Netgear VPN Firewall FVS336Gv2 Reference Manual
Configure the IPv4 LAN Settings
ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

8. Enter the settings as described in the following table.

Setting: Description

RIP

RIP Direction: From the RIP Direction menu, select the direction in which the VPN firewall sends and receives RIP packets:
• None. The VPN firewall neither advertises its route table nor accepts any RIP packets from other routers. This effectively disables RIP and is the default setting.
• In Only. The VPN firewall accepts RIP information from other routers but does not advertise its routing table.
• Out Only. The VPN firewall advertises its routing table but does not accept RIP information from other routers.
• Both. The VPN firewall advertises its routing table and also processes RIP information received from other routers.

RIP Version: By default, the RIP version is set to Disabled. From the RIP Version menu, select the version:
• RIP-1. Classful routing that does not include subnet information. This is the most commonly supported version.
• RIP-2. Routing that supports subnet information. Both RIP-2B and RIP-2M send the routing data in RIP-2 format:
  - RIP-2B. Sends the routing data in RIP-2 format and uses subnet broadcasting.
  - RIP-2M. Sends the routing data in RIP-2 format and uses multicasting.

Authentication for RIP-2B/2M: Authentication for RIP-2B or RIP-2M is disabled by default, that is, the No radio button is selected. To enable authentication for RIP-2B or RIP-2M, select the Yes radio button and enter the settings for the following fields.

First Key Parameters

MD5 Key Id: The identifier for the key that is used for authentication.
MD5 Auth Key: The password that is used for MD5 authentication.
Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
Not Valid After: The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. After this date and time, the MD5 key is no longer valid.

Second Key Parameters

MD5 Key Id: The identifier for the key that is used for authentication.
MD5 Auth Key: The password that is used for MD5 authentication.
Not Valid Before: The beginning of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. Before this date and time, the MD5 key is not valid.
Not Valid After: The end of the lifetime of the MD5 key. Enter the month, date, year, hour, minute, and second. After this date and time, the MD5 key is no longer valid.

9. Click the Apply button.
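The two MD5 key slots in the table each carry their own lifetime, so the two windows can be checked for an inverted range or a period in which neither key is valid before the values are entered. The following is an added example, not part of the NETGEAR manual; `RipKey`, `active_keys`, `audit_rollover` and all key IDs and dates are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class RipKey:
    """One key slot from the RIP table: MD5 Key Id plus its lifetime."""
    key_id: int
    not_valid_before: datetime
    not_valid_after: datetime


def active_keys(keys, when):
    """Return the key IDs whose lifetime covers the moment `when`."""
    return [k.key_id for k in keys
            if k.not_valid_before <= when <= k.not_valid_after]


def audit_rollover(first, second):
    """Report problems in a first-key/second-key rollover plan."""
    findings = []
    for k in (first, second):
        if k.not_valid_after <= k.not_valid_before:
            findings.append(
                f"key {k.key_id}: Not Valid After is not later than Not Valid Before")
    if first.key_id == second.key_id:
        findings.append("both slots use the same MD5 Key Id")
    # Order the two slots by start time and measure the distance between
    # the end of the earlier lifetime and the start of the later one.
    early, late = sorted((first, second), key=lambda k: k.not_valid_before)
    gap = late.not_valid_before - early.not_valid_after
    if gap > timedelta(0):
        findings.append(
            f"no key is valid for {gap} between key {early.key_id} and key {late.key_id}")
    return findings


# Constructed sample values, not taken from the manual.
KEY1 = RipKey(1, datetime(2024, 1, 1, 0, 0, 0), datetime(2024, 6, 30, 23, 59, 59))
KEY2_GAP = RipKey(2, datetime(2024, 7, 2, 0, 0, 0), datetime(2024, 12, 31, 23, 59, 59))
KEY2_OVERLAP = RipKey(2, datetime(2024, 6, 24, 0, 0, 0), datetime(2024, 12, 31, 23, 59, 59))

if __name__ == "__main__":
    for label, second in (("gap", KEY2_GAP), ("overlap", KEY2_OVERLAP)):
        print(label, audit_rollover(KEY1, second) or "no findings")
```

An overlap between the two lifetimes, as in `KEY2_OVERLAP`, keeps at least one key valid throughout the changeover.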
After you click the Apply button, your settings are saved.

IPv4 Static Route Example

In this example, we assume the following:
• The VPN firewall’s primary Internet access is through a cable modem to an ISP.
• The VPN firewall is on a local LAN with IP address 192.168.1.100.
• The VPN firewall connects to a remote network where you must access a device.
• The LAN IP address of the remote network is 134.177.0.0.

When you first configured the VPN firewall, two implicit static routes were created:
• A default static route was created with your ISP as the gateway.
• A second static route was created to the local LAN for all 192.168.1.x addresses.

With this configuration, if you attempt to access a device on the 134.177.0.0 remote network, the VPN firewall forwards your request to the ISP. In turn, the ISP forwards your request to the remote network, where the request is likely to be denied by the remote network’s firewall.

In this case, you must define a static route, informing the VPN firewall that the 134.177.0.0 IP address must be accessed through the local LAN IP address (192.168.1.100).

The static route on the VPN firewall must be defined as follows:
• The destination IP address and IP subnet mask must specify that the static route applies to all 134.177.x.x IP addresses.
• The gateway IP address must specify that all traffic for the 134.177.x.x IP addresses must be forwarded to the local LAN IP address (192.168.1.100).
• A metric value of 1 works because the VPN firewall is on the local LAN.
• Making the static route private is needed only as a precautionary security measure in case RIP is activated.
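The route selection described in this example can be reproduced with a small longest-prefix-match table. This is an added illustration, not code from the manual or the firewall; the ISP gateway address is a constructed placeholder, and `Route`, `lookup` and `rip_shareable` are hypothetical names. It also models the private flag as keeping a static route out of RIP advertisements, which is the assumed meaning of that setting.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    name: str
    destination: ipaddress.IPv4Network
    gateway: str            # next hop, or "direct" for the attached LAN
    metric: int = 1
    private: bool = False   # assumed meaning: keep the route out of RIP


def lookup(table, address):
    """Longest-prefix match; the lowest metric breaks ties."""
    ip = ipaddress.ip_address(address)
    matches = [r for r in table if ip in r.destination]
    if not matches:
        return None
    return max(matches, key=lambda r: (r.destination.prefixlen, -r.metric))


def rip_shareable(static_routes):
    """Names of static routes that are not marked private."""
    return [r.name for r in static_routes if not r.private]


ISP_GATEWAY = "203.0.113.1"  # constructed placeholder (documentation range)

# The two implicit routes created at first configuration.
IMPLICIT = [
    Route("default", ipaddress.ip_network("0.0.0.0/0"), ISP_GATEWAY),
    Route("local-lan", ipaddress.ip_network("192.168.1.0/255.255.255.0"), "direct"),
]

# The static route from the example: all 134.177.x.x via 192.168.1.100.
STATIC = Route("remote-134.177",
               ipaddress.ip_network("134.177.0.0/255.255.0.0"),
               "192.168.1.100", metric=1, private=True)

if __name__ == "__main__":
    target = "134.177.5.9"  # constructed address on the remote network
    print("before:", lookup(IMPLICIT, target).gateway)
    print("after: ", lookup(IMPLICIT + [STATIC], target).gateway)
    print("shareable static routes:", rip_shareable([STATIC]))
```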
5. Configure the IPv6 LAN Settings

This chapter describes how to configure the IPv6 LAN features of your VPN firewall. The chapter contains the following sections:
• Manage the IPv6 LAN
• Manage IPv6 Multihome LAN IP Addresses
• Manage the DMZ Port for IPv6 Traffic
• Manage Static IPv6 Routing
Manage the IPv6 LAN

The following sections provide information about managing the IPv6 LAN:
• IPv6 LANs
• DHCPv6 LAN Server Concepts and Configuration Roadmap
• Configure a Stateless DHCPv6 Server Without Prefix Delegation for the LAN
• Manage a Stateless DHCPv6 Server with Prefix Delegation for the LAN
• Manage a Stateful DHCPv6 Server and IPv6 Address Pools for the LAN
• Manage the IPv6 Router Advertisement Daemon for the LAN

IPv6 LANs

An IPv6 LAN typically functions with site-local and link-local unicast addresses. Each physical interface requires an IPv6 link-local address that is automatically derived from the MAC addresses of the IPv4 interface and that is used for address configuration and neighbor discovery. (Normally, you would not manually configure a link-local address.)

The VPN firewall (or any other router) never forwards traffic with site-local or link-local addresses, that is, the traffic remains in the LAN subnet and is processed over the default VLAN only. A site-local address always starts with fec0 (hexadecimal); a link-local unicast address always starts with FE80 (hexadecimal). For more information about link-local unicast addresses, see Manage ISATAP Automatic Tunneling on page 103.

Because each interface is automatically assigned a link-local IP address, it is not useful to assign another link-local IP address as the default IPv6 LAN address. The default IPv6 LAN address is a site-local address. You can change this address to any other IPv6 address for LAN use.

To forward traffic from sources with a site-local or link-local unicast address in the LAN, you must use a DHCPv6 server. (By default, the DHCPv6 server is disabled.) For information about the DHCPv6 server options that the VPN firewall provides, see DHCPv6 LAN Server Concepts and Configuration Roadmap on page 153.

Note: Site-local addresses, that is, addresses that start with fec0, are deprecated. However, NETGEAR has implemented a site-local address as a temporary default IPv6 LAN address that you can replace with another LAN address. The firewall restricts external communication of this default site-local address.

DHCPv6 LAN Server Concepts and Configuration Roadmap

The IPv6 clients in the LAN can autoconfigure their own IPv6 address or obtain an IPv6 address through the VPN firewall’s DHCPv6 server.
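For the address ranges and MAC-derived link-local addresses described under IPv6 LANs, the following added example (not from the manual) classifies addresses by prefix and derives a link-local address from a MAC. It assumes the standard modified EUI-64 derivation from RFC 4291, which the manual does not name; the MAC address and function names are constructed for illustration.

```python
import ipaddress

ULA = ipaddress.ip_network("fc00::/7")  # unique local range (RFC 4193)


def scope(address):
    """Classify an IPv6 address by the prefixes this section names."""
    ip = ipaddress.IPv6Address(address)
    if ip.is_link_local:       # fe80::/10
        return "link-local"
    if ip.is_site_local:       # fec0::/10, deprecated
        return "site-local"
    if ip in ULA:
        return "unique-local"
    return "other"


def link_local_from_mac(mac):
    """Build fe80::/64 plus a modified EUI-64 interface ID from a MAC."""
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02                                   # flip the universal/local bit
    eui64 = bytes(octets[:3]) + b"\xff\xfe" + bytes(octets[3:])
    return ipaddress.IPv6Address(b"\xfe\x80" + bytes(6) + eui64)


def mac_from_link_local(address):
    """Recover the MAC when the interface ID is EUI-64 based, else None."""
    iid = ipaddress.IPv6Address(address).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


SAMPLE_MAC = "00:11:22:33:44:55"  # constructed sample value

if __name__ == "__main__":
    ll = link_local_from_mac(SAMPLE_MAC)
    print(SAMPLE_MAC, "->", ll, "->", mac_from_link_local(str(ll)))
    for addr in ("fe80::1", "fec0::1", "fc00::1", "2001:db8::1"):
        print(addr, scope(addr))
```

Because an EUI-64 interface ID maps back to the hardware address, neighbor-table entries can be matched against an asset inventory, and the same property means such addresses identify the device to anything on the link.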
The VPN firewall provides three DHCPv6 options for the LAN. The following sections provide information about the DHCPv6 options for the LAN:
• Concept: Stateless DHCPv6 Server Without Prefix Delegation for the LAN
• Concept: Stateless DHCPv6 Server With Prefix Delegation for the LAN
• Concept: Stateful DHCPv6 Server for the LAN

Concept: Stateless DHCPv6 Server Without Prefix Delegation for the LAN

The IPv6 clients in the LAN generate their own IP address by using a combination of locally available information and router advertisements from the Router Advertisement Daemon (RADVD), but receive DNS server information from the DHCPv6 server.

In a stateless DHCPv6 server configuration without prefix delegation, the RADVD advertises the following advertisement prefixes:
• If you enabled the ISP DHCPv6 server to assign a prefix through prefix delegation to the VPN firewall, the advertisement prefixes that are based on the ISP’s assignment.
• Advertisement prefixes that you add manually for the RADVD.

For stateless DHCPv6 without prefix delegation, you must enable and configure the RADVD.

To set up a stateless DHCPv6 server without prefix delegation in the LAN, complete these tasks:
1. Enable the ISP DHCPv6 server to assign a prefix through prefix delegation to the VPN firewall (see Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically on page 90). This task is optional (see also Step 4).
2. Configure the stateless DHCP server without prefix delegation (see Configure a Stateless DHCPv6 Server Without Prefix Delegation for the LAN on page 155).
3. Enable and configure the RADVD (see Manage the IPv6 Router Advertisement Daemon for the LAN on page 171).
4. If you did not enable the ISP DHCPv6 server to assign a prefix through prefix delegation to the VPN firewall, manually add advertisement prefixes to the RADVD (see View Automatically Added Advertisement Prefixes for the LAN and Manually Add Advertisement Prefixes on page 175).

Note: If you do enable the ISP DHCPv6 server to assign a prefix through prefix delegation to the VPN firewall, you still can manually add advertisement prefixes to the RADVD.

Concept: Stateless DHCPv6 Server With Prefix Delegation for the LAN

As an option for a stateless DHCPv6 server, you can enable prefix delegation. Note that this is prefix delegation by the DHCPv6 server in the LAN, not by the ISP DHCPv6 server in the WAN. After you specify a prefix and a prefix length for the DHCPv6 server, the VPN firewall’s stateless DHCPv6 server assigns prefixes to its IPv6 LAN clients through the RADVD.
For stateless DHCPv6 with prefix delegation, you must enable and configure the RADVD, but you do not need to add advertisement prefixes to the RADVD because the DHCPv6 server assigns the prefixes that you specify for the DHCPv6 server.

To set up a stateless DHCPv6 server with prefix delegation in the LAN, complete these tasks:
1. Configure the stateless DHCP server with prefix delegation (see Manage a Stateless DHCPv6 Server with Prefix Delegation for the LAN on page 158).
2. Specify prefixes and prefix lengths for the DHCPv6 server (see Manually Add IPv6 LAN Prefixes for Prefix Delegation on page 163).
3. Enable and configure the RADVD (see Manage the IPv6 Router Advertisement Daemon for the LAN on page 171).

Concept: Stateful DHCPv6 Server for the LAN

The IPv6 clients in the LAN obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server (see ). The IP address is a dynamic address that the DHCPv6 server assigns from IPv6 address pools that you must configure. Enable the RADVD for the default route; configuring prefixes is optional.

To set up a stateful DHCPv6 server in the LAN, complete these tasks:
1. Configure the stateful DHCPv6 server (see Manage a Stateful DHCPv6 Server and IPv6 Address Pools for the LAN on page 165).
2. Add one or more IPv6 address pools for the DHCPv6 server (see Add an IPv6 LAN Address Pool on page 168).

Configure a Stateless DHCPv6 Server Without Prefix Delegation for the LAN

With a stateless DHCPv6 server in the LAN, the IPv6 clients in the LAN generate their own IP address by using a combination of locally available information and router advertisements from the Router Advertisement Daemon (RADVD), but receive DNS server information from the DHCPv6 server.

If you configure a stateless DHCPv6 server in the LAN, you also must enable the RADVD and configure advertisement prefixes (see Manage the IPv6 Router Advertisement Daemon for the LAN on page 171).

For more information about a stateless DHCPv6 server for the LAN, see Concept: Stateless DHCPv6 Server Without Prefix Delegation for the LAN on page 154.

To configure a stateless DHCPv6 server without prefix delegation and IPv6 settings for the LAN:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > LAN Settings. The LAN Setup screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings. The following figure shows some examples.
8. Enter the settings as described in the following table.

Setting: Description

IPv6 LAN Setup

IPv6 Address: Enter the LAN IPv6 address. The default address is fc00::1. (For more information, see IPv6 LANs on page 153.)
IPv6 Prefix Length: Enter the IPv6 prefix length, for example, 10 or 64. The default prefix length is 64.

DHCPv6

DHCP Status: Enable the DHCPv6 server by selecting Enable DHCPv6 Server from the DHCP Status menu. The default menu selection is Disable DHCPv6 Server.
DHCP Mode: From the DHCP Mode menu, select Stateless. The IPv6 clients generate their own IP address by using a combination of locally available information and router advertisements but receive DNS server information from the DHCPv6 server. When you enable the stateless DHCP server for the LAN, you must also enable and configure the RADVD for the LAN. For more information, see Manage the IPv6 Router Advertisement Daemon for the LAN on page 171.
Prefix Delegation: Leave the Prefix Delegation check box cleared. Prefix delegation is disabled in the LAN. This is the default setting. For information about using the stateless DHCPv6 server with prefix delegation, see Manage a Stateless DHCPv6 Server with Prefix Delegation for the LAN on page 158.
Domain Name: Enter the domain name of the DHCP server.
Server Preference: Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting. This is an optional setting that specifies the server’s preference value in a server advertise message. The client selects the server with the highest preference value as the preferred server.
DNS Servers: From the DNS Server menu, select a DNS server option:
• Use DNS Proxy. The VPN firewall acts as a proxy for all DNS requests and communicates with the ISP DNS servers that you configure. For information about specifying the ISP DNS servers, see Manually Configure a Static IPv6 Internet Connection on page 94.
• Use DNS from ISP. The VPN firewall uses the ISP DNS servers that you configure. For information about specifying the ISP DNS servers, see Manually Configure a Static IPv6 Internet Connection on page 94.
• Use below. When you select this option, the Primary DNS Server and Secondary DNS Server fields become available for you to enter IP addresses:
  - Primary DNS Server. Enter the IP address of the primary DNS server for the LAN.
  - Secondary DNS Server. Enter the IP address of the secondary DNS server for the LAN.
Lease/Rebind Time: Enter the period after which the DHCP lease is renewed with the original DHCP server or rebound with another DHCP server to extend the existing DHCP lease. The default period is 86400 seconds (24 hours).

9. Click the Apply button. Your settings are saved.

Manage a Stateless DHCPv6 Server with Prefix Delegation for the LAN

The following sections provide information about managing a stateless DHCPv6 server with prefix delegation for the LAN:
• Stateless DHCPv6 Server and Prefix Delegation for the LAN
• Configure a Stateless DHCPv6 Server with Prefix Delegation
• Manually Add IPv6 LAN Prefixes for Prefix Delegation
• Change an IPv6 LAN Prefix for Prefix Delegation
• Remove One or More IPv6 LAN Prefixes for Prefix Delegation
Stateless DHCPv6 Server and Prefix Delegation for the LAN

As an option for a stateless DHCPv6 server, you can enable prefix delegation. Note that this is prefix delegation by the DHCPv6 server in the LAN, not by the ISP DHCPv6 server in the WAN. After you specify a prefix and a prefix length for the DHCPv6 server, the VPN firewall’s stateless DHCPv6 server assigns prefixes to its IPv6 LAN clients through the RADVD.

For stateless DHCPv6 with prefix delegation, you must enable and configure the RADVD (see Manage the IPv6 Router Advertisement Daemon for the LAN on page 171) but you do not need to add advertisement prefixes to the RADVD because the DHCPv6 server assigns the prefixes that you specify for the DHCPv6 server.

For more information about stateless DHCPv6 servers, see DHCPv6 LAN Server Concepts and Configuration Roadmap on page 153.

Configure a Stateless DHCPv6 Server with Prefix Delegation

The following procedure describes how to configure a stateless DHCPv6 server with prefix delegation and IPv6 settings for the LAN.

To configure a stateless DHCPv6 server with prefix delegation and IPv6 settings for the LAN:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.

Note: If the VPN firewall cannot acquire a prefix from the ISP, the VPN firewall’s stateless DHCPv6 server cannot assign prefixes to its IPv6 LAN clients.

6. Verify that the VPN firewall allows the ISP DHCPv6 server to assign prefixes through prefix delegation (you can manually add prefixes to the RADVD):
   a. Select Network Configuration > WAN Settings > WAN Setup. The WAN Setup screen displays the IPv4 settings.