Netgear VPN Firewall FVS336Gv2 Reference Manual
Configure the IPv6 LAN Settings
ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > LAN Settings. The LAN Setup screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The LAN Setup screen displays the IPv6 settings.
8. Click the RADVD option arrow in the upper right. The RADVD screen for the LAN displays.
9. In the List of Prefixes to Advertise table, select the check box to the left of each advertisement prefix that you want to remove or click the Select All button to select all advertisement prefixes.
10. Click the Delete button. The selected advertisement prefixes are removed from the List of Prefixes to Advertise table.

Manage IPv6 Multihome LAN IP Addresses

The following sections provide information about managing IPv6 multihome LAN IP addresses:
• IPv6 Multihome LAN IP Addresses
• Add a Secondary LAN IPv6 Address
• Change a Secondary LAN IPv6 Address
• Remove One or More Secondary LAN IPv6 Addresses

IPv6 Multihome LAN IP Addresses

If you have computers using different IPv6 networks in the LAN (for example, 2000::2 or 2000::1000:10), you can add aliases to the LAN ports and give computers on those networks access to the Internet but you can do so only for the default VLAN. The IP address that is assigned as a secondary IP address must be unique and cannot be assigned to a VLAN.

Make sure that any secondary LAN addresses are different from the primary LAN, WAN, and DMZ IP addresses and subnet addresses that are already configured on the VPN firewall. The following is an example of correctly configured IPv6 addresses:
• WAN IP address. 2000::e246:9aff:fe1d:1a9c with a prefix length of 64
• DMZ IP address. 176::e246:9aff:fe1d:a1bc with a prefix length of 64
• Primary LAN IP address. fec0::1 with a prefix length of 10
• Secondary LAN IP address. 2001:db8:3000::2192 with a prefix length of 10

Add a Secondary LAN IPv6 Address

The following procedure describes how to add a secondary LAN IPv6 address.

To add a secondary LAN IPv6 address:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > LAN Settings > LAN Multi-homing. The LAN Multi-homing screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The LAN Multi-homing screen displays the IPv6 settings. The following figure shows one example. The Available Secondary LAN IPs table displays the secondary LAN IP addresses added to the VPN firewall.
8. In the Add Secondary LAN IP Address section, enter the following settings:
   • IPv6 Address. Enter the secondary address that you want to assign to the LAN ports.
   • Prefix Length. Enter the prefix length for the secondary IP address.
9. Click the Add button. The secondary IP address is added to the Available Secondary LAN IPs table.
10. Repeat Step 8 and Step 9 for each secondary IP address that you want to add to the Available Secondary LAN IPs table.

Note: You cannot configure secondary IP addresses in the DHCP server. The hosts on the secondary subnets must be manually configured with the IP addresses, gateway IP address, and DNS server IP addresses.

Change a Secondary LAN IPv6 Address

The following procedure describes how to change an existing secondary LAN IPv6 address.

To change a secondary LAN IPv6 address:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > LAN Settings > LAN Multi-homing. The LAN Multi-homing screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The LAN Multi-homing screen displays the IPv6 settings.
8. In the Available Secondary LAN IPs table, click the Edit button for the secondary IP address that you want to change. The Edit LAN Multi-homing screen displays.
9. Modify the IP address or prefix length, or both:
   • IPv6 Address. Modify the secondary address that is assigned to the LAN ports.
   • Prefix Length. Modify the prefix length for the secondary IP address.
10. Click the Apply button. Your settings are saved. The modified secondary IP address displays in the Available Secondary LAN IPs table on the LAN Multi-homing screen.

Remove One or More Secondary LAN IPv6 Addresses

The following procedure describes how to remove one or more existing secondary LAN IPv6 addresses that you no longer need.

To remove one or more secondary LAN IPv6 addresses:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > LAN Settings > LAN Multi-homing. The LAN Multi-homing screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The LAN Multi-homing screen displays the IPv6 settings.
8. In the Available Secondary LAN IPs table, select the check box to the left of each secondary IP address that you want to remove or click the Select All button to select all secondary IP addresses.
9. Click the Delete button. The selected secondary IPv6 addresses are removed from the Available Secondary LAN IPs table.

Manage the DMZ Port for IPv6 Traffic

The following sections provide information about managing the DMZ port for IPv6 traffic:
• IPv6 DMZ
• Manage a Stateless DHCPv6 Server with Prefix Delegation for the DMZ
• Manage a Stateful DHCPv6 Server and IPv6 Address Pools for the DMZ

IPv6 DMZ

The demilitarized zone (DMZ) is a network that, by default, has fewer firewall restrictions than the LAN. The DMZ can be used to host servers (such as a web server, FTP server, or email server) and provide public access to them. The rightmost LAN port on the VPN firewall can be dedicated as a hardware DMZ port to safely provide services to the Internet without compromising security on your LAN. By default, the DMZ port and both inbound and outbound DMZ traffic are disabled. Enabling the DMZ port and allowing traffic to and from the DMZ increases the traffic through the WAN ports.

Using a DMZ port is also helpful with online games and videoconferencing applications that are incompatible with NAT. The VPN firewall is programmed to recognize some of these applications and to work correctly with them but other applications might not function well. In some cases, local computers can run the application correctly if those computers are used on the DMZ port.

Note the following about the DMZ port:
• The VPN firewall has a separate firewall security profile for the DMZ port. This security profile is also physically independent of the standard firewall security component that is used for the LAN.
• When you enable the DMZ port for IPv4 traffic, IPv6 traffic, or both, the DMZ LED next to LAN port 4 (see Front Panel on page 18) lights green to indicate that the DMZ port is enabled.
For information about how to define the DMZ WAN rules and LAN DMZ rules, see Add DMZ WAN Rules on page 233 and Add LAN DMZ Rules on page 242, respectively.

The IPv6 clients in the DMZ can autoconfigure their own IPv6 address or obtain an IPv6 address through the VPN firewall’s DHCPv6 server for the LAN. For the IPv6 DMZ, the VPN firewall provides two DHCPv6 server options:
• Stateless DHCPv6 server. The IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements, but receive DNS server information from the DHCPv6 server (see Configure a Stateless DHCPv6 Server for the DMZ on page 185). For stateless DHCPv6, you also must configure the RADVD and advertisement prefixes for the DMZ (see Manage the IPv6 Router Advertisement Daemon for the DMZ on page 188).
• Stateful DHCPv6 server. The IPv6 clients in the DMZ obtain an interface IP address, configuration information such as DNS server information, and other parameters from the DHCPv6 server (see Configure a Stateful DHCPv6 Server for the DMZ on page 198). The IP address is a dynamic address. For stateful DHCPv6, you also must configure IPv6 address pools for the DMZ (see Add an IPv6 DMZ Address Pool on page 200).

Manage a Stateless DHCPv6 Server with Prefix Delegation for the DMZ

The following sections provide information about managing a stateless DHCPv6 server with prefix delegation for the DMZ:
• Stateless DHCPv6 Server and Prefix Delegation for the DMZ
• Configure a Stateless DHCPv6 Server for the DMZ
• Manage the IPv6 Router Advertisement Daemon for the DMZ

Stateless DHCPv6 Server and Prefix Delegation for the DMZ

For a stateless DHCPv6 server for the DMZ, the IPv6 clients in the DMZ generate their own IP address by using a combination of locally available information and router advertisements but receive DNS server information from the DHCPv6 server. For stateless DHCPv6, you also must configure the RADVD and advertisement prefixes for the DMZ (see Manage the IPv6 Router Advertisement Daemon for the DMZ on page 188).

For more information about stateless DHCPv6 servers, see DHCPv6 LAN Server Concepts and Configuration Roadmap on page 153.

Configure a Stateless DHCPv6 Server for the DMZ

The following procedure describes how to configure a stateless DHCPv6 server for the DMZ.

To configure a stateless DHCPv6 server for the DMZ:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Network Configuration > DMZ Setup. The DMZ Setup screen displays the IPv4 settings.
7. In the upper right, select the IPv6 radio button. The DMZ Setup screen displays the IPv6 settings. The following figure shows an example.
8. Enter the settings as described in the following table.

Setting. Description

DMZ Port Setup
Select the Yes radio button to configure the DMZ port settings. Complete the following fields:
• IPv6 Address. Enter the IP address of the DMZ port. Make sure that the DMZ port IP address, LAN port IP address, and WAN port IP address are in different subnets. The default IP address for the DMZ port is fdff::1.
• Prefix Length. Enter the IPv6 prefix length, for example, 10 or 64. The default prefix length for the DMZ port is 64.
Note: By default, the DMZ port is disabled. After you configure the DMZ port, you can select the No radio button to disable the DMZ port without losing the DMZ configuration.

DHCPv6 for DMZ Connected Computers
DHCP Status. Enable the DHCPv6 server by selecting Enable DHCPv6 Server from the DHCP Status menu. The default menu selection is Disable DHCPv6 Server.
DHCP Mode. From the DHCP Mode menu, select Stateless. The IPv6 clients generate their own IP address by using a combination of locally available information and router advertisements but receive DNS server information from the DHCPv6 server. For stateless DHCPv6, you must configure the RADVD and advertisement prefixes (see Manage the IPv6 Router Advertisement Daemon for the DMZ on page 188).
Domain Name. Enter the domain name of the DHCP server.
Server Preference. Enter the DHCP server preference value. The possible values are 0–255, with 255 as the default setting. This is an optional setting that specifies the server’s preference value in a server advertise message. The client selects the server with the highest preference value as the preferred server.
DNS Server. From the DNS Server menu, select a DNS server option:
• Use DNS Proxy. The VPN firewall acts as a proxy for all DNS requests and communicates with the ISP DNS servers that you configure. For information about specifying the ISP DNS servers, see Manually Configure a Static IPv6 Internet Connection on page 94.
• Use DNS from ISP. The VPN firewall uses the ISP DNS servers that you configure. For information about specifying the ISP DNS servers, see Manually Configure a Static IPv6 Internet Connection on page 94.
• Use below. When you select this option, the Primary DNS Server and Secondary DNS Server fields become available for you to enter IP addresses:
   - Primary DNS Server. Enter the IP address of the primary DNS server for the DMZ.
   - Secondary DNS Server. Enter the IP address of the secondary DNS server for the DMZ.
Lease/Rebind Time. Enter the period after which the DHCP lease is renewed with the original DHCP server or rebound with another DHCP server to extend the existing DHCP lease. The default period is 86400 seconds (24 hours).

9. Click the Apply button. Your settings are saved.

Manage the IPv6 Router Advertisement Daemon for the DMZ

Note: If you use a stateless DHCPv6 server for the DMZ, you must configure the Router Advertisement Daemon (RADVD) and advertisement prefixes for the DMZ.

The Router Advertisement Daemon (RADVD) is an application that uses the Neighbor Discovery Protocol (NDP) to collect link-local advertisements of IPv6 addresses and IPv6 prefixes in the DMZ. The RADVD then distributes this information in the DMZ, which allows IPv6 clients to configure their own IPv6 address.

The following sections provide information about managing the IPv6 RADVD for the DMZ:
• IPv6 Router Advertisement Daemon for the DMZ
• Configure the IPv6 Router Advertisement Daemon for the DMZ
• Add an Advertisement Prefix for the DMZ
• Change an Advertisement Prefix for the DMZ
• Remove One or More Advertisement Prefixes for the DMZ
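Both the secondary LAN address rules earlier on this page and the DMZ Port Setup setting above require the WAN, LAN, DMZ, and secondary addresses to sit in different subnets. The following Python check is an added example, not NETGEAR code: it tests a candidate address against the manual's sample addresses, the names find_conflicts and check are chosen here, and it assumes that "different subnets" means the networks do not overlap once the prefix length is applied.

```python
import ipaddress

# Interface addresses taken from the manual's example (address/prefix length).
CONFIGURED = {
    "WAN": "2000::e246:9aff:fe1d:1a9c/64",
    "DMZ": "176::e246:9aff:fe1d:a1bc/64",
    "Primary LAN": "fec0::1/10",
}


def find_conflicts(candidate, configured=CONFIGURED):
    """Return (interface name, reason) pairs that conflict with candidate.

    Assumption of this example: two subnets are "different" only if their
    networks do not overlap after the prefix length is applied.
    """
    cand = ipaddress.IPv6Interface(candidate)
    conflicts = []
    for name, text in configured.items():
        iface = ipaddress.IPv6Interface(text)
        if cand.ip == iface.ip:
            conflicts.append((name, "same address"))
        elif cand.network.overlaps(iface.network):
            conflicts.append((name, f"{cand.network} overlaps {iface.network}"))
    return conflicts


def check(candidate, configured=CONFIGURED):
    """Validate the input, then report conflicts as readable lines."""
    try:
        conflicts = find_conflicts(candidate, configured)
    except ValueError as exc:  # malformed address or prefix length
        return [f"invalid input: {exc}"]
    return [f"{name}: {reason}" for name, reason in conflicts] or ["no conflict"]


if __name__ == "__main__":
    for cand in (
        "2001:db8:3000::2192/10",  # manual's secondary LAN example
        "2001:db8:3000::2192/64",  # same address, narrower prefix
        "fdff::1/64",              # manual's default DMZ address and prefix length
        "fec0::1/64",              # constructed: reuses the primary LAN address
    ):
        print(cand, "->", check(cand))
```

Under this strict test the prefix length decides the result: with a prefix length of 10 the address 2001:db8:3000::2192 belongs to 2000::/10, which contains the sample WAN network 2000::/64, while the same address with a prefix length of 64 reports no conflict.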
IPv6 Router Advertisement Daemon for the DMZ

Hosts and routers in the DMZ use NDP to determine the link-layer addresses and related information of neighbors in the DMZ that can forward packets on their behalf. The VPN firewall periodically distributes router advertisements (RAs) throughout the DMZ to provide such information to the hosts and routers in the DMZ. RAs include IPv6 addresses, types of prefixes, prefix addresses, prefix lifetimes, the maximum transmission unit (MTU), and so on.

In addition to configuring the RADVD, you also must configure the prefixes that are advertised in the DMZ RAs.

The following table provides an overview of how information is obtained in the DMZ when you configure a stateless DHCPv6 server and the RADVD:

Table 3. DHCPv6 and RADVD interaction in the DMZ

Flags in the RADVD: Managed RA flag is set.
DHCPv6 Server Provides:
• IP address assignment (a)
• DNS server and other configuration information
RADVD Provides:
• IP address assignment (a)
• Prefix
• Prefix length
• Gateway address

Flags in the RADVD: Other RA flag is set.
DHCPv6 Server Provides:
• DNS server and other configuration information
RADVD Provides:
• IP address assignment
• Prefix
• Prefix length
• Gateway address

a. Both the DHCPv6 server and the RADVD can assign IP addresses.

When the Managed flag is set in the RADVD, the DHCPv6 server can assign IP addresses and the RADVD also assigns IP addresses in the sense that it provides information that allows IPv6 clients to configure their own IPv6 address. When the Other flag is set, the DHCPv6 server does not assign IP addresses but provides DNS server and other configuration information only.

Configure the IPv6 Router Advertisement Daemon for the DMZ

The following procedure describes how to configure the Router Advertisement Daemon (RADVD) for the DMZ.

To configure the RADVD for the DMZ:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password.
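The Managed and Other flags summarized in Table 3 travel in the header of each router advertisement, so a captured RA shows which mode the DMZ is really announcing. The following Python parser is an added example, not NETGEAR code: it reads the ICMPv6 payload layout defined in RFC 4861 and applies Table 3 to it. The function names are chosen here, and the sample packet is constructed around the default DMZ prefix fdff::/64 with made-up lifetimes.

```python
import ipaddress
import struct

M_FLAG, O_FLAG = 0x80, 0x40        # Managed / Other bits in the RA header
L_FLAG, A_FLAG = 0x80, 0x40        # on-link / autonomous bits in a prefix option


def parse_ra(icmp6: bytes) -> dict:
    """Parse an ICMPv6 Router Advertisement (RFC 4861, type 134)."""
    if len(icmp6) < 16 or icmp6[0] != 134:
        raise ValueError("not a Router Advertisement")
    ra = {"managed": bool(icmp6[5] & M_FLAG), "other": bool(icmp6[5] & O_FLAG),
          "router_lifetime": struct.unpack("!H", icmp6[6:8])[0],
          "mtu": None, "prefixes": []}
    pos = 16                       # options start after the fixed header
    while pos < len(icmp6):
        if pos + 2 > len(icmp6):
            raise ValueError("truncated option header")
        opt_type, opt_len = icmp6[pos], icmp6[pos + 1] * 8
        if opt_len == 0 or pos + opt_len > len(icmp6):
            raise ValueError("malformed option length")
        body = icmp6[pos:pos + opt_len]
        if opt_type == 3 and opt_len == 32:          # Prefix Information
            plen, flags, valid, preferred = struct.unpack("!BBII", body[2:12])
            ra["prefixes"].append({
                "prefix": f"{ipaddress.IPv6Address(body[16:32])}/{plen}",
                "on_link": bool(flags & L_FLAG),
                "autonomous": bool(flags & A_FLAG),
                "valid_lifetime": valid, "preferred_lifetime": preferred})
        elif opt_type == 5 and opt_len == 8:         # MTU
            ra["mtu"] = struct.unpack("!I", body[4:8])[0]
        pos += opt_len
    return ra


def who_provides(ra: dict) -> dict:
    """Apply Table 3: what DHCPv6 hands out versus what the RA itself carries."""
    info = "DNS server and other configuration information"
    dhcpv6 = []                    # neither flag set: clients do not use DHCPv6
    if ra["managed"]:
        dhcpv6 = ["IP address assignment", info]
    elif ra["other"]:
        dhcpv6 = [info]
    slaac = [p["prefix"] for p in ra["prefixes"] if p["autonomous"]]
    return {"dhcpv6": dhcpv6, "self_configured_from": slaac}


def sample_ra() -> bytes:
    """Constructed RA for a stateless setup: M=0, O=1, prefix fdff::/64."""
    header = struct.pack("!BBHBBHII", 134, 0, 0, 64, O_FLAG, 1800, 0, 0)
    prefix = struct.pack("!BBBBIII", 3, 4, 64, L_FLAG | A_FLAG, 86400, 14400, 0)
    prefix += ipaddress.IPv6Address("fdff::").packed
    mtu = struct.pack("!BBHI", 5, 1, 0, 1500)
    return header + prefix + mtu   # checksum left at 0; it is not verified here


if __name__ == "__main__":
    print(who_provides(parse_ra(sample_ra())))
```

An RA that shows the Managed flag on a segment configured for stateless DHCPv6 does not match the configuration described above and is worth tracing to its sender.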