering the first MAC
address in the MAC Address field. A MAC address needs to be entered in the format
xx:xx:xx:xx:xx:xx, in which x is a numeric (0 to 9) or a letter between a and f (inclusive), for
example: aa:11:bb:22:cc:33.
WARNING:
If you select Permit and Block the rest from the drop-down list but
do not add the MAC address of the computer from which you are
accessing the web management interface, you are locked out of
the web management interface.
6. Click the Add table button. The MAC address is added to the MAC Addresses table.
7. Repeat the previous two steps to add more MAC addresses to the MAC Addresses table.

To remove one or more MAC addresses from the table:
1. Select the check box to the left of each MAC address that you want to delete, or click
the Select All table button to select all addresses.
2. Click the Delete table button.
Set Up IP/MAC Bindings
IP/MAC binding allows you to bind an IPv4 or IPv6 address to a MAC address and the other
way around. Some computers or devices are configured with static addresses. To prevent
users from changing their static IP addresses, the IP/MAC binding feature needs to be
enabled on the wireless VPN firewall. If the wireless VPN firewall detects packets with an IP
address that matches the IP address in the IP/MAC Bindings table but does not match the
related MAC address in the IP/MAC Bindings table (or the other way around), the packets are
dropped. If you have enabled the logging option for the IP/MAC binding feature, these
packets are logged before they are dropped. The wireless VPN firewall displays the total
number of dropped packets that violate either the IP-to-MAC binding or the MAC-to-IP
binding.
Note: You can bind IP addresses to MAC addresses for DHCP assignment
on the LAN Groups submenu. See Manage the Network Database
on page 65.
As an example, assume that three computers on the LAN are set up as follows, and that their
IPv4 and MAC addresses are added to the IP/MAC Bindings table:
•
Host 1. MAC address (00:01:02:03:04:05) and IP address (192.168.10.10)
•
Host 2. MAC address (00:01:02:03:04:06) and IP address (192.168.10.11)
Firewall Protection
180
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
Host 3. MAC address (00:01:02:03:04:07) and IP address (192.168.10.12)
There are three possible scenarios in relation to the addresses in the IP/MAC Bindings table:
•
Host 1 has not changed its IP and MAC addresses. A packet coming from Host 1 has IP
and MAC addresses that match those in the IP/MAC Bindings table.
•
Host 2 has changed its MAC address to 00:01:02:03:04:09. The packet has an IP
address that matches the IP address in the IP/MAC Bindings table but a MAC address
that does not match the MAC address in the IP/MAC Bindings table.
•
Host 3 has changed its IP address to 192.168.10.15. The packet has a MAC address that
matches the MAC address in the IP/MAC Bindings table but an IP address that does not
match the IP address in the IP/MAC Bindings table.
In this example, the wireless VPN firewall blocks the traffic coming from Host 2 and Host 3,
but allows the traffic coming from Host 1 to any external network. The total count of dropped
packets is displayed.
IPv4/MAC Bindings

To set up a binding between a MAC address and an IPv4 address:
1. Select Security > Address Filter > IP/MAC Binding. In the upper right of the screen,
the IPv4 radio button is selected by default. The IP/MAC Binding screen displays the
IPv4 settings. (The following figure shows a binding in the IP/MAC Binding table as an
example.)
Figure 97.
Firewall Protection
181
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. In the Email IP/MAC Violations section of the screen, specify if you want to enable email
logs for IP/MAC binding violations. (You have to do this only once.) Select one of the
following radio buttons:
• Yes. IP/MAC binding violations are emailed. Click the Firewall Logs & E-mail page
link to ensure that emailing of logs is enabled on the Firewall Logs & E-mail screen
(see Configure Logging, Alerts, and Event Notifications on page 338).
•
No. IP/MAC binding violations are not emailed.
3. Click Apply to save your changes.
4. In the IP/MAC Bindings sections of the screen, enter the settings as explained in the
following table:
Table 38. IP/MAC Binding screen settings for IPv4
Setting
Description
Name
A descriptive name of the binding for identification and management purposes.
MAC Address
The MAC address of the computer or device that is bound to the IP address.
IP Address
The IPv4 address of the computer or device that is bound to the MAC address.
Log Dropped
Packets
To log the dropped packets, select Enable from the drop-down list. The default setting
is Disable.
5. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table.

To edit an IP/MAC binding:
1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC
binding that you want to edit. The Edit IP/MAC Binding screen displays.
2. Modify the settings that you wish to change (see the previous table; you can change the
MAC address, IPv4 address, and logging status).
3. Click Apply to save your changes. The modified IP/MAC binding displays in the IP/MAC
Bindings table.

To remove one or more IP/MAC bindings from the table:
1. Select the check box to the left of each IP/MAC binding that you want to delete, or click
the Select All table button to select all bindings.
2. Click the Delete table button.

To change the IPv4 MAC polling interval from its default setting of 10 seconds:
1. On the IP/MAC Bindings screen for IPv4, to the right of the IP/MAC Binding tab, click the
Set Poll Interval option arrow. The IP MAC Binding Poll Interval pop-up screen
displays:
Firewall Protection
182
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 98.
2. Click the Stop button. Wait until the Poll Interval field becomes available.
3. Enter new poll interval in seconds.
4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded
before you close the window.
IPv6/MAC Bindings

To set up a binding between a MAC address and an IPv6 address:
1. Select Security > Address Filter > IP/MAC Binding.
2. In the upper right of the screen, select the IPv6 radio button. The IP/MAC Binding screen
displays the IPv6 settings. (The following figure shows a binding in the IP/MAC Binding table
as an example.)
Figure 99.
Firewall Protection
183
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. In the Email IP/MAC Violations section of the screen, specify if you want to enable email
logs for IP/MAC binding violations. (You have to do this only once.) Select one of the
following radio buttons:
• Yes. IP/MAC binding violations are emailed. Click the Firewall Logs & E-mail page
link to ensure that emailing of logs is enabled on the Firewall Logs & E-mail screen
(see Configure Logging, Alerts, and Event Notifications on page 338).
•
No. IP/MAC binding violations are not emailed.
4. Click Apply to save your changes.
5. In the IP/MAC Bindings sections of the screen, enter the settings as explained in the
following table:
Table 39. IP/MAC Binding screen settings for IPv6
Setting
Description
Name
A descriptive name of the binding for identification and management purposes.
MAC Address
The MAC address of the computer or device that is bound to the IP address.
IP Address
The IPv6 address of the computer or device that is bound to the MAC address.
Log Dropped
Packets
To log the dropped packets, select Enable from the drop-down list. The default setting
is Disable.
6. Click the Add table button. The new IP/MAC rule is added to the IP/MAC Bindings table.

To edit an IP/MAC binding:
1. In the IP/MAC Bindings table, click the Edit table button to the right of the IP/MAC
binding that you want to edit. The Edit IP/MAC Binding screen displays.
2. Modify the settings that you wish to change (see the previous table; you can change the
MAC address, IPv6 address, and logging status).
3. Click Apply to save your changes. The modified IP/MAC binding displays in the IP/MAC
Bindings table.

To remove one or more IP/MAC bindings from the table:
1. Select the check box to the left of each IP/MAC binding that you want to delete, or click
the Select All table button to select all bindings.
2. Click the Delete table button.

To change the IPv6 MAC polling interval from its default setting of 10 seconds:
1. On the IP/MAC Bindings screen for IPv6, to the right of the IP/MAC Binding tab, click the
Set Poll Interval option arrow. The IP MAC Binding Poll Interval (IPv6) pop-up screen
displays:
Firewall Protection
184
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 100.
2. Click the Stop button. Wait until the Poll Interval field becomes available.
3. Enter new poll interval in seconds.
4. Click the Set Interval button. Wait for the confirmation that the operation has succeeded
before you close the window.
Configure Port Triggering
Port triggering allows some applications running on a LAN network to be available to external
applications that would otherwise be partially blocked by the firewall. Using the port-triggering
feature requires that you know the port numbers used by the application.
Note: Port triggering is supported for IPv4 devices only.
Once configured, port triggering operates as follows:
1. A computer makes an outgoing connection using a port number that is defined in the
Port Triggering Rules table.
2. The wireless VPN firewall records this connection, opens the additional incoming port or
ports that are associated with the rule in the port triggering table, and associates them with
the computer.
3. The remote system receives the computer’s request and responds using the incoming port
or ports that are associated with the rule in the port triggering table on the wireless VPN
firewall.
4. The wireless VPN firewall matches the response to the previous request and forwards the
response to the computer.
Without port triggering, the response from the external application would be treated as a new
connection request rather than a response to a request from the LAN network. As such, it
would be handled in accordance with the inbound port-forwarding rules, and most likely
would be blocked.
Firewall Protection
185
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note these restrictions on port triggering:
•
Only one computer can use a port-triggering application at any time.
•
After a computer has finished using a port-triggering application, there is a short time-out
period before the application can be used by another computer. This time-out period is
required so the wireless VPN firewall can determine that the application has terminated.
Note: For additional ways of allowing inbound traffic, see Inbound Rules
(Port Forwarding) on page 130.

To add a port-triggering rule:
1. Select Security > Port Triggering. The Port Triggering screen displays. (The following
figure shows a rule in the Port Triggering Rule table as an example.)
Figure 101.
2. In the Add Port Triggering Rule section, enter the settings as explained in the following table:
Table 40. Port Triggering screen settings
Setting
Description
Name
A descriptive name of the rule for identification and management purposes.
Enable
From the drop-down list, select Yes to enable the rule. (You can define a rule but not
enable it.) The default setting is No.
Protocol
From the drop-down list, select the protocol to which the rule applies:
• TCP. The rule applies to an application that uses the Transmission Control
Protocol (TCP).
• UDP. The rule applies to an application that uses the User Datagram Protocol
(UDP).
Firewall Protection
186
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 40. Port Triggering screen settings (continued)
Setting
Description
Outgoing (Trigger)
Port Range
Start Port
The start port (1–65535) of the range for triggering.
End Port
The end port (1–65535) of the range for triggering.
Incoming (Response) Start Port
Port Range
End Port
The start port (1–65535) of the range for responding.
The end port (1–65535) of the range for responding.
3. Click the Add table button. The new port-triggering rule is added to the Port Triggering Rules
table.

To edit a port-triggering rule:
1. In the Port Triggering Rules table, click the Edit table button to the right of the
port-triggering rule that you want to edit. The Edit Port Triggering Rule screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified port-triggering rule is displayed in the Port
Triggering Rules table.

To remove one or more port-triggering rules from the table:
1. Select the check box to the left of each port-triggering rule that you want to delete, or
click the Select All table button to select all rules.
2. Click the Delete table button.

To display the status of the port-triggering rules:
Click the Status option arrow in the upper right of the Port Triggering screen. A pop-up
screen displays, showing the status of the port-triggering rules.
Figure 102.
Configure Universal Plug and Play
The Universal Plug and Play (UPnP) feature enables the wireless VPN firewall to
automatically discover and configure devices when it searches the LAN and WAN.
Note: UPnP is supported for IPv4 devices only.
Firewall Protection
187
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To configure UPnP:
1. Select Security > UPnP. The UPnP screen displays:
Figure 103.
The UPnP Portmap Table in the lower part of the screen shows the IP addresses and
other settings of UPnP devices that have accessed the wireless VPN firewall and that
have been automatically detected by the wireless VPN firewall:
•
Active. A Yes or No indicates if the UPnP device port that established a connection is
currently active.
•
Protocol. Indicates the network protocol such as HTTP or FTP that is used by the
device to connect to the VPN firewall.
•
Int. Port. Indicates if any internal ports are opened by the UPnP device.
•
Ext. Port. Indicates if any external ports are opened by the UPnP device.
•
IP Address. Lists the IP address of the UPnP device accessing the VPN firewall.
2. To enable the UPnP feature, select the Yes radio button. (The feature is disabled by default.)
To disable the feature, select No.
3. Fill in the following fields:
• Advertisement Period. Enter the period in seconds that specifies how often the
wireless VPN firewall should broadcast its UPnP information to all devices within its
range. The default setting is 30 seconds.
•
Advertisement Time to Live. Enter a number that specifies how many steps (hops)
each UPnP packet is allowed to propagate before being discarded. Small values will
limit the UPnP broadcast range. The default setting is 4 hops.
4. Click Apply to save your settings.
To refresh the contents of the UPnP Portmap Table, click Refresh.
Firewall Protection
188
6.
Virtual Private Networking
Using IPSec and L2TP Connections
6
This chapter describes how to use the IP security (IPSec) virtual private networking (VPN)
features of the wireless VPN firewall to provide secure, encrypted communications between your
local network and a remote network or computer. This chapter contains the following sections:
•
Use the IPSec VPN Wizard for Client and Gateway Configurations
•
Test the Connection and View Connection and Status Information
•
Manage IPSec VPN Policies
•
Configure Extended Authentication (XAUTH)
•
Assign IPv4 Addresses to Remote Users (Mode Config)
•
Configure Keep-Alives and Dead Peer Detection
•
Configure NetBIOS Bridging with IPSec VPN
•
Configure the L2TP Server
Use the IPSec VPN Wizard for Client and Gateway
Configurations
You can use the IPSec VPN Wizard to configure multiple gateway or client VPN tunnel
policies.
The following sections provide wizard and NETGEAR ProSafe VPN Client software
configuration procedures:
•
Create an IPv4 Gateway-to-Gateway VPN Tunnel with the Wizard on page 190
•
Create an IPv6 Gateway-to-Gateway VPN Tunnel with the Wizard on page 194
•
Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard on page 198
Note: Although the wireless VPN firewall supports IPv6, the NETGEAR
ProSafe VPN Client supports IPv4 only; an upcoming release of the
VPN Client will support IPv6.
189
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configuring a VPN tunnel connection requires that you specify all settings on both sides of
the VPN tunnel to match or mirror each other precisely, which can be a daunting task. The
VPN Wizard efficiently guides you through the setup procedure with a series of questions that
determine the IPSec keys and VPN policies it sets up. The VPN Wizard also configures the
settings for the network connection: security association (SA), traffic selectors, authentication
algorithm, and encryption. The settings that are used by the VPN Wizard are based on the
recommendations of the VPN Consortium (VPNC), an organization that promotes
multivendor VPN interoperability.
Create an IPv4 Gateway-to-Gateway VPN Tunnel with the
Wizard
Figure 104.

To set up an IPv4 gateway-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio
button is selected by default. The VPN Wizard screen displays the IPv4 settings. (The
following screen contains some examples that do not relate to other examples in this
manual.)
Virtual Private Networking Using IPSec and L2TP Connections
190
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 105.
To view the wizard default settings, click the VPN Wizard default values option arrow in
the upper right of the screen. A pop-up screen displays (see the following figure),
showing the wizard default values. The default values are the same for IPv4 and IPv6.
Virtual Private Networking Using IPSec and L2TP Connections
191
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 106.
2. Complete the settings as explained in the following table:
Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel
Setting
Description
About VPN Wizard
This VPN tunnel will connect
to the following peers
Select the Gateway radio button. The local WAN port’s IP address or
Internet name displays in the End Point Information section of the screen.
Connection Name and Remote IP Type
What is the new Connection
Name?
Enter a descriptive name for the connection. This name is used to help you
to manage the VPN settings; the name is not supplied to the remote VPN
endpoint.
What is the pre-shared key?
Enter a pre-shared key. The key needs to be entered both here and on the
remote VPN gateway. This key needs to have a minimum length of
8 characters and should not exceed 49 characters.
End Point Informationa
What is the Remote WAN’s IP Enter the IPv4 address or Internet name (FQDN) of the WAN interface on
Address or Internet Name?
the remote VPN tunnel endpoint.
What is the Local WAN’s IP
Address or Internet Name?
When you select the Gateway radio button in the About VPN Wizard
section of the screen, the IPv4 address of the wireless VPN firewall’s active
WAN interface is automatically entered.
Virtual Private Networking Using IPSec and L2TP Connections
192
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 41. IPSec VPN Wizard settings for an IPv4 gateway-to-gateway tunnel (continued)
Setting
Description
Secure Connection Remote Accessibility
What is the remote LAN IP
Address?
Enter the LAN IPv4 address of the remote gateway.
Note: The remote LAN IPv4 address needs to be in a different subnet from
the local LAN IP address. For example, if the local subnet is 192.168.1.x,
then the remote subnet could be 192.168.10.x but could not be
192.168.1.x. If this information is incorrect, the tunnel fails to connect.
What is the remote LAN
Subnet Mask?
Enter the LAN subnet mask for the remote gateway.
a. Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of
an IP address and an FQDN is not supported.
Tip: To ensure that tunnels stay active, after completing the wizard, manually
edit the VPN policy to enable keep-alives, which periodically sends ping
packets to the host on the peer side of the network to keep the tunnel
alive. For more information, see Configure Keep-Alives on page 254.
Tip: For DHCP WAN configurations, first set up the tunnel with IP addresses.
After you have validated the connection, you can use the wizard to
create new policies using the FQDN for the WAN addresses.
3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN
Policies table on the VPN Policies screen for IPv4. By default, the VPN policy is enabled.
Figure 107.
4. Configure a VPN policy on the remote gateway that allows connection to the wireless VPN
firewall.
5. Activate the IPSec VPN connection:
a. Select VPN > Connection Status. The Connection Status submenu tabs display with
the IPSec VPN Connection Status screen in view:
Virtual Private Networking Using IPSec and L2TP Connections
193
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 108.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN
connection becomes active.
Note: When using FQDNs, if the Dynamic DNS service is slow to update
its servers when your DHCP WAN address changes, the VPN tunnel
will fail because the FQDNs do not resolve to your new address. If
you have the option to configure the update interval, set it to an
appropriately short time.
Create an IPv6 Gateway-to-Gateway VPN Tunnel with the
Wizard
Figure 109.

To set up an IPv6 gateway-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard.
2. In the upper right of the screen, select the IPv6 radio button. The VPN Wizard screen
displays the IPv6 settings. (The following screen contains some examples that do not relate
to other examples in this manual.)
Virtual Private Networking Using IPSec and L2TP Connections
194
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 110.
To view the wizard default settings, click the VPN Wizard default values option arrow in
the upper right of the screen. A pop-up screen displays (see the following figure),
showing the wizard default values. The default values are the same for IPv4 and IPv6.
Virtual Private Networking Using IPSec and L2TP Connections
195
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 111.
3. Complete the settings as explained in the following table:
Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel
Setting
Description
About VPN Wizard
This VPN tunnel will connect
to the following peers
Select the Gateway radio button. The local WAN port’s IP address or
Internet name displays in the End Point Information section of the screen.
Connection Name and Remote IP Type
What is the new Connection
Name?
Enter a descriptive name for the connection. This name is used to help you
to manage the VPN settings; the name is not supplied to the remote VPN
endpoint.
What is the pre-shared key?
Enter a pre-shared key. The key needs to be entered both here and on the
remote VPN gateway. This key needs to have a minimum length of
8 characters and should not exceed 49 characters.
End Point Informationa
What is the Remote WAN’s IP Enter the IPv6 address or Internet name (FQDN) of the WAN interface on
Address or Internet Name?
the remote VPN tunnel endpoint.
What is the Local WAN’s IP
Address or Internet Name?
When you select the Gateway radio button in the About VPN Wizard
section of the screen, the IPv6 address of the wireless VPN firewall’s active
WAN interface is automatically entered.
Virtual Private Networking Using IPSec and L2TP Connections
196
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 42. IPSec VPN Wizard settings for an IPv6 gateway-to-gateway tunnel (continued)
Setting
Description
Secure Connection Remote Accessibility
What is the remote LAN IP
Address?
Enter the LAN IPv6 address of the remote gateway.
Note: The remote LAN IPv6 address needs to be different from the local
LAN IPv6 address. For example, if the local LAN IPv6 address is FEC0::1,
then the remote LAN IPv6 address could be FEC0:1::1 but could not be
FEC0::1. If this information is incorrect, the tunnel fails to connect.
IPv6 Prefix Length
Enter the prefix length for the remote gateway.
a. Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of
an IP address and an FQDN is not supported.
Tip: To ensure that tunnels stay active, after completing the wizard, manually
edit the VPN policy to enable keep-alives, which periodically sends ping
packets to the host on the peer side of the network to keep the tunnel
alive. For more information, see Configure Keep-Alives on page 254.
Tip: For DHCP WAN configurations, first set up the tunnel with IP addresses.
After you have validated the connection, you can use the wizard to
create new policies using the FQDN for the WAN addresses.
4. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN
Policies table on the VPN Policies screen for IPv6. By default, the VPN policy is enabled.
Figure 112.
5. Configure a VPN policy on the remote gateway that allows connection to the wireless VPN
firewall.
6. Activate the IPSec VPN connection:
a. Select VPN > Connection Status. The Connection Status submenu tabs display with
the IPSec VPN Connection Status screen in view:
Virtual Private Networking Using IPSec and L2TP Connections
197
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 113.
b. Locate the policy in the table, and click the Connect table button. The IPSec VPN
connection becomes active.
Note: When using FQDNs, if the Dynamic DNS service is slow to update
its servers when your DHCP WAN address changes, the VPN tunnel
will fail because the FQDNs do not resolve to your new address. If
you have the option to configure the update interval, set it to an
appropriately short time.
Create an IPv4 Client-to-Gateway VPN Tunnel with the Wizard
Figure 114.
To configure a VPN client tunnel, follow the steps in the following sections:
•
Use the VPN Wizard to Configure the Gateway for a Client Tunnel on page 199.
•
Use the NETGEAR VPN Client Wizard to Create a Secure Connection on page 201 or
Manually Create a Secure Connection Using the NETGEAR VPN Client on page 206.
Virtual Private Networking Using IPSec and L2TP Connections
198
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Use the VPN Wizard to Configure the Gateway for a Client Tunnel

To set up a client-to-gateway VPN tunnel using the VPN Wizard:
1. Select VPN > IPSec VPN > VPN Wizard. In the upper right of the screen, the IPv4 radio
button is selected by default. The VPN Wizard screen displays the IPv4 settings. (The
following figure contains an example.)
Figure 115.
To display the wizard default settings, click the VPN Wizard default values option arrow
in the upper right of the screen. A pop-up screen displays (see Figure 106 on page 192),
showing the wizard default values. After you have completed the wizard, you can modify
these settings for the tunnel policy that you have set up.
Virtual Private Networking Using IPSec and L2TP Connections
199
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Complete the settings as explained in the following table:
Table 43. IPSec VPN Wizard settings for a client-to-gateway tunnel
Setting
Description
About VPN Wizard
This VPN tunnel will connect Select the VPN Client radio button. The default remote FQDN (remote.com)
and the default local FQDN (local.com) display in the End Point Information
to the following peers
section of the screen.
Connection Name and Remote IP Type
What is the new Connection Enter a descriptive name for the connection. This name is used to help you to
manage the VPN settings; the name is not supplied to the VPN client.
Name?
What is the pre-shared key? Enter a pre-shared key. The key needs to be entered both here and on the
remote VPN gateway, or the remote VPN client. This key needs to have a
minimum length of 8 characters and cannot exceed 49 characters.
End Point Informationa
What is the Remote
Identifier Information?
When you select the Client radio button in the About VPN Wizard section of
the screen, the default remote FQDN (remote.com) is automatically entered.
Use the default remote FQDN, or enter another FQDN.
Note: The remote ID on the wireless VPN firewall is the local ID on the VPN
client. It might be less confusing to configure an FQDN such as client.com as
the remote ID on the wireless VPN firewall and then enter client.com as the
local ID on the VPN client.
What is the Local Identifier
Information?
When you select the Client radio button in the About VPN Wizard section of
the screen, the default local FQDN (local.com) is automatically entered. Use
the default local FQDN, or enter another FQDN.
Note: The local ID on the wireless VPN firewall is the remote ID on the VPN
client. It might be less confusing to configure an FQDN such as router.com
as the local ID on the wireless VPN firewall and then enter router.com as the
remote ID on the VPN client.
Secure Connection Remote Accessibility
What is the remote LAN IP
Address?
These fields are masked out for VPN client connections.
What is the remote LAN
Subnet Mask?
a. Both local and remote endpoints should be defined as either FQDNs or IP addresses. A combination of
an IP address and an FQDN is not supported.
3. Click Apply to save your settings. The IPSec VPN policy is now added to the List of VPN
Policies table on the VPN Policies screen for IPv4. By default, the VPN policy is enabled.
Virtual Private Networking Using IPSec and L2TP Connections
200
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 116.
Note: When you are using FQDNs, if the Dynamic DNS service is slow to
update its servers when your DHCP WAN address changes, the
VPN tunnel will fail because the FQDNs do not resolve to your new
address. If you have the option to configure the update interval, set it
to an appropriately short time.
4. Optional step: Collect the information that you need to configure the VPN client. You can
print the following table to help you keep track of this information.
Table 44. Information required to configure the VPN client
Component
Enter the information that you collected
Example
Pre-shared key
I7!KL39dFG_8
Remote identifier information
remote.com
Local identifier information
local.com
Router’s LAN network IPv4 address
192.168.1.0
Router’s WAN IPv4 address
192.168.15.175
Use the NETGEAR VPN Client Wizard to Create a Secure Connection
The VPN client lets you set up the VPN connection manually (see Manually Create a Secure
Connection Using the NETGEAR VPN Client on page 206) or with the integrated
Configuration Wizard, which is the easier and preferred method. The Configuration Wizard
configures the default settings and provides basic interoperability so that the VPN client can
easily communicate with the wireless VPN firewall (or third-party VPN devices). The
Configuration Wizard does not let you enter the local and remote IDs, so you need to
manually enter this information.
Virtual Private Networking Using IPSec and L2TP Connections
201
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: Perform these tasks from a computer that has the NETGEAR
ProSafe VPN Client installed. The VPN Client supports IPv4 only; an
upcoming release of the VPN Client will support IPv6.

To use the Configuration Wizard to set up a VPN connection between the VPN client
and the wireless VPN firewall:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration
Panel. The Configuration Panel screen displays:
Figure 117.
2. From the main menu on the Configuration Panel screen, select Configuration > Wizard.
The Choice of the remote equipment wizard screen (screen 1 of 3) displays:
Virtual Private Networking Using IPSec and L2TP Connections
202
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 118.
3. Select the A router or a VPN gateway radio button, and click Next. The VPN tunnel
parameters wizard screen (screen 2 of 3) displays:
Figure 119.
4. Specify the following VPN tunnel parameters:
• IP or DNS public (external) address of the remote equipment. Enter the remote IP
address or DNS name of the wireless VPN firewall. For example, enter
192.168.15.175.
•
Preshared key. Enter the pre-shared key that you already specified on the wireless
VPN firewall. For example, enter I7!KL39dFG_8.
•
IP private (internal) address of the remote network. Enter the remote private IP
address of the wireless VPN firewall. For example, enter 192.168.1.0. This IP address
enables communication with the entire 192.168.1.x subnet.
Virtual Private Networking Using IPSec and L2TP Connections
203
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
5. Click Next. The Configuration Summary wizard screen (screen 3 of 3) displays:
Figure 120.
6. This screen is a summary screen of the new VPN configuration. Click Finish.
7. Specify the local and remote IDs:
a. In the tree list pane of the Configuration Panel screen, click Gateway (the default
name given to the authentication phase). The Authentication pane displays in the
Configuration Panel screen, with the Authentication tab selected by default.
b. Click the Advanced tab in the Authentication pane. The Advanced pane displays:
Figure 121.
Virtual Private Networking Using IPSec and L2TP Connections
204
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
c. Specify the settings that are explained in the following table.
Table 45. VPN client advanced authentication settings
Setting
Description
Advanced features
Aggressive Mode
Select this check box to enable aggressive mode as the mode of negotiation
with the wireless VPN firewall.
NAT-T
Select Automatic from the drop-down list to enable the VPN client and
wireless VPN firewall to negotiate NAT-T.
Local and Remote ID
As the type of ID, select DNS from the Local ID drop-down list because you
specified FQDN in the wireless VPN firewall configuration.
As the value of the ID, enter remote.com as the local ID for the VPN client.
Local ID
Note: The remote ID on the wireless VPN firewall is the local ID on the VPN
client. It might be less confusing to configure an FQDN such as client.com as
the remote ID on the wireless VPN firewall and then enter client.com as the
local ID on the VPN client.
Remote ID
As the type of ID, select DNS from the Remote ID drop-down list because
you specified an FQDN in the wireless VPN firewall configuration.
As the value of the ID, enter local.com as the remote ID for the wireless
VPN firewall.
Note: The local ID on the wireless VPN firewall is the remote ID on the VPN
client. It might be less confusing to configure an FQDN such as router.com
as the local ID on the wireless VPN firewall and then enter router.com as the
remote ID on the VPN client.
8. Configure the global parameters:
a. Click Global Parameters in the left column of the Configuration Panel screen. The
Global Parameters pane displays in the Configuration Panel screen:
Virtual Private Networking Using IPSec and L2TP Connections
205
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 122.
b. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds.
Change this setting to 28800 seconds to match the configuration of the wireless
VPN firewall.
•
Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change
this setting to 3600 seconds to match the configuration of the wireless VPN
firewall.
9. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
The VPN client configuration is now complete.
Instead of using the wizard on the VPN client, you can also manually configure the VPN
client, which is explained in the following section.
Manually Create a Secure Connection Using the NETGEAR VPN Client
Note: Perform these tasks from a computer that has the NETGEAR
ProSafe VPN Client installed.
To manually configure a VPN connection between the VPN client and the wireless VPN
firewall, create authentication settings (phase 1 settings), create an associated IPSec
configuration (phase 2 settings), and then specify the global parameters.
Virtual Private Networking Using IPSec and L2TP Connections
206
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure the Authentication Settings (Phase 1 Settings)

To create new authentication settings:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration
Panel. The Configuration Panel screen displays:
Figure 123.
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and
select New Phase 1.
Figure 124.
3. Change the name of the authentication phase (the default is Gateway):
a. Right-click the authentication phase name.
b. Select Rename.
c. Type vpn_client.
d. Click anywhere in the tree list pane.
Virtual Private Networking Using IPSec and L2TP Connections
207
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: This is the name for the authentication phase that is used only for the
VPN client, not during IKE negotiation. You can view and change this name in
the tree list pane. This name needs to be a unique name.
The Authentication pane displays in the Configuration Panel screen, with the
Authentication tab selected by default.
Figure 125.
4. Specify the settings that are explained in the following table.
Table 46. VPN client authentication settings
Setting
Description
Interface
Select Any from the drop-down list.
Remote Gateway
Enter the remote IP address or DNS name of the wireless VPN firewall. For example,
enter 192.168.15.175.
Preshared Key
Select the Preshared Key radio button. Enter the pre-shared key that you already
specified on the wireless VPN firewall. For example, enter I7!KL39dFG_8. Confirm
the key in the Confirm field.
IKE
Encryption
Select the 3DES encryption algorithm from the drop-down list.
Authentication
Select the SHA1 authentication algorithm from the drop-down list.
Key Group
Select the DH2 (1024) key group from the drop-down list.
Note: On the wireless VPN firewall, this key group is referred to as
Diffie-Hellman Group 2 (1024 bit).
Virtual Private Networking Using IPSec and L2TP Connections
208
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
5. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays:
Figure 126.
7. Specify the settings that are explained in the following table.
Table 47. VPN client advanced authentication settings
Setting
Description
Advanced features
Aggressive Mode
Select this check box to enable aggressive mode as the mode of negotiation with
the wireless VPN firewall.
NAT-T
Select Automatic from the drop-down list to enable the VPN client and wireless
VPN firewall to negotiate NAT-T.
Local and Remote ID
Local ID
As the type of ID, select DNS from the Local ID drop-down list because you
specified FQDN in the wireless VPN firewall configuration.
As the value of the ID, enter remote.com as the local ID for the VPN client.
Note: The remote ID on the wireless VPN firewall is the local ID on the VPN
client. It might be less confusing to configure an FQDN such as client.com as the
remote ID on the wireless VPN firewall and then enter client.com as the local ID
on the VPN client.
Virtual Private Networking Using IPSec and L2TP Connections
209
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 47. VPN client advanced authentication settings (continued)
Setting
Description
Remote ID
As the type of ID, select DNS from the Remote ID drop-down list because you
specified an FQDN in the wireless VPN firewall configuration.
As the value of the ID, enter local.com as the remote ID for the wireless VPN
firewall.
Note: The local ID on the wireless VPN firewall is the remote ID on the VPN
client. It might be less confusing to configure an FQDN such as router.com as the
local ID on the wireless VPN firewall and then enter router.com as the remote ID
on the VPN client.
8. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
Create the IPSec Configuration (Phase 2 Settings)
Note: On the wireless VPN firewall, the IPSec configuration (phase 2
settings) is referred to as the IKE settings.

To create an IPSec configuration:
1. In the tree list pane of the Configuration Panel screen, right-click the vpn_client
authentication phase name, and then select New Phase 2.
2. Change the name of the IPSec configuration (the default is Tunnel):
a. Right-click the IPSec configuration name.
b. Select Rename.
c. Type netgear_platform.
d. Click anywhere in the tree list pane.
Note: This is the name for the IPSec configuration that is used only for the
VPN client, not during IPSec negotiation. You can view and change this name
in the tree list pane. This name needs to be a unique name.
The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected
by default:
Virtual Private Networking Using IPSec and L2TP Connections
210
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 127.
3. Specify the settings that are explained in the following table.
Table 48. VPN client IPSec configuration settings
Setting
Description
VPN Client address
Either enter 0.0.0.0 as the IP address, or enter a virtual IP address that is used by
the VPN client in the wireless VPN firewall’s LAN; the computer (for which the VPN
client opened a tunnel) appears in the LAN with this IP address.
Address Type
Select Subnet address from the drop-down list. This selection defines which
addresses the VPN client can communicate with after the VPN tunnel is
established.
Remote LAN address Enter 192.168.1.0 as the remote IP address (that is, LAN network address) of the
gateway that opens the VPN tunnel.
Subnet mask
Enter 255.255.255.0 as the remote subnet mask of the gateway that opens the VPN
tunnel.
ESP
Encryption
Select 3DES as the encryption algorithm from the drop-down list.
Authentication
Select SHA-1 as the authentication algorithm from the drop-down
list.
Mode
Select Tunnel as the encapsulation mode from the drop-down list.
PFS and Group
Select the PFS check box, and then select the DH2 (1024) key group from the
drop-down list.
Note: On the wireless VPN firewall, this key group is referred to as Diffie-Hellman
Group 2 (1024 bit).
Virtual Private Networking Using IPSec and L2TP Connections
211
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
Configure the Global Parameters

To specify the global parameters:
1. Click Global Parameters in the left column of the Configuration Panel screen. The
Global Parameters pane displays in the Configuration Panel screen:
Figure 128.
2. Specify the default lifetimes in seconds:
• Authentication (IKE), Default. The default lifetime value is 3600 seconds. Change
this setting to 28800 seconds to match the configuration of the wireless VPN firewall.
•
Encryption (IPSec), Default. The default lifetime value is 1200 seconds. Change this
setting to 3600 seconds to match the configuration of the wireless VPN firewall.
3. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
The wireless VPN firewall configuration is now complete.
Virtual Private Networking Using IPSec and L2TP Connections
212
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Test the Connection and View Connection and Status
Information
Both the NETGEAR ProSafe VPN Client and the wireless VPN firewall provide VPN
connection and status information. This information is useful for verifying the status of a
connection and troubleshooting problems with a connection.
Test the NETGEAR VPN Client Connection
There are many ways to establish a connection. The following procedures assume that you
use the default authentication phase name Gateway and the default IPSec configuration
name Tunnel. If you manually set up the connection and changed the names, use vpn_client
(or any other name that you have configured) as the authentication phase name and
netgear_platform (or any other name that you have configured) as the IPSec configuration
name.

To establish a connection, use one of the following three methods:
•
Use the Configuration Panel screen. In the tree list pane of the Configuration Panel
screen, perform one of the following tasks:
-
Click the Tunnel IPSec configuration name, and press Ctrl+O.
-
Right-click the Tunnel IPSec configuration name, and select Open tunnel.
Figure 129.
•
Use the Connection Panel screen. On the main menu of the Configuration Panel
screen, select Tools > Connection Panel to open the Connection Panel screen. Perform
one of the following tasks:
-
Double-click Gateway-Tunnel.
-
Right-click Gateway-Tunnel, and select Open tunnel.
-
Click Gateway-Tunnel, and press Ctrl+O.
Figure 130.
Virtual Private Networking Using IPSec and L2TP Connections
213
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
Use the system-tray icon. Right-click the system tray icon, and select Open tunnel
‘Tunnel’.
Figure 131.
Whichever way you choose to open the tunnel, when the tunnel opens successfully, the
Tunnel opened message displays above the system tray:
Figure 132.
Once launched, the VPN client displays an icon in the system tray that indicates whether or
not a tunnel is opened, using a color code:
Green icon:
at least one VPN tunnel opened
Purple icon:
no VPN tunnel opened
Figure 133.
Virtual Private Networking Using IPSec and L2TP Connections
214
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
NETGEAR VPN Client Status and Log Information

To view detailed negotiation and error information on the NETGEAR VPN client:
Right-click the VPN client icon in the system tray, and select Console. The VPN Client
Console Active screen displays:
Figure 134.
View the Wireless VPN Firewall IPSec VPN Connection Status
To view the status of current IPSec VPN tunnels, select VPN > Connection Status. The
Connection Status submenu tabs display with the IPSec VPN Connection Status screen in
view. (The following figure shows an IPSec SA as an example.)
Figure 135.
Virtual Private Networking Using IPSec and L2TP Connections
215
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The Active IPSec SA(s) table lists each active connection with the information that is
described in the following table. The default poll interval is 10 seconds. To change the poll
interval period, enter a new value in the Poll Interval field, and then click the Set Interval
button. To stop polling, click the Stop button.
Table 49. IPSec VPN Connection Status screen information
Item
Description
Policy Name
The name of the VPN policy that is associated with this SA.
Endpoint
The IP address on the remote VPN endpoint.
Tx (KB)
The amount of data that is transmitted over this SA.
Tx (Packets)
The number of IP packets that are transmitted over this SA.
State
The current status of the SA. Phase 1 is the authentication phase, and Phase 2 is key
exchange phase. If there is no connection, the status is IPSec SA Not Established.
Action
Click the Connect table button to build the connection, or click the Disconnect table
button to terminate the connection.
View the Wireless VPN Firewall IPSec VPN Log

To display the IPSec VPN log:
Select Monitoring > VPN Logs > IPSec VPN Logs. The IPSec VPN Logs screen displays:
Figure 136.
Virtual Private Networking Using IPSec and L2TP Connections
216
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Manage IPSec VPN Policies
After you have used the VPN Wizard to set up a VPN tunnel, a VPN policy and an IKE policy
are stored in separate policy tables. The name that you selected as the VPN tunnel
connection name during the VPN Wizard setup identifies both the VPN policy and IKE policy.
You can edit existing policies, or manually add new VPN and IKE policies directly in the policy
tables.
Manage IKE Policies
The Internet Key Exchange (IKE) protocol performs negotiations between the two VPN
gateways and provides automatic management of the keys that are used for IPSec
connections. It is important to remember that:
•
An automatically generated VPN policy (auto policy) needs to use the IKE negotiation
protocol.
•
A manually generated VPN policy (manual policy) cannot use the IKE negotiation
protocol.
IKE policies are activated when the following situations occur:
1. The VPN policy selector determines that some traffic matches an existing VPN policy:
• If the VPN policy is of an auto policy type, the IKE policy that is specified in the Auto
Policy Parameters section of the Add VPN Policy screen (see Figure 140 on
page 228) is used to start negotiations with the remote VPN gateway.
•
If the VPN policy is of a manual policy type, the settings that are specified in the
Manual Policy Parameters section of the Add VPN Policy screen (see Figure 140 on
page 228) are accessed, and the first matching IKE policy is used to start
negotiations with the remote VPN gateway:
-
If negotiations fail, the next matching IKE policy is used.
-
If none of the matching IKE policies are acceptable to the remote VPN gateway,
then a VPN tunnel cannot be established.
2. An IKE session is established, using the security association (SA) settings that are specified
in a matching IKE policy:
• Keys and other settings are exchanged.
•
An IPSec SA is established, using the settings that are specified in the VPN policy.
The VPN tunnel is then available for data transfer.
When you use the VPN Wizard to set up a VPN tunnel, an IKE policy is established and
populated in the List of IKE Policies, and is given the same name as the new VPN connection
name. You can also edit exiting policies or add new IKE policies from the IKE Policies screen.
Virtual Private Networking Using IPSec and L2TP Connections
217
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IKE Policies Screen

To access the IKE Policies screen:
Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies
screen in view. In the upper right of the screen, the IPv4 radio button is selected by default.
The IKE Policies screen displays the IPv4 settings. (The following figure shows some
examples.) To display the IPv6 settings on the IKE Policies screen, select the IPv6 radio
button.
Figure 137.
Each policy contains the data that are explained in the following table. These fields are
explained in more detail in Table 51 on page 221.
Table 50. IKE Policies screen information for IPv4 and IPv6
Item
Description
Name
The name that identifies the IKE policy. When you use the VPN Wizard to set up a VPN
policy, an accompanying IKE policy is automatically created with the same name that you
select for the VPN policy.
Note: The name is not supplied to the remote VPN endpoint.
Mode
The exchange mode: Main or Aggressive.
Local ID
The IKE/ISAKMP identifier of the wireless VPN firewall. The remote endpoint needs to
have this value as its remote ID.
Remote ID
The IKE/ISAKMP identifier of the remote endpoint, which needs to have this value as its
local ID.
Encr
The encryption algorithm that is used for the IKE security association (SA). This setting
needs to match the setting on the remote endpoint.
Auth
The authentication algorithm that is used for the IKE SA. This setting needs to match the
setting on the remote endpoint.
DH
The Diffie-Hellman (DH) group that is used when keys are exchanged. This setting needs
to match the setting on the remote endpoint.
Virtual Private Networking Using IPSec and L2TP Connections
218
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To delete one or more IKE polices:
1. Select the check box to the left of each policy that you want to delete, or click the Select
All table button to select all IKE policies.
2. Click the Delete table button.
For information about how to add or edit an IKE policy, see Manually Add or Edit an IKE
Policy on page 219.
Note: You cannot delete or edit an IKE policy for which the VPN policy is
active without first disabling or deleting the VPN policy.
Manually Add or Edit an IKE Policy

To manually add an IKE policy for IPv4 or IPv6:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies
screen for IPv4 in view (see Figure 137 on page 218).
2. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen
displays the IPv4 settings (see the next screen).
3. Specify the IP version for which you want to add an IKE policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 4.
•
IPv6. Select the IPv6 radio button. The Add IKE Policy screen for IPv6 displays. This
screen is identical to the Add IKE Policy screen for IPv4 (see the next screen).
Virtual Private Networking Using IPSec and L2TP Connections
219
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 138.
Virtual Private Networking Using IPSec and L2TP Connections
220
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Complete the settings as explained in the following table:
Table 51. Add IKE Policy screen settings
Setting
Description
Mode Config Record
Do you want to use
Mode Config Record?
Specify whether or not the IKE policy uses a Mode Config record. For information
about how to define a Mode Config record, see Mode Config Operation on
page 238. Select one of the following radio buttons:
• Yes. IP addresses are assigned to remote VPN clients. You need to select a
Mode Config record from the drop-down list.
Because Mode Config functions only in Aggressive mode, selecting the Yes
radio button sets the tunnel exchange mode to Aggressive mode and disables
the Main mode. Mode Config also requires that both the local and remote
endpoints are defined by their FQDNs.
• No. Disables Mode Config for this IKE policy.
Note: You can use an IPv6 IKE policy to assign IPv4 addresses to clients through
a Mode Config record, but you cannot assign IPv6 addresses to clients.
Select Mode
Config Record
From the drop-down list, select one of the Mode Config
records that you defined on the Add Mode Config Record
screen (see Configure Mode Config Operation on the
Wireless VPN Firewall on page 238).
Note: Click the View Selected button to open the Selected
Mode Config Record Details pop-up screen.
General
Policy Name
A descriptive name of the IKE policy for identification and management purposes.
Note: The name is not supplied to the remote VPN endpoint.
Direction / Type
From the drop-down list, select the connection method for the wireless VPN
firewall:
• Initiator. The wireless VPN firewall initiates the connection to the remote
endpoint.
• Responder. The wireless VPN firewall responds only to an IKE request from the
remote endpoint.
• Both. The wireless VPN firewall can both initiate a connection to the remote
endpoint and respond to an IKE request from the remote endpoint.
Exchange Mode
From the drop-down list, select the mode of exchange between the wireless VPN
firewall and the remote VPN endpoint:
• Main. This mode is slower than the Aggressive mode but more secure.
• Aggressive. This mode is faster than the Main mode but less secure.
Note: If you specify either an FQDN or a user FQDN name as the local ID or
remote ID (see the Identifier sections later in this table), the Aggressive mode is
automatically selected.
Virtual Private Networking Using IPSec and L2TP Connections
221
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 51. Add IKE Policy screen settings (continued)
Setting
Description
Local
Identifier
From the drop-down list, select one of the following ISAKMP identifiers to be used
by the wireless VPN firewall, and then specify the identifier in the Identifier field:
• Local Wan IP. The WAN IP address of the wireless VPN firewall. When you
select this option, the Identifier field automatically shows the IP address of the
selected WAN interface.
• FQDN. The Internet address for the wireless VPN firewall.
• User FQDN. The email address for a local VPN client or the wireless VPN
firewall.
• DER ASN1 DN. A distinguished name (DN) that identifies the wireless VPN
firewall in the DER encoding and ASN.1 format.
Identifier
Depending on the selection of the Identifier drop-down list,
enter the IP address, email address, FQDN, or distinguished
name.
Remote
From the drop-down list, select one of the following ISAKMP identifiers to be used
by the remote endpoint, and then specify the identifier in the Identifier field:
• Remote Wan IP. The WAN IP address of the remote endpoint. When you select
this option, the Identifier field automatically shows the IP address of the selected
WAN interface.
• FQDN. The FQDN for a remote gateway.
• User FQDN. The email address for a remote VPN client or gateway.
• DER ASN1 DN. A distinguished name (DN) that identifies the remote endpoint
in the DER encoding and ASN.1 format.
Identifier
Identifier
Depending on the selection of the Identifier drop-down list,
enter the IP address, email address, FQDN, or distinguished
name.
IKE SA Parameters
Encryption Algorithm
From the drop-down list, select one of the following five algorithms to negotiate the
security association (SA):
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
Authentication
Algorithm
From the drop-down list, select one of the following two algorithms to use in the
VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default
setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Virtual Private Networking Using IPSec and L2TP Connections
222
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 51. Add IKE Policy screen settings (continued)
Setting
Description
Authentication Method
Select one of the following radio buttons to specify the authentication method:
• Pre-shared key. A secret that is shared between the wireless VPN firewall and
the remote endpoint.
• RSA-Signature. Uses the active self-signed certificate that you uploaded on the
Certificates screen (see Manage VPN Self-Signed Certificates on page 309).
The pre-shared key is masked out when you select RSA-Signature.
Pre-shared key
Diffie-Hellman (DH)
Group
A key with a minimum length of 8 characters and no more
than 49 characters. Do not use a double quote (''), single
quote('), or space in the key.
The DH Group sets the strength of the algorithm in bits. The higher the group, the
more secure the exchange. From the drop-down list, select one of the following
three strengths:
• Group 1 (768 bit).
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit).
Note: Ensure that the DH Group is configured identically on both sides.
SA-Lifetime (sec)
The period in seconds for which the IKE SA is valid. When the period times out,
the next rekeying occurs. The default is 28800 seconds (8 hours).
Enable Dead Peer
Detection
Select a radio button to specify whether or not Dead Peer Detection (DPD) is
enabled:
• Yes. This feature is enabled. When the wireless VPN firewall detects an IKE
connection failure, it deletes the IPSec and IKE SA and forces a reestablishment
of the connection. You need to specify the detection period in the Detection
Note: See also
Configure Keep-Alives Period field and the maximum number of times that the wireless VPN firewall
attempts to reconnect in the Reconnect after failure count field.
and Dead Peer
Detection on
• No. This feature is disabled. This is the default setting.
page 253.
Detection Period
The period in seconds between consecutive
DPD R-U-THERE messages, which are sent only when the
IPSec traffic is idle.
Reconnect after
failure count
The maximum number of DPD failures before the wireless
VPN firewall tears down the connection and then attempts to
reconnect to the peer. The default is 3 failures.
Virtual Private Networking Using IPSec and L2TP Connections
223
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 51. Add IKE Policy screen settings (continued)
Setting
Description
Extended Authentication
XAUTH Configuration
Select one of the following radio buttons to specify whether or not Extended
Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify
user account information:
Note: For more
• None. XAUTH is disabled. This the default setting.
information about
• Edge Device. The wireless VPN firewall functions as a VPN concentrator on
XAUTH and its
which one or more gateway tunnels terminate. The authentication modes that
authentication modes, are available for this configuration are User Database, RADIUS PAP, or RADIUS
see Configure XAUTH CHAP.
for VPN Clients on
• IPSec Host. The wireless VPN firewall functions as a VPN client of the remote
page 234.
gateway. In this configuration the wireless VPN firewall is authenticated by a
remote gateway with a user name and password combination.
Authentication
Type
For an Edge Device configuration, from the drop-down list,
select one of the following authentication types:
• User Database. XAUTH occurs through the wireless VPN
firewall’s user database. You can add users on the Add
User screen (see User Database Configuration on
page 235).
• Radius PAP. XAUTH occurs through RADIUS Password
Authentication Protocol (PAP). The local user database is
first checked. If the user account is not present in the local
user database, the wireless VPN firewall connects to a
RADIUS server. For more information, see RADIUS Client
and Server Configuration on page 235.
• Radius CHAP. XAUTH occurs through RADIUS Challenge
Handshake Authentication Protocol (CHAP). For more
information, see RADIUS Client and Server Configuration
on page 235.
Username
The user name for XAUTH.
Password
The password for XAUTH.
5. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.

To edit an IKE policy:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies
screen for IPv4 in view (see Figure 137 on page 218).
2. Specify the IP version for which you want to edit an IKE policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
•
IPv6. Select the IPv6 radio button. The IKE Policies screen for IPv6 displays.
3. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that
you want to edit. The Edit IKE Policy screen displays. This screen shows the same fields as
the Add IKE Policy screen (see Figure 138 on page 220).
4. Modify the settings that you wish to change (see the previous table).
Virtual Private Networking Using IPSec and L2TP Connections
224
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
5. Click Apply to save your changes. The modified IKE policy is displayed in the List of IKE
Policies table.
Manage VPN Policies
You can create two types of VPN policies. When you use the VPN Wizard to create a VPN
policy, only the Auto method is available.
•
Manual. You manually enter all settings (including the keys) for the VPN tunnel on the
wireless VPN firewall and on the remote VPN endpoint. No third-party server or
organization is involved.
•
Auto. Some settings for the VPN tunnel are generated automatically through the use of
the IKE (Internet Key Exchange) Protocol to perform negotiations between the two VPN
endpoints (the local ID endpoint and the remote ID endpoint). You still need to manually
enter all settings on the remote VPN endpoint (unless the remote VPN endpoint also has
a VPN Wizard).
In addition, a certification authority (CA) can also be used to perform authentication (see
Manage Digital Certificates for VPN Connections on page 306). For gateways to use a CA to
perform authentication, each VPN gateway needs to have a certificate from the CA. For each
certificate, there is both a public key and a private key. The public key is freely distributed,
and is used by any sender to encrypt data intended for the receiver (the key owner). The
receiver then uses its private key to decrypt the data (without the private key, decryption is
impossible). The use of certificates for authentication reduces the amount of data entry that is
required on each VPN endpoint.
VPN Policies Screen
The VPN Policies screen allows you to add additional policies—either Auto or Manual—and
to manage the VPN policies already created. You can edit policies, enable or disable policies,
or delete them entirely. These are the rules for VPN policy use:
•
Traffic covered by a policy is automatically sent through a VPN tunnel.
•
When traffic is covered by two or more policies, the first matching policy is used. (In this
situation, the order of the policies is important. However, if you have only one policy for
each remote VPN endpoint, then the policy order is not important.)
•
The VPN tunnel is created according to the settings in the security association (SA).
•
The remote VPN endpoint needs to have a matching SA; otherwise, it refuses the
connection.
To access the VPN Policies screen, select VPN > IPSec VPN > VPN Policies. In the upper
right of the screen, the IPv4 radio button is selected by default. The VPN Policies screen
displays the IPv4 settings. (The following figure shows some examples.) To display the IPv6
settings on the IKE Policies screen, select the IPv6 radio button.
Virtual Private Networking Using IPSec and L2TP Connections
225
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 139.
Each policy contains the data that are explained in the following table. These fields are
explained in more detail in Table 53 on page 230.
Table 52. VPN Policies screen information for IPv4 and IPv6

Item
Description
! (Status)
Indicates whether the policy is enabled (green circle) or disabled (gray circle). To enable
or disable a policy, select the check box adjacent to the circle, and click the Enable or
Disable table button, as appropriate.
Name
The name that identifies the VPN policy. When you use the VPN Wizard to create a VPN
policy, the name of the VPN policy (and of the automatically created accompanying IKE
policy) is the connection name.
Type
Auto or Manual as described previously (Auto is used during VPN Wizard configuration).
Local
IP address (either a single address, range of address, or subnet address) on your LAN.
Traffic needs to be from (or to) these addresses to be covered by this policy. (The subnet
address is supplied as the default IP address when you are using the VPN Wizard.)
Remote
IP address or address range of the remote network. Traffic needs to be to (or from) these
addresses to be covered by this policy. (The VPN Wizard default requires the remote
LAN IP address and subnet mask.)
Auth
The authentication algorithm that is used for the VPN tunnel. This setting needs to match
the setting on the remote endpoint.
Encr
The encryption algorithm that is used for the VPN tunnel. This setting needs to match the
setting on the remote endpoint.
To delete one or more VPN polices:
1. Select the check box to the left of each policy that you want to delete, or click the Select
All table button to select all VPN policies.
2. Click the Delete table button.
Virtual Private Networking Using IPSec and L2TP Connections
226
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To enable or disable one or more VPN policies:
1. Select the check box to the left of each policy that you want to enable or disable, or click
the Select All table button to select all VPN Policies.
2. Click the Enable or Disable table button.
For information about how to add or edit a VPN policy, see Manually Add or Edit a VPN
Policy on this page.
Manually Add or Edit a VPN Policy

To manually add a VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPV4
settings (see Figure 139 on page 226).
2. Under the List of VPN Policies table, click the Add table button. The Add New VPN Policy
screen displays the IPv4 settings (see the next screen, Figure 140 on page 228).
3. Specify the IP version for which you want to add a VPN policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 4.
•
IPv6. Select the IPv6 radio button. The Add New VPN Policy screen for IPv6 displays
(see Figure 141 on page 229).
Virtual Private Networking Using IPSec and L2TP Connections
227
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 140. Add New VPN Policy screen for IPv4
Virtual Private Networking Using IPSec and L2TP Connections
228
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 141. Add New VPN Policy screen for IPv6
Virtual Private Networking Using IPSec and L2TP Connections
229
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Complete the settings as explained in the following table. The only differences between IPv4
and IPv6 settings are the subnet mask (IPv4) and prefix length (IPv6).
Table 53. Add New VPN Policy screen settings for IPv4 and IPv6
Setting
Description
General
Policy Name
A descriptive name of the VPN policy for identification and management
purposes.
Note: The name is not supplied to the remote VPN endpoint.
Policy Type
From the drop-down list, select one of the following policy types:
• Auto Policy. Some settings (the ones in the Manual Policy Parameters
section of the screen) for the VPN tunnel are generated automatically.
• Manual Policy. All settings need to be specified manually, including the ones
in the Manual Policy Parameters section of the screen.
Remote Endpoint
Select a radio button to specify how the remote endpoint is defined:
• IP Address. Enter the IP address of the remote endpoint in the fields to the
right of the radio button.
• FQDN. Enter the FQDN of the remote endpoint in the field to the right of the
radio button.
Enable NetBIOS?
Select this check box to enable NetBIOS broadcasts to travel over the VPN
tunnel. For more information about NetBIOS, see Configure NetBIOS Bridging
with IPSec VPN on page 256. This feature is disabled by default.
Enable Auto Initiate
Select this check box to enable the VPN tunnel to autoestablish itself without the
presence of any traffic.
Note: The direction and type of the IKE policy that is associated with this VPN
policy need to be either Initiator or Both but cannot be Responder. For more
information, see Manually Add or Edit an IKE Policy on page 219.
Enable Keepalive
Note: See also
Configure Keep-Alives
and Dead Peer
Detection on page 253.
Select a radio button to specify if keep-alive is enabled:
• Yes. This feature is enabled: Periodically, the wireless VPN firewall sends
keep-alive requests (ping packets) to the remote endpoint to keep the tunnel
alive. You need to specify the ping IP address in the Ping IP Address field, the
detection period in the Detection Period field, and the maximum number of
keep-alive requests that the wireless VPN firewall sends in the Reconnect
after failure count field.
• No. This feature is disabled. This is the default setting.
Ping IP Address
The IP address that the wireless VPN firewall pings. The
address needs to be of a host that can respond to ICMP
ping requests.
Detection Period
The period in seconds between the keep-alive requests. The
default setting is 10 seconds.
Reconnect after
failure count
The maximum number of keep-alive requests before the
wireless VPN firewall tears down the connection and then
attempts to reconnect to the remote endpoint. The default
setting is 3 keep-alive requests.
Virtual Private Networking Using IPSec and L2TP Connections
230
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
Setting
Description
Traffic Selection
Local IP
From the drop-down list, select the address or addresses that are part of the
VPN tunnel on the wireless VPN firewall:
• Any. All computers and devices on the network. Note that you cannot select
Any for both the wireless VPN firewall and the remote endpoint.
• Single. A single IP address on the network. Enter the IP address in the Start
IP Address field.
• Range. A range of IP addresses on the network. Enter the starting IP address
in the Start IP Address field and the ending IP address in the End IP Address
field.
• Subnet. A subnet on the network. Enter the starting IP address in the Start IP
Address field. In addition:
- Subnet Mask. For IPv4 addresses on the IPv4 screen only, enter the
subnet mask.
- IPv6 Prefix Length. For IPv6 addresses on the IPv6 screen only, enter the
prefix length.
Remote IP
From the drop-down list, select the address or addresses that are part of the
VPN tunnel on the remote endpoint. The selections are the same as for the
Local IP drop-down list.
Manual Policy Parameters
Note: These fields apply only when you select Manual Policy as the policy type. When you specify the
settings for the fields in this section, a security association (SA) is created.
SPI-Incoming
The Security Parameters Index (SPI) for the inbound policy. Enter a
hexadecimal value between 3 and 8 characters (for example, 0x1234).
Encryption Algorithm
From the drop-down list, select one of the following five algorithms to negotiate
the security association (SA):
• 3DES. Triple DES. This is the default algorithm.
• None. No encryption algorithm.
• DES. Data Encryption Standard (DES).
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
Key-In
The encryption key for the inbound policy. The length of the key depends on the
selected encryption algorithm:
• 3DES. Enter 24 characters.
• None. Key is not applicable.
• DES. Enter 8 characters.
• AES-128. Enter 16 characters.
• AES-192. Enter 24 characters.
• AES-256. Enter 32 characters.
Virtual Private Networking Using IPSec and L2TP Connections
231
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
Setting
Description
Key-Out
The encryption key for the outbound policy. The length of the key depends on
the selected encryption algorithm:
• 3DES. Enter 24 characters.
• None. Key is not applicable.
• DES. Enter 8 characters.
• AES-128. Enter 16 characters.
• AES-192. Enter 24 characters.
• AES-256. Enter 32 characters.
SPI-Outgoing
The Security Parameters Index (SPI) for the outbound policy. Enter a
hexadecimal value between 3 and 8 characters (for example, 0x1234).
Integrity Algorithm
From the drop-down list, select one of the following two algorithms to be used in
the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default
setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Key-In
The integrity key for the inbound policy. The length of the key depends on the
selected integrity algorithm:
• MD5. Enter 16 characters.
• SHA-1. Enter 20 characters.
Key-Out
The integrity key for the outbound policy. The length of the key depends on the
selected integrity algorithm:
• MD5. Enter 16 characters.
• SHA-1. Enter 20 characters.
Auto Policy Parameters
Note: These fields apply only when you select Auto Policy as the policy type.
SA Lifetime
The lifetime of the security association (SA) is the period or the amount of
transmitted data after which the SA becomes invalid and needs to be
renegotiated. From the drop-down list, select how the SA lifetime is specified:
• Seconds. In the SA Lifetime field, enter a period in seconds. The minimum
value is 300 seconds. The default setting is 3600 seconds.
• KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum
value is 1920000 KB.
Encryption Algorithm
From the drop-down list, select one of the following five algorithms to negotiate
the security association (SA):
• 3DES. Triple DES. This is the default algorithm.
• None. No encryption algorithm.
• DES. Data Encryption Standard (DES).
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
Virtual Private Networking Using IPSec and L2TP Connections
232
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 53. Add New VPN Policy screen settings for IPv4 and IPv6 (continued)
Setting
Description
Integrity Algorithm
From the drop-down list, select one of the following two algorithms to be used in
the VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default
setting.
• MD5. Hash algorithm that produces a 128-bit digest.
PFS Key Group
Select this check box to enable Perfect Forward Secrecy (PFS), and then select
a Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the
strength of the algorithm in bits. The higher the group, the more secure the
exchange. From the drop-down list, select one of the following three strengths:
• Group 1 (768 bit).
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit).
Select IKE Policy
Select an existing IKE policy that defines the characteristics of the Phase-1
negotiation. To display the selected IKE policy, click the View Selected button.
5. Click Apply to save your settings. The VPN policy is added to the List of VPN Policies table.

To edit a VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4
settings (see Figure 139 on page 226).
2. Specify the IP version for which you want to edit a VPN policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
•
IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that
you want to edit. The Edit VPN Policy screen displays. This screen shows the same fields
as the Add New VPN Policy screen (for IPv4, see Figure 140 on page 228; for IPv6 see
Figure 141 on page 229).
4. Modify the settings that you wish to change (see the previous table).
5. Click Apply to save your changes. The modified VPN policy is displayed in the List of VPN
Policies table.
Configure Extended Authentication (XAUTH)
When many VPN clients connect to a wireless VPN firewall, you might want to use a unique
user authentication method beyond relying on a single common pre-shared key for all clients.
Although you could configure a unique VPN policy for each user, it is more efficient to
authenticate users from a stored list of user accounts. XAUTH provides the mechanism for
requesting individual authentication information from the user. A local user database or an
external authentication server, such as a RADIUS server, provides a method for storing the
authentication information centrally in the local network.
Virtual Private Networking Using IPSec and L2TP Connections
233
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
You can enable XAUTH when you manually add or edit an IKE policy. Two types of XAUTH
are available:
•
Edge Device. The wireless VPN firewall is used as a VPN concentrator on which one or
more gateway tunnels terminate. You need to specify the authentication type that should
be used during verification of the credentials of the remote VPN gateways: the user
database, RADIUS-PAP, or RADIUS-CHAP.
•
IPSec Host. Authentication by the remote gateway through a user name and password
that are associated with the IKE policy. The user name and password that are used to
authenticate the wireless VPN firewall need to be specified on the remote gateway.
Note: If a RADIUS-PAP server is enabled for authentication, XAUTH first
checks the local user database for the user credentials. If the user
account is not present, the wireless VPN firewall then connects to a
RADIUS server.
Configure XAUTH for VPN Clients
Once the XAUTH has been enabled, you need to establish user accounts in the user
database to be authenticated against XAUTH, or you need to enable a RADIUS-CHAP or
RADIUS-PAP server.
Note: You cannot modify an existing IKE policy to add XAUTH while the
IKE policy is in use by a VPN policy. The VPN policy needs to be
disabled before you can modify the IKE policy.

To enable and configure XAUTH:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies
for IPv4 screen in view (see Figure 137 on page 218).
2. Specify the IP version for which you want to edit an IKE policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
•
IPv6. Select the IPv6 radio button. The IKE Policies screen for IPv6 displays.
3. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy for
which you want to enable and configure XAUTH. The Edit IKE Policy screen displays. This
screen shows the same fields as the Add IKE Policy screen (see Figure 138 on page 220).
4. In the Extended Authentication section on the screen, complete the settings as explained in
the following table:
Virtual Private Networking Using IPSec and L2TP Connections
234
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 54. Extended authentication settings for IPv4 and IPv6
Setting
Description
Select one of the following radio buttons to specify whether or not Extended Authentication (XAUTH) is
enabled, and, if enabled, which device is used to verify user account information:
• None. XAUTH is disabled. This the default setting.
• Edge Device. The wireless VPN firewall functions as a VPN concentrator on which one or more gateway
tunnels terminate. The authentication modes that are available for this configuration are User Database,
RADIUS PAP, and RADIUS CHAP.
• IPSec Host. The wireless VPN firewall functions as a VPN client of the remote gateway. In this
configuration the wireless VPN firewall is authenticated by a remote gateway with a user name and
password combination.
Authentication For an Edge Device configuration, from the drop-down list, select one of the following
authentication types:
Type
• User Database. XAUTH occurs through the wireless VPN firewall’s user database. You
can add users on the Add User screen (see User Database Configuration on page 235).
• Radius PAP. XAUTH occurs through RADIUS Password Authentication Protocol (PAP).
The local user database is first checked. If the user account is not present in the local
user database, the wireless VPN firewall connects to a RADIUS server. For more
information, see RADIUS Client and Server Configuration on page 235.
• Radius CHAP. XAUTH occurs through RADIUS Challenge Handshake Authentication
Protocol (CHAP). For more information, see RADIUS Client and Server Configuration on
page 235.
Username
The user name for XAUTH.
Password
The password for XAUTH.
5. Click Apply to save your settings.
User Database Configuration
When XAUTH is enabled in an Edge Device configuration, users need to be authenticated
either by a local user database account or by an external RADIUS server. Whether or not you
use a RADIUS server, you might want some users to be authenticated locally. These users
need to be added to the List of Users table on the Users screen, as described in Configure
User Accounts on page 296.
RADIUS Client and Server Configuration
Remote Authentication Dial In User Service (RADIUS, RFC 2865) is a protocol for managing
authentication, authorization, and accounting (AAA) of multiple users in a network. A
RADIUS server stores a database of user information and can validate a user at the request
of a gateway or server in the network when a user requests access to network resources.
During the establishment of a VPN connection, the VPN gateway can interrupt the process
with an XAUTH request. At that point, the remote user needs to provide authentication
information such as a user name and password or some encrypted response using his or her
user name and password information. The gateway then attempts to verify this information
Virtual Private Networking Using IPSec and L2TP Connections
235
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
first against a local user database (if RADIUS-PAP is enabled) and then by relaying the
information to a central authentication server such as a RADIUS server.
Note: Even though you can configure RADIUS servers with IPv4
addresses only, the servers can be used for authentication,
authorization, and accounting of both IPv4 and IPv6 users.

To configure primary and backup RADIUS servers:
1. Select VPN > IPSec VPN > RADIUS Client. The RADIUS Client screen displays:
Figure 142.
2. Complete the settings as explained in the following table:
Table 55. RADIUS Client screen settings
Setting
Description
Primary RADIUS Server
To enable and configure the primary RADIUS server, select the Yes radio button, and then enter the
settings for the three fields to the right. The default setting is that the No radio button is selected.
Primary Server IP Address
The IPv4 address of the primary RADIUS server.
Secret Phrase
A shared secret phrase to authenticate the transactions between the client
and the primary RADIUS server. The same secret phrase needs to be
configured on both the client and the server.
Virtual Private Networking Using IPSec and L2TP Connections
236
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 55. RADIUS Client screen settings (continued)
Setting
Description
Primary Server NAS
Identifier
The primary Network Access Server (NAS) identifier that needs to be present
in a RADIUS request.
Note: The wireless VPN firewall functions as an NAS, allowing network
access to external users after verification of their authentication information.
In a RADIUS transaction, the NAS needs to provide some NAS identifier
information to the RADIUS server. Depending on the configuration of the
RADIUS server, the wireless VPN firewall’s IP address might be sufficient as
an identifier, or the server might require a name, which you need to enter in
this field.
Backup RADIUS Server
To enable and configure the backup RADIUS server, select the Yes radio button, and then enter the
settings for the three fields to the right. The default setting is that the No radio button is selected.
Backup Server IP Address
The IPv4 address of the backup RADIUS server.
Secret Phrase
A shared secret phrase to authenticate the transactions between the client
and the backup RADIUS server. The same secret phrase needs to be
configured on both the client and the server.
Backup Server NAS
Identifier
The backup Network Access Server (NAS) identifier that needs to be present
in a RADIUS request.
Note: See the note earlier in this table for the Primary Server NAS Identifier.
Connection Configuration
Time out period
The period in seconds that the wireless VPN firewall waits for a response from
a RADIUS server. The default setting is 30 seconds.
Maximum Retry Counts
The maximum number of times that the wireless VPN firewall attempts to
connect to a RADIUS server. The default setting is 4 retry counts.
3. Click Apply to save your settings.
Note: You can select the RADIUS authentication protocol (PAP or CHAP)
on the Edit IKE Policy screen or Add IKE Policy screen (see
Configure XAUTH for VPN Clients on page 234).
Assign IPv4 Addresses to Remote Users (Mode Config)
To simplify the process of connecting remote VPN clients to the wireless VPN firewall, use
the Mode Config feature to automatically assign IPv4 addresses to remote users, including a
network access IP address, subnet mask, WINS server, and DNS address. Remote users
are given IP addresses available in a secured network space so that remote users appear as
seamless extensions of the network.
Virtual Private Networking Using IPSec and L2TP Connections
237
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
You can use the Mode Config feature in combination with an IPv6 IKE policy to assign IPv4
addresses to clients, but you cannot assign IPv6 addresses to clients.
Mode Config Operation
After the IKE Phase 1 negotiation is complete, the VPN connection initiator (which is the
remote user with a VPN client) requests the IP configuration settings such as the IP address,
subnet mask, WINS server, and DNS address from the wireless VPN firewall. The Mode
Config feature allocates an IP address from the configured IP address pool and activates a
temporary IPSec policy, using the information that is specified in the Traffic Tunnel Security
Level section of the Mode Config record (on the Add Mode Config Record screen that is
shown in Figure 144 on page 239).
Note: After configuring a Mode Config record, you need to manually
configure an IKE policy and select the newly created Mode Config
record from the Select Mode Config Record drop-down list (see
Configure Mode Config Operation on the Wireless VPN Firewall on
page 238). You do not need to make changes to any VPN policy.
Note: An IP address that is allocated to a VPN client is released only after
the VPN client has gracefully disconnected or after the SA liftetime
for the connection has timed out.
Configure Mode Config Operation on the Wireless VPN
Firewall
To configure Mode Config on the wireless VPN firewall, first create a Mode Config record,
and then select the Mode Config record for an IKE policy.

To configure Mode Config on the wireless VPN firewall:
1. Select VPN > IPSec VPN > Mode Config. The Mode Config screen displays:
Figure 143.
Virtual Private Networking Using IPSec and L2TP Connections
238
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
As an example, the screen shows two Mode Config records with the names EMEA Sales
and NA Sales:
•
For EMEA Sales, a first pool (172.16.100.1 through 172.16.100.99) and second pool
(172.16.200.1 through 172.16.200.99) are shown.
•
For NA Sales, a first pool (172.25.100.50 through 172.25.100.99), a second pool
(172.25.210.1 through 172.25.210.99), and a third pool (172.25.220.80 through
172.25.220.99) are shown.
2. Under the List of Mode Config Records table, click the Add table button. The Add Mode
Config Record screen displays:
Figure 144.
Virtual Private Networking Using IPSec and L2TP Connections
239
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Complete the settings as explained in the following table:
Table 56. Add Mode Config Record screen settings
Setting
Description
Client Pool
Record Name
A descriptive name of the Mode Config record for identification and management
purposes.
First Pool
Assign at least one range of IP pool addresses in the First Pool fields to enable the
wireless VPN firewall to allocate these to remote VPN clients. The Second Pool and
Third Pool fields are optional. To specify any client pool, enter the starting IP
address for the pool in the Starting IP field, and enter the ending IP address for the
pool in the Ending IP field.
Second Pool
Third Pool
Note: No IP pool should be within the range of the local network IP addresses. Use
a different range of private IP addresses such as 172.16.xxx.xx.
WINS Server
If there is a WINS server on the local network, enter its IP address in the Primary
field. You can enter the IP address of a second WINS server in the Secondary field.
DNS Server
Enter the IP address of the DNS server that is used by remote VPN clients in the
Primary field. You can enter the IP address of a second DNS server in the
Secondary field.
Traffic Tunnel Security Level
Note: Generally, the default settings work well for a Mode Config configuration.
PFS Key Group
Select this check box to enable Perfect Forward Secrecy (PFS), and then select a
Diffie-Hellman (DH) group from the drop-down list. The DH Group sets the strength
of the algorithm in bits. The higher the group, the more secure the exchange. From
the drop-down list, select one of the following three strengths:
• Group 1 (768 bit)
• Group 2 (1024 bit). This is the default setting.
• Group 5 (1536 bit)
SA Lifetime
The lifetime of the security association (SA) is the period or the amount of
transmitted data after which the SA becomes invalid and needs to be renegotiated.
From the drop-down list, select how the SA lifetime is specified:
• Seconds. In the SA Lifetime field, enter a period in seconds. The minimum value
is 300 seconds. The default setting is 3600 seconds.
• KBytes. In the SA Lifetime field, enter a number of kilobytes. The minimum value
is 1920000 KB.
Encryption Algorithm
From the drop-down list, select one of the following five algorithms to negotiate the
security association (SA):
• None. No encryption.
• DES. Data Encryption Standard (DES).
• 3DES. Triple DES. This is the default algorithm.
• AES-128. Advanced Encryption Standard (AES) with a 128-bit key size.
• AES-192. AES with a 192-bit key size.
• AES-256. AES with a 256-bit key size.
Virtual Private Networking Using IPSec and L2TP Connections
240
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 56. Add Mode Config Record screen settings (continued)
Setting
Description
Integrity Algorithm
From the drop-down list, select one of the following two algorithms to be used in the
VPN header for the authentication process:
• SHA-1. Hash algorithm that produces a 160-bit digest. This is the default setting.
• MD5. Hash algorithm that produces a 128-bit digest.
Local IP Address
The local IP address to which remote VPN clients have access. If you do not
specify a local IP address, the wireless VPN firewall’s default LAN IP address is
used (by default, 192.168.1.1).
Local Subnet Mask
The local subnet mask. Typically, this is 255.255.255.0.
Note: If you do not specify a local IP address, you do not need to specify a subnet
either.
4. Click Apply to save your settings. The new Mode Config record is added to the List of Mode
Config Records table.
Continue the Mode Config configuration procedure by configuring an IKE policy.
5. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies
screen in view (see Figure 137 on page 218).
6. Under the List of IKE Policies table, click the Add table button. The Add IKE Policy screen
displays the IPv4 settings (see the next screen).
7. Specify the IP version for which you want to add an IKE policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 8.
•
IPv6. Select the IPv6 radio button. The Add IKE Policy screen for IPv6 displays. This
screen is identical to the Add IKE Policy screen for IPv4 (see the next screen).
Note: You can configure an IPv6 IKE policy to assign IPv4 addresses to
clients, but you cannot assign IPv6 addresses to clients.
Virtual Private Networking Using IPSec and L2TP Connections
241
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 145.
8. On the Add IKE Policy screen, complete the settings as explained in the following table.
Virtual Private Networking Using IPSec and L2TP Connections
242
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: The IKE policy settings that are explained in the following table are
specifically for a Mode Config configuration. Table 51 on page 221
explains the general IKE policy settings.
Table 57. Add IKE Policy screen settings for a Mode Config configuration
Setting
Description
Mode Config Record
Do you want to use
Mode Config Record?
Select the Yes radio button.
Note: Because Mode Config functions only in Aggressive mode, selecting the Yes
radio button sets the tunnel exchange mode to Aggressive mode. Mode Config
also requires that both the local and remote endpoints are defined by their FQDNs.
Select Mode
Config Record
From the drop-down list, select the Mode Config record that
you created in Step 4 on page 241. This example uses NA
Sales.
General
Policy Name
A descriptive name of the IKE policy for identification and management purposes.
This example uses ModeConfigNA_Sales.
Note: The name is not supplied to the remote VPN endpoint.
Direction / Type
Responder is automatically selected when you select the Mode Config record in
the Mode Config Record section of the screen. This ensures that the wireless VPN
firewall responds to an IKE request from the remote endpoint but does not initiate
one.
Exchange Mode
Aggressive mode is automatically selected when you select the Mode Config
record in the Mode Config Record section of the screen.
Local
Identifier Type
From the drop-down list, select FQDN.
Note: Mode Config requires that the wireless VPN firewall (that is, the local
endpoint) is defined by an FQDN.
Identifier
Enter an FQDN for the wireless VPN firewall. This example
uses router.com.
Remote
Identifier Type
From the drop-down list, select FQDN.
Note: Mode Config requires that the remote endpoint is defined by an FQDN.
Identifier
Enter the FQDN for the remote endpoint. This needs to be an
FQDN that is not used in any other IKE policy. This example
uses client.com.
Virtual Private Networking Using IPSec and L2TP Connections
243
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 57. Add IKE Policy screen settings for a Mode Config configuration (continued)
Setting
Description
IKE SA Parameters
Note: Generally, the default settings work well for a Mode Config configuration.
Encryption Algorithm
To negotiate the security association (SA), from the drop-down list, select the
3DES algorithm.
Authentication
Algorithm
From the drop-down list, select the SHA-1 algorithm to be used in the VPN header
for the authentication process.
Authentication Method Select Pre-shared key as the authentication method, and enter a key in the
Pre-shared key field.
Pre-shared key
A key with a minimum length of 8 characters and no more than
49 characters. Do not use a double quote (''), single quote('),
or space in the key. This example uses H8!spsf3#JYK2!.
Diffie-Hellman (DH)
Group
The DH Group sets the strength of the algorithm in bits. From the drop-down list,
select Group 2 (1024 bit).
SA-Lifetime (sec)
The period in seconds for which the IKE SA is valid. When the period times out, the
next rekeying occurs. The default setting is 28800 seconds (8 hours). However, for
a Mode Config configuration, NETGEAR recommends 3600 seconds (1 hour).
Enable Dead Peer
Detection
Select a radio button to specify whether or not Dead Peer Detection (DPD) is
enabled:
• Yes. This feature is enabled. When the wireless VPN firewall detects an IKE
connection failure, it deletes the IPSec and IKE SA and forces a reestablishment
of the connection. You need to specify the detection period in the Detection
Period field and the maximum number of times that the wireless VPN firewall
attempts to reconnect in the Reconnect after failure count field.
• No. This feature is disabled. This is the default setting.
Note: See also
Configure
Keep-Alives and
Dead Peer Detection
on page 253.
Detection Period
The period in seconds between consecutive
DPD R-U-THERE messages, which are sent only when the
IPSec traffic is idle. The default setting is 10 seconds. This
example uses 30 seconds.
Reconnect after
failure count
The maximum number of DPD failures before the wireless
VPN firewall tears down the connection and then attempts to
reconnect to the peer. The default setting is 3 failures.
Virtual Private Networking Using IPSec and L2TP Connections
244
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 57. Add IKE Policy screen settings for a Mode Config configuration (continued)
Setting
Description
Extended Authentication
Select one of the following radio buttons to specify whether or not Extended
Authentication (XAUTH) is enabled, and, if enabled, which device is used to verify
user account information:
Note: For more
• None. XAUTH is disabled. This the default setting.
information about
• Edge Device. The wireless VPN firewall functions as a VPN concentrator on
XAUTH and its
which one or more gateway tunnels terminate. The authentication modes that
authentication
are available for this configuration are User Database, RADIUS PAP, and
modes, see Configure RADIUS CHAP.
XAUTH for VPN
• IPSec Host. The wireless VPN firewall functions as a VPN client of the remote
Clients on page 234.
gateway. In this configuration the wireless VPN firewall is authenticated by a
remote gateway with a user name and password combination.
XAUTH Configuration
Authentication
Type
For an Edge Device configuration, from the drop-down list,
select one of the following authentication types:
• User Database. XAUTH occurs through the wireless VPN
firewall’s user database. You can add users on the Add User
screen (see User Database Configuration on page 235).
• Radius PAP. XAUTH occurs through RADIUS Password
Authentication Protocol (PAP). The local user database is
first checked. If the user account is not present in the local
user database, the wireless VPN firewall connects to a
RADIUS server. For more information, see RADIUS Client
and Server Configuration on page 235.
• Radius CHAP. XAUTH occurs through RADIUS Challenge
Handshake Authentication Protocol (CHAP). For more
information, see RADIUS Client and Server Configuration on
page 235.
Username
The user name for XAUTH.
Password
The password for XAUTH.
9. Click Apply to save your settings. The IKE policy is added to the List of IKE Policies table.
Configure the ProSafe VPN Client for Mode Config Operation
When the Mode Config feature is enabled, the following information is negotiated between
the VPN client and the wireless VPN firewall during the authentication phase:
•
Virtual IP address of the VPN client
•
DNS server address (optional)
•
WINS server address (optional)
The virtual IP address that is issued by the wireless VPN firewall is displayed in the VPN
Client Address field on the VPN client’s IPSec pane.
Virtual Private Networking Using IPSec and L2TP Connections
245
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: Perform these tasks from a computer that has the NETGEAR
ProSafe VPN Client installed.
To configure the VPN client for Mode Config operation, create authentication settings
(phase 1 settings), create an associated IPSec configuration (phase 2 settings), and then
specify the global parameters.
Configure the Mode Config Authentication Settings (Phase 1 Settings)

To create new authentication settings:
1. Right-click the VPN client icon in your Windows system tray, and select Configuration
Panel. The Configuration Panel screen displays:
Figure 146.
2. In the tree list pane of the Configuration Panel screen, right-click VPN Configuration, and
select New Phase 1.
Figure 147.
Virtual Private Networking Using IPSec and L2TP Connections
246
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Change the name of the authentication phase (the default is Gateway):
a. Right-click the authentication phase name.
b. Select Rename.
c. Type GW_ModeConfig.
d. Click anywhere in the tree list pane.
Note: This is the name for the authentication phase that is used only for the
VPN client, not during IKE negotiation. You can view and change this name in
the tree list pane. This name needs to be a unique name.
The Authentication pane displays in the Configuration Panel screen, with the
Authentication tab selected by default:
Figure 148.
4. Specify the settings that are explained in the following table.
Table 58. VPN client authentication settings (Mode Config)
Setting
Description
Interface
Select Any from the drop-down list.
Remote Gateway
Enter the remote IP address or DNS name of the wireless VPN firewall. For example,
enter 192.168.15.175.
Preshared Key
Select the Preshared Key radio button. Enter the pre-shared key that you already
specified on the wireless VPN firewall. For example, enter H8!spsf3#JYK2!. Confirm
the key in the Confirm field.
Virtual Private Networking Using IPSec and L2TP Connections
247
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 58. VPN client authentication settings (Mode Config) (continued)
Setting
Description
IKE
Encryption
Select the 3DES encryption algorithm from the drop-down list.
Authentication
Select the SHA1 authentication algorithm from the drop-down list.
Key Group
Select the DH2 (1024) key group from the drop-down list.
Note: On the wireless VPN firewall, this key group is referred to as
Diffie-Hellman Group 2 (1024 bit).
5. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
6. Click the Advanced tab in the Authentication pane. The Advanced pane displays:
Figure 149.
7. Specify the settings that are explained in the following table.
Table 59. VPN client advanced authentication settings (Mode Config)
Setting
Description
Advanced features
Mode Config
Select this check box to enable Mode Config.
Aggressive Mode
Select this check box to enable aggressive mode as the mode of negotiation with
the wireless VPN firewall.
Virtual Private Networking Using IPSec and L2TP Connections
248
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 59. VPN client advanced authentication settings (Mode Config) (continued)
Setting
Description
NAT-T
Select Automatic from the drop-down list to enable the VPN client and wireless
VPN firewall to negotiate NAT-T.
Local and Remote ID
As the type of ID, select DNS from the Local ID drop-down list because you
specified FQDN in the wireless VPN firewall configuration.
As the value of the ID, enter client.com as the local ID for the VPN client.
Local ID
Note: The remote ID on the wireless VPN firewall is the local ID on the VPN
client.
As the type of ID, select DNS from the Remote ID drop-down list because you
specified an FQDN in the wireless VPN firewall configuration.
As the value of the ID, enter router.com as the remote ID for the wireless VPN
firewall.
Remote ID
Note: The local ID on the wireless VPN firewall is the remote ID on the VPN
client.
8. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
Create the Mode Config IPSec Configuration (Phase 2 Settings)
Note: On the wireless VPN firewall, the IPSec configuration (phase 2
settings) is referred to as the IKE settings.

To create an IPSec configuration:
1. In the tree list pane of the Configuration Panel screen, right-click the GW_ModeConfig
authentication phase name, and then select New Phase 2.
2. Change the name of the IPSec configuration (the default is Tunnel):
a. Right-click the IPSec configuration name.
b. Select Rename.
c. Type Tunnel_ModeConfig.
d. Click anywhere in the tree list pane.
Note: This is the name for the IPSec configuration that is used only for the
VPN client, not during IPSec negotiation. You can view and change this name
in the tree list pane. This name needs to be a unique name.
The IPSec pane displays in the Configuration Panel screen, with the IPSec tab selected
by default:
Virtual Private Networking Using IPSec and L2TP Connections
249
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 150.
3. Specify the settings that are explained in the following table.
Table 60. VPN client IPSec configuration settings (Mode Config)
Setting
Description
VPN Client
address
This field is masked out because Mode Config is selected. After an IPSec connection is
established, the IP address that is issued by the wireless VPN firewall displays in this field
(see Figure 155 on page 254).
Address Type
Select Subnet address from the drop-down list.
Remote host
address
The address that you need to enter depends on whether or not you have specified a LAN
IP network address in the Local IP Address field on the Add Mode Config Record screen
of the wireless VPN firewall:
• If you left the Local IP Address field blank, enter the wireless VPN firewall’s default LAN
IP address as the remote host address that opens the VPN tunnel. For example, enter
192.168.1.1.
• If you specified a LAN IP network address in the Local IP Address field, enter the
address that you specified as the remote host address that opens the VPN tunnel.
Subnet mask
Enter 255.255.255.0 as the remote subnet mask of the wireless VPN firewall that opens
the VPN tunnel. This is the LAN IP subnet mask that you specified in the Local Subnet
Mask field on the Add Mode Config Record screen of the wireless VPN firewall. If you left
the Local Subnet Mask field blank, enter the wireless VPN firewall’s default IP subnet
mask.
Virtual Private Networking Using IPSec and L2TP Connections
250
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 60. VPN client IPSec configuration settings (Mode Config) (continued)
Setting
Description
ESP
Encryption
Select 3DES as the encryption algorithm from the drop-down list.
Authentication
Select SHA-1 as the authentication algorithm from the drop-down list.
Mode
Select Tunnel as the encapsulation mode from the drop-down list.
PFS and Group
Select the PFS check box, and then select the DH2 (1024) key group from the drop-down
list.
Note: On the wireless VPN firewall, this key group is referred to as Diffie-Hellman
Group 2 (1024 bit).
4. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
Configure the Mode Config Global Parameters

To specify the global parameters:
1. Click Global Parameters in the left column of the Configuration Panel screen. The
Global Parameters pane displays in the Configuration Panel screen:
Figure 151.
2. Specify the following default lifetimes in seconds to match the configuration on the wireless
VPN firewall:
• Authentication (IKE), Default. Enter 3600 seconds.
•
Encryption (IPSec), Default. Enter 3600 seconds.
Virtual Private Networking Using IPSec and L2TP Connections
251
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Select the Dead Peer Detection (DPD) check box, and configure the following DPD settings
to match the configuration on the wireless VPN firewall:
• Check Interval. Enter 30 seconds.
•
Max. number of entries. Enter 3 retries.
•
Delay between entries. Leave the default delay setting of 15 seconds.
4. Click Apply to use the new settings immediately, and click Save to keep the settings for
future use.
The Mode Config configuration of the VPN client is now complete.
Test the Mode Config Connection

To test the Mode Config connection from the VPN client to the wireless VPN firewall:
1. Right-click the system tray icon, and select Open tunnel ‘Tunnel_ModeConfig’.
Figure 152.
When the tunnel opens successfully, the Tunnel opened message displays above the
system tray, and the VPN client displays a green icon in the system tray.
Figure 153.
2. Verify that the wireless VPN firewall issued an IP address to the VPN client. This IP
address displays in the VPN Client address field on the IPSec pane of the VPN client.
(The following figure shows the upper part of the IPSec pane only.)
Virtual Private Networking Using IPSec and L2TP Connections
252
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 154.
3. From the client computer, ping a computer on the wireless VPN firewall LAN.
Modify or Delete a Mode Config Record
Note: Before you modify or delete a Mode Config record, make sure it is
not used in an IKE policy.

To edit a Mode Config record:
1. On the Mode Config screen (see Figure 143 on page 238), click the Edit button in the
Action column for the record that you want to modify. The Edit Mode Config Record
screen displays. This screen is identical to the Add Mode Config Record screen (see
Figure 144 on page 239).
2. Modify the settings as explained in Table 56 on page 240.
3. Click Apply to save your settings.

To delete one or more Mode Config records:
1. On the Mode Config screen (see Figure 143 on page 238), select the check box to the
left of each record that you want to delete, or click the Select All table button to select
all records.
2. Click the Delete table button.
Configure Keep-Alives and Dead Peer Detection
In some cases, you might not want a VPN tunnel to be disconnected when traffic is idle, for
example, when client-server applications over the tunnel cannot tolerate the tunnel
establishment time. If you require a VPN tunnel to remain connected, you can use the
keep-alive and Dead Peer Detection (DPD) features to prevent the tunnel from being
disconnected and to force a reconnection if the tunnel disconnects for any reason.
For DPD to function, the peer VPN device on the other end of the tunnel also needs to
support DPD. Keep-alive, though less reliable than DPD, does not require any support from
the peer device.
Virtual Private Networking Using IPSec and L2TP Connections
253
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure Keep-Alives
The keep-alive feature maintains the IPSec SA by sending periodic ping requests to a host
across the tunnel and monitoring the replies.

To configure the keep-alive feature on a configured VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays the IPv4
settings (see Figure 139 on page 226).
2. Specify the IP version for which you want to edit a VPN policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
•
IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that
you want to edit. The Edit VPN Policy screen displays. (The following figure shows only the
top part with the General section of the Edit VPN Policy screen for IPv6.)
Figure 155.
Virtual Private Networking Using IPSec and L2TP Connections
254
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Enter the settings as explained in the following table:
Table 61. Keep-alive settings
Setting
Description
General
Enable Keepalive
Select the Yes radio button to enable the keep-alive feature. Periodically, the
wireless VPN firewall sends keep-alive requests (ping packets) to the remote
endpoint to keep the tunnel alive. You need to specify the ping IP address in the
Ping IP Address field, the detection period in the Detection Period field, and the
maximum number of keep-alive requests that the wireless VPN firewall sends in
the Reconnect after failure count field.
Ping IP Address
The IP address that the wireless VPN firewall pings. The
address should be of a host that can respond to ICMP ping
requests.
Detection Period The period in seconds between the keep-alive requests. The
default setting is 10 seconds.
Reconnect after
failure count
The maximum number of keep-alive requests before the
wireless VPN firewall tears down the connection and then
attempts to reconnect to the remote endpoint. The default
setting is 3 keep-alive requests.
5. Click Apply to save your settings.
Configure Dead Peer Detection
The Dead Peer Detection (DPD) feature lets the wireless VPN firewall maintain the IKE SA
by exchanging periodic messages with the remote VPN peer.

To configure DPD on a configured IKE policy:
1. Select VPN > IPSec VPN. The IPSec VPN submenu tabs display with the IKE Policies
screen for IPv4 in view (see Figure 137 on page 218).
2. Specify the IP version for which you want to edit an IKE policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
•
IPv6. Select the IPv6 radio button. The IKE Policies screen for IPv6 displays.
3. In the List of IKE Policies table, click the Edit table button to the right of the IKE policy that
you want to edit. The Edit IKE Policy screen displays. (The following figure shows only the
IKE SA Parameters section of the screen).
Virtual Private Networking Using IPSec and L2TP Connections
255
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 156.
4. In the IKE SA Parameters section of the screen, locate the DPD fields, and complete the
settings as explained the following table:
Table 62. Dead Peer Detection settings
Setting
Description
IKE SA Parameters
Enable Dead Peer
Detection
Select the Yes radio button to enable DPD. When the wireless VPN firewall
detects an IKE connection failure, it deletes the IPSec and IKE SA and forces a
reestablishment of the connection. You need to specify the detection period in
the Detection Period field and the maximum number of times that the wireless
VPN firewall attempts to reconnect in the Reconnect after failure count field.
Detection Period
The period in seconds between consecutive
DPD R-U-THERE messages, which are sent only when the
IPSec traffic is idle. The default setting is 10 seconds.
Reconnect after
failure count
The maximum number of DPD failures before the wireless
VPN firewall tears down the connection and then attempts
to reconnect to the peer. The default setting is 3 failures.
5. Click Apply to save your settings.
Configure NetBIOS Bridging with IPSec VPN
Windows networks use the Network Basic Input/Output System (NetBIOS) for several basic
network services such as naming and neighborhood device discovery. Because VPN routers
do not usually pass NetBIOS traffic, these network services do not function for hosts on
opposite ends of a VPN connection. To solve this problem, you can configure the wireless
VPN firewall to bridge NetBIOS traffic over the VPN tunnel.
Virtual Private Networking Using IPSec and L2TP Connections
256
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To enable NetBIOS bridging on a configured VPN tunnel:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policies screen displays (see
Figure 139 on page 226).
2. Specify the IP version for which you want to edit a VPN policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
•
IPv6. Select the IPv6 radio button. The VPN Policies screen for IPv6 displays.
3. In the List of VPN Policies table, click the Edit table button to the right of the VPN policy that
you want to edit. The Edit VPN Policy screen displays. (The following figure shows only the
top part with the General section of the Edit VPN Policy screen for IPv6.)
Figure 157.
4. Select the Enable NetBIOS? check box.
5. Click Apply to save your settings.
Configure the L2TP Server
As an alternate solution to IPSec VPN tunnels, you can configure a Layer 2 Tunneling
Protocol (L2TP) server on the wireless VPN firewall to allow users to access L2TP clients
over L2TP tunnels. A maximum of 25 simultaneous L2TP user sessions are supported. (The
very first IP address of the L2TP address pool is used for distribution to the wireless VPN
firewall.)
An L2TP Access Concentrator (LAC) typically initiates a tunnel to fullfil a connection request
from an L2TP user; the L2TP server accommodates the tunnel request. After an L2TP tunnel
Virtual Private Networking Using IPSec and L2TP Connections
257
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
is established, the L2TP user can connect to an L2TP client that is located behind the
wireless VPN firewall.
Note: IPSec VPN provides stronger authentication and encryption than
L2TP. (Packets that traverse the L2TP tunnel are not encapsulated
by IPSec.)
You need to enable the L2TP server on the wireless VPN firewall, specify an L2TP server
address pool, and create L2TP user accounts. For information about how to create L2TP
user accounts, see Configure User Accounts on page 296.

To enable the L2TP server and configure the L2TP server pool:
1. Select VPN > L2TP Server. The L2TP Server screen displays. (The following figure
contains an example.)
Figure 158.
2. To enable the L2TP server, select the Enable check box.
3. Enter the settings as explained in the following table:
Table 63. L2TP Sever screen settings
Setting
Description
Starting IP Address
The first IP address of the pool. This address is used for distribution to the wireless
VPN firewall.
Ending IP Address
The last IP address of the pool. A maximum of 26 contiguous addresses is
supported. (The first address of the pool cannot be assigned to a user.)
Idle Timeout
The period after which an idle user is automatically logged out of the L2TP server.
The default idle time-out period is 10 minutes.
4. Click Apply to save your settings.
Virtual Private Networking Using IPSec and L2TP Connections
258
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
View the Active L2TP Users
To view the active L2TP tunnel users, select VPN > Connection Status > L2TP Active
Users. The L2TP Active Users screen displays:
Figure 159.
The List of L2TP Active Users table lists each active connection with the information that is
described in the following table.
Table 64. L2TP Active Users screen information
Item
Description
Username
The name of the L2TP user that you have defined (see Configure User Accounts on
page 296).
Remote IP
The client’s IP address on the remote LAC.
L2TP IP
The IP address that is assigned by the L2TP server on the wireless VPN firewall.
Action
Click the Disconnect table button to terminate the L2TP connection.
Virtual Private Networking Using IPSec and L2TP Connections
259
7.
Virtual Private Networking
Using SSL Connections
7
The wireless VPN firewall provides a hardware-based SSL VPN solution designed specifically to
provide remote access for mobile users to their corporate resources, bypassing the need for a
preinstalled VPN client on their computers. Using the familiar Secure Sockets Layer (SSL)
protocol, commonly used for e-commerce transactions, the wireless VPN firewall can
authenticate itself to an SSL-enabled client, such as a standard web browser. Once the
authentication and negotiation of encryption information are completed, the server and client can
establish an encrypted connection. With support for up to 5 dedicated SSL VPN tunnels, the
wireless VPN firewall allows users to easily access the remote network for a customizable,
secure, user portal experience from virtually any available platform.
This chapter contains the following sections:
•
SSL VPN Portal Options
•
Overview of the SSL Configuration Process
•
Configure Domains, Groups, and Users
•
Configure Applications for Port Forwarding
•
Configure the SSL VPN Client
•
Use Network Resource Objects to Simplify Policies
•
Configure User, Group, and Global Policies
•
Access the New SSL Portal Login Screen
SSL VPN Portal Options
The wireless VPN firewall’s SSL VPN portal can provide two levels of SSL service to the
remote user:
•
SSL VPN tunnel. The wireless VPN firewall can provide the full network connectivity of a
VPN tunnel using the remote user’s browser instead of a traditional IPSec VPN client.
The SSL capability of the user’s browser provides authentication and encryption,
establishing a secure connection to the wireless VPN firewall. Upon successful
connection, an ActiveX-based SSL VPN client is downloaded to the remote computer to
allow the remote user to virtually join the corporate network.
The SSL VPN client provides a point-to-point (PPP) connection between the client and
the wireless VPN firewall, and a virtual network interface is created on the user’s
260
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
computer. The wireless VPN firewall assigns the computer an IP address and DNS server
IP addresses, allowing the remote computer to access network resources in the same
manner as if it were connected directly to the corporate network, subject to any policy
restrictions that you configure.
•
SSL port forwarding. Like an SSL VPN tunnel, port forwarding is a web-based client
that is installed transparently and then creates a virtual, encrypted tunnel to the remote
network. However, port forwarding differs from an SSL VPN tunnel in several ways:
-
Port forwarding supports only TCP connections, not UDP connections or connections
using other IP protocols.
-
Port forwarding detects and reroutes individual data streams on the user’s computer
to the port-forwarding connection rather than opening up a full tunnel to the corporate
network.
-
Port forwarding offers more fine-grained management than an SSL VPN tunnel. You
define individual applications and resources that are available to remote users.
The SSL VPN portal can present the remote user with one or both of these SSL service
levels, depending on how you set up the configuration.
Overview of the SSL Configuration Process
To configure and activate SSL connections, perform the following six basic steps in the order
that they are presented:
1. Create a new SSL portal (see Create the Portal Layout on page 262).
When remote users log in to the wireless VPN firewall, they see a portal page that you
can customize to present the resources and functions that you choose to make available.
2. Create authentication domains, user groups, and user accounts (see Configure Domains,
Groups, and Users on page 266).)
a. Create one or more authentication domains for authentication of SSL VPN users.
When remote users log in to the wireless VPN firewall, they need to specify a domain
to which their login account belongs. The domain determines the authentication
method that is used and the portal layout that is presented, which in turn determines
the network resources to which the users are granted access. Because you need to
assign a portal layout when creating a domain, the domain is created after you have
created the portal layout.
b. Create one or more groups for your SSL VPN users.
When you define the SSL VPN policies that determine network resource access for
your SSL VPN users, you can define global policies, group policies, or individual
policies. Because you need to assign an authentication domain when creating a
group, the group is created after you have created the domain.
c. Create one or more SSL VPN user accounts.
Because you need to assign a group when creating a SSL VPN user account, the
user account is created after you have created the group.
Virtual Private Networking Using SSL Connections
261
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. For port forwarding, define the servers and services (see Configure Applications for Port
Forwarding on page 267).
Create a list of servers and services that can be made available through user, group, or
global policies. You can also associate fully qualified domain names (FQDNs) with these
servers. The wireless VPN firewall resolves the names to the servers using the list you
have created.
4. For SSL VPN tunnel service, configure the virtual network adapter (see Configure the SSL
VPN Client on page 269).
For the SSL VPN tunnel option, the wireless VPN firewall creates a virtual network
adapter on the remote computer that then functions as if it were on the local network.
Configure the portal’s SSL VPN client to define a pool of local IP addresses to be issued
to remote clients, as well as DNS addresses. Declare static routes or grant full access to
the local network, subject to additional policies.
5. To simplify policies, define network resource objects (see Use Network Resource Objects to
Simplify Policies on page 273).
Network resource objects are groups of IP addresses, IP address ranges, and services.
By defining resource objects, you can more quickly create and configure network policies.
6. Configure the SSL VPN policies (see Configure User, Group, and Global Policies on
page 276).
Policies determine access to network resources and addresses for individual users,
groups, or everyone.
Create the Portal Layout
The Portal Layouts screen that you can access from the SSL VPN configuration menu allows
you to create a custom screen that remote users see when they log in to the portal. Because
the log-in screen is completely customizable, it provides an ideal way to communicate remote
access instructions, support information, technical contact information, or VPN-related news
updates to remote users. The log-in screen is also well suited as a starting screen for
restricted users; if mobile users or business partners are permitted to access only a few
resources, the log-in screen that you create presents only the resources that are relevant to
these users.
You apply portal layouts by selecting one from the available portal layouts in the configuration
of a domain. When you have completed your portal layout, you can apply the portal layout to
one or more authentication domains (see Configure Domains on page 289). You can also
make the new portal the default portal for the SSL VPN gateway by selecting the default radio
button adjacent to the portal layout name.
The wireless VPN firewall’s default portal address is https://<IP_address>/portal/SSL-VPN, in
which the IP address can be either an IPv4 or an IPv6 address. Both types of addresses are
supported simultaneously. The default domain geardomain is assigned to the default
SSL-VPN portal.
Virtual Private Networking Using SSL Connections
262
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
You can define individual layouts for the SSL VPN portal. The layout configuration includes
the menu layout, theme, portal pages to display, and web cache control options. The default
portal layout is the SSL-VPN portal. You can add additional portal layouts. You can also make
any portal the default portal for the wireless VPN firewall by clicking the Default button in the
Action column of the List of Layouts table, to the right of the desired portal layout.

To create a new SSL VPN portal layout:
1. Select VPN > SSL VPN > Portal Layouts. The Portal Layouts screen displays the IPv4
settings. (The following figure shows an additional layout in the List of Layouts table as an
example.)
2. Specify the IP version for which you want to add a portal layout:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
Figure 160. Portal Layouts screen for IPv4
•
IPv6. Select the IPv6 radio button. The Portal Layouts screen displays the IPv6
settings. (The following figure shows an additional layout in the List of Layouts table as an
example.)
Figure 161. Portal Layouts screen for IPv6
Virtual Private Networking Using SSL Connections
263
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The List of Layouts table displays the following fields:
•
Layout Name. The descriptive name of the portal.
•
Description. The banner message that is displayed at the top of the portal (see
Figure 171 on page 283).
•
Use Count. The number of authentication domains that use the portal.
•
Portal URL:
•
-
Portal URL (IPv4). The IPv4 URL at which the portal can be accessed. The IPv4
address in the URL is the public WAN address of the wireless VPN firewall (see
Configure the IPv4 Internet Connection and WAN Settings on page 26). Both the
IPv4 URL and the IPv6 URL can be active simultaneously.
-
Portal URL (IPv6). The IPv6 URL at which the portal can be accessed. The IPv6
address in the URL is the public WAN address of the wireless VPN firewall (see
Configure the IPv6 Internet Connection and WAN Settings on page 35). Both the
IPv6 URL and the IPv4 URL can be active simultaneously.
Action. The table buttons, which allow you to edit the portal layout or set it as the
default.
3. Under the List of Layouts table, click the Add table button. The Add Portal Layout screen
displays. (The following figure shows an example.)
Figure 162.
Virtual Private Networking Using SSL Connections
264
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Complete the settings as explained in the following table:
Table 65. Add Portal Layout screen settings
Setting
Description
Portal Layout and Theme Name
Portal Layout Name
A descriptive name for the portal layout. This name is part of the path of the SSL
VPN portal URL.
Note: Custom portals are accessed at a different URL than the default portal. For
example, if your SSL VPN portal is hosted at https://vpn.company.com, and you
create a portal layout named CustomerSupport, then users access the website at
https://vpn.company.com/portal/CustomerSupport.
Note: Only alphanumeric characters, hyphens (-), and underscores (_) are
accepted in the Portal Layout Name field. If you enter other types of characters or
spaces, the layout name is truncated before the first nonalphanumeric character.
Note: Unlike most other URLs, this name is case-sensitive.
Portal Site Title
The title that displays at the top of the user’s web browser window, for example,
Company Customer Support.
Banner Title
The banner title of a banner message that users see before they log in to the
portal, for example, Welcome to Customer Support.
Note: For an example, see Figure 171 on page 283. The banner title text is
displayed in the orange header bar.
Banner Message
The text of a banner message that users see before they log in to the portal, for
example, In case of login difficulty, call 123-456-7890. Enter a plain text message,
or include HTML and JavaScript tags. The maximum length of the login screen
message is 4096 characters.
Note: You can enlarge the field (that is, the text box) by manipulating the lower
right corner of the field (see the blue circle in the previous figure).
Note: For an example, see Figure 171 on page 283. The banner message text is
displayed in the gray header bar.
Select this check box to show the banner title and banner message text on the
Display banner
message on login page login screen as shown in Figure 171 on page 283.
HTTP meta tags for
cache control
(recommended)
Select this check box to apply cache control directives for the HTTP meta tags to
this portal layout. Cache control directives include:
<meta http-equiv=”pragma” content=”no-cache”>
<meta http-equiv=”cache-control” content=”no-cache”>
<meta http-equiv=”cache-control” content=”must-revalidate”>
Note: NETGEAR strongly recommends enabling HTTP meta tags for security
reasons and to prevent out-of-date web pages, themes, and data being stored in
a user’s web browser cache.
Virtual Private Networking Using SSL Connections
265
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 65. Add Portal Layout screen settings (continued)
Setting
Description
ActiveX web cache
cleaner
Select this check box to enable ActiveX cache control to be loaded when users
log in to the SSL VPN portal. The web cache cleaner prompts the user to delete
all temporary Internet files, cookies, and browser history when the user logs out or
closes the web browser window. The ActiveX web cache control is ignored by web
browsers that do not support ActiveX.
SSL VPN Portal Pages to Display
VPN Tunnel page
To provide full network connectivity, select this check box.
Port Forwarding
To specific defined network services, select this check box to provide access.
Note: Any pages that are not selected are not visible from the SSL VPN portal;
however, users can still access the hidden pages unless you create SSL VPN
access policies to prevent access to these pages.
5. Click Apply to save your settings. The new portal layout is added to the List of Layouts
table. For information about how to display the new portal layout, see Access the New SSL
Portal Login Screen on page 282.

To edit a portal layout:
1. On the Portal Layouts screen (for IPv4, see Figure 160 on page 263; for IPv6, see
Figure 161 on page 263), click the Edit button in the Action column for the portal layout
that you want to modify. The Edit Portal Layout screen displays. This screen is identical
to the Add Portal Layout screen (see the previous figure).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more portal layouts:
1. On the Portal Layouts screen (for IPv4, see Figure 160 on page 263; for IPv6, see
Figure 161 on page 263), select the check box to the left of each portal layout that you
want to delete, or click the Select All table button to select all layouts. (You cannot
delete the SSL-VPN default portal layout.)
2. Click the Delete table button.
Configure Domains, Groups, and Users
Remote users connecting to the wireless VPN firewall through an SSL VPN portal need to be
authenticated before they are granted access to the network. The login screen that is
presented to the user requires three items: a user name, a password, and a domain
selection. The domain determines both the authentication method and the portal layout that
are used.
You need to create name and password accounts for the SSL VPN users. When you create a
user account, you need to specify a group. Groups are used to simplify the application of
Virtual Private Networking Using SSL Connections
266
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
access policies. When you create a group, you need to specify a domain. Therefore, you
should create any domains first, then groups, and then user accounts.
For information about how to configure domains, groups, and users, see Configure
Authentication Domains, Groups, and Users on page 289.
Configure Applications for Port Forwarding
Port forwarding provides access to specific defined network services. To define these
services, you need to specify the internal server addresses and port numbers for TCP
applications that are intercepted by the port-forwarding client on the user’s computer. This
client reroutes the traffic to the wireless VPN firewall.
Add Servers and Port Numbers
To configure port forwarding, you need to define the IP addresses of the internal servers and
the port number for TCP applications that are available to remote users.

To add a server and a port number:
1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays. (The
following figure shows an example.)
Figure 163.
2. In the Add New Application for Port Forwarding section of the screen, specify information in
the following fields:
• IP Address. The IP address of an internal server or host computer that a remote user
has access to.
Virtual Private Networking Using SSL Connections
267
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
TCP Port. The TCP port number of the application that is accessed through the SSL
VPN tunnel. The following table lists some commonly used TCP applications and port
numbers.
Table 66. Port-forwarding applications/TCP port numbers
TCP Application
Port Number
FTP data (usually not needed)
20
FTP Control Protocol
21
SSH
22a
Telnet
23a
SMTP (send mail)
25
HTTP (web)
80
POP3 (receive mail)
110
NTP (Network Time Protocol)
123
Citrix
1494
Terminal Services
3389
VNC (virtual network computing)
5900 or 5800
a. Users can specify the port number together with the host name or IP
address.
3. Click the Add table button. The new application entry is added to the List of Configured
Applications for Port Forwarding table. Remote users can now securely access network
applications once they have logged in to the SSL VPN portal and launched port forwarding.

To delete an application from the List of Configured Applications for Port Forwarding
table:
1. Select the check box to the left of the application that you want to delete.
2. Click the Delete table button in the Action column.
Add a New Host Name
After you have configured port forwarding by defining the IP addresses of the internal servers
and the port number for TCP applications that are available to remote users, you then can
also specify host-name-to-IP-address resolution for the network servers as a convenience for
users. Host name resolution allows users to access TCP applications at familiar addresses
such as mail.example.com or ftp.customer.com rather than by IP addresses.

To add servers and host names for client name resolution:
1. Select VPN > SSL VPN > Port Forwarding. The Port Forwarding screen displays (see
Figure 163 on page 267).
Virtual Private Networking Using SSL Connections
268
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. In the Add New Host Name for Port Forwarding section of the screen, specify information in
the following fields:
• Local Server IP Address. The IP address of an internal server or host computer that
you want to name.
•
Fully Qualified Domain Name. The full server name.
Note: If the server or host computer that you want to name does not
display in the List of Configured Applications for Port Forwarding
table, you need to add it before you can rename it.
3. Click the Add table button. The new application entry is added to the List of Configured Host
Names for Port Forwarding table.

To delete a name from the List of Configured Host Names for Port Forwarding table:
1. Select the check box to the left of the name that you want to delete.
2. Click the Delete table button in the Action column.
Configure the SSL VPN Client
The SSL VPN client on the wireless VPN firewall assigns IP addresses to remote VPN tunnel
clients. Because the VPN tunnel connection is a point-to-point connection, you can assign IP
addresses from the local subnet to the remote VPN tunnel clients.
The following are some additional considerations:
•
So that the virtual (PPP) interface address of a VPN tunnel client does not conflict with
addresses on the local network, configure an IP address range that does not directly
overlap with addresses on your local network. For example, if 192.168.1.1 through
192.168.1.100 are assigned to devices on the local network, then start the client address
range at 192.168.1.101, or choose an entirely different subnet altogether.
•
The VPN tunnel client cannot contact a server on the local network if the VPN tunnel
client’s Ethernet interface shares the same IP address as the server or the wireless VPN
firewall. (For example, if your computer has a network interface IP address of 10.0.0.45,
then you cannot contact a server on the remote network that also has the IP address
10.0.0.45.)
•
Select whether you want to enable full-tunnel or split-tunnel support based on your
bandwidth:
•
-
A full tunnel sends all of the client’s traffic across the VPN tunnel.
-
A split tunnel sends only traffic that is destined for the local network based on the
specified client routes. All other traffic is sent to the Internet. A split tunnel allows you
to manage bandwidth by reserving the VPN tunnel for local traffic only.
If you enable split-tunnel support and you assign an entirely different subnet to the VPN
tunnel clients from the subnet that is used by the local network, you need to add a client
Virtual Private Networking Using SSL Connections
269
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
route to ensure that a VPN tunnel client connects to the local network over the VPN
tunnel.
Configure the Client IP Address Range
First determine the address range to be assigned to VPN tunnel clients, and then define the
address range.

To define the client IP address range:
1. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen displays the
IPv4 settings (the following screen shows an example).
2. Specify the IP version for which you want to configure the SSL VPN client:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
Figure 164. SSL VPN Client screen for IPv4
•
IPv6. Select the IPv6 radio button. The SSL VPN Client screen displays the IPv6
settings (the following screen shows some examples).
Virtual Private Networking Using SSL Connections
270
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 165. SSL VPN Client screen for IPv6
3. Complete the settings as explained in the following table:
Table 67. SSL VPN Client screen settings for IPv4 and IPv6
Setting
Description
Client IP Address Range
Enable Full Tunnel Support Select this check box to enable full-tunnel support. If you leave this check box
cleared (which is the default setting), full-tunnel support is disabled but
split-tunnel support is enabled, and you need to add client routes (see Add
Routes for VPN Tunnel Clients on page 272).
Note: When full-tunnel support is enabled, client routes are not operable.
DNS Suffix
A DNS suffix to be appended to incomplete DNS search strings. This setting
is optional.
Primary DNS Server
The IP address of the primary DNS server that is assigned to the VPN tunnel
clients. This setting is optional.
Note: If you do not assign a DNS server, the DNS settings remain
unchanged in the SSL VPN client after a VPN tunnel has been established.
Secondary DNS Server
The IP address of the secondary DNS server that is assigned to the VPN
tunnel clients. This setting is optional.
Virtual Private Networking Using SSL Connections
271
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 67. SSL VPN Client screen settings for IPv4 and IPv6 (continued)
Setting
Description
Client Address
Range Begin
The first IP address of the IPv4 address range that you
want to assign to the VPN tunnel clients. By default, the
first IPv4 address is 192.168.251.1.
Client Address
Range End
The last IP address of the IPv4 address range that you
want to assign to the VPN tunnel clients. By default, the
last IPv4 address is 192.168.251.254.
Client IPv6
Address Range
Begin
The first IP address of the IPv6 address range that you
want to assign to the VPN tunnel clients. By default, the
first IPv6 address is 4000::1.
Client IPv6
Address Range
End
The last IP address of the IPv6 address range that you
want to assign to the VPN tunnel clients. By default, the
last IPv6 address is 4000::200.
IPv4 screen only
IPv6 screen only
4. Click Apply to save your settings. VPN tunnel clients are now able to connect to the wireless
VPN firewall and receive a virtual IP address in the client address range.
Add Routes for VPN Tunnel Clients
The VPN tunnel clients assume that the following networks are located across the
VPN-over-SSL tunnel:
•
The subnet that contains the client IP address (that is, PPP interface), as determined by
the class of the address (Class A, B, or C).
•
Subnets that are specified in the Configured Client Routes table on the SSL VPN Client
screen.
If the assigned client IP address range is in a different subnet from the local network, or if the
local network has multiple subnets, or if you select split-tunnel operation, you need to define
client routes.

To add an SSL VPN tunnel client route:
1. Select VPN > SSL VPN > SSL VPN Client. The SSL VPN Client screen for IPv4
displays (see Figure 164 on page 270).
2. Specify the IP version for which you want to add a route:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
•
IPv6. Select the IPv6 radio button. The SSL VPN Client screen displays the IPv6
settings (see Figure 165 on page 271).
Virtual Private Networking Using SSL Connections
272
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. In the Add Routes for VPN Tunnel Clients section of the screen, specify information in the
following fields:
• Destination Network. The destination network IPv4 or IPv6 address of a local
network or subnet. For example, for an IPv4 route, enter 192.168.4.20.
•
Subnet Mask / Prefix Length. For an IPv4 route, the address of the appropriate
subnet mask; for an IPv6 route, the prefix length.
4. Click the Add table button. The new client route is added to the Configured Client Routes
table.
If VPN tunnel clients are already connected, disconnect and then reconnect the clients on the
SSL VPN Connection Status screen (see View the SSL VPN Connection Status on
page 285). Doing so allows the clients to receive new addresses and routes.

To change the specifications of an existing route and to delete an old route:
1. Add a new route to the Configured Client Routes table.
2. In the Configured Client Routes table, to the right of the route that is out-of-date, click the
Delete table button.
If an existing route is no longer needed, you can delete it.
Use Network Resource Objects to Simplify Policies
Network resources are groups of IP addresses, IP address ranges, and services. By defining
resource objects, you can more quickly create and configure network policies. You do not
need to redefine the same set of IP addresses or address ranges when you configure the
same access policies for multiple users.
Defining network resources is optional; smaller organizations can choose to create access
policies using individual IP addresses or IP networks rather than predefined network
resources. But for most organizations, NETGEAR recommends that you use network
resources. If your server or network configuration changes, you can perform an update
quickly by using network resources instead of individually updating all of the user and group
policies.
Add New Network Resources
The resource name and service are independent of the IP version. However, the resource
definition (see Edit Network Resources to Specify Addresses on page 274) is dependant on
the IP version because you can assign either an IPv4 or an IPv6 address or network.

To define a network resource:
1. Select VPN > SSL VPN > Resources. The Resources screen displays. (The following
figure shows some resources in the List of Resources table as an example.)
Virtual Private Networking Using SSL Connections
273
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 166.
2. In the Add New Resource section of the screen, specify information in the following fields:
• Resource Name. A descriptive name of the resource for identification and
management purposes.
•
Service. From the Service drop-down list, select the type of service to which the
resource applies:
-
VPN Tunnel. The resource applies only to a VPN tunnel.
-
Port Forwarding. The resource applies only to port forwarding.
-
All. The resource applies both to a VPN tunnel and to port forwarding.
3. Click the Add table button. The new resource is added to the List of Resources table.

To delete one or more network resources:
1. Select the check box to the left of each network resource that you want to delete, or
click the Select All table button to select all network resources.
2. Click the Delete table button.
Edit Network Resources to Specify Addresses

To edit network resources:
1. Select VPN > SSL VPN > Resources. The Resources screen displays (see the
previous figure, which shows some examples).
2. In the List of Resources table, to the right of the new resource in the Action column, click the
Edit table button. A new screen that lets you edit the resource displays the IPv4 settings.
(The following figure shows some examples.)
Virtual Private Networking Using SSL Connections
274
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Specify the IP version for which you want to add a portal layout:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 4.
•
IPv6. Select the IPv6 radio button. The screen that lets you edit the resource displays
the IPv6 settings. This screen is identical to the screen for IPv4 (see the next screen,
which shows some examples).
Figure 167.
4. Complete the settings as explained in the following table:
Table 68. Resources screen settings to edit a resource
Setting
Description
Add Resource Addresses
Resource Name
The unique identifier for the resource. You cannot modify the resource name
after you have created it on the first Resources screen.
Service
The SSL service that is assigned to the resource. You cannot modify the
service after you have assigned it to the resource on the first Resources
screen.
Virtual Private Networking Using SSL Connections
275
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 68. Resources screen settings to edit a resource (continued)
Setting
Description
Object Type
From the drop-down list, select one of the following options:
• IP Address. The object is an IPv4 or IPv6 address. You need to enter the IP
address or the FQDN in the IP Address / Name field.
• IP Network. The object is an IPv4 or IPv6 network. You need to enter the
network IP and the network mask length (for IPv4) or prefix length (for IPv6)
in the Mask Length field.
IP Address / Name Applicable only when you select IP Address as the object
type. Enter the IP address or FQDN for the location that is
permitted to use this resource.
Network Address
Applicable only when you select IP Network as the object
type. Enter the network IP address for the locations that
are permitted to use this resource. You also need to enter
the mask length (IPv4 only) or prefix length (IPv6 only):
IPv4 screen only:
Mask Length
Enter the network mask (0–31) for the locations that are
permitted to use this resource.
IPv6 screen only:
Prefix Length
Enter the prefix length for the locations that are permitted
to use this resource.
Port Range / Port Number A port or a range of ports (0–65535) to apply the policy to. The policy is applied
to all TCP and UDP traffic that passes on those ports. Leave the fields blank to
apply the policy to all traffic.
5. Click Apply to save your settings. The new configuration is added to the Defined Resource
Addresses table.
To delete a configuration from the Defined Resource Addresses table, click the Delete table
button to the right of the configuration that you want to delete.
Configure User, Group, and Global Policies
You can define and apply user, group, and global policies to predefined network resource
objects, IP addresses, address ranges, or all IP addresses, and to different SSL VPN
services. A specific hierarchy is invoked over which policies take precedence. The wireless
VPN firewall policy hierarchy is defined as follows:
•
User policies take precedence over group policies.
•
Group policies take precedence over global policies.
•
If two or more user, group, or global policies are configured, the most specific policy takes
precedence.
For example, a policy that is configured for a single IP address takes precedence over a
policy that is configured for a range of addresses. And a policy that applies to a range of IP
addresses takes precedence over a policy that is applied to all IP addresses. If two or more
Virtual Private Networking Using SSL Connections
276
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IP address ranges are configured, then the smallest address range takes precedence. Host
names are treated the same as individual IP addresses.
Network resources are prioritized just like other address ranges. However, the prioritization is
based on the individual address or address range, not the entire network resource.
For example, assume the following global policy configuration:
•
Policy 1. A Deny rule has been configured to block all services to the IP address range
10.0.0.0–10.0.0.255.
•
Policy 2. A Deny rule has been configured to block FTP access to 10.0.1.2–10.0.1.10.
•
Policy 3. A Permit rule has been configured to allow FTP access to the predefined
network resource with the name FTP Servers. The FTP Servers network resource
includes the following addresses: 10.0.0.5–10.0.0.20 and the FQDN ftp.company.com,
which resolves to 10.0.1.3.
Assuming that no conflicting user or group policies have been configured, if a user attempted
to access FTP servers at the following addresses, the actions listed would occur:
•
10.0.0.1. The user would be blocked by Policy 1.
•
10.0.1.5. The user would be blocked by Policy 2.
•
10.0.0.10. The user would be granted access by Policy 3. The IP address range
10.0.0.5–10.0.0.20 is more specific than the IP address range that is defined in Policy 1.
•
ftp.company.com. The user would be granted access by Policy 3. A single host name is
more specific than the IP address range that is configured in Policy 2.
Note: The user would not be able to access ftp.company.com using its IP
address 10.0.1.3. The wireless VPN firewall’s policy engine does not
perform reverse DNS lookups.
View Policies

To view the existing SSL VPN policies:
1. Select VPN > SSL VPN. The SSL VPN submenu tabs display, with the Policies screen
in view. (The following figure shows some examples.)
Virtual Private Networking Using SSL Connections
277
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 168.
2. Make your selection from the following Query options:
• To view all global policies, select the Global radio button.
•
To view group policies, select the Group radio button, and then select the relevant
group’s name from the drop-down list.
•
To view user policies, select the User radio button, and then select the relevant user’s
name from the drop-down list.
3. Click the Display action button. The List of SSL VPN Policies table displays the list for your
selected Query option.
Add an IPv4 or IPv6 SSL VPN Policy

To add an SSL VPN policy:
1. Select VPN > SSL VPN. The SSL VPN submenu tabs display, with the Policies screen
in view (see the previous figure).
2. Under the List of SSL VPN Policies table, click the Add table button. The Add SSL VPN
Policy screen displays the IPv4 settings (see the next screen).
3. Specify the IP version for which you want to add an SSL VPN policy:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 4.
Virtual Private Networking Using SSL Connections
278
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
.
Figure 169. Add SSL VPN Policy screen for IPv4
•
IPv6. Select the IPv6 radio button. The Add SSL VPN Policy screen displays the IPv6
settings:
.
Figure 170. Add SSL VPN Policy screen for IPv6
Virtual Private Networking Using SSL Connections
279
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. Complete the settings as explained in the following table:
Table 69. Add SSL VPN Policy screen settings
Setting
Description
Policy For
Select one of the following radio buttons to specify the type of SSL VPN policy:
• Global. The new policy is global and includes all groups and users.
• Group. The new policy needs to be limited to a single group. From the drop-down list, select a group
name. For information about how to create groups, see Configure Groups on page 293.
• User. The new policy needs to be limited to a single user. From the drop-down list, select a user name.
For information about how to create user accounts, see Configure User Accounts on page 296.
Add SSL VPN Policies
Apply
Policy to?
Select one of the following radio buttons to specify how the policy is applied. When you select
a radio button, the fields and drop-down lists that apply to your selection (see explanations
later in this table) unmask onscreen.
• Network Resource. The policy is applied to a network resource that you have defined on
the Resources screen (see Use Network Resource Objects to Simplify Policies on
page 273).
• IP Address. The policy is applied to a single IP address.
• IP Network. The policy is applied to a network address.
• All Addresses. The policy is applied to all addresses.
Network
Resource
IP Address
Policy Name
A descriptive name of the SSL VPN policy for identification and
management purposes.
Defined
Resources
From the drop-down list, select a network resource that you
have defined on the Resources screen (see Use Network
Resource Objects to Simplify Policies on page 273).
Permission
From the drop-down list, select Permit or Deny to specify
whether the policy permits or denies access.
Policy Name
A descriptive name of the SSL VPN policy for identification and
management purposes.
IP Address
The IPv4 or IPv6 address to which the SSL VPN policy is
applied.
Port Range /
Port Number
A port (fill in the Begin field) or a range of ports (fill in the Begin
and End fields) to which the SSL VPN policy is applied. Ports
can be 0 through 65535. The policy is applied to all TCP and
UDP traffic that passes on those ports. Leave the fields blank to
apply the policy to all traffic.
Service
From the drop-down list, select the service to which the SSL
VPN policy is applied:
• VPN Tunnel. The policy is applied only to a VPN tunnel.
• Port Forwarding. The policy is applied only to port
forwarding.
• All. The policy is applied both to a VPN tunnel and to port
forwarding.
Virtual Private Networking Using SSL Connections
280
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 69. Add SSL VPN Policy screen settings (continued)
Setting
Description
Apply
Policy to?
(continued)
IP Address
(continued)
Permission
From the drop-down list, select Permit or Deny to specify
whether the policy permits or denies access.
IP Network
Policy Name
A descriptive name of the SSL VPN policy for identification and
management purposes.
IP Address
The network IPv4 or IPv6 network address to which the SSL
VPN policy is applied.
IPv4 screen
only
Subnet
Mask
IPv6 screen
only
IPv6 Prefix The IPv6 prefix length that apples to the network
Length
to which the SSL VPN policy is applied.
Port Range /
Port Number
A port (fill in the Begin field) or a range of ports (fill in the Begin
and End fields) to which the SSL VPN policy is applied. Ports
can be 0 through 65535. The policy is applied to all TCP and
UDP traffic that passes on those ports. Leave the fields blank to
apply the policy to all traffic.
Service
From the drop-down list, select the service to which the SSL
VPN policy is applied:
• VPN Tunnel. The policy is applied only to a VPN tunnel.
• Port Forwarding. The policy is applied only to port
forwarding.
• All. The policy is applied both to a VPN tunnel and to port
forwarding.
Permission
From the drop-down list, select Permit or Deny to specify
whether the policy permits or denies access.
Policy Name
A descriptive name of the SSL VPN policy for identification and
management purposes.
Port Range /
Port Number
A port (fill in the Begin field) or a range of ports (fill in the Begin
and End fields) to which the SSL VPN policy is applied. Ports
can be 0 through 65535. The policy is applied to all TCP and
UDP traffic that passes on those ports. Leave the fields blank to
apply the policy to all traffic.
Service
From the drop-down list, select the service to which the SSL
VPN policy is applied:
• VPN Tunnel. The policy is applied only to a VPN tunnel.
• Port Forwarding. The policy is applied only to port
forwarding.
• All. The policy is applied both to a VPN tunnel and to port
forwarding.
Permission
From the drop-down list, select Permit or Deny to specify
whether the policy permits or denies access.
All
Addresses
The IPv4 network subnet mask to which the SSL
VPN policy is applied.
5. Click Apply to save your settings. The policy is added to the List of SSL VPN Policies table
on the Policies screen. The new policy goes into effect immediately.
Virtual Private Networking Using SSL Connections
281
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: If you have configured SSL VPN user policies, make sure that
secure HTTP remote management is enabled (see Configure
Remote Management Access on page 322). If secure HTTP remote
management is not enabled, all SSL VPN user connections are
disabled.

To edit an SSL VPN policy:
1. On the Policies screen (see Figure 168 on page 278), click the Edit button in the Action
column for the SSL VPN policy that you want to modify. The Edit SSL VPN Policy
screen displays. This screen is identical to the Add SSL VPN Policy screen (see
previous screen).
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more SSL VPN policies:
1. On the Policies screen (see Figure 168 on page 278), select the check box to the left of
each SSL VPN policy that you want to delete, or click the Select All table button to
select all policies.
2. Click the Delete table button.
Access the New SSL Portal Login Screen
All screens that you can access from the SSL VPN menu of the web management interface
display a user portal link in the upper right of the screen, above the menu bars (
).
When you click the User Portal link, the SSL VPN default portal opens (see Figure 172 on
page 284). This user portal is not the same as the new SSL portal login screen that you
defined with the help of the SSL VPN Wizard.

To open the new SSL portal login screen:
1. Select VPN > SSL VPN > Portal Layouts. The Portal Layouts screen displays (for IPv4,
see Figure 160 on page 263; for IPv6, see Figure 161 on page 263).
2. In the Portal URL field of the List of Layouts table, select the URL that ends with the portal
layout name that you defined with the help of the SSL VPN Wizard. The new SSL portal
login screen displays:
Virtual Private Networking Using SSL Connections
282
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 171.
3. Enter the user name and password that you just created with the help of the SSL VPN
Wizard.
4. Click Login. The User Portal screen displays. The format of the User Portal screen depends
on the settings that you selected on the Add Portal Layout screen (see Create the Portal
Layout on page 262):
• Figure 172, shows the User Portal screen with both a VPN Tunnel and a Port
Forwarding menu option.
•
Figure 173, show the User Portal screen with a Port Forwarding menu option only.
The VPN Tunnel menu option is not displayed.
Virtual Private Networking Using SSL Connections
283
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 172.
Figure 173.
The User Portal screen displays a simple menu that, depending on the resources
allocated, provides the SSL user with the following menu selections:
•
VPN Tunnel. Provides full network connectivity.
•
Port Forwarding. Provides access to the network services that you defined as
described in Configure Applications for Port Forwarding on page 267.
Virtual Private Networking Using SSL Connections
284
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
Change Password. Allows the user to change his or her password.
•
Support. Provides access to the NETGEAR website.
Note: The first time that a user attempts to connect through the VPN
tunnel, the NETGEAR SSL VPN tunnel adapter is installed; the first
time that a user attempts to connect through the port-forwarding
tunnel, the NETGEAR port-forwarding engine is installed.
View the SSL VPN Connection Status
To view the status of current SSL VPN tunnels, select VPN > Connection Status > SSL VPN
Connection Status. The SSL VPN Connection Status screen displays:
Figure 174.
The active user’s name, group, and IP address are listed in the table with a time stamp
indicating the time and date that the user connected.
To disconnect an active user, click the Disconnect table button to the right of the user’s table
entry.
View the SSL VPN Log

To display the SSL VPN log:
Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays:
Virtual Private Networking Using SSL Connections
285
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 175.
Virtual Private Networking Using SSL Connections
286
8.
Manage Users, Authentication, and
VPN Certificates
8
This chapter describes how to manage users, authentication, and security certificates for IPSec
VPN and SSL VPN. This chapter contains the following sections:
•
The Wireless VPN Firewall’s Authentication Process and Options
•
Configure Authentication Domains, Groups, and Users
•
Manage Digital Certificates for VPN Connections
The Wireless VPN Firewall’s Authentication Process and
Options
Users are assigned to a group, and a group is assigned to a domain. Therefore, you should
first create any domains, then groups, then user accounts.
Note: Do not confuse the authentication groups with the LAN groups that
are discussed in Manage IPv4 Groups and Hosts (IPv4 LAN
Groups) on page 64.
You need to create name and password accounts for all users who need to be able to
connect to the wireless VPN firewall. This includes administrators, guests, and SSL VPN
clients. Accounts for IPSec VPN clients are required only if you have enabled extended
authentication (XAUTH) in your IPSec VPN configuration.
Users connecting to the wireless VPN firewall need to be authenticated before being allowed
to access the wireless VPN firewall or the VPN-protected network. The login screen that is
presented to the user requires three items: a user name, a password, and a domain
selection. The domain determines the authentication method that is used and, for SSL
connections, the portal layout that is presented.
Note: IPSec VPN users always belong to the default domain
(geardomain) and are not assigned to groups.
287
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Except in the case of IPSec VPN users, when you create a user account, you need to specify
a group. When you create a group, you need to specify a domain.
The following table summarizes the external authentication protocols and methods that the
wireless VPN firewall supports.
Table 70. External authentication protocols and methods
Authentication
Description
Protocol or Method
PAP
Password Authentication Protocol (PAP) is a simple protocol in which the client sends a
password in clear text.
CHAP
Challenge Handshake Authentication Protocol (CHAP) executes a three-way handshake
in which the client and server trade challenge messages, each responding with a hash of
the other’s challenge message that is calculated using a shared secret value.
RADIUS
A network-validated PAP or CHAP password-based authentication method that functions
with Remote Authentication Dial In User Service (RADIUS).
MIAS
A network-validated PAP or CHAP password-based authentication method that functions
with Microsoft Internet Authentication Service (MIAS), which is a component of Microsoft
Windows 2003 Server.
WiKID
WiKID Systems is a PAP or CHAP key-based two-factor authentication method that
functions with public key cryptography. The client sends an encrypted PIN to the WiKID
server and receives a one-time passcode with a short expiration period. The client logs in
with the passcode. See Appendix B, Two-Factor Authentication, for more on WiKID
authentication.
NT Domain
A network-validated domain-based authentication method that functions with a Microsoft
Windows NT Domain authentication server. This authentication method has been
superseded by Microsoft Active Directory authentication but is supported to authenticate
legacy Windows clients.
Active Directory
A network-validated domain-based authentication method that functions with a Microsoft
Active Directory authentication server. Microsoft Active Directory authentication servers
support a group and user structure. Because the Active Directory supports a multilevel
hierarchy (for example, groups or organizational units), this information can be queried to
provide specific group policies or bookmarks based on Active Directory attributes.
Note: A Microsoft Active Directory database uses an LDAP organization schema.
LDAP
A network-validated domain-based authentication method that functions with a
Lightweight Directory Access Protocol (LDAP) authentication server. LDAP is a standard
for querying and updating a directory. Because LDAP supports a multilevel hierarchy (for
example, groups or organizational units), this information can be queried to provide
specific group policies or bookmarks based on LDAP attributes.
Manage Users, Authentication, and VPN Certificates
288
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Configure Authentication Domains, Groups, and Users
This section contains the following subsections:
•
Configure Domains
•
Configure Groups
•
Configure User Accounts
•
Set User Login Policies
•
Change Passwords and Other User Settings
Configure Domains
The domain determines the authentication method to be used for associated users. For SSL
connections, the domain also determines the portal layout that is presented, which in turn
determines the network resources to which the associated users have access. The default
domain of the wireless VPN firewall is named geardomain. You cannot delete the default
domain.
Create Domains

To create a domain:
1. Select Users > Domains. The Domains screen displays. (The following figure shows
the wireless VPN firewall’s default domain—geardomain—and, as an example, other
domains in the List of Domains table.)
Figure 176.
Manage Users, Authentication, and VPN Certificates
289
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The List of Domains table displays the domains with the following fields:
•
Check box. Allows you to select the domain in the table.
•
Domain Name. The name of the domain. The name of the default domain
(geardomain) to which the default SSL-VPN portal is assigned is appended by an
asterisk.
•
Authentication Type. The authentication method that is assigned to the domain.
•
Portal Layout Name. The SSL portal layout that is assigned to the domain.
•
Action. The Edit table button, which provides access to the Edit Domain screen.
2. Under the List of Domains table, click the Add table button. The Add Domain screen
displays:
Figure 177.
3. Complete the settings as explained in the following table:
Table 71. Add Domain screen settings
Setting
Description
Domain Name
A descriptive (alphanumeric) name of the domain for identification and
management purposes.
Authentication Type
From the drop-down list, select the authentication method that the wireless VPN
firewall applies:
• Local User Database (default). Users are authenticated locally on the wireless
VPN firewall. This is the default setting. You do not need to complete any other
fields on this screen.
• Radius-PAP. RADIUS Password Authentication Protocol (PAP). Complete the
following fields:
- Authentication Server
- Authentication Secret
Manage Users, Authentication, and VPN Certificates
290
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 71. Add Domain screen settings (continued)
Setting
Description
Authentication Type
(continued)
• Radius-CHAP. RADIUS Challenge Handshake Authentication Protocol (CHAP).
Complete the following fields:
- Authentication Server
Note: If you select
- Authentication Secret
any type of RADIUS
• Radius-MSCHAP. RADIUS Microsoft CHAP. Complete the following fields:
authentication, make
- Authentication Server
sure that one or more
- Authentication Secret
RADIUS servers are
configured (see
• Radius-MSCHAPv2. RADIUS Microsoft CHAP version 2. Complete the following
RADIUS Client and
fields:
Server Configuration
- Authentication Server
on page 235).
- Authentication Secret
• WIKID-PAP. WiKID Systems PAP. Complete the following fields:
- Authentication Server
- Authentication Secret
• WIKID-CHAP. WiKID Systems CHAP. Complete the following fields:
- Authentication Server
- Authentication Secret
• MIAS-PAP. Microsoft Internet Authentication Service (MIAS) PAP. Complete the
following fields:
- Authentication Server
- Authentication Secret
• MIAS-CHAP. Microsoft Internet Authentication Service (MIAS) CHAP. Complete
the following fields:
- Authentication Server
- Authentication Secret
• NT Domain. Microsoft Windows NT Domain. Complete the following fields:
- Authentication Server
- Workgroup
• Active Directory. Microsoft Active Directory. Complete the following fields, and
make a selection from the LDAP Encryption drop-down list:
- Authentication Server
- Active Directory Domain
• LDAP. Lightweight Directory Access Protocol (LDAP). Complete the following
fields, and make a selection from the LDAP Encryption drop-down list:
- Authentication Server
- LDAP Base DN
The portal that is assigned to this domain and that is presented to the user to enter
credentials. The default portal is SSL-VPN.
Select Portal
Authentication Server The server IP address or server name of the authentication server for any type of
authentication other than authentication through the local user database.
Authentication Secret
The authentication secret or password that is required to access the authentication
server for RADIUS, WiKID, or MIAS authentication.
Workgroup
The workgroup that is required for Microsoft NT Domain authentication.
Manage Users, Authentication, and VPN Certificates
291
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 71. Add Domain screen settings (continued)
Setting
Description
LDAP Base DN
The LDAP distinguished name (DN) that is required to access the LDAP
authentication server. This should be a user in the LDAP directory who has read
access to all the users that you would like to import into the wireless VPN firewall.
The Bind DN field accepts two formats:
• A display name in the DN format. For example:
cn=Jamie Hanson,cn=users,dc=test,dc=com.
• A Windows login account name in email format. For example:
[email protected] This last type of bind DN can be used only for a Windows
LDAP server.
Active Directory
Domain
The Active Directory domain name that is required for Microsoft Active Directory
authentication.
4. Click Apply to save your settings. The domain is added to the List of Domains table.
5. If you use local authentication, make sure that it is not disabled: in the Local Authentication
section of the Domain screen (see Figure 176 on page 289), select the No radio button.
Note: A combination of local and external authentication is supported.
WARNING:
If you disable local authentication, make sure that there is at least
one external administrative user; otherwise, access to the
wireless VPN firewall is blocked.
6. If you do change local authentication, click Apply in the Domain screen to save your
settings.

To delete one or more domains:
1. In the List of Domains table, select the check box to the left of each domain that you
want to delete, or click the Select All table button to select all domains.
2. Click the Delete table button.
Note: You cannot delete the geardomain default domain.
Manage Users, Authentication, and VPN Certificates
292
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Edit Domains

To edit a domain:
1. Select Users > Domains. The Domains screen displays (see Figure 176 on page 289).
2. In the Action column of the List of Domains table, click the Edit table button for the domain
that you want to edit. The Edit Domains screen displays. This screen is very similar to the
Add Domains screen (see the previous figure).
3. Modify the settings as explained in the previous table. (You cannot modify the Domain Name
and Authentication Type fields.)
4. Click Apply to save your changes. The modified domain is displayed in the List of Domains
table.
Note: You cannot edit the geardomain default domain.
Configure Groups
The use of groups simplifies the configuration of VPN policies when different sets of users
have different restrictions and access controls. It also simplifies the configuration of web
access exception rules. Like the default domain of the wireless VPN firewall, the default
group is also named geardomain. The default group geardomain is assigned to the default
domain geardomain. You cannot delete the default domain geardomain, nor its associated
default group geardomain.
IMPORTANT:
When you create a new domain on the Domains screen (see the
previous section), a group with the same name as the new domain
is created automatically. You cannot delete such a group. However,
when you delete the domain with which it is associated, the group
is deleted automatically.
Note: IPSec VPN users always belong to the default domain (geardomain)
and are not assigned to groups.
Note: Groups that are defined on the Groups screen are used for setting
SSL VPN policies. These groups should not be confused with LAN
groups that are defined on the IPv4 LAN Groups screen and that are
used to simplify firewall policies. For information about LAN groups,
see Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 64.
Manage Users, Authentication, and VPN Certificates
293
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Create Groups

To create a VPN group:
1. Select Users > Groups. The Groups screen displays. (The following figure shows the
wireless VPN firewall’s default group—geardomain—and, as an example, several other
groups in the List of Groups table.)
Figure 178.
The List of Groups table displays the VPN groups with the following fields:
•
Check box. Allows you to select the group in the table.
•
Name. The name of the group. The name of the default group (geardomain) that is
assigned to the default domain (also geardomain) is appended by an asterisk.
Note: When you create a new domain on the Domains screen, a group with
the same name as the new domain is created automatically. You cannot delete
such a group on the Groups screen. However, when you delete the domain with
which the group is associated, the group is deleted automatically.
•
Domain. The name of the domain to which the group is assigned.
•
Action. The Edit table button, which provides access to the Edit Group screen.
2. Under the List of Groups table, click the Add table button. The Add Group screen displays:
Manage Users, Authentication, and VPN Certificates
294
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 179.
3. Complete the settings as explained in the following table:
Table 72. Add Group screen settings
Setting
Description
Name
A descriptive (alphanumeric) name of the group for identification and management
purposes.
Domain
The drop-down list shows the domains that are listed on the Domain screen. From the
drop-down list, select the domain with which the group is associated. For information
about how to configure domains, see Configure Domains on page 289.
Idle Timeout
The period after which an idle user is automatically logged out of the wireless VPN
firewall’s web management interface. The default idle time-out period is 10 minutes.
4. Click Apply to save your changes. The new group is added to the List of Groups table.

To delete one or more groups:
1. In the List of Groups table, select the check box to the left of each group that you want
to delete, or click the Select All table button to select all groups.
2. Click the Delete table button.
Note: You can delete only groups that you created on the Groups screen.
Groups that were automatically created when you created a domain
cannot be deleted on the Groups screen. See the Important note at
the beginning of this section.
Edit Groups
For groups that were automatically created when you created a domain, you can modify only
the idle time-out settings but not the group name or associated domain.
For groups that you created on the Add Groups screen, you can modify the domain and the
idle time-out settings but not the group name.
Manage Users, Authentication, and VPN Certificates
295
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To edit a VPN group:
1. Select Users > Groups. The Groups screen displays (see Figure 178 on page 294).
2. In the Action column of the List of Groups table, click the Edit table button for the group that
you want to edit. The Edit Groups screen displays. This screen is identical to the Add
Groups screen.
3. Modify the settings as explained in the previous table.
4. Click Apply to save your changes. The modified group is displayed in the List of Groups
table.
Configure User Accounts
When you create a user account, you need to assign the user to a user group. When you
create a group, you need to assign the group to a domain that specifies the authentication
method. Therefore, you should first create any domains, then groups, and then user
accounts.
Note: IPSec VPN users always belong to the default domain (geardomain)
and default group (also geardomain) and do not need to be assigned
a user account.
There are two default user accounts:
•
A user with the name admin and the password password. This is a user who has
read/write access, is associated with the domain geardomain, and is denied login from
the WAN interface by default. The user name is appended by an asterisk. You cannot
delete this user account.
•
A user with the name guest and the password password. This is a user who has
read-only access, is associated with the domain geardomain, and is denied login from the
WAN interface by default. The user name is appended by an asterisk. You cannot delete
this user account.
You can create five different types of user accounts by applying one of the predefined user
types:
•
SSL VPN user. A user who can log in only to the SSL VPN portal.
•
Administrator. A user who has full access and the capacity to change the wireless VPN
firewall configuration (that is, read-write access).
•
Guest user. A user who can only view the wireless VPN firewall configuration (that is,
read-only access).
•
IPSec VPN user. A user who can make an IPSec VPN connection only through a
NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see
Configure Extended Authentication (XAUTH) on page 233).
•
L2TP user. A user who can connect over an L2TP connection to an L2TP client that is
located behind the wireless VPN firewall.
Manage Users, Authentication, and VPN Certificates
296
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To create a user account:
1. Select Users > Users. The Users screen displays. (The following figure shows the
wireless VPN firewall’s default users—admin and guest—and, as an example, several
other users in the List of Users table.)
Figure 180.
The List of Users table displays the users and has the following fields:
•
Check box. Allows you to select the user in the table.
•
Name. The name of the user. If the user name is appended by an asterisk, the user is
a default user that came preconfigured with the wireless VPN firewall and cannot be
deleted.
•
Group. The group to which the user is assigned.
•
Type. The type of access credentials that are assigned to the user.
•
Authentication Domain. The authentication domain to which the user is assigned.
•
Action. The Edit table button, which provides access to the Edit User screen; the
Policies table button, which provides access to the policy screens.
2. Under the List of Users table, click the Add table button. The Add Users screen displays:
Manage Users, Authentication, and VPN Certificates
297
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 181.
3. Enter the settings as explained in the following table:
Table 73. Add Users screen settings
Setting
Description
User Name
A descriptive (alphanumeric) name of the user for identification and management
purposes.
User Type
From the drop-down list, select one of the predefined user types that determines the
access credentials:
• Administrator. User who has full access and the capacity to change the wireless
VPN firewall configuration (that is, read/write access).
• SSL VPN User. User who can log in only to the SSL VPN portal.
• Guest User. User who can only view the wireless VPN firewall configuration (that is,
read-only access).
• IPSEC VPN User. A user who can make an IPSec VPN connection only through a
NETGEAR ProSafe VPN Client, and only when the XAUTH feature is enabled (see
Configure Extended Authentication (XAUTH) on page 233).
• L2TP User. A user who can connect over an L2TP connection to an L2TP client that
is located behind the wireless VPN firewall.
Select Group
The drop-down list shows the groups that are listed on the Group screen. From the
drop-down list, select the group to which the user is assigned. For information about
how to configure groups, see Configure Groups on page 293.
Note: The user is assigned to the domain that is associated with the selected group.
Password
The password that the user needs to enter to gain access to the wireless VPN firewall.
Confirm Password This field needs to be identical to the password that you entered in the Password field.
Idle Timeout
The period after which an idle user is automatically logged out of the web management
interface. The default idle time-out period is 5 minutes.
4. Click Apply to save your settings. The user is added to the List of Users table.
Manage Users, Authentication, and VPN Certificates
298
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To delete one or more user accounts:
1. In the List of Users table, select the check box to the left of each user account that you
want to delete, or click the Select All table button to select all accounts. You cannot
delete a default user account.
2. Click the Delete table button.
Note: You cannot delete the default admin or guest user.
Set User Login Policies
You can restrict the ability of defined users to log in to the wireless VPN firewall’s web
management interface. You can also require or prohibit logging in from certain IP addresses
or from particular browsers. This section consists of the following subsections:
•
Configure Login Policies
•
Configure Login Restrictions Based on IPv4 Addresses
•
Configure Login Restrictions Based on IPv6 Addresses
•
Configure Login Restrictions Based on Web Browser
Configure Login Policies

To configure user login policies:
1. Select Users > Users. The Users screen displays (see Figure 180 on page 297).
2. In the Action column of the List of Users table, click the Policies table button for the user for
which you want to set login policies. The policies submenu tabs display, with the Login
Policies screen in view:
Figure 182.
3. Make the following optional selections:
• To prohibit the user from logging in to the wireless VPN firewall, select the Disable
Login check box.
Manage Users, Authentication, and VPN Certificates
299
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
To prohibit the user from logging in from the WAN interface, select the Deny Login
from WAN Interface check box. In this case, the user can log in only from the LAN
interface.
Note: For security reasons, the Deny Login from WAN Interface check box
is selected by default for guests and administrators. The Disable
Login check box is disabled (masked out) for administrators.
4. Click Apply to save your settings.
Configure Login Restrictions Based on IPv4 Addresses

To restrict logging in based on IPv4 addresses:
1. Select Users > Users. The Users screen displays (see Figure 180 on page 297).
2. In the Action column of the List of Users table, click the Policies table button for the user for
which you want to set login policies. The policies submenu tabs display, with the Login
Policies screen in view.
3. Click the By Source IP Address submenu tab. In the upper right of the screen, the IPv4
radio button is selected by default. The By Source IP Address screen displays the IPv4
settings. (The following figure shows an IP address in the Defined Addresses table as an
example.)
Figure 183.
Manage Users, Authentication, and VPN Certificates
300
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
4. In the Defined Addresses Status section of the screen, select one of the following radio
buttons:
• Deny Login from Defined Addresses. Deny logging in from the IP addresses in the
Defined Addresses table.
•
Allow Login only from Defined Addresses. Allow logging in from the IP addresses
in the Defined Addresses table.
5. Click Apply to save your settings.
6. In the Add Defined Addresses section of the screen, add an address to the Defined
Addresses table by entering the settings as explained in the following table:
Table 74. Defined addresses settings for IPv4
Setting
Description
Source Address Type Select the type of address from the drop-down list:
• IP Address. A single IPv4 address.
• IP Network. A subnet of IPv4 addresses. You need to enter a netmask length in
the Mask Length field.
Network Address / IP
Address
Depending on your selection from the Source Address Type drop-down list, enter
the IP address or the network address.
Mask Length
For a network address, enter the netmask length (0–32).
Note: By default, a single IPv4 address is assigned a netmask length of 32.
7. Click the Add table button. The address is added to the Defined Addresses table.
8. Repeat Step 6 and Step 7 for any other addresses that you want to add to the Defined
Addresses table.

To delete one or more IPv4 addresses:
1. In the Defined Addresses table, select the check box to the left of each address that you
want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.
Configure Login Restrictions Based on IPv6 Addresses

To restrict logging in based on IPv6 addresses:
1. Select Users > Users. The Users screen displays (see Figure 180 on page 297).
2. In the Action column of the List of Users table, click the Policies table button for the user for
which you want to set login policies. The policies submenu tabs display, with the Login
Policies screen in view.
3. Click the By Source IP Address submenu tab.
4. In the upper right of the screen, select the IPv6 radio button. The By Source IP Address
screen displays the IPv6 settings. (The following figure shows an IP address in the Defined
Addresses table as an example.)
Manage Users, Authentication, and VPN Certificates
301
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 184.
5. In the Defined Addresses Status section of the screen, select one of the following radio
buttons:
• Deny Login from Defined Addresses. Deny logging in from the IP addresses in the
Defined Addresses table.
•
Allow Login only from Defined Addresses. Allow logging in from the IP addresses
in the Defined Addresses table.
6. Click Apply to save your settings.
7. In the Add Defined Addresses section of the screen, add an address to the Defined
Addresses table by entering the settings as explained in the following table:
Table 75. Defined addresses settings for IPv6
Setting
Description
Source Address Type Select the type of address from the drop-down list:
• IP Address. A single IPv6 address.
• IP Network. A subnet of IPv6 addresses. You need to enter a netmask length in
the Mask Length field.
Network Address / IP
Address
Depending on your selection from the Source Address Type drop-down list, enter
the IP address or the network address.
Prefix Length
For a network address, enter the prefix length (0–64).
Note: By default, a single IPv6 address is assigned a prefix length of 64.
8. Click the Add table button. The address is added to the Defined Addresses table.
Manage Users, Authentication, and VPN Certificates
302
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
9. Repeat Step 7 and Step 8 for any other addresses that you want to add to the Defined
Addresses table.

To delete one or more IPv6 addresses:
1. In the Defined Addresses table, select the check box to the left of each address that you
want to delete, or click the Select All table button to select all addresses.
2. Click the Delete table button.
Configure Login Restrictions Based on Web Browser

To restrict logging in based on the user’s browser:
1. Select Users > Users. The Users screen displays (see Figure 180 on page 297).
2. In the Action column of the List of Users table, click the Policies table button for the user for
which you want to set login policies. The policies submenu tabs display, with the Login
Policies screen in view.
3. Click the By Client Browser submenu tab. The By Client Browser screen displays. (The
following figure shows a browser in the Defined Browsers table as an example.)
Figure 185.
4. In the Defined Browsers Status section of the screen, select one of the following radio
buttons:
• Deny Login from Defined Browsers. Deny logging in from the browsers in the
Defined Browsers table.
•
Allow Login only from Defined Browsers. Allow logging in from the browsers in the
Defined Browsers table.
5. Click Apply to save your settings.
Manage Users, Authentication, and VPN Certificates
303
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
6. In the Add Defined Browser section of the screen, add a browser to the Defined Browsers
table by selecting one of the following browsers from the drop-down list:
• Internet Explorer.
•
Opera.
•
Netscape Navigator.
•
Firefox. Mozilla Firefox.
•
Mozilla. Other Mozilla browsers.
7. Click the Add table button. The browser is added to the Defined Browsers table.
8. Repeat Step 6 and Step 7 for any other browsers that you want to add to the Defined
Browsers table.

To delete one or more browsers:
1. In the Defined Browsers table, select the check box to the left of each browser that you
want to delete, or click the Select All table button to select all browsers.
2. Click the Delete table button.
Change Passwords and Other User Settings
For any user, you can change the password, user type, and idle time-out settings. Only
administrators have read/write access. All other users have read-only access.
Note: The default administrator and default guest passwords for the web
management interface are both password. NETGEAR recommends
that you change the password for the administrator account to a
more secure password, and that you configure a separate secure
password for the guest account.
Note: The ideal password should contain no dictionary words from any
language, and should be a mixture of letters (both uppercase and
lowercase), numbers, and symbols. Your password can be up to
32 characters.
Note: After a factory defaults reset, the password and time-out value are
changed back to password and 5 minutes, respectively.
Manage Users, Authentication, and VPN Certificates
304
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To modify user settings, including passwords:
1. Select Users > Users. The Users screen displays (see Figure 180 on page 297).
2. In the Action column of the List of Users table, click the Edit table button for the user for
which you want to modify the settings. The Edit Users screen displays:
Figure 186.
3. Change the settings as explained in the following table:
Note: Once established, you cannot change the user name or the group. If
you need to change the user name or the group, delete the user
account and recreate it with the correct name or group.
Table 76. Edit User screen settings
Setting
Description
Select User
Type
From the drop-down list, select one of the predefined user types that determines the
access credentials:
• SSL VPN User. User who can log in only to the SSL VPN portal.
• Administrator. User who has full access and the capacity to change the wireless VPN
firewall configuration (that is, read/write access).
• Guest (readonly). User who can only view the wireless VPN firewall configuration (that
is, read-only access).
• IPSEC VPN User. You cannot change an existing user from the IPSEC VPN User type
to another type or from another type to the IPSEC VPN User type.
• L2TP User. You cannot change an existing user from the L2TP User type to another
type. However, you can change an existing user from another type to the L2TP User
type.
Manage Users, Authentication, and VPN Certificates
305
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 76. Edit User screen settings (continued)
Setting
Description
Check to Edit
Password
Select this check box to make the password fields accessible to modify the password.
Idle Timeout
Enter Your Password
Enter the password with which you have logged in.
New Password
Enter the new password.
Confirm New Password
Reenter the new password for confirmation.
The period after which an idle user is automatically logged out of the web management
interface. The default idle time-out period is 5 minutes.
4. Click Apply to save your settings.
Manage Digital Certificates for VPN Connections
The wireless VPN firewall uses digital certificates (also known as X509 certificates) during
the Internet Key Exchange (IKE) authentication phase to authenticate connecting IPSec VPN
gateways or clients, or to be authenticated by remote entities:
•
On the wireless VPN firewall, you can enter a digital certificate on the IKE Policies screen,
on which the certificate is referred to as an RSA signature (see Figure 138 on page 220
and Authentication Method on page 223).
•
On the VPN Client, you can enter a digital certificate on the Authentication pane in the
Configuration Panel screen (see Figure 125 on page 208).
Digital certificates are extended for secure web access connections over HTTPS (that is, SSL
connections).
Digital certificates either can be self-signed or can be issued by certification authorities (CAs)
such as an internal Windows server or an external organization such as Verisign or Thawte.
However, if the digital certificate contains the extKeyUsage extension, the certificate needs to
be used for one of the purposes defined by the extension. For example, if the digital
certificate contains the extKeyUsage extension that is defined for SNMPv2, the same
certificate cannot be used for secure web management. The extKeyUsage would govern the
certificate acceptance criteria on the wireless VPN firewall when the same digital certificate is
being used for secure web management.
On the wireless VPN firewall, the uploaded digital certificate is checked for validity and
purpose. The digital certificate is accepted when it passes the validity test and the purpose
matches its use. The check for the purpose needs to correspond to its use for IPSec VPN,
SSL VPN, or both. If the defined purpose is for IPSec VPN and SSL VPN, the digital
certificate is uploaded to both the IPSec VPN certificate repository and the SSL VPN
certificate repository. However, if the defined purpose is for IPSec VPN only, the certificate is
uploaded only to the IPSec VPN certificate repository.
Manage Users, Authentication, and VPN Certificates
306
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The wireless VPN firewall uses digital certificates to authenticate connecting VPN gateways
or clients, and to be authenticated by remote entities. A digital certificate that authenticates a
server, for example, is a file that contains the following elements:
•
A public encryption key to be used by clients for encrypting messages to the server.
•
Information identifying the operator of the server.
•
A digital signature confirming the identity of the operator of the server. Ideally, the
signature is from a trusted third party whose identity can be verified.
You can obtain a digital certificate from a well-known commercial certification authority (CA)
such as Verisign or Thawte, or you can generate and sign your own digital certificate.
Because a commercial CA takes steps to verify the identity of an applicant, a digital certificate
from a commercial CA provides a strong assurance of the server’s identity. A self-signed
digital certificate triggers a warning from most browsers because it provides no protection
against identity theft of the server.
The wireless VPN firewall contains a self-signed digital certificate from NETGEAR. This
certificate can be downloaded from the wireless VPN firewall login screen for browser import.
However, NETGEAR recommends that you replace this digital certificate with a digital
certificate from a well-known commercial CA prior to deploying the wireless VPN firewall in
your network.
VPN Certificates Screen
To display the Certificates screen, select VPN > Certificates. Because of the large size of
this screen, and because of the way the information is presented, the Certificates screen is
divided and presented in this manual in three figures (Figure 187 on page 308, Figure 189 on
page 310, and Figure 191 on page 313).
The Certificates screen lets you to view the currently loaded digital certificates, upload a new
digital certificate, and generate a certificate signing request (CSR). The wireless VPN firewall
typically holds two types of digital certificates:
•
CA certificates. Each CA issues its own digital certificate to validate communication with
the CA and to verify the validity of digital certificates that are signed by the CA.
•
Self-signed certificates. The digital certificates that are issued to you by a CA to identify
your device.
The Certificates screen contains four tables that are explained in detail in the following
sections:
•
Trusted Certificates (CA Certificate) table. Contains the trusted digital certificates that
were issued by CAs and that you uploaded (see Manage VPN CA Certificates on this
page).
•
Active Self Certificates table. Contains the self-signed certificates that were issued by
CAs and that you uploaded (see Manage VPN Self-Signed Certificates on page 309).
•
Self Certificate Requests table. Contains the self-signed certificate requests that you
generated. These requests might or might not have been submitted to CAs, and CAs
might or might not have issued digital certificates for these requests. Only the self-signed
Manage Users, Authentication, and VPN Certificates
307
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
certificates in the Active Self Certificates table are active on the wireless VPN firewall
(see Manage VPN Self-Signed Certificates on page 309).
•
Certificate Revocation Lists (CRL) table. Contains the lists with digital certificates that
have been revoked and are no longer valid, that were issued by CAs, and that you
uploaded. Note, however, that the table displays only the active CAs and their critical
release dates. (see Manage the VPN Certificate Revocation List on page 313).
Manage VPN CA Certificates

To view and upload trusted certificates:
Select VPN > Certificates. The Certificates screen displays. (The following figure shows the
top section of the screen with the trusted certificate information and an example certificate in
the Trusted Certificates [CA Certificate] table.)
Figure 187. Certificates, screen 1 of 3
The Trusted Certificates (CA Certificate) table lists the digital certificates of CAs and contains
the following fields:

•
CA Identity (Subject Name). The organization or person to whom the digital certificate is
issued.
•
Issuer Name. The name of the CA that issued the digital certificate.
•
Expiry Time. The date after which the digital certificate becomes invalid.
To upload a digital certificate of a trusted CA on the wireless VPN firewall:
1. Download a digital certificate file from a trusted CA and store it on your computer.
2. In the Upload Trusted Certificates section of the screen, click the Browse button and
navigate to the trusted digital certificate file that you downloaded on your computer.
3. Click the Upload table button. If the verification process on the wireless VPN firewall
approves the digital certificate for validity and purpose, the digital certificate is added to the
Trusted Certificates (CA Certificates) table.
Manage Users, Authentication, and VPN Certificates
308
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To delete one or more digital certificates:
1. In the Trusted Certificates (CA Certificate) table, select the check box to the left of each
digital certificate that you want to delete, or click the Select All table button to select all
digital certificates.
2. Click the Delete table button.
Manage VPN Self-Signed Certificates
Instead of obtaining a digital certificate from a CA, you can generate and sign your own digital
certificate. However, a self-signed digital certificate triggers a warning from most browsers
because it provides no protection against identity theft of the server. (The following figure
shows an image of a browser security alert.)
There can be three reasons why a security alert is generated for a security certificate:
•
The security certificate was issued by a company you have not chosen to trust.
•
The date of the security certificate is invalid.
•
The name on the security certificate is invalid or does not match the name of the site.
When a security alert is generated, the user can decide whether or not to trust the host.
Figure 188.
Generate a CSR and Obtain a Self-Signed Certificate from a CA
To use a self-signed certificate, you first need to request the digital certificate from a CA, and
then download and activate the digital certificate on the wireless VPN firewall. To request a
self-signed certificate from a CA, you need to generate a certificate signing request (CSR) for
and on the wireless VPN firewall. The CSR is a file that contains information about your
company and about the device that holds the certificate. Refer to the CA for guidelines about
the information that you need to include in your CSR.
Manage Users, Authentication, and VPN Certificates
309
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To generate a new CSR file, obtain a digital certificate from a CA, and upload it to the
wireless VPN firewall:
1. Select VPN > Certificates. The Certificates screen displays. The following figure shows
the middle section of the screen with the Active Self Certificates section, Generate Self
Certificate Request section, and Self Certificate Requests section. (The Self Certificate
Requests table contains an example certificate.)
Figure 189. Certificates, screen 2 of 3
2. In the Generate Self Certificate Request section of the screen, enter the settings as
explained in the following table:
Table 77. Generate self-signed certificate request settings
Setting
Description
Name
A descriptive name of the domain for identification and management purposes.
Subject
The name that other organizations see as the holder (owner) of the certificate. In
general, use your registered business name or official company name for this
purpose.
Note: Generally, all of your certificates should have the same value in the
Subject field.
Manage Users, Authentication, and VPN Certificates
310
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 77. Generate self-signed certificate request settings (continued)
Setting
Description
Hash Algorithm
From the drop-down list, select one of the following hash algorithms:
• MD5. A 128-bit (16-byte) message digest, slightly faster than SHA-1.
• SHA-1. A 160-bit (20-byte) message digest, slightly stronger than MD5.
Signature Algorithm
Although this seems to be a drop-down list, the only possible selection is RSA. In
other words, RSA is the default to generate a CSR.
Signature Key Length
From the drop-down list, select one of the following signature key lengths in bits:
• 512
• 1024
• 2048
Note: Larger key sizes might improve security, but might also decrease
performance.
Optional Fields
IP Address
Enter your fixed (static) IP address. If your IP address is
dynamic, leave this field blank.
Domain Name
Enter your Internet domain name, or leave this field blank.
E-mail Address
Enter the email address of a technical contact in your
company.
3. Click the Generate table button. A new SCR is created and added to the Self Certificate
Requests table.
4. In the Self Certificate Requests table, click the View table button in the Action column to
view the new SCR. The Certificate Request Data screen displays:
Figure 190.
Manage Users, Authentication, and VPN Certificates
311
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
5. Copy the contents of the Data to supply to CA text field into a text file, including all of the
data contained from “-----BEGIN CERTIFICATE REQUEST-----” to “-----END CERTIFICATE
REQUEST-----.”
6. Submit your SCR to a CA:
a. Connect to the website of the CA.
b. Start the SCR procedure.
c. When prompted for the requested data, copy the data from your saved text file
(including “-----BEGIN CERTIFICATE REQUEST-----” and “-----END CERTIFICATE
REQUEST-----”).
d. Submit the CA form. If no problems ensue, the digital certificate is issued by the CA.
7. Download the digital certificate file from the CA, and store it on your computer.
8. Return to the Certificates screen (see Figure 189 on page 310) and locate the Self
Certificate Requests section.
9. Select the check box next to the self-signed certificate request.
10. Click the Browse button and navigate to the digital certificate file from the CA that you just
stored on your computer.
11. Click the Upload table button. If the verification process on the wireless VPN firewall
approves the digital certificate for validity and purpose, the digital certificate is added to the
Active Self Certificates table.

To delete one or more SCRs:
1. In the Self Certificate Requests table, select the check box to the left of each SCR that
you want to delete, or click the Select All table button to select all SCRs.
2. Click the Delete table button.
View and Manage Self-Signed Certificates
The Active Self Certificates table on the Certificates screen (see Figure 189 on page 310)
shows the digital certificates issued to you by a CA and available for use. For each
self-signed certificate, the table lists the following information:

•
Name. The name that you used to identify this digital certificate.
•
Subject Name. The name that you used for your company and that other organizations
see as the holder (owner) of the certificate.
•
Serial Number. This is a serial number maintained by the CA. It is used to identify the
digital certificate with the CA.
•
Issuer Name. The name of the CA that issued the digital certificate.
•
Expiry Time. The date on which the digital certificate expires. You should renew the
digital certificate before it expires.
To delete one or more self-signed certificates:
1. In the Active Self Certificates table, select the check box to the left of each self-signed
certificate that you want to delete, or click the Select All table button to select all
self-signed certificates.
Manage Users, Authentication, and VPN Certificates
312
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Click the Delete table button.
Manage the VPN Certificate Revocation List
A Certificate Revocation List (CRL) file shows digital certificates that have been revoked and
are no longer valid. Each CA issues its own CRLs. It is important that you keep your CRLs
up-to-date. You should obtain the CRL for each CA regularly.

To view the currently loaded CRLs and upload a new CRL:
1. Select VPN > Certificates. The Certificates screen displays. The following figure shows
the bottom section of the screen with the Certificate Revocation Lists (CRL) table.
(There is one example certificate in the table.)
Figure 191. Certificates, screen 3 of 3
The Certificate Revocation Lists (CRL) table lists the active CAs and their critical release
dates:
•
CA Identity. The official name of the CA that issued the CRL.
•
Last Update. The date when the CRL was released.
•
Next Update. The date when the next CRL will be released.
2. In the Upload CRL section, click the Browse button and navigate to the CLR file that you
previously downloaded from a CA.
3. Click the Upload table button. If the verification process on the wireless VPN firewall
approves the CRL, the CRL is added to the Certificate Revocation Lists (CRL) table.
Note: If the table already contains a CRL from the same CA, the old CRL
is deleted when you upload the new CRL.

To delete one or more CRLs:
1. In the Certificate Revocation Lists (CRL) table, select the check box to the left of each
CRL that you want to delete, or click the Select All table button to select all CRLs.
2. Click the Delete table button.
Manage Users, Authentication, and VPN Certificates
313
9.
Network and System Management
9
This chapter describes the tools for managing the network traffic to optimize its performance and
the system management features of the wireless VPN firewall. This chapter contains the
following sections:
•
Performance Management
•
System Management
Performance Management
Performance management consists of controlling the traffic through the wireless VPN firewall
so that the necessary traffic gets through when there is a bottleneck. You can either reduce
unnecessary traffic or reschedule some traffic to low-peak times to prevent bottlenecks from
occurring in the first place. The wireless VPN firewall has the necessary features and tools to
help the network manager accomplish these goals.
Bandwidth Capacity
The maximum bandwidth capacity of the wireless VPN firewall in each direction is as follows:
•
LAN side. 8000 Mbps (eight LAN ports at 1000 Mbps each).
•
WAN side. 1000 Mbps (one active WAN port at 1000 Mbps).
In practice, the WAN-side bandwidth capacity is much lower when DSL or cable modems are
used to connect to the Internet: The typical traffic rate is 1.5 Mbps. As a result, and
depending on the traffic that is being carried, the WAN side of the wireless VPN firewall is the
limiting factor for the data rate for most installations.
Features That Reduce Traffic
You can adjust the following features of the wireless VPN firewall in such a way that the
traffic load on the WAN side decreases:
•
LAN WAN outbound rules (also referred to as service blocking)
•
DMZ WAN outbound rules (also referred to as service blocking)
314
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
Content filtering
•
Source MAC filtering
LAN WAN Outbound Rules and DMZ WAN Outbound Rules (Service Blocking)
You can control specific outbound traffic (from LAN to WAN and from the DMZ to WAN). The
LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for outbound
traffic. If you have not defined any rules, only the default rule is listed. The default rule allows
all outgoing traffic. Any outbound rule that you create restricts outgoing traffic and therefore
decreases the traffic load on the WAN side.
WARNING:
This feature is for advanced administrators. Incorrect
configuration might cause serious problems.
Each rule lets you specify the desired action for the connections that are covered by the rule:
•
BLOCK always
•
BLOCK by schedule, otherwise allow
•
ALLOW always
•
ALLOW by schedule, otherwise block
The following section summarizes the various criteria that you can apply to outbound rules in
order to reduce traffic. For more information about outbound rules, see Outbound Rules
(Service Blocking) on page 127. For detailed procedures on how to configure outbound rules,
see Configure LAN WAN Rules on page 135 and Configure DMZ WAN Rules on page 142.
When you define outbound firewall rules, you can further refine their application according to
the following criteria:
•
Services. You can specify the services or applications to be covered by an outbound
rule. If the desired service or application does not display in the list, you need to define it
using the Services screen (see Outbound Rules (Service Blocking) on page 127 and Add
Customized Services on page 168).
•
LAN users. You can specify which computers on your network are affected by an
outbound rule. There are several options:
-
Any. The rule applies to all computers and devices on your LAN.
-
Single address. The rule applies to the address of a particular computer.
-
Address range. The rule applies to a range of addresses.
-
Groups. The rule applies to a group of computers. (You can configure groups for LAN
WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs and
Devices table is an automatically maintained list of all known computers and network
devices and is generally referred to as the network database, which is described in
Manage the Network Database on page 65. Computers and network devices are
entered into the network database by various methods, which are described in
Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 64.
Network and System Management
315
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
WAN users. You can specify which Internet locations are covered by an outbound rule,
based on their IP address:
-
Any. The rule applies to all Internet IP address.
-
Single address. The rule applies to a single Internet IP address.
-
Address range. The rule applies to a range of Internet IP addresses.
•
Schedule. You can configure three different schedules to specify when a rule is applied.
Once a schedule is configured, it affects all rules that use this schedule. You specify the
days of the week and time of day for each schedule. For more information, see Set a
Schedule to Block or Allow Specific Traffic on page 178.
•
QoS profile. You can apply QoS profiles to outbound rules to regulate the priority of
traffic. For information about QoS profiles, see Preconfigured Quality of Service Profiles
on page 173.
•
Bandwidth profile. You can define bandwidth profiles and then apply them outbound
LAN WAN rules to limit traffic. (You cannot apply bandwidth profiles to DMZ WAN rules.)
For information about how to define bandwidth profiles, see Create Bandwidth Profiles on
page 171.
Content Filtering
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use
the wireless VPN firewall’s content-filtering feature. By default, this feature is disabled; all
requested traffic from any website is allowed with the exception of web content categories
that are mentioned in Configure Content Filtering on page 174.
The wireless VPN firewall provides the following methods to filter web content in order to
reduce traffic:
•
Keyword blocking. You can specify words that, should they appear in the website name
(URL) or newsgroup name, cause that site or newsgroup to be blocked by the wireless
VPN firewall.
•
Web object blocking. You can block the following web component types: embedded
objects (ActiveX and Java), proxies, and cookies.
To further narrow down the content filtering, you can configure groups to which the
content-filtering rules apply and trusted domains for which the content-filtering rules do not
apply.
Source MAC Filtering
If you want to reduce outgoing traffic by preventing Internet access by certain computers on
the LAN, you can use the source MAC filtering feature to drop the traffic received from the
computers with the specified MAC addresses. By default, this feature is disabled; all traffic
received from computers with any MAC address is allowed. See Enable Source MAC
Filtering on page 179 for the procedure on how to use this feature.
Network and System Management
316
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Features That Increase Traffic
The following features of the wireless VPN firewall tend to increase the traffic load on the
WAN side:
•
LAN WAN inbound rules (also referred to as port forwarding)
•
DMZ WAN inbound rules (also referred to as port forwarding)
•
Port triggering
•
Enabling the DMZ port
•
Configuring exposed hosts
•
Configuring VPN tunnels
LAN WAN Inbound Rules and DMZ WAN Inbound Rules (Port Forwarding)
The LAN WAN Rules screen and the DMZ WAN Rules screen list all existing rules for
inbound traffic (from WAN to LAN and from WAN to the DMZ). If you have not defined any
rules, only the default rule is listed. The default rule blocks all access from outside except
responses to requests from the LAN side. Any inbound rule that you create allows additional
incoming traffic and therefore increases the traffic load on the WAN side.
WARNING:
This feature is for advanced administrators. Incorrect
configuration might cause serious problems.
Each rule lets you specify the desired action for the connections covered by the rule:
•
BLOCK always
•
BLOCK by schedule, otherwise allow
•
ALLOW always
•
ALLOW by schedule, otherwise block
The following section summarizes the various criteria that you can apply to inbound rules and
that might increase traffic. For more information about inbound rules, see Inbound Rules
(Port Forwarding) on page 130. For detailed procedures on how to configure inbound rules,
see Configure LAN WAN Rules on page 135 and Configure DMZ WAN Rules on page 142.
When you define inbound firewall rules, you can further refine their application according to
the following criteria:
•
Services. You can specify the services or applications to be covered by an inbound rule.
If the desired service or application does not display in the list, you need to define it using
the Services screen (see Inbound Rules (Port Forwarding) on page 130 and Add
Customized Services on page 168).
•
WAN destination IP address. You can specify the destination IP address for incoming
traffic. Traffic is directed to the specified address only when the destination IP address of
the incoming packet matches the IP address of the selected WAN interface.
Network and System Management
317
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
•
LAN users. You can specify which computers on your network are affected by an
inbound rule. There are several options:
-
Any. The rule applies to all computers and devices on your LAN.
-
Single address. The rule applies to the address of a particular computer.
-
Address range. The rule applies to a range of addresses.
-
Groups. The rule is applied to a group of computers. (You can configure groups for
LAN WAN outbound rules but not for DMZ WAN outbound rules.) The Known PCs
and Devices table is an automatically maintained list of all known computers and
network devices and is generally referred to as the network database, which is
described in Manage the Network Database on page 65. Computers and network
devices are entered into the network database by various methods, which are
described in Manage IPv4 Groups and Hosts (IPv4 LAN Groups) on page 64.
WAN users. You can specify which Internet locations are covered by an inbound rule,
based on their IP address:
-
Any. The rule applies to all Internet IP address.
-
Single address. The rule applies to a single Internet IP address.
-
Address range. The rule applies to a range of Internet IP addresses.
•
Schedule. You can configure three different schedules to specify when a rule is applied.
Once a schedule is configured, it affects all rules that use this schedule. You specify the
days of the week and time of day for each schedule. For more information, see Set a
Schedule to Block or Allow Specific Traffic on page 178.
•
Bandwidth profile. You can define bandwidth profiles and then apply them to inbound
LAN WAN rules to limit traffic. (You cannot apply bandwidth profiles to DMZ WAN rules.)
For information about how to define bandwidth profiles, see Create Bandwidth Profiles on
page 171.
Port Triggering
Port triggering allows some applications running on a LAN network to be available to external
applications that would otherwise be partially blocked by the firewall. Using the port-triggering
feature requires that you know the port numbers used by the application. Without port
triggering, the response from the external application would be treated as a new connection
request rather than a response to a request from the LAN network. As such, it would be
handled in accordance with the inbound port-forwarding rules, and most likely would be
blocked.
For the procedure on how to configure port triggering, see Configure Port Triggering on
page 185.
DMZ Port
The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions
when compared to the LAN. The DMZ can be used to host servers (such as a web server,
FTP server, or email server) and provide public access to them. The eighth LAN port on the
wireless VPN firewall (the rightmost LAN port) can be dedicated as a hardware DMZ port to
Network and System Management
318
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
safely provide services to the Internet without compromising security on your LAN. By
default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the
DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN
ports.
For information about how to enable the DMZ port, see Enable and Configure the DMZ Port
for IPv4 and IPv6 Traffic on page 82. For the procedures about how to configure DMZ traffic
rules, see Configure DMZ WAN Rules on page 142.
Exposed Hosts
Specifying an exposed host allows you to set up a computer or server that is available to
anyone on the Internet for services that you have not yet defined. For an example of how to
set up an exposed host, see IPv4 LAN WAN or IPv4 DMZ WAN Inbound Rule: Specifying an
Exposed Host on page 159.
VPN and L2TP Tunnels
The wireless VPN firewall supports site-to-site IPSec VPN tunnels, dedicated SSL VPN
tunnels, and L2TP tunnels. Each tunnel requires extensive processing for encryption and
authentication, thereby increasing traffic through the WAN ports.
For information about IPSec VPN tunnels, see Chapter 6, Virtual Private Networking
Using IPSec and L2TP Connections. For information about SSL VPN tunnels, see Chapter 7,
Virtual Private Networking Using SSL Connections.
Use QoS and Bandwidth Assignment to Shift the Traffic Mix
By setting the QoS priority and assigning bandwidth profiles to firewall rules, you can shift the
traffic mix to aim for optimum performance of the wireless VPN firewall.
Set QoS Priorities
The QoS priority settings determine the quality of service for the traffic passing through the
wireless VPN firewall. You can assign a QoS priority to LAN WAN and DMZ WAN outbound
firewall rules. The QoS is set individually for each firewall rule. You can change the mix of
traffic through the WAN ports by granting some services a higher priority than others:
•
You can accept the default priority defined by the service itself by not changing its QoS
priority.
•
You can change the priority to a higher or lower value than its default setting to give the
service higher or lower priority than it otherwise would have.
For more information about QoS profiles, see Preconfigured Quality of Service Profiles on
page 173.
Network and System Management
319
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Assign Bandwidth Profiles
When you set the QoS priority, the WAN bandwidth does not change. You change the WAN
bandwidth that is assigned to a service or application by applying a bandwidth profile to a
LAN WAN inbound or outbound rule. The purpose of bandwidth profiles is to provide a
method for allocating and limiting traffic, thus allocating LAN users sufficient bandwidth while
preventing them from consuming all the bandwidth on your WAN links.
For more information about bandwidth profiles, see Create Bandwidth Profiles on page 171.
Monitoring Tools for Traffic Management
The wireless VPN firewall includes several tools that can be used to monitor the traffic
conditions of the firewall and content-filtering engine and to monitor the users’ access to the
Internet and the types of traffic that they are allowed to have. See Chapter 10, Monitor
System Access and Performance, for a description of these tools.
System Management
System management tasks are described in the following sections:
•
Change Passwords and Administrator and Guest Settings
•
Configure Remote Management Access
•
Use a Simple Network Management Protocol Manager
•
Manage the Configuration File
•
Update the Firmware
•
Configure Date and Time Service
Change Passwords and Administrator and Guest Settings
The default administrator and default guest passwords for the web management interface are
both password. NETGEAR recommends that you change the password for the administrator
account to a more secure password, and that you configure a separate secure password for
the guest account.
Note: For general information about user accounts, passwords, and login
settings, see Configure User Accounts on page 296 and Set User
Login Policies on page 299.
Network and System Management
320
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To modify the administrator and guest passwords and idle time-out settings:
1. Select Users > Users. The Users screen displays. (The following figure shows the
wireless VPN firewall’s default users—admin and guest—and, as an example, several
other users in the List of Users table.)
Figure 192.
2. In the Action column of the List of Users table, click the Edit table button for the user with
the name admin. The Edit Users screen displays:
Figure 193.
You cannot modify the administrator user name, user type, or group assignment.
3. Select the Check to Edit Password check box. The password fields become available.
4. Enter the old password, enter the new password, and then confirm the new password.
Network and System Management
321
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: The ideal password should contain no dictionary words from any
language, and should be a mixture of letters (both uppercase and
lowercase), numbers, and symbols. Your password can be up to
32 characters.
5. As an option, you can change the idle time-out for an administrator login session. Enter a
new number of minutes in the Idle Timeout field. (The default setting is 5 minutes.)
6. Click Apply to save your settings.
7. Repeat Step 1 through Step 6 for the user with the name guest.
Note: After a factory defaults reset, the password and time-out value are
changed back to password and 5 minutes, respectively.
You can also change the administrator login policies:
•
Disable login. Deny login access.
Note: You obviously do not want to deny login access to yourself if you are
logged in as an administrator.
•
Deny login access from a WAN interface. By default, the administrator cannot log in from
a WAN interface. You can change this setting to allow login access from a WAN interface.
•
Deny or allow login access from specific IP addresses. By default, the administrator can
log in from any IP address.
Note: For enhanced security, restrict access to as few external IP
addresses as practical.
•
Deny or allow login access from specific browsers. By default, the administrator can log in
from any browser.
In general, these policy settings work well for an administrator. However, you can change the
administrator login policies as explained in Set User Login Policies on page 299.
Configure Remote Management Access
An administrator can configure, upgrade, and check the status of the wireless VPN firewall
over the Internet through a Secure Sockets Layer (SSL) VPN connection.
Network and System Management
322
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: When remote management is enabled and administrative access
through a WAN interface is granted (see Configure Login Policies on
page 299), the wireless VPN firewall’s web management interface is
accessible to anyone who knows its IP address and default
password. Because a malicious WAN user can reconfigure the
wireless VPN firewall and misuse it in many ways, NETGEAR highly
recommends that you change the admin and guest default
passwords before continuing (see Change Passwords and
Administrator and Guest Settings on page 320).

To configure the wireless VPN firewall for remote management:
1. Select Administration > Remote Management. The Remote Management screen
displays the IPv4 settings (see the next screen).
2. Specify the IP version for which you want to configure remote management:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default. Go to Step 3.
Figure 194. Remote Management screen for IPv4
Network and System Management
323
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
IPv6. Select the IPv6 radio button. The Remote Management screen displays the
IPv6 settings:
Figure 195. Remote Management screen for IPv6
Network and System Management
324
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
3. Enter the settings as explained in the following table:
Table 78. Remote Management screen settings for IPv4 and IPv6
Setting
Description
Secure HTTP Management
Allow Secure HTTP To enable secure HTTP management, select the Yes radio button, which is the
Management?
default setting. To disable secure HTTP management, select the No radio button.
Specify the addresses through which access is allowed by selecting one of the
following radio buttons:
• Everyone. There are no IP address restrictions.
• IP address range. Only users who use devices in the specified IP address range
can securely manage over an HTTP connection. In the From fields, type the start IP
address of the range; in the To fields, type the end IP address of the range.
• Only this PC. Only a user who uses the device with the specified IP address can
securely manage over an HTTP connection. Type the IP address in the fields.
Allow Secure HTTP Port Number
Management?
(continued)
Enter the port number through which access is allowed. The default
port number is 443.
Note: The URL through which you can securely manage over an
HTTP connection displays below the Port Number field.
Telnet Management
Allow Telnet
Management?
To enable Telnet management, select the Yes radio button. To disable Telnet
management, select the No radio button, which is the default setting.
Specify the addresses through which access is allowed by selecting one of the
following radio buttons:
• Everyone. There are no IP address restrictions.
• IP address range. Only users who use devices in the specified IP address range
can manage over a Telnet connection. In the From fields, type the start IP address
of the range; in the To fields, type the end IP address of the range.
• Only this PC. Only a user who uses the device with the specified IP address can
manage over a Telnet connection. Type the IP address in the fields.
WARNING:
If you are remotely connected to the wireless VPN firewall and you
select the No radio button to disable secure HTTP management,
you and all other SSL VPN users are disconnected when you click
Apply.
4. Click Apply to save your changes.
Network and System Management
325
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
About Remote Access
When remote management is enabled, you need to use an SSL connection to access the
wireless VPN firewall from the Internet. You need to enter https:// (not http://) and type the
wireless VPN firewall’s WAN IP address and port number in your browser. For example, if the
wireless VPN firewall’s WAN IP address is 192.168.15.175 and the port number is 443, type
the following in your browser: https://192.168.15.175:443.
The wireless VPN firewall’s remote login URL is:
https://<IP_address>:<port_number> or
https://<FullyQualifiedDomainName>:<port_number>
The IP address can be an IPv4 or IPv6 address.
With respect to security, note the following:
•
For enhanced security, restrict access to as few external IP addresses as practical. See
Set User Login Policies on page 299 for instructions on restricting administrator access
by IP address.
•
To maintain security, the wireless VPN firewall rejects a login that uses http://address
rather than the SSL https://address.
•
The first time that you remotely connect to the wireless VPN firewall with a browser
through an SSL connection, you might get a warning message regarding the SSL
certificate. If you are using a Windows computer with Internet Explorer 7.0 or later, simply
click Yes to accept the certificate.
Tip: If you are using a Dynamic DNS service such as TZO, you can identify
the WAN IP address of your wireless VPN firewall by running tracert
from the Windows Run menu option. Trace the route to your registered
FQDN. For example, enter tracert wireless VPN
firewall.mynetgear.net, and the WAN IP address that your ISP
assigned to the wireless VPN firewall is displayed.
Use a Simple Network Management Protocol Manager
Simple Network Management Protocol (SNMP) forms part of the Internet Protocol Suite as
defined by the Internet Engineering Task Force (IETF). SNMP is used in network
management systems to monitor network-attached devices for conditions that warrant
administrative attention.
SNMP exposes management data in the form of variables on the managed systems, which
describe the system configuration. These variables can then be queried (and sometimes set)
by managing applications.
SNMP lets you monitor and manage your wireless VPN firewall from an SNMP manager. It
provides a remote means to monitor and control network devices, and to manage
configurations, statistics collection, performance, and security.
Network and System Management
326
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To configure the SNMP settings:
1. Select Administration > SNMP. The SNMP screen displays. (The following figure
contains an example.)
Figure 196.
The SNMP Configuration table shows the following columns:
•
IP Address. The IP address of the SNMP manager.
•
Subnet Mask. The subnet mask of the SNMP manager.
•
Port. The trap port number of the SNMP manager.
•
Community. The trap community string of the SNMP manager.
2. To specify a new SNMP configuration, in the Create New SNMP Configuration Entry section
of the screen, enter the settings as explained in the following table:
Table 79. SNMP screen settings
Setting
Description
IP Address
Enter the IP address of the new SNMP manager.
Subnet Mask
Enter the subnet mask of the new SNMP manager.
Note the following:
• If you want to narrow down the number of devices that can access the wireless
VPN firewall through the host IP address and receive traps, enter an IP address
with a subnet mask of 255.255.255.252.
• If you want to allow a subnet to access the wireless VPN firewall through the host
IP address and receive traps, enter an IP address with a subnet mask of
255.0.0.0. The traps are received at the IP address, but almost the entire subnet
has access through the community string.
Port
Enter the port number of the new SNMP manager. The default port number is 162.
Community
Enter the community string that allows the SNMP manager access to the MIB
objects of the wireless VPN firewall for the purpose of reading only.
3. Click Add to add the new SNMP configuration to the SNMP Configuration table.
Network and System Management
327
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To edit an SNMP configuration:
1. On the SNMP screen (see the previous figure), click the Edit button in the Action
column for the SNMP configuration that you want to modify. The Edit SNMP screen
displays:
Figure 197.
2. Modify the settings as explained in the previous table.
3. Click Apply to save your settings.

To delete one or more SNMP configurations:
1. On the SNMP screen (see Figure 196 on page 327), select the check box to the left of
each SNMP configuration that you want to delete, or click the Select All table button to
select all SNMP configurations.
2. Click the Delete table button.

To configure the SNMP system information:
1. On the SNMP screen (see Figure 196 on page 327), click the SNMP System Info option
arrow in the upper right of the screen. The SNMP SysConfiguration screen displays:
Figure 198.
Network and System Management
328
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Enter the settings as explained in the following table:
Table 80. SNMP SysConfiguration screen settings
Setting
Description
SysContact
Enter the SNMP system contact information that is available to the SNMP manager.
This setting is optional.
SysLocation
Enter the physical location of the wireless VPN firewall. This setting is optional.
SysName
Enter the name of the wireless VPN firewall for SNMP identification purposes. The
default name is FVS318N.
3. Click Apply to save your changes.
Manage the Configuration File
The configuration settings of the wireless VPN firewall are stored in a configuration file on the
wireless VPN firewall. This file can be saved (backed up) to a computer, retrieved (restored)
from the computer, cleared to factory default settings, or upgraded to a new version.
Once the wireless VPN firewall is installed and works correctly, make a backup of the
configuration file to a computer. If necessary, you can later restore the wireless VPN firewall
settings from this file.
The Backup & Restore Settings screen lets you:
•
Back up and save a copy of the current settings (see Back Up Settings on page 330)
•
Restore saved settings from the backed-up file (see Restore Settings on page 331)
•
Revert to the factory default settings (see Revert to Factory Default Settings on
page 331)
•
Update the firmware (see Update the Firmware on page 332)
To display the Settings Backup and Firmware Upgrade screen, select Administration >
Settings Backup & Upgrade.
Network and System Management
329
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 199.
Back Up Settings
The backup feature saves all wireless VPN firewall settings to a file. Back up your settings
periodically, and store the backup file in a safe place.
Tip: You can use a backup file to export all settings to another wireless VPN
firewall that has the same language and management software versions.
Remember to change the IP address of the second wireless VPN firewall
before deploying it to eliminate IP address conflicts on the network.

To back up settings:
1. On the Settings Backup and Firmware Upgrade screen (see the previous figure), next to
Save a copy of current settings, click the Backup button to save a copy of your current
settings. A screen displays, showing the file name of the backup file (FVS318N.cfg).
2. Select Save file, and then click OK.
3. Open the folder in which you have saved the backup file, and then verify that it has been
saved successfully.
Note the following:
•
If your browser is not configured to save downloaded files automatically, locate the folder
in which you want to save the file, specify the file name, and save the file.
•
If your browser is configured to save downloaded files automatically, the file is saved to
your browser’s download location on the hard disk.
Network and System Management
330
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Restore Settings
WARNING:
Restore only settings that were backed up from the same software
version. Restoring settings from a different software version can
corrupt your backup file or the wireless VPN firewall system
software.

To restore settings from a backup file:
1. On the Settings Backup and Firmware Upgrade screen (see the previous figure), next to
Restore saved settings from file, click Browse.
2. Locate and select the previously saved backup file (by default, FVS318N.cfg).
3. After you have selected the file, click the Restore button. A warning message might display,
and you might have to confirm that you want to restore the configuration.
The wireless VPN firewall reboots. During the reboot process, the Settings Backup and
Firmware Upgrade screen might remain visible, or a status message with a counter might
show the number of seconds left until the reboot process is complete. The reboot process
takes about 165 seconds. (If you can see the unit: The reboot process is complete when the
Test LED on the front panel goes off.)
WARNING:
Once you start restoring settings, do not interrupt the process. Do
not try to go online, turn off the wireless VPN firewall, shut down
the computer, or do anything else to the wireless VPN firewall until
the settings have been fully restored.
Revert to Factory Default Settings

To reset the wireless VPN firewall to the original factory defaults settings:
Use one of the following two methods:
•
Using a sharp object, press and hold the factory default Reset button on the rear panel of
the wireless VPN firewall (see Rear Panel on page 18) for about 8 seconds until the Test
LED turns on and begins to blink (about 30 seconds). To restore the factory default
settings when you do not know the administration password or IP address, you need to
use the factory default Reset button method.
•
On the Settings Backup and Firmware Upgrade screen (see the previous figure), next to
Revert to factory defaults settings, click the Default button, and confirm your selection.
The wireless VPN firewall reboots. If you use the software Default button, the Settings
Backup and Firmware Upgrade screen might remain visible during the reboot process, or a
status message with a counter might show the number of seconds left until the reboot
Network and System Management
331
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
process is complete. The reboot process takes about 165 seconds. (If you can see the unit:
The reboot process is complete when the Test LED on the front panel goes off.)
WARNING:
When you press the hardware factory default Reset button or click
the software Default button, the wireless VPN firewall settings are
erased. All firewall rules, VPN policies, LAN and WAN settings,
and other settings are lost. Back up your settings if you intend on
using them.
Note: After you reboot with factory default settings, the wireless VPN
firewall’s password is password, and the LAN IP address is
192.168.1.1.
Update the Firmware
You can install a different version of the wireless VPN firewall firmware from the Settings
Backup and Firmware Upgrade screen. To view the current version of the firmware that the
wireless VPN firewall is running, from the main menu, select Monitoring. The Router Status
screen displays, showing the firmware version in the System Info section of the screen. After
you have updated the firmware, the new firmware version is displayed.

To download a firmware version and upgrade the firmware:
1. Go to the NETGEAR website at http://support.netgear.com.
2. Navigate to the FVS318N support page, and click the Downloads tab.
3. Click the desired firmware version to reach the download page. Be sure to read the release
notes on the download page before upgrading the wireless VPN firewall’s software.
4. On the Settings Backup and Firmware Upgrade screen of the wireless VPN firewall (see the
previous figure), in the Router Upgrade section, click Browse.
5. Locate and select the downloaded firmware file.
6. Click Upload. The upgrade process starts.
During the upgrade process, the Settings Backup and Firmware Upgrade screen remains
visible and a status bar shows the progress of the upgrade process. The upgrade process
can take up to 10 minutes. When the status bar shows that the upgrade process is
complete, it can take another 10 minutes before the wireless VPN firewall reboots.
Network and System Management
332
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
WARNING:
After you have started the firmware installation process, do not
interrupt the process. Do not try to go online, turn off the wireless
VPN firewall, or do anything else to the wireless VPN firewall until
the wireless VPN firewall has fully rebooted.
7. When the reboot process is complete, log in to the wireless VPN firewall again. (If you can
see the unit: The reboot process is complete when the Test LED on the front panel goes off.)
8. Select Monitoring. The Router Status screen displays, showing the new firmware
version in the System Info section of the screen.
Note: In some cases, such as a major upgrade, it might be necessary to
erase the configuration and manually reconfigure your wireless VPN
firewall after upgrading it. See the firmware release notes that
NETGEAR makes available.
Configure Date and Time Service
Configure date, time, and NTP server designations on the System Date & Time screen.
Network Time Protocol (NTP) is a protocol that is used to synchronize computer clock times
in a network of computers. Setting the correct system time and time zone ensures that the
date and time recorded in the wireless VPN firewall logs and reports are accurate.

To set time, date, and NTP servers:
1. Select Administration > Time Zone. The Time Zone screen displays:
Figure 200.
Network and System Management
333
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The bottom of the screen display the current weekday, date, time, time zone, and year (in
the example in the previous figure: Current Time: Tue Mar 6 22:48:17 GMT-0800 2012).
2. Enter the settings as explained in the following table:
Table 81. Time Zone screen settings
Setting
Description
Date/Time
From the drop-down list, select the local time zone in which the wireless VPN
firewall operates. The correct time zone is required in order for scheduling to
work correctly.
Automatically Adjust for
Daylight Savings Time
If daylight saving time is supported in your region, select the Automatically
Adjust for Daylight Savings Time check box. By default, the check box is
disabled.
Force IPv6 address
resolution for servers
Select this check box to force the use of IPv6 addresses and FQDN (domain
name) resolution in the Server 1 Name / IP Address and Server 2 Name / IP
Address fields when you have selected the Use Custom NTP Servers radio
button.
NTP Server (default or
custom)
From the drop-down list, select an NTP server:
• Use Default NTP Servers. The wireless VPN firewall regularly updates its
RTC by contacting a default NETGEAR NTP server on the Internet.
• Use Custom NTP Servers. The wireless VPN firewall regularly updates its
RTC by contacting one of two custom NTP servers (primary and backup),
both of which you need to specify in the fields that become available with this
selection.
Note: If you select the Use Custom NTP Servers option but leave either the
Server 1 or Server 2 field blank, both fields are set to the default NETGEAR
NTP servers.
Note: A list of public NTP servers is available at
http://support.ntp.org/bin/view/Servers/WebHome.
Server 1 Name / IP Address
Enter the IP address or host name of the primary
NTP server.
Server 2 Name / IP Address
Enter the IP address or host name of the backup
NTP server.
3. Click Apply to save your settings.
Note: If you select the default NTP servers or if you enter a custom server
FQDN, the wireless VPN firewall determines the IP address of the
NTP server by performing a DNS lookup. Before the wireless VPN
firewall can perform this lookup, you need to configure a DNS server
address on the Broadband ISP Settings screen (see Manually
Configure an IPv4 Internet Connection on page 31.)
Network and System Management
334
10.
Monitor System Access and Performance
10
This chapter describes the system-monitoring features of the wireless VPN firewall. You can be
alerted to important events such WAN traffic limits reached, login failures, and attacks. You can
also view status information about the firewall, WAN ports, LAN ports, active VPN users and
tunnels, and more. In addition, the diagnostics utilities are described. This chapter contains the
following sections:
•
Enable the WAN Traffic Meter
•
Configure Logging, Alerts, and Event Notifications
•
View Status Screens
•
Diagnostics Utilities
Note: All log and report functions that are part of the Firewall Logs &
E-mail screen and some of the functions that are part of the
Diagnostics screen require that you configure the email notification
server—see Configure Logging, Alerts, and Event Notifications on
page 338.
Enable the WAN Traffic Meter
If your ISP charges by traffic volume over a given period of time, or if you want to study traffic
types over a period of time, you can activate the traffic meter for the WAN port.

To monitor traffic limits on each of the WAN ports:
1. Select Monitoring > Traffic Meter. The Broadband Traffic Meter screen displays.
The Internet Traffic Statistics section in the lower part of the screen displays statistics on
Internet traffic through the WAN port. If you have not enabled the traffic meter, these
statistics are not available.
335
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 201.
2. Enter the settings as explained in the following table:
Monitor System Access and Performance
336
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 82. Broadband Traffic Meter screen settings
Setting
Description
Enable Traffic Meter
Do you want to
enable Traffic
Metering on
Broadband?
Select one of the following radio buttons to configure traffic metering:
• Yes. Traffic metering is enabled, and the traffic meter records the volume of
Internet traffic passing through the WAN interface. Complete the fields that are
shown on the right side of the screen (see explanations later in this table).
• No. Traffic metering is disabled. This is the default setting.
Select one of the following radio buttons to specify if or how the wireless VPN
firewall applies restrictions when the traffic limit is reached:
• No Limit. No restrictions are applied when the traffic limit is reached.
• Download only. Restrictions are applied to incoming traffic when the traffic limit is
reached. Fill in the Monthly Limit field.
• Both Directions. Restrictions are applied to both incoming and outgoing traffic
when the traffic limit is reached. Fill in the Monthly Limit field.
Monthly Limit
Enter the monthly traffic volume limit in MB. The default setting is
0 MB.
Increase this
month limit by
Select this check box to temporarily increase a previously
specified monthly traffic volume limit, and enter the additional
allowed volume in MB. The default setting is 0 MB.
Note: When you click Apply to save these settings, this field is
reset to 0 MB so that the increase is applied only once.
This month limit
This is a nonconfigurable field that displays the total monthly
traffic volume limit that is applicable to this month. This total is
the sum of the monthly traffic volume and the increased traffic
volume.
Traffic Counter
Restart Traffic
Counter
Select one of the following radio buttons to specify when the traffic counter restarts:
• Restart Traffic Counter Now. Select this option, and click Apply at the bottom of
the screen to restart the traffic counter immediately.
• Restart Traffic Counter at a Specific Time. Restart the traffic counter at a
specific time and day of the month. Fill in the time fields, and select AM or PM and
the day of the month from the drop-down lists.
Send e-mail report
before restarting
counter
An email report is sent immediately before the counter restarts. Ensure that emailing
of logs is enabled on the Email and Syslog screen (see Configure Logging, Alerts,
and Event Notifications on page 338).
Monitor System Access and Performance
337
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 82. Broadband Traffic Meter screen settings (continued)
Setting
Description
When Limit is reached
Block Traffic
Select one of the following radio buttons to specify which action the wireless VPN
firewall performs when the traffic limit has been reached:
• Block All Traffic. All incoming and outgoing Internet and email traffic is blocked.
• Block All Traffic Except E-Mail. All incoming and outgoing Internet traffic is
blocked, but incoming and outgoing email traffic is still allowed.
Send e-mail alert
An email alert is sent when traffic is blocked. Ensure that emailing of logs is enabled
on the Email and Syslog screen (see Configure Logging, Alerts, and Event
Notifications on page 338).
3. Click Apply to save your settings.
To display a report of the Internet traffic by type, click the Traffic by Protocol option arrow in
the upper right of the Broadband Traffic Meter screen. The Traffic by Protocol screen displays
in a pop-up screen. The incoming and outgoing volume of traffic for each protocol and the
total volume of traffic are displayed. Traffic counters are updated in MBs; the counter starts
only when traffic passed is at least 1 MB. In addition, the pop-up screen displays the traffic
meter’s start and end dates.
Figure 202.
Configure Logging, Alerts, and Event Notifications
You can configure the wireless VPN firewall to log routing events such as dropped and
accepted packets, to log system events such as a change of time by an NTP server, secure
login attempts, and reboots, and to log other events. You can also schedule logs to be sent to
the administrator and enable logs to be sent to a syslog server on the network.
Monitor System Access and Performance
338
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To configure and activate logs:
1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen
displays:
Figure 203.
Monitor System Access and Performance
339
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Enter the settings as explained in the following table:
Table 83. Firewall Logs & E-mail screen settings
Setting
Description
Log Options
Log Identifier
Enter the name of the log identifier. The identifier is appended to log messages to identify
the device that sent the log messages. The default identifier is FVS318N.
Routing Logs
In the Accepted Packets and Dropped Packets columns, select check boxes to specify which traffic is
logged:
• LAN to WAN
• LAN to DMZ
• DMZ to WAN
• WAN to LAN
• DMZ to LAN
• WAN to DMZ
System Logs Option
Select the check boxes to specify which system events are logged:
• Change of Time by NTP. Logs a message when the system time changes after a request from an NTP
server.
• Login Attempts. Logs a message when a login is attempted. Both successful and failed login attempts
are logged.
• Secure Login Attempts. Logs a message when a secure login is attempted. Both successful and failed
secure login attempts are logged.
• Reboots. Logs a message when the wireless VPN firewall has been rebooted through the web
management interface. (No message is logged when the factory default Reset button has been pressed.)
• All Unicast Traffic. All incoming unicast packets are logged.
• All Broadcast/Multicast Traffic. All incoming broadcast and multicast packets are logged.
• WAN Status. WAN link status-related events are logged.
• Resolved DNS Names. All resolved DNS names are logged.
• VPN. All VPN negotiation messages are logged.
• DHCP Server. All DHCP server events are logged.
Other Event Logs
Source MAC
Filter
Select this check box to log packets from MAC addresses that match the source MAC
address filter settings.
Session Limit
Select this check box to log packets that are dropped because the session limit has been
exceeded.
Bandwidth
Limit
Select this check box to log packets that are dropped because the bandwidth limit has been
exceeded.
Monitor System Access and Performance
340
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 83. Firewall Logs & E-mail screen settings (continued)
Setting
Description
Enable E-mail Logs
Do you want
logs to be
emailed to
you?
Select the Yes radio button to enable the wireless VPN firewall to email logs to a specified
email address. Complete the fields that are shown on the right side of the screen.
Select the No radio button to prevent the logs from being emailed, which is the default
setting.
E-Mail Server Address The IP address or Internet name of your ISP’s outgoing email
SMTP server.
Note: If you leave this field blank, the wireless VPN firewall cannot
send email logs and alerts.
Return E-Mail Address The email address of the sender for email identification purposes.
For example, enter [email protected]
Send to E-Mail
Address
The email address to which the logs are sent. Typically, this is the
email address of the administrator.
Custom SMTP Port
Enter the port number of the SMTP server for the outgoing email.
Select one of the following radio buttons to specify SMTP server authentication for the
outgoing email:
• No Authentication. The SMTP server does not require authentication.
• Login Plain. The SMTP server requires authentication with regular login. Specify the
user name and password to be used for authentication.
• CRAM-MD5. The SMTP server requires authentication with CRAM-MD5 login. Specify
the user name and password to be used for authentication.
Username
The user name for SMTP server authentication.
Password
The password for SMTP server authentication.
Respond to Identd
from SMTP Server
To respond to Ident protocol messages, select the Respond to
Identd from SMTP Server check box. The Ident protocol is a
relatively weak scheme to verify the sender of an email. (A
common daemon program for providing the Ident service is
Identd.)
Send e-mail logs by Schedule
Unit
Enter a schedule for sending the logs. From the Unit drop-down list, select one of the
following:
• Never. No logs are sent.
• Hourly. The logs are sent every hour.
• Daily. The logs are sent daily. Specify the time.
• Weekly. The logs are sent weekly. Specify the day and time.
Day
From the Day drop-down list, select the day on which the logs are sent.
Time
From the Time drop-down, list select the hour on which the logs are sent, and then select
either the a.m. or p.m. radio button.
Monitor System Access and Performance
341
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 83. Firewall Logs & E-mail screen settings (continued)
Setting
Description
Enable SysLogs
Do you want
to enable
syslog?
To enable the wireless VPN firewall to send logs to a specified syslog server, select the Yes
radio button. Complete the fields that are shown on the right side of the screen.
To prevent the logs from being sent, select the No radio button, which is the default setting.
SysLog Server
The IP address or FQDN of the syslog server.
SysLog Severity
All the logs with a severity that is equal to and above the severity
that you specify are logged on the specified syslog server. For
example, if you select LOG_CRITICAL as the severity, then the
logs with the severities LOG_CRITICAL, LOG_ALERT, and
LOG_EMERG are logged.
Select one of the following syslog severities from the drop-down
list:
• LOG DEBUG. Debug-level messages.
• LOG INFO. Informational messages.
• LOG NOTICE. There are normal but significant conditions.
• LOG WARNING. There are warning conditions.
• LOG ERROR. There are error conditions.
• LOG CRITICAL. There are critical conditions.
• LOG ALERT. An action has to be taken immediately.
• LOG EMERG. The wireless VPN firewall is unusable.
3. Click Apply to save your settings.
Note: Enabling routing and other event logs might generate a significant
volume of log messages. NETGEAR recommends that you enable
firewall logs for debugging purposes only.
How to Send Syslogs over a VPN Tunnel between Sites

To send syslogs from one site to another over a gateway-to-gateway VPN tunnel:
1. At Site 1, set up a syslog server that is connected to Gateway 1.
2. Set up a VPN tunnel between Gateway 1 at Site 1 and Gateway 2 at Site 2.
3. Change the remote IP address in the VPN policy on Gateway 1 to the WAN IP address of
Gateway 2.
4. Change the local IP address in the VPN policy on Gateway 2 to the WAN IP address of
Gateway 2.
5. At Site 2, specify that Gateway 2 should send the syslogs to the syslog server at Site 1.
Monitor System Access and Performance
342
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
This section describes steps 2 through 4, using the topology that is described in the following
table:
Type of Address
Gateway 1 at Site 1 Gateway 2 at Site 2
WAN IP address
10.0.0.1
10.0.0.2
LAN IP address
192.168.10.0
192.168.20.0
LAN subnet mask
255.255.255.0
255.255.255.0
LAN IP address syslog server
192.168.10.2
Not applicable
Configure Gateway 1 at Site 1

To create a gateway-to-gateway VPN tunnel to Gateway 2, using the IPSec VPN wizard:
1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays.
2. Configure a gateway-to-gateway VPN tunnel using the following information:
• Connection name. Any name of your choice
•
Pre-shared key. Any key of your choice
•
Remote WAN IP address. 10.0.0.2
•
Local WAN IP address. 10.0.0.1
•
Remote LAN IP Address. 192.168.20.0
•
Remote LAN subnet mask. 255.255.255.0
3. Click Apply to save the settings.

To change the remote IP address in the VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policy screen displays.
2. Next to the policy name for the Gateway 1–to–Gateway 2 autopolicy, click Edit. The Edit
VPN Policy screen displays.
3. In the General section of the screen, clear the Enable NetBIOS check box.
4. In the Traffic Selector section of the screen, make the following changes:
• From the Remote IP drop-down list, select Single.
•
In the Start IP fields, type 10.0.0.2, which is the WAN IP address of Gateway 2.
5. Click Apply to save the settings.
Configure Gateway 2 at Site 2

To create a gateway-to-gateway VPN tunnel to Gateway 1, using the IPSec VPN wizard:
1. Select VPN > IPSec VPN > VPN Wizard. The VPN Wizard screen displays.
2. Configure a gateway-to-gateway VPN tunnel using the following information:
• Connection name. Any name of your choice
•
Pre-shared key. The same key as you configured on Gateway 1
Monitor System Access and Performance
343
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
Remote WAN IP address. 10.0.0.1
•
Local WAN IP address. 10.0.0.2
•
Remote LAN IP Address. 192.168.10.0
•
Remote LAN subnet mask. 255.255.255.0
3. Click Apply to save the settings.

To change the local IP address in the VPN policy:
1. Select VPN > IPSec VPN > VPN Policies. The VPN Policy screen displays.
2. Next to the policy name for the Gateway 2–to–Gateway 1 autopolicy, click Edit. The Edit
VPN Policy screen displays.
3. In the General section of the screen, clear the Enable NetBIOS check box.
4. In the Traffic Selector section of the screen, make the following changes:
• From the Local IP drop-down list, select Single.
•
In the Start IP fields, type 10.0.0.2, which is the WAN IP address of Gateway 2.
5. Click Apply to save the settings.

To specify the syslog server that is connected to Gateway 1:
1. Select Monitoring > Firewall Logs & E-mail. The Firewall Logs & E-mail screen
displays.
2. Enable the syslog server and specify its IP address at Site 1. Enter 192.168.10.2 as the IP
address.
3. Click Apply to save the settings.
Note: The VPN tunnel should be established automatically, and the
syslogs should be sent to the syslog server at Site 1. You can use
the IPSec VPN Connection Status screen to verify the connection.
Monitor System Access and Performance
344
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
View Status Screens
The wireless VPN firewall provides real-time information in a variety of status screens that
are described in the following sections:
•
View the System Status
•
View the VPN Connection Status and L2TP Users
•
View the VPN Logs
•
View the Port Triggering Status
•
View the WAN Port Status
•
View the Attached Devices and the DHCP Log
•
View the Status of a Wireless Profile
View the System Status
When you start up the wireless VPN firewall, the default screen that displays is the Router
Status screen.
The Router Status screen and Detailed Status screen provide real-time information about the
following important components of the wireless VPN firewall:
•
Firmware version
•
Both IPv4 and IPv6 WAN and LAN port information
•
Wireless information
•
Interface statistics
•
VLAN status, including port memberships
The Tunnel Status screen provides real-time information about the IPv6 tunnels.
These status screens are described in the following sections:
•
Router Status Screen
•
Router Statistics Screen
•
Detailed Status Screen
•
Tunnel Status Screen
Router Status Screen

To view the Router Status screen:
Select Monitoring > Router Status. The Router Status screen displays:
Monitor System Access and Performance
345
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 204.
The following table explains the fields of the Router Status screen:
Table 84. Router Status screen information
Item
Description
System Info
System Name
The NETGEAR system name.
Firmware Version
The currently installed firmware version.
Monitor System Access and Performance
346
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 84. Router Status screen information (continued)
Item
Description
LAN (VLAN) Information
For each of the LAN ports, the screen shows the IP address and subnet mask. For more detailed information,
see Table 86 on page 350.
LAN IPv4/IPv6 Information
MAC Address
The MAC address of the wireless VPN firewall.
IPv6 Address
The IPv6 address that is assigned to the wireless VPN firewall. For information
about configuring the IPv6 address, see Configure the IPv6 Internet
Connection and WAN Settings on page 35.
DHCP Server
The status of the IPv4 DHCP server (Enabled or Disabled). For information
about configuring the IPv4 DHCP server, see Configure a VLAN Profile on
page 56.
DHCP Relay
The status of the IPv4 DHCP relay (Enabled or Disabled). For information
about configuring the IPv4 DHCP relay, see Configure a VLAN Profile on
page 56.
DHCPv6 Server
The status of the DHCPv6 server (Enabled or Disabled). For information about
configuring the DHCPv6 server, see Manage the IPv6 LAN on page 70.
Wireless Information
Wireless Status
The status of the wireless access point (Enabled or Disabled).
WAN Information
WAN (IPv4)
The screen shows the IPv4 address, subnet mask, gateway, and status of the
port (UP or Down). For more detailed information, see Table 86 on page 350.
WAN (IPv6)
The screen shows the IPv6 address, gateway, and status of the port (UP or
Down). For more detailed information, see Table 86 on page 350.
Router Statistics Screen

To view the Router Statistics screen:
1. Select Monitoring > Router Status. The Router Status screen displays (see the
previous figure).
2. Click the Show Statistics option arrow in the upper right of the Router Status screen. The
Router Statistics screen displays:
Monitor System Access and Performance
347
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 205.
The following table explains the fields of the Router Statistics screen.
To change the poll interval period, enter a new value (in seconds) in the Poll Interval field,
and then click Set interval. To stop polling, click Stop.
Table 85. Router Statistics screen information
Item
Description
System up Time. The period since the last time that the wireless VPN firewall was started up.
Router Statistics
For the broadband (WAN) interface and for all LAN interfaces combined, the following statistics are
displayed:
Tx Pkts
The number of packets transmitted on the port in bytes.
Rx Pxts
The number of packets received on the port in bytes.
Collisions
The number of signal collisions that have occurred on the port. A collision occurs
when the port attempts to send data at the same time as a port on the other router or
computer that is connected to this port.
Tx B/s
The number of bytes transmitted per second on the port.
Rx B/s
The number of bytes received per second on the port.
Up Time
The period that the port has been active since it was restarted.
Detailed Status Screen
To view the Detailed Status screen, select Monitoring > System Status > Detailed Status.
The Detailed Status screen displays:
Monitor System Access and Performance
348
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 206.
Monitor System Access and Performance
349
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The following table explains the fields of the Detailed Status screen:
Table 86. Detailed Status screen information
Item
Description
LAN Port Configuration
The following fields are shown for each of the LAN ports.
VLAN Profile
The name of the VLAN profile that you assigned to this port on the LAN Setup screen
(see Assign and Manage VLAN Profiles on page 53). If the VLAN is not enabled on
this port, the default profile (with VLAN ID 1) is assigned automatically.
VLAN ID
The VLAN ID that you assigned to this port on the Add VLAN Profile screen (see
Configure a VLAN Profile on page 56). If the default VLAN profile is used, the VLAN ID
is 1, which means that all tagged and untagged traffic can pass on this port.
MAC Address
The MAC address for this port.
Note: All LAN ports that are part of the default VLAN share the same MAC address
unless you have specified that each VLAN needs to be assigned a unique MAC
address (see Configure VLAN MAC Addresses and LAN Advanced Settings on
page 61).
Note: LAN ports that have an IPv4 address that differs from the default VLAN can
share the same MAC address as the default VLAN.
Note: LAN port 8 can be assigned as the DMZ port, in which case its VLAN ID is 4094.
For information about configuring the DMZ port, see Enable and Configure the DMZ
Port for IPv4 and IPv6 Traffic on page 82.
IP Address
The IP address for this port. If the port is part of the default VLAN, the IP address is the
default LAN IP address (192.168.1.1). For information about configuring VLAN
profiles, see Configure a VLAN Profile on page 56.
Subnet Mask
The subnet mask for this port. If the port is part of the default VLAN, the subnet mask
is the default LAN IP subnet mask (255.255.255.0). For information about configuring
VLAN profiles, see Configure a VLAN Profile on page 56.
DHCP Status
The status of the IPv4 DHCP server for the VLAN (Enabled or Disabled). For
information about enabling DHCP for VLANs, see Configure a VLAN Profile on
page 56.
WAN Configuration
MAC Address
The default MAC address for the port or the MAC address that you have specified on
the Broadband Advanced Options screen for the port. For information about
configuring the MAC address, see Configure Advanced WAN Options and Other Tasks
on page 47.
IP Address
The IPv4 address and subnet mask of the WAN port. For information about configuring
the IPv4 address of the WAN port, see Configure the IPv4 Internet Connection and
WAN Settings on page 26.
Monitor System Access and Performance
350
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 86. Detailed Status screen information (continued)
Item
Description
IPv6 Address
The IPv6 address of the WAN port. For information about configuring the IPv4 address
of the WAN port, see Configure the IPv6 Internet Connection and WAN Settings on
page 35.
WAN State
The WAN state can be either UP or DOWN, depending on whether or not the port is
connected to the Internet.
NAT (IPv4 only)
The NAT state can be either Enabled or Disabled, depending on whether or not NAT is
enabled (see Network Address Translation on page 27) or classical routing is enabled
(see Classical Routing on page 27).
IPv4 Connection Type
The connection type can be Static IP, DHCP, PPPoE, or PPTP, depending on whether
the WAN address is obtained dynamically through a DHCP server or assigned
statically by you. For information about connection types, see Configure the IPv4
Internet Connection and WAN Settings on page 26.
IPv6 Connection Type
The connection type can be Static IPv6 or Dynamic IP (DHCPv6), depending on
whether the WAN address is obtained dynamically through a DHCP server or
assigned statically by you. For information about connection types, see Configure the
IPv6 Internet Connection and WAN Settings on page 35.
IPv4 Connection State
The IPv4 connection state can be either Connected or Not Connected, depending on
whether or not the WAN interface is connected to the Internet over an IPv4 address.
For information about configuring the IPv4 address of the WAN port, see Configure the
IPv4 Internet Connection and WAN Settings on page 26.
IPv6 Connection State
The IPv6 connection state can be either Connected or Not Connected, depending on
whether or not the WAN interface is connected to the Internet over an IPv6 address.
For information about configuring the IPv6 address of the WAN port, see Configure the
IPv6 Internet Connection and WAN Settings on page 35.
Link State
The link state can be either LINK UP or LINK DOWN, depending on whether or not the
WAN port is physically connected to a modem, dish, or router. For information about
connecting a WAN port, see the ProSafe Wireless-N 8-Port Gigabit VPN Firewall
FVS318N Installation Guide.
WAN Mode
This is a fixed field that states:
Use only single WAN port: Dedicated WAN.
Gateway
The IP address of the gateway.
Primary DNS Server
The IP address of the primary DNS server.
Secondary DNS Server The IP address of the secondary DNS
server.
Gateway (IPv6)
The IP address of the gateway.
Primary DNS Server
(IPv6)
The IP address of the primary DNS server.
Secondary DNS Server The IP address of the secondary DNS
server.
(IPv6)
These IPv4 settings are either obtained
dynamically from your ISP or specified
by you on the Broadband ISP Settings
(IPv4) screen (see Manually Configure
an IPv4 Internet Connection on
page 31).
These IPv6 settings are either obtained
dynamically from your ISP or specified
by you on the Broadband ISP Settings
(IPv6) screen (see Configure a Static
IPv6 Internet Connection on page 39).
Monitor System Access and Performance
351
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 86. Detailed Status screen information (continued)
Item
Description
Wireless Configuration
Wireless Status
The wireless status can be Enabled or Disabled, depending on whether or not the
default wireless profile is enabled. For information about enabling the default wireless
profile, see Configure and Enable Wireless Profiles on page 112.
SSID
The SSID of the default profile. For information about how to configure the SSID, see
Configure and Enable Wireless Profiles on page 112.
Mode
The wireless mode of the radio. For information about how to configure the wireless
mode, see Configure the Basic Radio Settings on page 105.
Security Settings
The security settings of the default profile. For information about how to configure the
security profile, see Configure and Enable Wireless Profiles on page 112.
Region
The region that is assigned to the radio. For information about how to configure the
region, see Configure the Basic Radio Settings on page 105.
Channel
The active channel on the radio. For information about how to configure the channel,
see Configure the Basic Radio Settings on page 105.
AP MAC Address
The MAC address of the radio or default wireless profile. If the default wireless profile
point is disabled, the MAC address is not displayed.
Tunnel Status Screen
The IPv6 Tunnel Status screen displays the status of all active 6to4 and ISATAP tunnels and
their IPv6 addresses.

To view the status of the tunnels and IPv6 addresses:
Select Monitoring > Router Status > Tunnel Status. The Tunnel Status screen displays:
Figure 207.
Monitor System Access and Performance
352
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
The IPv6 Tunnel Status table shows the following fields:
•
Tunnel Name. The tunnel name for the 6to4 tunnel is always sit0-WAN1 (SIT stands for
simple Internet transition); the tunnel name for an ISATAP tunnel is isatapx-LAN, in which
x is an integer.
•
IPv6 Address. The IPv6 address of the local tunnel endpoint.
View the VPN Connection Status and L2TP Users
The Connection Status screens displays a list of IPSec VPN connections, SSL VPN
connections, and L2TP users who are currently logged in to the wireless VPN firewall.

To view the active IPSec VPN connections:
Select VPN > Connection Status. The Connection Status submenu tabs display with the
IPSec VPN Connection Status screen in view:
Figure 208.
The policy name, the endpoint’s IP address, the amount of data and number of packets
transmitted, and the state of the connection are listed in the table.
To disconnect an active connection, click the Disconnect table button to the right of the
policy’s table entry.

To view the active SSL VPN connections:
Select VPN > Connection Status > SSL VPN Connection Status. The SSL VPN
Connection Status screen displays:
The active user’s user name, group, and IP address are listed in the table with a time stamp
indicating the time and date that the user connected.
To disconnect an active user, click the Disconnect table button to the right of the user’s table
entry.
Monitor System Access and Performance
353
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To view the active L2TP tunnel users:
Select VPN > Connection Status > L2TP Active Users. The L2TP Active Users screen
displays:
Figure 209.
The active user name, client’s IP address on the remote LAC, and IP address that is
assigned by the L2TP server on the wireless VPN firewall are listed in the table.
To disconnect an active user, click the Disconnect table button to the right of the user’s table
entry.
View the VPN Logs

To display the IPSec VPN log:
Select Monitoring > VPN Logs. The Log tabs display with the IPSec VPN Logs screen in
view.
Figure 210.
Monitor System Access and Performance
354
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To display the SSL VPN log:
Select Monitoring > VPN Logs > SSL VPN Logs. The SSL VPN Logs screen displays:
Figure 211.
View the Port Triggering Status

To view the status of the port-triggering feature:
1. Select Security > Port Triggering. The Port Triggering screen displays. (The following
figure shows one rule in the Port Triggering Rules table as an example.)
Figure 212.
Monitor System Access and Performance
355
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Click the Status option arrow in the upper right of the Port Triggering screen. The Port
Triggering Status screen displays in a pop-up screen.
Figure 213.
The Port Triggering Status screen displays the information that is described in the
following table:
Table 87. Port Triggering Status screen information
Item
Description
#
The sequence number of the rule onscreen.
Rule
The name of the port-triggering rule that is associated with this entry.
LAN IP Address
The IP address of the computer or device that is currently using this rule.
Open Ports
The incoming ports that are associated with this rule. Incoming traffic using one of
these ports is sent to the IP address that is listed in the LAN IP Address field.
Time Remaining
The time remaining before this rule is released and made available for other
computers or devices. This timer is restarted when incoming or outgoing traffic is
received.
View the WAN Port Status
You can view the status of the IPv4 and IPv6 WAN connections, the DNS servers, and the
DHCP servers.
IPv4 WAN Port Status

To view the IPv4 status of the WAN port:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings (IPv4).
The Broadband ISP Settings (IPv4) screen displays (see Figure 10 on page 29).
2. Click the Broadband Status option arrow in the upper right of the screen to display the
Connection Status pop-up screen. (The following figure shows a static IP address
configuration.)
Monitor System Access and Performance
356
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 214.
The type of connection determines the information that is displayed on the Connection
Status screen. The screen can display the information that is described in the following
table:
Table 88. Connection Status screen information for an IPv4 connection
Item
Description
Connection Time
The period that the wireless VPN firewall has been connected through the WAN port.
Connection Type
The connection type can be either DHCP or Static IP.
Connection Status
The connection status can be either Connected or Disconnected.
IP Address
The addresses that were automatically detected or that you configured on the
Broadband ISP Settings (IPv4) screen.
Subnet Mask
Gateway
DNS Server
DHCP Server
Note: For more information, see Let the Wireless VPN Firewall Automatically Detect
and Configure an IPv4 Internet Connection on page 28 and Manually Configure an
IPv4 Internet Connection on page 31.
DHCP only. The DHCP server that was automatically detected. This field displays
only if your ISP does not require a login and the IP address is acquired dynamically
from your ISP. You have configured these ISP settings on the Broadband ISP
Settings screen.
Note: For more information, see Let the Wireless VPN Firewall Automatically Detect
and Configure an IPv4 Internet Connection on page 28 and Manually Configure an
IPv4 Internet Connection on page 31.
Lease Obtained
DHCP only. The time when the DHCP lease was obtained.
Lease Duration
DHCP only. The period that the DHCP lease remains in effect.
Click Disconnect to disconnect the connection.
Monitor System Access and Performance
357
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
IPv6 WAN Port Status

To view the IPv6 status of the WAN port:
1. Select Network Configuration > WAN Settings > Broadband ISP Settings (IPv6).
The Broadband ISP Settings (IPv6) screen displays (see Figure 17 on page 38).
2. Click the Status option arrow in the upper right of the screen to display the Connection
Status pop-up screen. (The following figure shows a dynamic IP address configuration.)
Figure 215.
The type of connection determines the information that is displayed on the Connection
Status screen. The screen can display the information that is described in the following
table:
Table 89. Connection Status screen information for an IPv6 connection
Item
Description
Connection Time
The period that the wireless VPN firewall has been connected through the WAN
port.
IPv6 Connection Type
The connection type can be either Dynamic IP (DHCP) or Static.
IPv6 Connection Status The connection status can be either Connected or Disconnected.
IP Address
The IPv6 addresses that were automatically detected or that you configured on
the Broadband ISP Settings (IPv6) screen.
Gateway
Note: The Gateway and DNS Server (IPv6) fields apply only to a static IPv6
connection.
DNS Server (IPv6)
Note: For more information, see Use a DHCPv6 Server to Configure an IPv6
Internet Connection on page 37 and Configure a Static IPv6 Internet Connection
on page 39.
Click Disconnect to disconnect the connection.
Monitor System Access and Performance
358
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
View the Attached Devices and the DHCP Log
The LAN Groups screen shows the network database, which is the Known PCs and Devices
table, which contains all IP devices that wireless VPN firewall has discovered on the local
network. The LAN Setup screen lets you access the DHCP log.
View the Attached Devices

To view the attached devices on the LAN Groups screen:
Select Network Configuration > LAN Setup > LAN Groups. The LAN Groups screen
displays. (The following figure shows some examples in the Known PCs and Devices table.)
Figure 216.
The Known PCs and Devices table contains a list of all known computers and network
devices that are assigned dynamic IP addresses by the wireless VPN firewall, have been
discovered by other means, or were manually added. Collectively, these entries make up the
network database. For information about how to edit the Known PCs and Devices table or
manually add entries to the table, see Manage the Network Database on page 65.
For each attached computer or device, the Known PCs and Devices table displays the
following fields:
•
Check box. Allows you to select the computer or device in the table.
•
Name. The name of the computer or device. For computers that do not support the
NetBIOS protocol, the name is displayed as Unknown (you can edit the entry manually to
add a meaningful name). If the computer or device was assigned an IP address by the
DHCP server, then the name is appended by an asterisk.
•
IP Address. The current IP address of the computer or device. For DHCP clients of the
wireless VPN firewall, this IP address does not change. If a computer or device is
assigned a static IP address, you need to update this entry manually after the IP address
on the computer or device has changed.
Monitor System Access and Performance
359
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
MAC Address. The MAC address of the computer’s or device’s network interface.
•
Group. Each computer or device can be assigned to a single LAN group. By default, a
computer or device is assigned to Group 1. You can select a different LAN group from the
Group drop-down list in the Add Known PCs and Devices section or on the Edit Groups
and Hosts screen.
•
Action. The Edit table button, which provides access to the Edit Groups and Hosts
screen.
Note: If the wireless VPN firewall is rebooted, the data in the Known PCs
and Devices table is lost until the wireless VPN firewall rediscovers
the devices.
View the DHCP Log

To review the most recent entries in the DHCP log:
1. Select Network Configuration > LAN Setup. The LAN Setup screen displays the IPv4
settings. (see Figure 29 on page 56).
2. Click the DHCP Log option arrow to the right of the LAN Setup tab. The DHCP Log displays
in a pop-up screen:
Figure 217.
To view the most recent entries, click Refresh Log. To delete all the existing log entries,
click Clear Log. Click the LAN Setup option arrow in the upper right to display the LAN
Setup (IPv4) screen, from which you can modify the DHCP settings (see Configure a
VLAN Profile on page 56).
Monitor System Access and Performance
360
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
View the Status of a Wireless Profile

To view the status of a specific wireless profile:
1. Select Network Configuration > Wireless Settings > Wireless Profiles. The Wireless
Profiles screen displays.
2. Click the Status button in the Status column for the wireless profile for which you want to
display the status information. The Access Point screen displays:
Figure 218.
Note: On the Access Point screen, the wireless profile is stated in the AP
Name column: the first wireless profile is indicated by ap1, the
second by ap2, and so on.
The following table explains the fields of the Access Point Status screen.
To change the poll interval period, enter a new value in the Poll Interval field, and then
click Set interval. To stop polling, click Stop.
Table 90. Access Point screen fields
Item
Description
AP Statistics
AP Name
The names for the four wireless profiles are ap1, ap2, ap3, and ap4.
Radio
The radio to which the client is connected. By default, the radio is always 1, indicating the
2.4 GHz radio.
Packet
The number of received (rx) and transmitted (tx) packets on the access point in bytes.
Bytes
The number of received (rx) and transmitted (tx) bytes on the access point.
Errors
The number of received (rx) and transmitted (tx) errors on the access point.
Monitor System Access and Performance
361
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 90. Access Point screen fields (continued)
Item
Description
Dropped
The number of received (rx) and transmitted (tx) dropped packets on the access point.
Multicast
The number of received (rx) and transmitted (tx) multicast packets on the access point.
Collisions
The number of signal collisions that have occurred on the access point. A collision occurs
when the access point attempts to send data at the same time as a wireless station that is
connected to the access point.
Connected Clients
MAC Address
The MAC address of the client.
Radio
The radio to which the client is connected. By default, the radio is always 1, indicating the
2.4 GHz radio.
Security
The type of security that the client is using (Open, WEP, WPA, WPA2, or WPA+WPA2).
Encryption
The type of encryption that the client is using (CCMP, TKIP, or TKIP + CCMP).
Authentication
The type of authentication that the client is using (Open, PSK, RADIUS, or PSK+RADIUS).
Time
Connected
The period in minutes since the connection was established between the access point and
the client.
Diagnostics Utilities
The wireless VPN firewall provides diagnostic tools that help you analyze the status of the
network and traffic conditions. Two types of tools are available:
•
Network diagnostic tools. These tools include a ping utility, traceroute utility, and DNS
lookup utility, and the option to display the routing tables.
•
Packet capture tool. This tools lets you capture packets per interface in real time for a
short period, and then download the packet information.
Note: For normal operation, diagnostic tools are not required.

To display the Diagnostics screen:
1. Select Monitoring > Diagnostics. The Diagnostics screen displays the IPv4 settings (see
the next screen).
Monitor System Access and Performance
362
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
2. Specify the IP version for which you want to display the Diagnostics screen:
• IPv4. In the upper right of the screen, the IPv4 radio button is already selected by
default.
Figure 219.
•
IPv6. Select the IPv6 radio button. The Diagnostics screen displays the IPv6 settings:
Figure 220.
The various tasks that you can perform on the Diagnostics screen are explained in the
following sections.
Monitor System Access and Performance
363
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Send a Ping Packet
Use the ping utility to send a ping packet request in order to check the connection between
the wireless VPN firewall and a specific IP address or FQDN. If the request times out (no
reply is received), it usually means that the destination is unreachable. However, some
network devices can be configured not to respond to a ping. The ping results are displayed
on a new screen.

To send a ping:
1. In the Ping or Trace an IP Address section of the screen, in the IP Address / Domain
Name field on the Diagnostics screen for IPv4, enter the IP address or domain name
that you want to ping; in the Domain Name field on the Diagnostics screen for IPv6,
enter the domain name that you want to ping (you cannot enter an IP address).
2. If the specified address is reached through a VPN tunnel, select the Ping through VPN
tunnel? check box.
3. Click the Ping button. The results of the ping are displayed in a new screen. To return to the
Diagnostics screen, click Back on the browser menu bar.
Trace a Route
A traceroute lists all routers between the source (the wireless VPN firewall) and the
destination IP address.

To send a traceroute:
1. In the Ping or Trace an IP Address section of the screen, in the IP Address / Domain
Name field on the Diagnostics screen for IPv4, enter the IP address or domain name
that you want to trace; in the Domain Name field on the Diagnostics screen for IPv6,
enter the domain name that you want to trace (you cannot enter an IP address).
2. Click the Traceroute button. The results of the traceroute are displayed in a new screen. To
return to the Diagnostics screen, click Back on the browser menu bar.
Look Up a DNS Address
A Domain Name Server (DNS) converts the Internet name (for example, www.netgear.com)
to an IP address. If you need the IP address of a web, FTP, mail, or other server on the
Internet, request a DNS lookup to find the IP address.

To look up a DNS address:
1. In the Perform a DNS Lookup section of the screen, in the Internet Name field, enter a
domain name.
2. Click the Lookup button. The results of the lookup action are displayed in a new screen. To
return to the Diagnostics screen, click Back on the browser menu bar.
Monitor System Access and Performance
364
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Display the Routing Tables
Displaying the internal routing table can assist NETGEAR technical support in diagnosing
routing problems.

To display the routing table:
On the Diagnostics screen for IPv4, in the Router Options section of the screen, click the
Display button next to Display the IPv4 Routing Table. The routing table is shown in the
Route Display screen that displays as a pop-up screen.
On the Diagnostics screen for IPv6, in the Router Options section of the screen, click the
Display button next to Display the IPv6 Routing Table. The routing table is shown in the
Route Display screen that displays as a pop-up screen.
Capture Packets in Real Time
Capturing packets can assist NETGEAR technical support in diagnosing packet transfer
problems. You can also use a traffic analyzer to do your own problem diagnoses.

To capture packets in real time:
1. In Router Options section of the screen, next to Capture Packets, click the Packet
Trace button. The Capture Packets pop-up screen displays:
Figure 221.
2. From the Select Network drop-down list, select the physical or virtual interface for which you
want to capture packets.
3. Click Start. After a few seconds, the packet-tracing process starts, which is indicated by a
message onscreen.
4. When you want to stop the packet-tracing process, click Stop. After a few seconds, the
packet-tracing process stops, which is indicated by a message onscreen.
5. Click Download. Select a location to save the captured packets. (The default file name is
pkt.cap.) The file is downloaded to the location that you specify.
6. When the download is complete, browse to the download location you specified, and verify
that the file has been downloaded successfully.
7. Optional step: Send the file to NETGEAR technical support for analysis.
Monitor System Access and Performance
365
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Reboot the Wireless VPN Firewall Remotely
You can perform a remote reboot, for example, when the wireless VPN firewall seems to
have become unstable or is not operating normally.
Rebooting breaks any existing connections either to the wireless VPN firewall (such as your
management session) or through the wireless VPN firewall (for example, LAN users
accessing the Internet). However, connections to the Internet are automatically reestablished
when possible.

To reboot the wireless VPN firewall:
In Router Options section of the screen, next to Reboot the Router, click the Reboot button.
The wireless VPN firewall reboots. The Diagnostics screen might remain visible during the
reboot process, or a status message with a counter might show the number of seconds left
until the reboot process is complete. The reboot process takes about 165 seconds.
Monitor System Access and Performance
366
11.
Troubleshooting
11
This chapter provides troubleshooting tips and information for the wireless VPN firewall. After
each problem description, instructions are provided to help you diagnose and solve the problem.
For the common problems listed, go to the section indicated.
•
Is the wireless VPN firewall on?
Go to Basic Functioning on page 368.
•
Have I connected the wireless VPN firewall correctly?
Go to Basic Functioning on page 368.
•
I cannot access the wireless VPN firewall’s web management interface.
Go to Troubleshoot the Web Management Interface on page 369.
•
A time-out occurs.
Go to When You Enter a URL or IP Address, a Time-Out Error Occurs on page 370.
•
I cannot access the Internet or the LAN.
Go to Troubleshoot the ISP Connection on page 370.
•
I have problems with the IPv6 connection.
Go to Troubleshooting the IPv6 Connection on page 372
•
I have problems with the LAN connection.
Go to Troubleshoot a TCP/IP Network Using a Ping Utility on page 375.
•
I want to clear the configuration and start over again.
Go to Restore the Default Configuration and Password on page 376.
•
The date or time is not correct.
Go to Address Problems with Date and Time on page 377.
•
I need more information.
Go to Access the Knowledge Base and Documentation on page 378.
367
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Note: The wireless VPN firewall’s diagnostic tools are explained in
Diagnostics Utilities on page 362.
Basic Functioning

After you turn on power to the wireless VPN firewall, verify that the following sequence
of events occurs:
1. When power is first applied, verify that the Power LED is on.
2. After approximately 2 minutes, verify that:
a. The Test LED is no longer lit.
b. The left LAN port LEDs are lit for any local ports that are connected.
c. The left WAN port LEDs are lit for any WAN ports that are connected.
If a port’s left LED is lit, a link has been established to the connected device. If a port is
connected to a 1000 Mbps device, verify that the port’s right LED is green. If the port
functions at 100 Mbps, the right LED is amber. If the port functions at 10 Mbps, the right
LED is off.
If any of these conditions do not occur, see the appropriate following section.
Power LED Not On
If the Power and other LEDs are off when your wireless VPN firewall is turned on, make sure
that the power cord is correctly connected to your wireless VPN firewall and that the power
supply adapter is correctly connected to a functioning power outlet.
If the error persists, you have a hardware problem and should contact NETGEAR technical
support.
Test LED Never Turns Off
When the wireless VPN firewall is powered on, the Test LED turns on for approximately
2 minutes and then turns off when the wireless VPN firewall has completed its initialization. If
the Test LED remains on, there is a fault within the wireless VPN firewall.

If all LEDs are still on more than several minutes minute after power-up, do the
following:
•
Turn the power off, and then turn it on again to see if the wireless VPN firewall recovers.
•
Reset the wireless VPN firewall’s configuration to factory default settings. Doing so sets
the wireless VPN firewall’s IP address to 192.168.1.1. This procedure is explained in
Restore the Default Configuration and Password on page 376.
If the error persists, you might have a hardware problem and should contact NETGEAR
technical support.
Troubleshooting
368
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
LAN or WAN Port LEDs Not On

If either the LAN LEDs or WAN LEDs do not light when the Ethernet connection is
made, check the following:
•
Make sure that the Ethernet cable connections are secure at the wireless VPN firewall
and at the hub, router, or workstation.
•
Make sure that power is turned on to the connected hub, router, or workstation.
•
Be sure that you are using the correct cables:
When connecting the wireless VPN firewall’s WAN ports to one or two devices that
provide the Internet connections, use the cables that are supplied with the devices.
These cables could be standard straight-through Ethernet cables or Ethernet crossover
cables.
Troubleshoot the Web Management Interface

If you cannot access the wireless VPN firewall’s web management interface from a
computer on your local network, check the following:
•
Check the Ethernet connection between the computer and the wireless VPN firewall as
described in the previous section (LAN or WAN Port LEDs Not On).
•
If your computer’s IP address is shown as 169.254.x.x:
Windows and Mac operating systems generate and assign an IP address if the computer
cannot reach a DHCP server. These autogenerated addresses are in the range of
169.254.x.x. If your IP address is in this range, check the connection from the computer
to the wireless VPN firewall and reboot your computer.
•
If your wireless VPN firewall’s IP address has been changed and you do not know the
current IP address, reset the wireless VPN firewall’s configuration to factory default
settings. This sets the wireless VPN firewall’s IP address to 192.168.1.1. This procedure
is explained in Restore the Default Configuration and Password on page 376.
Tip: If you do not want to revert to the factory default settings and lose your
configuration settings, you can reboot the wireless VPN firewall and use
a sniffer to capture packets sent during the reboot. Look at the ARP
packets to locate the wireless VPN firewall’s LAN interface address.
•
Make sure that you are using the SSL https://address login rather than the http://address
login.
•
Make sure that your browser has Java, JavaScript, or ActiveX enabled. If you are using
Internet Explorer, click Refresh to be sure that the Java applet is loaded.
•
Try quitting the browser and launching it again.
•
Clear the browser’s cache.
Troubleshooting
369
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
Make sure that you are using the correct login information. The factory default login name
is admin, and the password is password. Make sure that Caps Lock is off when entering
this information.
Note: To be able to configure the wireless VPN firewall, your computer’s IP
address does not need to be on the same subnet as the wireless
VPN firewall.
If the wireless VPN firewall does not save changes you have made in the web management
interface, check the following:
•
When entering configuration settings, be sure to click the Apply button before moving to
another menu or tab, or your changes are lost.
•
Click the Refresh or Reload button in the web browser. The changes might have
occurred, but the web browser might be caching the old configuration.
When You Enter a URL or IP Address, a Time-Out Error
Occurs

A number of things could be causing this situation. Try the following troubleshooting
steps:
•
Check whether other computers on the LAN work correctly. If they do, ensure that your
computer’s TCP/IP settings are correct. If you use a fixed (static) IP address, check the
subnet mask, default gateway, DNS, and IP addresses on the Broadband ISP Settings
screen. For more information, see Manually Configure an IPv4 Internet Connection on
page 31.
•
If the computer is configured correctly, but still not working, ensure that the wireless VPN
firewall is connected and turned on. Connect to the web management interface, and
check the wireless VPN firewall’s settings. If you cannot connect to the wireless VPN
firewall, see the information in the previous section (Troubleshoot the Web Management
Interface on page 369).
•
If the wireless VPN firewall is configured correctly, check your Internet connection (for
example, your modem, dish, or router) to make sure that it is working correctly.
Troubleshoot the ISP Connection
If your wireless VPN firewall is unable to access the Internet, you should first determine
whether the wireless VPN firewall is able to obtain a WAN IP address from the ISP. Unless
you have been assigned a static IP address, your wireless VPN firewall requests an IP
address from the ISP. You can determine whether the request was successful using the web
management interface.
Troubleshooting
370
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N

To check the WAN IP address:
1. Launch your browser and navigate to an external site such as www.netgear.com.
2. Access the web management interface of the wireless VPN firewall’s configuration at
https://192.168.1.1.
3. Select Network Configuration > WAN Settings > Broadband ISP Settings. The
Broadband ISP Settings screen for IPv4 displays.
4. Take one of the following actions:
- For IPv4. Click the Broadband Status option arrow. The Connection Status pop-up
screen for IPv4 displays (see Figure 11 on page 30).
-
For IPv6. In the upper right of the screen, select the IPv6 radio button. The ISP
Broadband Settings screen displays the IPv6 settings. Then, click the Status option
arrow. The Connection Status pop-up screen for IPv6 displays (see Figure 18 on
page 39).
5. Check that an IP address is shown for the WAN port. If an IP address with zeros only is
shown, or if no IP address is shown, your wireless VPN firewall has not obtained an IP
address from your ISP, or for IPv6, has not generated an IP address.

If your wireless VPN firewall is unable to obtain an IP address from the ISP, you might
need to force your modem, dish, or router to recognize your new wireless VPN firewall
by performing the following procedure:
1. Turn off the power to the modem, dish, or router.
2. Turn off the power to your wireless VPN firewall.
3. Wait 5 minutes, and then turn on the power to the modem, dish, or router.
4. When the LEDs of the modem, dish, or router indicate that synchronization with the ISP has
occurred, turn on the power to your wireless VPN firewall.
If your wireless VPN firewall is still unable to obtain an IP address from the ISP, the problem
might be one of the following:
•
Your ISP might require a login program.
For IPv4 connections, ask your ISP whether they require PPP over Ethernet (PPPoE) or
some other type of login.
•
For IPv4 connections, if your ISP requires a login, you might have incorrectly set the login
name and password.
•
For IPv4 connections, your ISP might check for your computer’s host name. On the
Broadband ISP Settings screen for IPv4, in the Account Name field, enter the host name,
system name, or account name that was assigned to you by your ISP. You might also
have to enter the assigned domain name or workgroup name in the Domain Name field,
and you might have to enter additional information. For more information, see Manually
Configure an IPv4 Internet Connection on page 31.
•
Your ISP allows only one Ethernet MAC address to connect to the Internet, and might
check for your computer’s MAC address. In this case, do one of the following:
-
Inform your ISP that you have bought a new network device, and ask them to use the
wireless VPN firewall’s MAC address.
Troubleshooting
371
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
-
Configure your wireless VPN firewall to spoof your computer’s MAC address. You can
do this in the Router’s MAC Address section on the Broadband Advanced Options
screen. For more information, see Configure Advanced WAN Options and Other
Tasks on page 47.
If your wireless VPN firewall can obtain an IP address, but an attached computer is unable to
load any web pages from the Internet:
•
Your computer might not recognize any DNS server addresses.
A DNS server is a host on the Internet that translates Internet names (such as
www.netgear.com) to numeric IP addresses. Typically your ISP provides the addresses of
one or two DNS servers for your use. You can configure your computer manually with
DNS addresses, as explained in your operating system documentation.
•
Your computer might not have the wireless VPN firewall configured as its TCP/IP
gateway.
Troubleshooting the IPv6 Connection
If you have difficulty connecting over an IPv6 connection, there might be an incorrect
configuration on the wireless VPN firewall or the computer from which you are trying to
connect to the wireless VPN firewall:
Check the wireless VPN firewall:
•
By default, the wireless VPN firewall is set to IPv4-only mode. Make sure that the wireless
VPN firewall is set to IPv4/IPv6 mode (see Configure the IPv6 Routing Mode on page 36).
•
Make sure that the ISP settings are correct (see Configure a Static IPv6 Internet
Connection on page 39). The wireless VPN firewall cannot receive a valid IPv6 address if
the Internet connection is not correctly configured.
•
Make sure that the wireless VPN firewall can provide IPv6 addresses to the computers on
the LAN (see Manage the IPv6 LAN on page 70). Check the settings on the LAN Setup
(IPv6) screen, and if applicable for your type of configuration, on the RADVD screen.
Check the computer:
•
Make sure that the operating system supports IPv6. Normally, the following operating
systems support IPv6:
-
Windows 7, all 32- and 64-bit versions
-
Windows Vista, all 32- and 64-bit versions
-
Windows XP Professional SP3 (32- and 64-bit)
-
Windows Server 2008, all versions
-
Windows Server 2008 R2, all versions
-
Windows Server 2003, all versions
-
Windows Server 2003 R2, all versions
-
Linux and other UNIX-based systems with a correctly configured kernel
-
MAC OS X
Troubleshooting
372
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
•
Make sure that IPv6 is enabled on the computer. On a computer that runs a
Windows-based operating system, do the following (note that the steps might differ on the
various Windows operating systems):
a. Open the Network Connections screen or the Network and Sharing Center screen.
For example, on the Windows taskbar, click Start, then select Control Panel, and
then Network Connections.
b. Click or double-click Local Area Connection for the connection to the wireless VPN
firewall. The Local Area Connection Properties screen displays:
Figure 222.
•
c. Make sure that Internet Protocol Version 6 (TCP/IPv6) displays, as is shown on the
previous screen.
Make sure that the computer has an IPv6 address. If the computer has a link-local
address only, it cannot reach the wireless VPN firewall or the Internet. On a computer that
runs a Windows-based operating system, do the following (note that the steps might differ
on the various Windows operating systems):
a. Open the Network Connections screen or the Network and Sharing Center screen.
For example, on the Windows taskbar, click Start, then select Control Panel, and
then Network Connections.
b. Click or double-click Local Area Connection for the connection to the wireless VPN
firewall.
Troubleshooting
373
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
c. Click or double-click View status of this connection. The Local Area Connection
Status screen displays:
Figure 223.
d. Make sure that Internet access shows for the IPv6 connection. (The previous screen
shows that there is no Internet access.)
e. Click Details. The Network Connection Details screen displays:
Figure 224.
Troubleshooting
374
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
f.
Make sure that an IPv6 address shows. The previous screen does not show an IPv6
address for the computer but only a link-local IPv6 address and an IPv6 default
gateway address, both of which start, in this case, with FE80.
Troubleshoot a TCP/IP Network Using a Ping Utility
Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request
packet to the designated device. The device then responds with an echo reply. You can
easily troubleshoot a TCP/IP network by using the ping utility in your computer or
workstation.
Test the LAN Path to Your Wireless VPN Firewall
You can ping the wireless VPN firewall from your computer to verify that the LAN path to the
wireless VPN firewall is set up correctly.

To ping the wireless VPN firewall from a computer running Windows 95 or later:
1. From the Windows taskbar, click Start and select Run.
2. In the field provided, type ping followed by the IP address of the wireless VPN firewall, for
example:
ping 192.168.1.1
3. Click OK. A message similar to the following should display:
Pinging <IP address> with 32 bytes of data
If the path is working, you will see this message:
Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
If the path is not working, you will see this message:
Request timed out
If the path is not functioning correctly, you could have one of the following problems:
•
•
Wrong physical connections
-
Make sure that the LAN port LED is on. If the LED is off, follow the instructions in
LAN or WAN Port LEDs Not On on page 369.
-
Check that the corresponding Link LEDs are on for your network interface card
and for the hub ports (if any) that are connected to your workstation and wireless
VPN firewall.
Wrong network configuration
-
Verify that the Ethernet card driver software and TCP/IP software are both
installed and configured on your computer or workstation.
-
Verify that the IP address for your wireless VPN firewall and your workstation are
correct and that the addresses are on the same subnet.
Troubleshooting
375
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Test the Path from Your Computer to a Remote Device
After verifying that the LAN path works correctly, test the path from your computer to a remote
device. From the Windows Run dialog box, type:
ping -n 10 <IP address>
in which <IP address> is the IP address of a remote device such as your ISP’s DNS
server.
If the path is functioning correctly, replies as in the previous section are displayed. If you do
not receive replies:
•
Check that your computer has the IP address of your wireless VPN firewall listed as the
default gateway. If the IP configuration of your computer is assigned by DHCP, this
information is not visible in your computer’s Network Control Panel.
•
Check to see that the network address of your computer (the portion of the IP address
that is specified by the netmask) is different from the network address of the remote
device.
•
Check that the modem, dish, or router is connected and functioning.
•
For IPv4 connections, if your ISP assigned a host name, system name, or account name
to your computer, enter that name in the Account Name field on the Broadband ISP
Settings (IPv4) screen. You might also have to enter the assigned domain name or
workgroup name in the Domain Name field, and you might have to enter additional
information. For more information, see Manually Configure an IPv4 Internet Connection
on page 31.
•
Your ISP could be rejecting the Ethernet MAC addresses of all but one of your computers.
Many broadband ISPs restrict access by allowing traffic only from the MAC address of
your broadband modem, but some ISPs additionally restrict access to the MAC address
of a single computer connected to that modem. If this is the case, you need to configure
your wireless VPN firewall to clone or spoof the MAC address from the authorized
computer. You can do this in the Router’s MAC Address section on the WAN Advanced
Options screen. For more information, see Configure Advanced WAN Options and Other
Tasks on page 47.
Restore the Default Configuration and Password

To reset the wireless VPN firewall to the original factory default settings, you can use
one of the following two methods:
•
Press the factory default Reset button on the rear panel of the wireless VPN firewall (see
Rear Panel on page 18) and hold the button for about 8 seconds until the Test LED turns
on and begins to blink (about 30 seconds). To restore the factory default settings when
you do not know the administration password or IP address, you need to use the factory
default Reset button method.
•
Use the Default button on the Settings Backup and Firmware Upgrade screen:
a. Select Administration > Settings Backup and Firmware Upgrade:
Troubleshooting
376
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 225.
b. Click the Default button.
The wireless VPN firewall reboots. During the reboot process, the Settings Backup and
Firmware Upgrade screen might remain visible, or a status message with a counter might
show the number of seconds left until the reboot process is complete. The reboot process
takes about 165 seconds. (If you can see the unit: The reboot process is complete when
the Test LED on the front panel goes off.)
WARNING:
When you press the hardware factory default Reset button or click
the software Default button, the wireless VPN firewall settings are
erased. All firewall rules, VPN policies, LAN and WAN settings,
and other settings are lost. Back up your settings if you intend on
using them.
Note: After you reboot with factory default settings, the wireless VPN
firewall’s password is password, and the LAN IPv4 address is
192.168.1.1.
Address Problems with Date and Time
The System Date & Time screen displays the current date and time of day (see Configure
Date and Time Service on page 333). The wireless VPN firewall uses the Network Time
Protocol (NTP) to obtain the current time from one of several network time servers on the
Internet. Each entry in the log is stamped with the date and time of day.
Troubleshooting
377
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Problems with the date and time function can include:
•
Date shown is January 1, 2000. Cause: The wireless VPN firewall has not yet
successfully reached a network time server. Check that your Internet access settings are
configured correctly. If you have just completed configuring the wireless VPN firewall, wait
at least 5 minutes, and check the date and time again.
•
Time is off by 1 hour. Cause: The wireless VPN firewall does not automatically sense
daylight saving time. Go to the Time Zone screen, and select or clear the Automatically
Adjust for Daylight Savings Time check box.
Access the Knowledge Base and Documentation

To access NETGEAR’s knowledge base for the wireless VPN firewall:
Select Support > Knowledge Base.

To access NETGEAR’s documentation library for your wireless VPN firewall model:
Select Support > Documentation.
Troubleshooting
378
A.
Default Settings and Technical
Specifications
A
This appendix provides the default settings and the physical and technical specifications of the
wireless VPN firewall in the following sections:
•
Factory Default Settings
•
Physical and Technical Specifications
Factory Default Settings
You can use the factory default Reset button located on the rear panel to reset all settings to
their factory defaults. This is called a hard reset (for more information, see Revert to Factory
Default Settings on page 331):
•
To perform a hard reset, press and hold the factory default Reset button for
approximately 8 seconds (until the Test LED blinks rapidly). The wireless VPN firewall
returns to the factory configuration settings that are shown in the following table.
•
Pressing the factory default Reset button for a shorter period of time simply causes the
wireless VPN firewall to reboot.
The following table shows the default configuration settings for the wireless VPN firewall:
Table 91. Wireless VPN firewall factory default configuration settings
Feature
Default Behavior
Login settings
User login URL
https://192.168.1.1
Administrator user name (case-sensitive)
admin
Administrator login password (case-sensitive)
password
Guest user name (case-sensitive)
guest
Guest login password (case-sensitive)
password
WAN settings
WAN IPv4 mode
NAT
WAN IPv6 mode
IPv4 only mode
379
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature
Default Behavior
WAN MAC address
Use default MAC address of the
wireless VPN firewall
WAN MTU size
1500 bytes
1492 bytes for PPPoE connections
Port speed
AutoSense
IPv4 LAN, DMZ, and routing settings
LAN IPv4 address for the default VLAN
192.168.1.1
LAN IPv4 subnet mask for the default VLAN
255.255.255.0
VLAN 1 membership
All ports
LAN DHCP server for the default VLAN
Enabled
LAN DHCP IPv4 starting address for the default VLAN
192.168.1.100
LAN DHCP IPv4 ending address for the default VLAN
192.168.1.254
DMZ port for IPv4
Disabled
DMZ IPv4 address (Port 8)
172.16.2.1
DMZ IPv4 subnet mask (Port 8)
255.255.255.0
DMZ DHCP server
Enabled
DMZ DHCP IPv4 starting address
176.16.2.100
DMZ DHCP IPv4 ending address
176.16.2.254
RIP direction
None
RIP version
Disabled
RIP authentication
Disabled
IPv6 LAN and DMZ settings
LAN IPv6 address
FEC0::1
LAN IPv6 prefix length
64
LAN DHCPv6 server
Disabled
DMZ port for IPv6
Disabled
DMZ IPv6 address (Port 8)
176::1
DMZ IPv6 prefix length (Port 8)
64
DMZ DHCPv6 server
Disabled
Default Settings and Technical Specifications
380
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature
Default Behavior
Firewall and security settings
Inbound LAN WAN rules (communications coming in from All traffic is blocked, except for traffic
the Internet)
in response to requests from the LAN.
Outbound LAN WAN rules (communications from the LAN All traffic is allowed.
to the Internet)
Inbound and outbound DMZ WAN rules
None
Inbound and outbound LAN DMZ rules
None
Respond to ping on WAN (Internet) ports
Disabled
Stealth mode
Enabled
TCP flood
Enabled
UDP flood
Enabled
Respond to ping on LAN ports
Disabled
IPv4 VPN pass-through for IPSec in NAT mode
Enabled
IPv4 VPN pass-through for PPTP in NAT mode
Enabled
IPv4 VPN pass-through for L2TP in NAT mode
Enabled
IPv6 VPN pass-through for IPSec
Enabled
Multicast pass-through for IGMP
Disabled
Jumbo frames
Disabled
Session limits
Disabled
TCP time-out
1800 seconds
UDP time-out
120 seconds
ICMP time-out
60 seconds
SIP ALG
Disabled
Source MAC filtering
Disabled
IP/MAC bindings
Disabled
Port triggering rules
None
UPnP
Disabled
Bandwidth profiles
None
Content filtering
Disabled
Default Settings and Technical Specifications
381
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature
Default Behavior
Proxy server blocking
Disabled
Java applets blocking
Disabled
ActiveX controls blocking
Disabled
Cookies blocking
Disabled
Blocked keywords
None
Trusted domains
All
Wireless radio and access point settings
Wireless radio
Enabled
Region
Nonconfigurable: set for the region in
which you purchased the wireless
VPN firewall.
Country
The selection is limited to the
countries in the region in which you
purchased the wireless VPN firewall.
The default settings are:
• Africa. Algeria
• Asia. Azerbaijan
• Europe. Albania
• Middle East. Bahrain
• North America, Latin America, and
The Caribbean. United States
• Oceania. Australia
Operating frequency
Nonconfigurable: Set at 2.4 GHz
Default security profile
default1
Default network name (SSID)
FVS318N_1
Broadcast SSID
Enabled
Security
Open
Encryption
None
Authentication
None
Transmission rate
Best1
Default transmit power
Full
802.11 wireless mode
802.11ng (for most countries)
80211b/g/n radio frequency channel
Auto
80211n channel spacing
20 MHz
Default Settings and Technical Specifications
382
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature
Default Behavior
Beacon interval
100 ms
DTIM interval
2
RTS threshold
2346 bytes
Fragmentation threshold
2346 bytes
Preamble mode
Long
Protection mode
None
Power save
Disabled
VPN IPsec Wizard: IKE policy settings for IPv4 and IPv6 gateway-to-gateway tunnels
Exchange mode
Main
ID type
Local WAN IP address
Local WAN ID
Local WAN IP address
Remote WAN ID
Not applicable
Encryption algorithm
3DES
Authentication algorithm
SHA-1
Authentication method
Pre-shared Key
Key group
DH-Group 2 (1024 bit)
Life time
8 hours
VPN IPsec Wizard: VPN policy settings for IPv4 and IPv6 gateway-to-gateway tunnels
Encryption algorithm
3DES
Authentication algorithm
SHA-1
Life time
1 hour
Key group
DH-Group 2 (1024 bit)
NetBIOS
Enabled
VPN IPsec Wizard: IKE policy settings for IPv4 gateway-to-client tunnels
Exchange mode
Aggressive
ID type
FQDN
Local WAN ID
remote.com
Remote WAN ID
local.com
Encryption algorithm
3DES
Default Settings and Technical Specifications
383
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature
Default Behavior
Authentication algorithm
SHA-1
Authentication method
Pre-shared Key
Key group
DH-Group 2 (1024 bit)
Life time
8 hours
VPN IPsec Wizard: VPN policy settings for IPv4 gateway-to-client tunnels
Encryption algorithm
3DES
Authentication algorithm
SHA-1
Life time
1 hour
Key group
DH-Group 2 (1024 bit)
NetBIOS
Disabled
RADIUS settings
Primary RADIUS server
Disabled and none configured
Secondary RADIUS server
Disabled and none configured
RADIUS time-out period
30 seconds
RADIUS maximum retry count
4
SSL VPN settings
SSL VPN IPv4 client address range
192.168.251.1–192.168.251.254
SSL VPN IPv6 client address range
4000::1–4000::200
User, group, and domain settings
default domain
geardomain
default group
geardomain
admin, password
default users, default passwords
guest, password
Default Settings and Technical Specifications
384
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 91. Wireless VPN firewall factory default configuration settings (continued)
Feature
Default Behavior
Administrative and monitoring settings
Secure HTTP management
Enabled
Telnet management
Disabled
Traffic meter
Disabled
SNMP
Disabled
Time zone
GMT
Time zone adjusted for daylight saving time
Disabled
Routing logs
Disabled
System Logs
Disabled
Other event logs
Disabled
Email logs
Disabled
Syslogs
Disabled
IPSec VPN logs
Enabled
SSL VPN logs
Enabled
1. The maximum wireless signal rate derived from IEEE Standard 802.11 specifications. The actual throughput varies. Network conditions and
environmental factors, including volume of network traffic, building materials and construction, and network overhead, lower actual data
throughput rate.
Physical and Technical Specifications
The following table shows the physical and technical specifications for the wireless VPN
firewall:
Table 92. Wireless VPN firewall physical and technical specifications
Feature
Specification
Network protocol and standards compatibility
Data and Routing Protocols
TCP/IP, RIP-1, RIP-2, PPP over Ethernet (PPPoE),
DHCP, DHCPv6
Power plug (localized to the country of sale)
North America
120V, 60 Hz, input
United Kingdom, Australia
240V, 50 Hz, input
Europe
230V, 50 Hz, input
Input, for all regions
12VDC @ 1A output
Default Settings and Technical Specifications
385
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 92. Wireless VPN firewall physical and technical specifications (continued)
Feature
Specification
Dimensions and weight
Dimensions (W x H x D)
19 x 12.5 x 3.5 cm (7.5 X 4.9 X 1.4 in)
Weight
0.59 kg (1.3 lb)
Environmental specifications
Operating temperatures
0º to 40ºC
32º to 104ºF
Storage temperatures
–20º to 70ºC
–4º to 158ºF
Operating humidity
90% maximum relative humidity, noncondensing
Storage humidity
95% maximum relative humidity, noncondensing
Electromagnetic emissions
Meets requirements of
FCC Part 15 Class B
VCCI Class B
EN 55 022 (CISPR 22), Class B
Wired compliance
See Appendix C, Notification of Compliance (Wired).
Wireless compliance
See Appendix D, Notification of Compliance (Wireless).
Interface specifications
LAN
8 LAN autosensing 10/100/1000BASE-T, RJ-45, one of
which is a configurable DMZ interface
WAN
1 WAN autosensing 10/100/1000BASE-T, RJ-45
1 administrative console port
RS-232
The following table shows the IPSec VPN specifications for the wireless VPN firewall:
Table 93. Wireless VPN firewall IPSec VPN specifications
Setting
Specification
Network Management
Web-based configuration and status monitoring
Number of concurrent users supported
12
IPSec authentication algorithm
SHA-1, MD5
Default Settings and Technical Specifications
386
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 93. Wireless VPN firewall IPSec VPN specifications (continued)
Setting
Specification
IPSec encryption algorithm
DES, 3DES, AES-128, AES-192, AES-256
IPSec key exchange
IKE, manual key, pre-shared key, X.509 certificate
IPSec authentication types
Local user database, RADIUS PAP, RADIUS CHAP
IPSec certificates supported
CA certificates, self-signed certificate
The following table shows the SSL VPN specifications for the wireless VPN firewall:
Table 94. Wireless VPN firewall SSL VPN specifications
Setting
Specification
Network Management
Web-based configuration and status monitoring
Number of concurrent users supported
5
SSL versions
SSLv3, TLS1.0
SSL encryption algorithm
DES, 3DES, ARC4, AES-128, AES-192, AES-256
SSL message integrity
MD5, SHA-1, MAC-MD5/SHA-1, HMAC-MD5/SHA-1
SSL authentication types
Local user database, RADIUS-PAP, RADIUS-CHAP,
RADIUS-MSCHAP, RADIUS-MSCHAPv2, WiKID-PAP,
WiKID-CHAP, MIAS-PAP, MIAS-CHAP, NT domain, Active Directory,
LDAP
SSL certificates supported
CA certificates, self-signed certificate
The following table shows the wireless specifications for the wireless VPN firewall:
Table 95. Wireless VPN firewall wireless specifications
Setting
Specification
802.11bg data rates
1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 Mbps, and auto-rate capable
802.11ng/n data rates
Data rates for a channel width of 20 MHz and a (short) guard interval of 400 ms:
Best (automatic), 7.2 Mbps, 14.4 Mbps, 21.7 Mbps, 28.9 Mbps, 43.3 Mbps,
57.8 Mbps, 65 Mbps, 72.2 Mbps, 14.44 Mbps, 28.88 Mbps, 43.33 Mbps,
57.77 Mbps, 86.66 Mbps, 115.56 Mbps, 130 Mbps, 144.44 Mbps
Data rates for a channel width of 40 MHz and a (short) guard interval of 400 ms:
Best (automatic), 15 Mbps, 30 Mbps, 45 Mbps, 60 Mbps, 90 Mbps, 120 Mbps,
135 Mbps, 150 Mbps, 30 Mbps, 60 Mbps, 90 Mbps, 120 Mbps, 180 Mbps,
240 Mbps, 270 Mbps, 300 Mbps
802.11b/bg/ng/n
operating frequencies
•
•
•
•
2.412–2.462
2.457–2.462
2.457–2.472
2.412–2.472
GHz
GHz
GHz
GHz
(US)
(Spain)
(France)
(Europe ETSI)
Default Settings and Technical Specifications
387
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Table 95. Wireless VPN firewall wireless specifications (continued)
Setting
Specification
802.11 b/bg/ng/n
encryption
64-bits and 128-bits WEP, TKIP, CCMP data encryption
Network management
Web-based configuration and status monitoring
Default Settings and Technical Specifications
388
B.
Two-Factor Authentication
B
This appendix provides an overview of two-factor authentication, and an example of how to
implement the WiKID solution. This appendix contains the following sections:
•
Why Do I Need Two-Factor Authentication?
•
NETGEAR Two-Factor Authentication Solutions
Why Do I Need Two-Factor Authentication?
In today’s market, online identity theft and online fraud continue to be one of the fast-growing
cybercrime activities used by many unethical hackers and cybercriminals to steal digital
assets for financial gains. Many companies and corporations are losing millions of dollars
and running into risks of revealing their trade secrets and other proprietary information as a
result of these cybercrime activities. Security threats and hackers have become more
sophisticated, and user names, encrypted passwords, and the presence of firewalls are no
longer enough to protect the networks from being compromised. IT professionals and
security experts have recognized the need to go beyond the traditional authentication
process by introducing and requiring additional factors in the authentication process.
NETGEAR has also recognized the need to provide more than just a firewall to protect the
networks. NETGEAR has implemented a more robust authentication system known as
two-factor authentication (2FA or T-FA) to help address the fast-growing network security
issues.
What Are the Benefits of Two-Factor Authentication?
•
Stronger security. Passwords cannot efficiently protect the corporate networks because
attackers can easily guess simple passwords or users cannot remember complex and
unique passwords. One-time passcode (OTP) strengthens and replaces the need to
remember complex password.
•
No need to replace existing hardware. Two-factor authentication can be added to
existing NETGEAR products through a firmware upgrade.
•
Quick to deploy and manage. The WiKID solution integrates seamlessly with the
NETGEAR SSL and VPN firewall products.
•
Proven regulatory compliance. Two-factor authentication has been used as a
mandatory authentication process for many corporations and enterprises worldwide.
389
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
What Is Two-Factor Authentication?
Two-factor authentication is a security solution that enhances and strengthens security by
implementing multiple factors of the authentication process that challenge and confirm the
users’ identities before they can gain access to the network. There are several factors that
are used to validate the users to make sure that you are who you say you are. These factors
are:
•
Something you know—for example, your password or your PIN.
•
Something you have—for example, a token with generated passcode that is 6 to 8 digits
in length.
•
Something you are—for example, biometrics such as fingerprints or retinal prints.
This appendix focuses on and discusses only the first two factors, something you know and
something you have. This security method can be viewed as a two-tiered authentication
approach because it typically relies on what you know and what you have. A common
example of two-factor authentication is a bank (ATM) card that has been issued by a bank
institute:
•
The PIN to access your account is something you know.
•
The ATM card is something you have.
You need to have both of these factors to gain access to your bank account. Similar to the
way ATM cards work, access to the corporate networks and data can also be strengthened
using a combination of multiple factors such as a PIN and a token (hardware or software) to
validate the users and reduce the incidence of online identity theft.
NETGEAR Two-Factor Authentication Solutions
NETGEAR has implemented 2 two-factor authentication solutions from WiKID. WiKID is the
software-based token solution. So instead of using only Windows Active Directory or LDAP
as the authentication server, administrators now have the option to use WiKID to perform
two-factor authentication on NETGEAR SSL and VPN firewall products.
The WiKID solution is based on a request-response architecture where a one-time passcode
(OTP), which is time-synchronized with the authentication server, is generated and sent to
the user after the validity of a user credential has been confirmed by the server.
The request-response architecture is capable of self-service initialization by end users,
dramatically reducing implementation and maintenance costs.
Here is an example of how WiKID works:

To use WiKID (for end users):
1. Launch the WiKID token software, enter the PIN that has been provided (something the
user knows), and then click Continue to receive the OTP from the WiKID authentication
server:
Two-Factor Authentication
390
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 226.
2. A one-time passcode (something the user has) is generated.
Figure 227.
Note: The one-time passcode is time-synchronized to the authentication
server so that the OTP can be used only once and needs to be used
before the expiration time. If a user does not use this passcode
before it expires, the user needs to go through the request process
again to generate a new OTP.
3. Proceed to the 2 Factor Authentication login screen, and enter the one-time passcode as the
login password.
Two-Factor Authentication
391
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Figure 228.
Two-Factor Authentication
392
C.
Notification of Compliance (Wired)
N ETGE A R Wire d P ro d uct s
C
Regulatory Compliance Information
This section includes user requirements for operating this product in accordance with National
laws for usage of radio spectrum and operation of radio devices. Failure of the end-user to
comply with the applicable requirements may result in unlawful operation and adverse action
against the end-user by the applicable National regulatory authority.
This product's firmware limits operation to only the channels allowed in a particular Region or
Country. Therefore, all options described in this user's guide may not be available in your
version of the product.
FCC Requirements for Operation in the United States
FCC Information to User
This product does not contain any user serviceable components and is to be used with
approved antennas only. Any product changes or modifications will invalidate all applicable
regulatory certifications and approvals
This device complies with Part 15 of the FCC Rules. Operation is subject to the following two
conditions: (1) This device may not cause harmful interference, and (2) this device must
accept any interference received, including interference that may cause undesired operation.
FCC Guidelines for Human Exposure
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled
environment. This equipment should be installed and operated with minimum distance of
20 cm between the radiator and your body. This transmitter must not be co-located or
operating in conjunction with any other antenna or transmitter.
FCC Declaration Of Conformity
We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole
responsibility that the ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies
with Part 15 of FCC Rules.
Operation is subject to the following two conditions:
•
This device may not cause harmful interference, and
•
This device must accept any interference received, including interference that may cause
undesired operation.
393
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
FCC Radio Frequency Interference Warnings & Instructions
This equipment has been tested and found to comply with the limits for a Class B digital
device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide
reasonable protection against harmful interference in a residential installation. This
equipment uses and can radiate radio frequency energy and, if not installed and used in
accordance with the instructions, may cause harmful interference to radio communications.
However, there is no guarantee that interference will not occur in a particular installation.
If this equipment does cause harmful interference to radio or television reception, which can
be determined by turning the equipment off and on, the user is encouraged to try to correct
the interference by one or more of the following methods:
•
Reorient or relocate the receiving antenna.
•
Increase the separation between the equipment and the receiver.
•
Connect the equipment into an electrical outlet on a circuit different from that which the
radio receiver is connected.
•
Consult the dealer or an experienced radio/TV technician for help.
Modifications made to the product, unless expressly approved by NETGEAR, Inc., could void
the user's right to operate the equipment.
Canadian Department of Communications Radio Interference Regulations
This digital apparatus, ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N, does not
exceed the Class B limits for radio-noise emissions from digital apparatus as set out in the Radio
Interference Regulations of the Canadian Department of Communications.
This Class [B] digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe [B] est conforme à la norme NMB-003 du Canada.
European Union
The ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies with essential
requirements of EU EMC Directive 2004/108/EC and Low Voltage Directive 2006/95/EC as
supported by applying the following test methods and standards:
•
EN55022: 2006 / A1: 2007
•
EN55024: 1998 / A1: 2001 / A2 : 2003
•
EN60950-1: 2005 2nd Edition
•
EN 61000-3-2:2006
•
EN 61000-3-3:1995 w/A1: 2001+A2: 2005
GPL License Agreement
GPL may be included in this product; to view the GPL license agreement, go to
ftp://downloads.netgear.com/files/GPLnotice.pdf.
For GNU General Public License (GPL) related information, please visit
http://support.netgear.com/app/answers/detail/a_id/2649.
Notification of Compliance (Wired)
394
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Additional Copyrights
AES
Copyright (c) 2001, Dr. Brian Gladman, [email protected], Worcester, UK.
All rights reserved.
TERMS
Redistribution and use in source and binary forms, with or without modification, are permitted
subject to the following conditions:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions, and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. The copyright holder’s name must not be used to endorse or promote any products
derived from this software without his specific prior written permission.
This software is provided “as is” with no express or implied warranties of correctness or fitness
for purpose.
Open SSL
Copyright (c) 1998–2000 The OpenSSL Project. All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted
provided that the following conditions are met:
1. Redistributions of source code must retain the above copyright notice, this list of
conditions, and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright notice, this list of
conditions, and the following disclaimer in the documentation and/or other materials
provided with the distribution.
3. All advertising materials mentioning features or use of this software must display the
following acknowledgment: “This product includes software developed by the OpenSSL
Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
4. The names “OpenSSL Toolkit” and “OpenSSL Project” must not be used to endorse or
promote products derived from this software without prior written permission. For written
permission, contact [email protected]
5. Products derived from this software may not be called “OpenSSL” nor may “OpenSSL”
appear in their names without prior written permission of the OpenSSL Project.
6. Redistributions of any form whatsoever must retain the following acknowledgment: “This
product includes software developed by the OpenSSL Project for use in the OpenSSL
Toolkit (http://www.openssl.org/).
THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT “AS IS,” AND ANY
EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR ITS
CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,
EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,
PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY
OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
This product includes cryptographic software written by Eric Young ([email protected]). This
product includes software written by Tim Hudson ([email protected]).
Notification of Compliance (Wired)
395
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
MD5
Copyright (C) 1990, RSA Data Security, Inc. All rights reserved.
License to copy and use this software is granted provided that it is identified as the “RSA Data
Security, Inc. MD5 Message-Digest Algorithm” in all material mentioning or referencing this
software or this function. License is also granted to make and use derivative works provided
that such works are identified as “derived from the RSA Data Security, Inc. MD5
Message-Digest Algorithm” in all material mentioning or referencing the derived work.
RSA Data Security, Inc. makes no representations concerning either the merchantability of
this software or the suitability of this software for any particular purpose. It is provided “as is”
without express or implied warranty of any kind.
These notices must be retained in any copies of any part of this documentation and/or
software.
PPP
Copyright (c) 1989 Carnegie Mellon University. All rights reserved.
Redistribution and use in source and binary forms are permitted provided that the above
copyright notice and this paragraph are duplicated in all such forms and that any
documentation, advertising materials, and other materials related to such distribution and use
acknowledge that the software was developed by Carnegie Mellon University. The name of
the University may not be used to endorse or promote products derived from this software
without specific prior written permission.
THIS SOFTWARE IS PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
Zlib
zlib.h. Interface of the zlib general purpose compression library version 1.1.4, March 11th,
2002. Copyright (C) 1995–2002 Jean-loup Gailly and Mark Adler.
This software is provided “as is,” without any express or implied warranty. In no event will the
authors be held liable for any damages arising from the use of this software. Permission is
granted to anyone to use this software for any purpose, including commercial applications,
and to alter it and redistribute it freely, subject to the following restrictions:
1. The origin of this software must not be misrepresented; you must not claim that you wrote
the original software. If you use this software in a product, an acknowledgment in the
product documentation would be appreciated but is not required.
2. Altered source versions must be plainly marked as such, and must not be misrepresented
as being the original software.
3. This notice may not be removed or altered from any source distribution.
Jean-loup Gailly: [email protected]; Mark Adler: [email protected]
The data format used by the zlib library is described by RFCs (Request for Comments) 1950
to 1952 in the files rfc1950.txt (zlib format), rfc1951.txt (deflate format), and rfc1952.txt (gzip
format). For more information, see http://www.ietf.org/rfc/.
Notification of Compliance (Wired)
396
D.
Notification of Compliance (Wireless)
NETG EAR Wireless Routers, G ateways, APs
D
Regulatory Compliance Information
Note: This section includes user requirements for operating this product in accordance with National laws for usage
of radio spectrum and operation of radio devices. Failure of the end-user to comply with the applicable
requirements may result in unlawful operation and adverse action against the end-user by the applicable National
regulatory authority.
Note: This product's firmware limits operation to only the channels allowed in a particular Region or Country.
Therefore, all options described in this user's guide may not be available in your version of the product.
Europe – EU Declaration of Conformity
Marking by the above symbol indicates compliance with the Essential Requirements of the R&TTE Directive of the
European Union (1999/5/EC). This equipment meets the following conformance standards:
EN300 328 (2.4Ghz), EN301 489-17 EN60950-1
For complete DoC, visit the NETGEAR EU Declarations of Conformity website at:
http://support.netgear.com/app/answers/detail/a_id/11621/.
EDOC in Languages of the European Community
Language
Statement
Cesky [Czech]
NETGEAR Inc. tímto prohlašuje, že tento Radiolan je ve shode se základními požadavky a
dalšími príslušnými ustanoveními smernice 1999/5/ES.
Dansk [Danish]
Undertegnede NETGEAR Inc. erklærer herved, at følgende udstyr Radiolan overholder de
væsentlige krav og øvrige relevante krav i direktiv 1999/5/EF.
Deutsch
[German]
Hiermit erklärt NETGEAR Inc., dass sich das Gerät Radiolan in Übereinstimmung mit den
grundlegenden Anforderungen und den übrigen einschlägigen Bestimmungen der Richtlinie
1999/5/EG befindet.
Eesti [Estonian]
Käesolevaga kinnitab NETGEAR Inc. seadme Radiolan vastavust direktiivi 1999/5/EÜ
põhinõuetele ja nimetatud direktiivist tulenevatele teistele asjakohastele sätetele.
English
Hereby, NETGEAR Inc., declares that this Radiolan is in compliance with the essential
requirements and other relevant provisions of Directive 1999/5/EC.
397
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Español [Spanish] Por medio de la presente NETGEAR Inc. declara que el Radiolan cumple con los requisitos
esenciales y cualesquiera otras disposiciones aplicables o exigibles de la Directiva
1999/5/CE.
Ελληνική [Greek]
ΜΕ ΤΗΝ ΠΑΡΟΥΣΑ NETGEAR Inc. ΔΗΛΩΝΕΙ ΟΤΙ Radiolan ΣΥΜΜΟΡΦΩΝΕΤΑΙ ΠΡΟΣ
ΤΙΣ ΟΥΣΙΩΔΕΙΣ ΑΠΑΙΤΗΣΕΙΣ ΚΑΙ ΤΙΣ ΛΟΙΠΕΣ ΣΧΕΤΙΚΕΣ ΔΙΑΤΑΞΕΙΣ ΤΗΣ ΟΔΗΓΙΑΣ
1999/5/ΕΚ.
Français [French] Par la présente NETGEAR Inc. déclare que l'appareil Radiolan est conforme aux exigences
essentielles et aux autres dispositions pertinentes de la directive 1999/5/CE.
Italiano [Italian]
Con la presente NETGEAR Inc. dichiara che questo Radiolan è conforme ai requisiti
essenziali ed alle altre disposizioni pertinenti stabilite dalla direttiva 1999/5/CE.
Latviski [Latvian]
Ar šo NETGEAR Inc. deklarē, ka Radiolan atbilst Direktīvas 1999/5/EK būtiskajām
prasībām un citiem ar to saistītajiem noteikumiem.
Lietuvių
[Lithuanian]
Šiuo NETGEAR Inc. deklaruoja, kad šis Radiolan atitinka esminius reikalavimus ir kitas
1999/5/EB Direktyvos nuostatas.
Nederlands
[Dutch]
Hierbij verklaart NETGEAR Inc. dat het toestel Radiolan in overeenstemming is met de
essentiële eisen en de andere relevante bepalingen van richtlijn 1999/5/EG.
Malti [Maltese]
Hawnhekk, NETGEAR Inc., jiddikjara li dan Radiolan jikkonforma mal-htigijiet essenzjali u
ma provvedimenti ohrajn relevanti li hemm fid-Dirrettiva 1999/5/EC.
Magyar
[Hungarian]
Alulírott, NETGEAR Inc. nyilatkozom, hogy a Radiolan megfelel a vonatkozó alapvetõ
követelményeknek és az 1999/5/EC irányelv egyéb elõírásainak.
Polski [Polish]
Niniejszym NETGEAR Inc. oświadcza, że Radiolan jest zgodny z zasadniczymi wymogami
oraz pozostałymi stosownymi postanowieniami Dyrektywy 1999/5/EC.
Português
[Portuguese]
NETGEAR Inc. declara que este Radiolan está conforme com os requisitos essenciais e
outras disposições da Directiva 1999/5/CE.
Slovensko
[Slovenian]
NETGEAR Inc. izjavlja, da je ta Radiolan v skladu z bistvenimi zahtevami in ostalimi
relevantnimi določili direktive 1999/5/ES.
Slovensky
[Slovak]
NETGEAR Inc. týmto vyhlasuje, že Radiolan spĺňa základné požiadavky a všetky príslušné
ustanovenia Smernice 1999/5/ES.
Suomi [Finnish]
NETGEAR Inc. vakuuttaa täten että Radiolan tyyppinen laite on direktiivin 1999/5/EY
oleellisten vaatimusten ja sitä koskevien direktiivin muiden ehtojen mukainen.
Svenska
[Swedish]
Härmed intygar NETGEAR Inc. att denna Radiolan står I överensstämmelse med de
väsentliga egenskapskrav och övriga relevanta bestämmelser som framgår av direktiv
1999/5/EG.
Notification of Compliance (Wireless)
398
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Íslenska
[Icelandic]
Hér með lýsir NETGEAR Inc. yfir því að Radiolan er í samræmi við grunnkröfur og aðrar
kröfur, sem gerðar eru í tilskipun 1999/5/EC.
Norsk
[Norwegian]
NETGEAR Inc. erklærer herved at utstyret Radiolan er i samsvar med de grunnleggende
krav og øvrige relevante krav i direktiv 1999/5/EF.
This device is a 2.4 GHz wideband transmission system (transceiver), intended for use in all EU member states and
EFTA countries, except in France and Italy where restrictive use applies.
In Italy the end-user should apply for a license at the national spectrum authorities in order to obtain authorization to
use the device for setting up outdoor radio links and/or for supplying public access to telecommunications and/or
network services.
This device may not be used for setting up outdoor radio links in France and in some areas the RF output power may
be limited to 10 mW EIRP in the frequency range of 2454 - 2483.5 MHz. For detailed information the end-user should
contact the national spectrum authority in France.
FCC Requirements for Operation in the United States
FCC Information to User
This product does not contain any user serviceable components and is to be used with approved antennas only.
Any product changes or modifications will invalidate all applicable regulatory certifications and approvals.
FCC Guidelines for Human Exposure
This equipment complies with FCC radiation exposure limits set forth for an uncontrolled environment. This
equipment should be installed and operated with minimum distance of 20 cm between the radiator and your body.
This transmitter must not be co-located or operating in conjunction with any other antenna or transmitter.
FCC Declaration of Conformity
We, NETGEAR, Inc., 350 East Plumeria Drive, San Jose, CA 95134, declare under our sole responsibility that the
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N complies with Part 15 Subpart B of FCC CFR47 Rules.
Operation is subject to the following two conditions:
• This device may not cause harmful interference, and
• This device must accept any interference received, including interference that may cause undesired operation.
FCC Radio Frequency Interference Warnings & Instructions
This equipment has been tested and found to comply with the limits for a Class B digital device, pursuant to Part 15
of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference in a
residential installation. This equipment uses and can radiate radio frequency energy and, if not installed and used in
accordance with the instructions, may cause harmful interference to radio communications. However, there is no
guarantee that interference will not occur in a particular installation. If this equipment does cause harmful
interference to radio or television reception, which can be determined by turning the equipment off and on, the user
is encouraged to try to correct the interference by one or more of the following methods:
• Reorient or relocate the receiving antenna.
• Increase the separation between the equipment and the receiver.
• Connect the equipment into an electrical outlet on a circuit different from that which the radio receiver is
connected.
• Consult the dealer or an experienced radio/TV technician for help.
FCC Caution
• Any changes or modifications not expressly approved by the party responsible for compliance could void the
user’s authority to operate this equipment.
• This device complies with Part 15 of the FCC Rules. Operation is subject to the following two conditions: (1) This
device may not cause harmful interference, and (2) this device must accept any interference received, including
interference that may cause undesired operation.
Notification of Compliance (Wireless)
399
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
• For product available in the USA market, only channel 1~11 can be operated. Selection of other channels is not
possible.
• This device and its antenna(s) must not be co-located or operation in conjunction with any other antenna or
transmitter.
Canadian Department of Communications Radio Interference Regulations
This digital apparatus (ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N) does not exceed the Class B limits
for radio-noise emissions from digital apparatus as set out in the Radio Interference Regulations of the Canadian
Department of Communications.
This Class [B] digital apparatus complies with Canadian ICES-003.
Cet appareil numérique de la classe [B] est conforme à la norme NMB-003 du Canada
Industry Canada
This device complies with RSS-210 of the Industry Canada Rules. Operation is subject to the following two conditions:
(1) This device may not cause harmful interference, and (2) this device must accept any interference received,
including interference that may cause undesired operation.
IMPORTANT NOTE: Radiation Exposure Statement:
This equipment complies with IC radiation exposure limits set forth for an uncontrolled environment. This equipment
should be installed and operated with minimum distance 20cm between the radiator & your body.
Caution:
Ce dispositif est conforme à la norme CNR-210 d'Industrie Canada applicable aux appareils radio exempts de licence.
Son fonctionnement est sujet aux deux conditions suivantes: (1) le dispositif ne doit pas produire de brouillage
préjudiciable, et (2) ce dispositif doit accepter tout brouillage reçu, y compris un brouillage susceptible de provoquer un
fonctionnement indésirable.
NOTE IMPORTANTE: Déclaration d'exposition aux radiations:
Cet équipement est conforme aux limites d'exposition aux rayonnements IC établies pour un environnement non
contrôlé. Cet équipement doit être installé et utilisé avec un minimum de 20 cm de distance entre la source de
rayonnement et votre corps.
GPL License Agreement
GPL may be included in this product; to view the GPL license agreement go to
ftp://downloads.netgear.com/files/GPLnotice.pdf.
For GNU General Public License (GPL) related information, please visit
http://support.netgear.com/app/answers/detail/a_id/2649.
Interference Reduction Table
The following table shows the Recommended Minimum Distance between NETGEAR equipment and household
appliances to reduce interference (in feet and meters).
Household Appliance
Recommended Minimum Distance (in feet and meters)
Microwave ovens
30 feet / 9 meters
Baby Monitor - Analog
20 feet / 6 meters
Baby Monitor - Digital
40 feet / 12 meters
Cordless phone - Analog
20 feet / 6 meters
Notification of Compliance (Wireless)
400
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Household Appliance
Recommended Minimum Distance (in feet and meters)
Cordless phone - Digital
30 feet / 9 meters
Bluetooth devices
20 feet / 6 meters
ZigBee
20 feet / 6 meters
Notification of Compliance (Wireless)
401
Index
Numerics
administrative default settings 385
administrator
default name and password 21
receiving logs by email 341
settings (admin) 320
user account 298
advertisement prefixes, IPv6
DMZ, configuring for 93
LAN, configuring for 79
advertisement, UPnP information 188
AES (Advanced Encryption Standard)
IKE policy settings 222
Mode Config settings 240
VPN policy settings 231–232
ALG (Application Level Gateway) 167
antennas
external orientation 104
rear panel 18
Application Level Gateway (ALG) 167
ARP (Address Resolution Protocol)
broadcasting, configuring 62
requests 64
arrows, option (web management interface) 23
attached devices
monitoring with SNMP 326
viewing 359
attack checks 162–165
authentication
for IPSec VPN
pre-shared key 192, 196, 200, 223
RSA signature 223
for SSL VPN 291
network 110
See also
AD (Active Directory)
LDAP (Lightweight Directory Access Protocol)
MIAS (Microsoft Internet Authentication Service)
RADIUS authentication
WiKID
authentication domain 289, 297
authentication, authorization, and accounting (AAA)
235
Auto Uplink, autosensing Ethernet connections 13
10BASE-T, 100BASE-T, and 1000BASE-T speeds 49
2.4-GHz wireless mode 106
20- and 40-MHz channel spacing 106
3322.org 45–47
64-bit and 128-bit WEP 116
6to4 tunnels
configuring globally 41
DMZ, configuring for 94
LAN, configuring for 80
802.11b/bg/ng/n data rates and frequencies 387
802.11b/bg/ng/n modes 106
A
AAA (authentication, authorization, and accounting)
235
access
remote management 322
restricting by MAC address 117
access point, default settings 382
account name, PPTP and PPPoE 32
action buttons (web management interface) 23
Active LED 17
active users, IPSec VPN, SSL VPN, and L2TP
353–354
ActiveX
blocking 175
web cache cleaner, SSL VPN 266
AD (Active Directory)
configuration 291
description 288
address autoconfiguration, IPv6 37
address pools, Mode Config operation 240
address reservation 69
Address Resolution Protocol (ARP)
broadcasting, configuring 62
requests 64
addresses (IPv4 and IPv6)
requirements and errors 24
See also
IPv4 addresses
IPv6 addresses
402
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
self-signed 307–309
signature key length 311
trusted 307–308
certification authority (CA) 225, 306–313
channel spacing, wireless 106
channels and frequencies, selecting 106
CHAP (Challenge Handshake Authentication Protocol)
288
See also
MIAS (Microsoft Internet Authentication Service)
RADIUS authentication
WiKID
classical routing (IPv4), configuring 27
Clear to Send (CTS) packets and self-protection 123
client identifier 34
clients, wireless
separating 115
viewing 120, 362
collision detection and collision avoidance, CSMA 123
community strings, SNMP 327
compatibility, protocols and standards 385
compliance, regulatory
wired products 393–396
wireless products 397–400
concatenating IPv6 addresses 43
configuration file, managing 329–331
configuration manager (web management interface)
login 20
menu 23
configuration settings, defaults 379–385
connection reset, PPPoE broadband connection 33
connection type and state (WAN), viewing 351
connectivity, testing
Internet 50
wireless 124
console port 18
content filtering, configuring 175
cookies, blocking 175
Counter Mode with Cipher Block Chaining Message
Authentication Code Protocol (CCMP) 108, 115
counter, WAN traffic 337
country, wireless radio 105
CRL (certificate revocation list) 308, 313
crossover cable 13, 369
CSMA (Carrier Sense Multiple Access) 123
CSR (certificate signing request) 309
CTS (Clear to Send) packets and self-protection 123
custom services, firewall 168
autodetecting IPv4 Internet settings 29
autoinitiating VPN tunnels 230
autosensing port speed 49
B
b mode, wireless 106
backing up configuration file 330
bandwidth capacity 314
bandwidth limits, logging dropped packets 340
bandwidth profiles
creating 171–173
shifting traffic mix 320
basic service set (BSS) 110
basic service set identifier (BSSID) 109
beacon interval 123
blocking
instant messaging (rule example) 160
sites to reduce traffic 316
TCP flood 163
traffic, action when reaching limit 338
UDP flood 164
broadband
advanced settings (IPv4 and IPv6) 48
classical routing (IPv4), configuring 27
IPv4 connection status 30, 35, 356
IPv6 connection status 39, 41, 358
IPv6 mode, configuring 36
NAT (IPv4), configuring 27
broadcasting wireless network names (SSIDs) 108, 114
browsers
user login policies 304
web management interface 20
BSS (basic service set) 110
BSSID (basic service set identifier) 109
buttons (web management interface) 23
C
CA (certification authority) 225, 306–313
cache control, SSL VPN 265
capturing packets 365
Carrier Sense Multiple Access (CSMA) 123
CCMP (Counter Mode with Cipher Block Chaining
Message Authentication Code Protocol) 108, 115
certificate revocation list (CRL) 308, 313
certificate signing request (CSR) 309
certificates
commercial CAs 307
CRL 308, 313
CSR 309
overview 306
403
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
D
DMZ (demilitarized zone)
configuring 82–95
increasing traffic 318
port 12, 17
DNS (Domain Name Server)
automatic configuration of computers 13
dynamic 45–47
looking up an address 364
Mode Config address allocation 240
proxy 13, 86
proxy, VLANs 55, 60
server IPv4 addresses
broadband settings 34
DMZ settings 85
LAN/VLAN settings 59
SSL VPN settings 271
server IPv6 addresses
broadband settings 40
DMZ settings 89
LAN settings 74
SSL VPN settings 271
documentation, online 378
domain name blocking 175
Domain Name Server. See DNS.
domain name, PPTP and PPPoE connections 32
domains for authentication 289, 297
DoS (denial of service)
attack check settings 163–164
default protection 12, 131
DPD (Dead Peer Detection) 223, 255
DTIM (Delivery Traffic Indication Message) interval 123
duplex, half and full 49
Dynamic DNS (DDNS), configuring 45–47
Dynamic Host Configuration Protocol. See DHCP.
dynamically assigned IPv4 addresses 34
DynDNS.org 45–47
Data Encryption Standard. See DES.
data rates, 802.11b/bg/ng/n 387
database, local users 290
date and daylight saving time
settings 334
troubleshooting settings 378
DC power plug receptacle 18
DDNS (Dynamic DNS), configuring 45–47
Dead Peer Detection (DPD) 223, 255
defaults
configuration settings 379–385
configuration, restoring 376
factory 331, 376
firewall IPv4 address and subnet mask 58
IPSec VPN Wizard 191, 195
login time-out 21
MTU 48
password 21, 376
PVID 52
user name 21
delegating, IPv6 prefixes
LAN DHCPv6 server 71, 76
WAN DHCPv6 client 38
demilitarized zone. See DMZ.
denial of service. See DoS.
DES (Data Encryption Standard) and 3DES 222,
231–232, 240
DH (Diffie-Hellman) groups 218, 223, 233, 240
DHCP (Dynamic Host Configuration Protocol)
automatic configuration of devices 13
DNS servers, IPv4 addresses 59, 85
domain name 59, 85
LDAP server 60, 86
lease time 59, 85
log, monitoring 360
relay 86
relay, VLANs 55, 59
server 85
server, VLANs 54, 58
WINS server 59, 85
DHCPv6, stateless and stateful
DMZ, configuring 88
LAN, configuring 73
WAN, configuring 38
diagnostics tools 362
Diffie-Hellman (DH) groups 218, 223, 233, 240
digital certificates. See certificates.
dimensions 386
dipole antenna 18
direction, bandwidth profiles 172
E
e-commerce 260
edge devices, configuring 234–235
electromagnetic emissions 386
emailing
IP/MAC binding violations 182–184
logs 341
traffic meter reports and alerts 337–338
encryption
WEP 116
WPA, WPA2, and mixed mode 115
environmental specifications 386
ESS (extended service set) 110
Ethernet ports 15
404
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
event logs 340
examples of firewall rules 155–162
exchange mode, IKE policies 218, 221
exposed hosts
increasing traffic 319
specifying (rule example) 159
extended authentication (XAUTH)
configuring 233–235
IKE policies 224
extended service set (ESS) 110
gateway, ISP
IPv4 address 34
IPv6 address 40
generating keys, WEP 116
global addresses, IPv6 43
global IPv6 tunnels
DMZ, configuring for 94
LAN, configuring for 80
group and global policies, configuring for SSL VPN 276
groups
LAN groups 66–69
VPN policies 293
guests, user account 296–298
GUI (graphical user interface)
description 22
troubleshooting 369
F
factory default settings
list of 379–385
reverting to 331
FE80 and FEC0 IPv6 addresses 70
firewall
attack checks 162–165
bandwidth profiles 171–173
custom services 168
default settings 381
inbound rules. See inbound rules.
outbound rules. See outbound rules.
overview 12
QoS profiles 173
rules
See also inbound rules.
See also outbound rules.
numbers and types supported 127
order of precedence 134
scheduling 178
firmware, upgrading 332
flags, router advertisements
DMZ, configuring for 93
LAN, configuring for 79
FQDNs (fully qualified domain names)
DDNS requirements 45
IPSec VPN, configuring endpoints 192, 196, 200,
222
SSL VPN, configuring port forwarding 262
fragmentation length 123
frames, jumbo 165
frequencies 802.11b/bg/ng 387
frequencies and channels, selecting 106
front panel, ports and LEDs 15
FTP access, allowing from DMZ (rule example) 161
full tunnel, SSL VPN 269
fully qualified domain names. See FQDNs.
H
hardware
front panel ports and LEDs 16
rear panel, components 18
Help button (web management interface) 24
hosts
exposed, increasing traffic 319
exposed, specifying (rule example) 159
name resolution 268
public web server (rule example) 155
HTTP management 325
humidity, operating and storage 386
I
ICMP (Internet Control Message Protocol)
time-out 167
type 169
idle time-out, broadband connection 33
IGP (Interior Gateway Protocol) 97
IKE policies
exchange mode 218, 221
ISAKMP identifier 218, 222
managing 217
Mode Config operation 221, 241
XAUTH 224
inbound rules
default 127
examples 155–160
increasing traffic 317
IPv4
DMZ-to-WAN rules 147
LAN-to-DMZ rules 154
LAN-to-WAN rules 140
G
g mode, wireless 106
405
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
LAN, secondary 62–64
MAC bindings 181
port forwarding, SSL VPN 267
reserved 69
secondary LAN 62
SSL VPN
clients, configuring 272
policies, configuring 280
resources, configuring 276
static or permanent 30, 34
subnet mask, default 58
subnet mask, DMZ port 85
VPN tunnels 192, 200, 222, 231
IPv4 DMZ, configuring 83–86
IPv4 gateway 34
IPv4 Internet connection
autodetecting 28
manually configuring 31
setting up 25
IPv4 ISP, logging in 31
IPv4 routing modes 26
IPv6 addresses
autoconfiguration 37, 73, 88
concatenating 43
DHCPv6, stateless and stateful
DMZ, configuring 88
LAN, configuring 73
WAN, configuring 38
DMZ address pools 90
DMZ advertisement prefixes 93
DMZ port 88
DNS servers 40, 74, 89
errors 24
FE80 and FEC0 70
LAN address pools 75
LAN advertisement prefixes 79
LAN setup 73
LAN, secondary 81–82
link-local address 70
MAC bindings 183
private address 43
route destination 101
secondary LAN 81
SSL VPN
clients, configuring 272
policies, configuring 280
resources, configuring 276
static or permanent 40
tunnel addresses, viewing 45
unique global address 43
VPN tunnels 196, 222, 231
IPv6 connection, troubleshooting 372
IPv6 DMZ, configuring 86–95
IPv6 gateway 102
IPv6
DMZ-to-WAN rules 149
LAN-to-DMZ rules 154
LAN-to-WAN rules 141
order of precedence 134
overview 130
scheduling 178
settings 132–133
inbound traffic, bandwidth 172
increasing traffic
overview 317–319
port forwarding 131
infrastructure mode 107
installation, verifying 50
instant messaging, blocking (rule example) 160
interface specifications 386
interference (wireless) 104
Interior Gateway Protocol (IGP) 97
Internet connection
configuring 25
default settings 379
testing 50
Internet Control Message Protocol (ICMP)
time-out 167
type 169
Internet Key Exchange. See IKE policies.
Internet service provider (ISP)
connection, troubleshooting 370
gateway IPv4 address 34
gateway IPv6 address 40
Intra-Site Automatic Tunnel Addressing Protocol
(ISATAP) tunnels
configuring globally 43
DMZ, configuring for 94
LAN, configuring for 80
IP buttons (web management interface) 23
IP/MAC bindings 180–184
IPSec hosts, XAUTH 234–235
IPSec VPN Wizard
client-to-gateway tunnels, setting up 199
default settings 191, 195
description 14
gateway-to-gateway tunnels, setting up 190, 194
IPSec VPN. See VPN tunnels.
IPv4 addresses
autogenerated 369
default 58
DHCP, address pool 85
DMZ port 84
DNS servers 34, 59, 85
dynamically assigned 34
errors 24
ISATAP tunnel address 44
406
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
L
IPv6 Internet connection
manually configuring 39
setting up 26
IPv6 mode, configuring 36
IPv6 prefix length
DMZ address 88
DMZ advertisements 94
DMZ DHCPv6 address pools 90
IPSec VPN policies 231
ISP address 40
LAN address 73
LAN advertisements 80
LAN DHCPv6 address pools 75
LAN prefix delegation 76
secondary LAN IP address 82
SSL VPN policies 281
static routes 101
IPv6 prefix lifetimes
DMZ advertisements 94
LAN advertisements 80
IPv6 prefixes
6to4 tunnel 42
DMZ advertisements 94
ISATAP tunnels 44
LAN advertisements 80
IPv6 tunnel status and addresses, viewing 45
IPv6 tunnels
configuring globally 41–45
DMZ, configuring for 94
LAN, configuring for 80
ISAKMP identifier 218, 222
ISATAP (Intra-Site Automatic Tunnel Addressing
Protocol) tunnels
configuring globally 43
DMZ, configuring for 94
LAN, configuring for 80
ISP (Internet service provider)
connection, troubleshooting 370
gateway IPv4 address 34
gateway IPv6 address 40
L2TP (Layer 2 Tunneling Protocol) server 257
L2TP Access Concentrator (LAC) 257
L2TP users 298, 305
LAC (L2TP Access Concentrator) 257
LAN
address pools (IPv6) 74, 89
bandwidth capacity 314
default settings 380
groups, assigning and managing 66–69
IPv4 settings, configuring 53
IPv6 settings, configuring 72
Known PCs and Devices table 66
network database 64–68
port status, viewing 350
prefixes (IPv6) 71, 76
secondary IPv4 addresses 62
secondary IPv6 addresses 81
testing the LAN path 375
LAN groups, keyword blocking 177
LAN LEDs 17, 369
LAN ports 11, 15
LAN security checks 164
Layer 2 Tunneling Protocol (L2TP) server 257
LDAP (Lightweight Directory Access Protocol)
description 288
domain authentication 291
server, DHCP 60, 86
VLANs 55
lease and rebind time, DHCPv6 74, 89
LEDs (front panel)
explanation of 16
troubleshooting 368–369
lifetime, router
DMZ, configuring for 93
LAN, configuring for 79
Lightweight Directory Access Protocol. See LDAP.
limit, traffic meter (or counter) 337
limits, sessions 166
link-local addresses, IPv6 70
link-local advertisements, IPv6
DMZ, configuring for 90
LAN, configuring for 77
local area network. See LAN.
local IPv6 tunnels
DMZ, configuring for 94
LAN, configuring for 80
local user database 290
location of wireless VPN firewall 19
lock, security 18
login attempts 340
login default settings 379
J
Java, blocking 174
jumbo frames 165
K
keep-alives, VPN tunnels 230, 254
key generation, WEP 116
keyword blocking 175
knowledge base 378
407
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
login policies, user 299–304
login time-out
changing 304, 320
default 21
logs, configuring 340
long preamble 123
looking up DNS address 364
losing wireless connection 119
multicast pass-through 164
multihome LAN addresses
IPv4, configuring 62–64
IPv6, configuring 81–82
N
n and ng modes, wireless 106
names, changing
DDNS host and domain 47
ISP login 31
known PCs and devices 66
LAN groups 68
PPTP and PPPoE accounts 32
wireless profiles and SSIDs 113
NAS (Network Access Server) 237
NAT (Network Address Translation)
configuring 27
description 13
firewall, use with 125
mapping, one-to-one
description 27
rule example 157
status, viewing 351
navigation menu (web management interface) 22
NBMA (nonbroadcast multiple access) 78, 92
NDP (Neighbor Discovery Protocol) 77, 90
NetBIOS, VPN tunnels 230, 257
Network Access Server (NAS) 237
Network Address Translation. See NAT.
network resources, SSL VPN, configuring 273–276
networks
authentication 110
database 64–68, 359
diagnostic tools 362
newsgroup 175
nonbroadcast multiple access (NBMA) 78, 92
NT domain 288, 291
NTP (Network Time Protocol)
servers, settings 334
troubleshooting 377
M
MAC addresses
blocked, adding 179
configuring 35, 41, 49
format 49, 180
IP bindings 180–184
restricting wireless access by 108, 117
spoofing 372
VLANs, unique 61
main navigation menu (web management interface) 22
managed RA flags
DMZ, configuring for 93
LAN, configuring for 79
management default settings 385
maximum transmission unit (MTU)
default 48
IPv6 DMZ packets 93
IPv6 LAN packets 79
MD5
IKE polices 222
Mode Config setting 241
RIP-2 99
self-signed certificate requests 311
VPN policies 232
Media Access Control. See MAC addresses.
menu (web management interface) 22
Message-Digest algorithm 5. See MD5.
metering WAN traffic 335
metric
static IPv4 routes 96
static IPv6 routes 102
MIAS (Microsoft Internet Authentication Service)
description 288
MIAS-CHAP and MIAS-PAP 291
Mode Config operation
configuring 238–245
record 221
mode, wireless 106
monitoring default settings 385
MTU (maximum transmission unit)
default 48
IPv6 DMZ packets 93
IPv6 LAN packets 79
O
On/Off switch 18
one-time passcode (OTP) 389–391
online documentation 378
online games, DMZ port 83
open system (no wireless security) 114
operating frequency, radio 105
option arrows (web management interface) 23
Oray.net 45–47
408
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
order of precedence, firewall rules 134
OTP (one-time passcode) 389–391
outbound rules
default 127
examples 160–162
IPv4
DMZ-to-WAN rules 145
LAN-to-DMZ rules 152
LAN-to-WAN rules 137
IPv6
DMZ-to-WAN rules 146
LAN-to-DMZ rules 153
LAN-to-WAN rules 139
order of precedence 134
overview 127
QoS profile 129
reducing traffic 315
scheduling 178
service blocking 127
settings 128–130
outbound traffic, bandwidth 172
troubleshooting TCP/IP 375
using the ping utility 364
placement of wireless VPN firewall 19, 104
plug and play (UPnP), configuring 187
Point-to-Point Tunneling Protocol (PPTP) settings 30, 32
policies
IKE
exchange mode 218, 221
ISAKMP identifier 218, 222
managing 217
Mode Config operation 221, 241
XAUTH 224
IPSec VPN
automatically generated 225
groups, configuring 293
managing 217
manually generated 225
SSL VPN
managing 276
settings 280
policy hierarchy 276
pools, Mode Config operation 240
port filtering
reducing traffic 315
rules 127
port forwarding
firewall rules 127, 130
increasing traffic 131
reducing traffic 317
port membership, VLANs 58
port numbers
customized services 168
port triggering 185
SSL VPN port forwarding 268
port ranges
port triggering 187
SSL VPN policies 280–281
SSL VPN resources 276
port speed 49
port triggering
configuring 185–187
increasing traffic 318
status monitoring 187, 355
Port VLAN Identifier (PVID) 52
portals, SSL VPN
accessing 282
configuring 262–266
options for 260
ports
console 18
LAN and WAN and their LEDs 15
Power LED 16, 368
P
package contents, wireless VPN firewall 15
packets
accepted and dropped 340
capturing 365
transmitted, received, and collided 348
PAP (Password Authentication Protocol) 288
See also
MIAS (Microsoft Internet Authentication Service)
RADIUS authentication
WiKID
partition, WLAN 115
passphrase, WEP, WPA, WPA2, and mixed mode 115
pass-through, multicast 164
passwords
changing 304, 320
default 21
restoring 376
Perfect Forward Secrecy (PFS) 233, 240
performance management 314
permanent addresses
IPv4 address 30, 34
IPv6 address 40
PFS (Perfect Forward Secrecy) 233, 240
PIN method, WPS 122
pinging
checking connections 364
responding on Internet ports 163
responding on LAN ports 164
409
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
power plug receptacle and Power On/Off switch 18
power specifications 385
PPP connection 260
PPPoE (PPP over Ethernet)
description 13
settings 30, 33
PPTP (Point-to-Point Tunneling Protocol) settings 30, 32
preamble type 123
preference, router (IPv6)
DMZ, configuring for 93
LAN, configuring for 79
prefix delegation (IPv6)
LAN DHCPv6 server 71, 76
WAN DHCPv6 client 38
prefix length, IPv6
DMZ address 88
DMZ advertisements 94
DMZ DHCPv6 address pools 90
IPSec VPN policies 231
ISP address 40
LAN address 73
LAN advertisements 80
LAN DHCPv6 address pools 75
LAN prefix delegation 76
secondary LAN IP address 82
SSL VPN policies 281
static routes 101
prefix lifetimes, IPv6
DMZ advertisements 94
LAN advertisements 80
prefixes, IPv6
6to4 tunnel 42
DMZ advertisements 94
ISATAP tunnel 44
LAN advertisements 80
pre-shared key
client-to-gateway VPN tunnel 200
gateway-to-gateway VPN tunnel 192, 196
IKE policy settings 223
WPA, WPA2, and mixed mode 115
private addresses, IPv6 43
profiles
bandwidth 171–173
QoS 173
VLANs 53–60
wireless security 109, 112–116
protection from common attacks 162–165
protocols
compatibilities 385
RIP 13
service numbers 168
traffic volume by protocol 338
PSK. See pre-shared key.
public web server, hosting (rule example) 155
Push ’N’ Connect 120
Push button configuration (PBC) method, WPS 122
PVID (Port VLAN Identifier) 52
Q
QoS (Quality of Service)
profiles 173
shifting traffic mix 319
question mark icon (web management interface) 24
R
radio, configuring
advanced settings 122
basic settings 105
RADIUS authentication
CHAP and PAP
domain authentication 291
XAUTH 224, 234–235
description 288
MSCHAP(v2), domain authentication 291
RADIUS servers
configuring 236–237
edge devices 235
RADVD (Router Advertisement Deamon)
DMZ, configuring for 90
LAN, configuring for 77
range guidelines, wireless equipment 104
RAs (router advertisements)
DMZ, configuring for 92
LAN, configuring for 78
read-only and read-write access 296
rebooting 366
reducing traffic 314–316
region, wireless radio 105
regulatory compliance
wired products 393–396
wireless products 397–400
relay gateway 59, 86
Remote Authentication Dial In User Service
See RADIUS authentication.
See RADIUS servers.
remote management access 322
remote users, assigning addresses (Mode Config) 237
Request to Send (RTS) threshold 123
reserved IPv4 addresses, configuring 69
resources, SSL VPN, configuring 273–276
restoring configuration file 331
restricting wireless access by MAC address 108
RFC 1349 173
RFC 1700 168
410
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
RFC 2865 235
RIP (Routing Information Protocol), configuring 97–99
roaming 110
Router Advertisement Deamon (RADVD)
DMZ, configuring for 90
LAN, configuring for 77
router advertisements (RAs) and router lifetime (IPv6)
DMZ, configuring for 92
LAN, configuring for 78
Routing Information Protocol (RIP), configuring 97–99
routing logs 340
routing modes
IPv4 26
IPv6 (IPv4-only and IPv4/IPv6) 36
routing table
adding static IPv4 routes 95
adding static IPv6 routes 100
displaying 365
RSA signatures 223
RTS (Request to Send) threshold 123
rules
See inbound rules.
See outbound rules.
Session Initiation Protocol (SIP) 167
session limits
configuring 166
logging dropped packets 340
severities, syslog 342
SHA-1
IKE policies 222
Mode Config operation 241
self certificate requests 311
VPN policies 232
shared key, WEP 116
short preamble 123
shutting down 366
signature key length 311
Simple Network Management Protocol (SNMP)
configuring 326–329
description 14
SIP (Session Initiation Protocol) 167
sit0-WAN1 (6to4 tunnel) 42
SLA ID (site level aggregation identifier)
DMZ advertisements 94
LAN advertisements 80
sniffer 369
SNMP (Simple Network Management Protocol)
configuring 326–329
description 14
software, upgrading 332
source MAC filtering
configuring MAC addresses 179
logging matched packets 340
reducing traffic 316
spacing, channels 106
specifications, physical and technical 385
speed, ports 49
SPI (Security Parameters Index) 231
SPI (stateful packet inspection) 12, 125
split tunnel, SSL VPN 269
spoofing MAC addresses 372
SSIDs (service set identifiers)
assigning a name and broadcasting 114
broadcasting and security 108
SSL VPN
ActiveX web cache cleaner 266
ActiveX-based client 260
authentication 291
cache control 265
client IP address range and routes 270–273
configuration steps 261
connection status 285
FQDNs, configuring port forwarding 262
logs 285
network resources, configuring 273–276
overview 12
S
SA (security association)
IKE policies 218, 222
IPSec VPN Wizard 190
Mode Config operation 240
VPN connection status 216
VPN policies 231, 232
samples of firewall rules 155–162
scheduling firewall rules 178
secondary LAN addresses
IPv4, configuring 62–64
IPv6, configuring 81–82
Secure Hash Algorithm 1. See SHA-1.
secure HTTP management 325
security association. See SA.
security checks, LAN 164
security lock receptacle 18
Security Parameters Index (SPI) 231
security profiles, wireless
creating and configuring 112–116
description 107–111
separation, wireless 115
server preference, DHCPv6 74, 88
service blocking
reducing traffic 315
rules, firewall 127
service numbers, common protocols 168
411
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Telnet management 325
temperatures, operating and storage 386
Temporal Key Integrity Protocol (TKIP) 108, 115
Test LED 16, 368
testing
Internet connectivity 50
wireless connectivity 124
time settings
configuring 334
troubleshooting 377
time-out error, troubleshooting 370
time-out, session 167
timer, wireless profiles 115
tips, firewall and content filtering 126
TKIP (Temporal Key Integrity Protocol) 108, 115
ToS (Type of Service), QoS profile 129
tracert, using with DDNS 326
tracing a route (traceroute) 364
trademarks 2
traffic
action when reaching limit 338
bandwidth 171–173
diagnostic tools 362
increasing 317–319
managing 314
reducing 314–316
volume by protocol 338
traffic meter (or counter) 335
Transmission Control Protocol (TCP) 186
transmit power and rate, radio 106
troubleshooting
basic functioning 368
browsers 369
configuration settings, using sniffer 369
date and time settings 377
defaults 370
IP addresses, requirements 24
IPv6 connection 372
ISP connection 370
LEDs 368–369
NTP 377
testing your setup 376
time-out error 370
web management interface 369
trusted certificates 307–308
trusted domains, building a list of 177
tunnels, IPv6
configuring globally 41–45
DMZ, configuring for 94
LAN, configuring for 80
two-factor authentication
authentication, overview 389
description 288
policies
managing 276
settings 280
port forwarding
configuring 267–269
description 261
portals
accessing 282
configuring 262–266
options 260
resources, configuring 273–276
specifications 387
tunnel description 260
user account 296–298
user portal 283
stateful packet inspection (SPI) 12, 125
stateless and stateful IPv6 addresses, autoconfiguration
37, 73, 88
static addresses
IPv4 address 30, 34
IPv6 address 40
static routes
IPv4 routes
configuring 95–100
routing table 95
IPv6 routes
configuring 100–102
routing table 100
statistics, viewing 347
status screens 345–362
stealth mode 163
submenu tabs (web management interface) 23
SYN flood 163
syslog server 342
system
date and time settings, configuring 333
logs 340
status, viewing 345–352
updating firmware 332
T
table buttons (web management interface) 23
tabs, submenu (web management interface) 23
TCP (Transmission Control Protocol) 186
TCP flood, blocking 163
TCP time-out 167
TCP/IP network, troubleshooting 375
technical specifications 385
technical support 2, 365
Telnet and RTelnet, restricting access (rule example)
160
412
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
WiKID-PAP and WiKID-CHAP 291
Type of Service (ToS), QoS profile 129
TZO.com 45–47
configuring manually 206
Mode Config tunnel, opening 252
Mode Config, configuring 245
tunnel, opening 213
VPN IPSec Wizard. See IPSec VPN Wizard.
VPN tunnels
active users 353–354
autoinitiating 230
client policy, creating 202
client-to-gateway, using IPSec VPN Wizard 199
connection status 215
DPD (Dead Peer Detection) 255
FQDNs, configuring endpoints 192, 196, 200, 222
gateway-to-gateway, using IPSec VPN Wizard 190,
194
IKE policies
exchange mode 218, 221
ISAKMP identifier 218, 222
managing 217
Mode Config operation 221, 241
XAUTH 224
increasing traffic 319
IP addresses
client-to-gateway (wizard) 200
gateway-to-gateway (wizard) 192, 196
local and remote 222, 231
IPSec VPN
logs 216
specifications 386
IPSec VPN policies
automatically generated 225
groups, configuring 293
managing 217
manually generated 225
IPSec VPN user account 296–298
keep-alives 230, 254
NetBIOS 230, 257
pass-through (IPSec, PPTP, L2TP) 164
pre-shared key
client-to-gateway tunnel 200
gateway-to-gateway tunnel 192, 196
IKE policy settings 223
RSA signature 223
sending syslogs 342
testing connections 213
XAUTH 233–235
VPNC (Virtual Private Network Consortium) 14, 190
U
UDP (User Datagram Protocol) 186
UDP flood, blocking 164
UDP time-out 167
unicast packets, IPv6
DMZ, configuring for 92
LAN, configuring for 78
Universal Plug and Play (UPnP), configuring 187
unsolicited multicast packets, IPv6
DMZ, configuring for 92
LAN, configuring for 78
upgrading firmware 332
UPnP (Universal Plug and Play), configuring 187
user accounts, configuring 296
User Datagram Protocol (UDP) 186
user name, default 21
user passwords, changing 304
user policies, configuring for SSL VPN 276
user portal 283
user types 296–299, 305
users
active VPN and L2TP 353–354
administrative (admin) settings 320
assigned groups 298
login policies, configuring 299–304
login time-out 304
V
vendor class identifier (VCI) 34
videoconferencing
DMZ port 83
from restricted address (rule example) 156
violations, IP/MAC binding 182–184
virtual LAN. See VLANs.
Virtual Private Network Consortium (VPNC) 14, 190
VLANs
advantages 52
description 51
DHCP options 54–55
identifiers (IDs) 110
MAC addresses 61
port-based 52
profiles, configuring 56–61
VoIP (voice over IP) sessions 167
VPN client
Configuration Wizard, using 202
W
WAN
bandwidth capacity 314
connection type and state, viewing 351
default settings 379
413
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
X
DHCPv6 client, prefix delegation 38
WAN LEDs 17, 369
WAN ports 15
WAN traffic meter (or counter) 335
web component blocking 174
web management interface
description 22
troubleshooting 369
weight 386
WEP (wired equivalent privacy)
configuring 114–116
types of encryption 108
Wi-Fi Multimedia (WMM) 123
Wi-Fi protected access (WPA), WPA2, and mixed mode
configuring 114–116
types of encryption 108
Wi-Fi Protected Setup (WPS) 120
WiKID
authentication, overview 389
description 288
WiKID-PAP and WiKID-CHAP 291
WINS server
DHCP 59, 85
Mode Config operation 240
wired equivalent privacy (WEP)
configuring 114–116
types of encryption 108
wireless clients
separating 115
viewing 120, 362
wireless connection
losing 119
testing 124
wireless equipment, placement and range 104
wireless mode 106
wireless network name (SSID)
broadcasting 114
broadcasting and security 108
wireless radio
advanced settings, configuring 122
basic settings, configuring 105
wireless security 107–117
wireless separation 115
wireless specifications 387
wireless status, viewing 352
WLAN partition 115
WMM (Wi-Fi Multimedia) 123
WPA (Wi-Fi protected access), WPA2, and mixed mode
configuring 114–116
types of encryption 108
WPS (Wi-Fi Protected Setup) 120
XAUTH (extended authentication)
configuring 233–235
IKE policies 224
414
Was this manual useful for you? yes no
Thank you for your participation!

* Your assessment is very important for improving the work of artificial intelligence, which forms the content of this project

Download PDF

advertisement