Netgear VPN Firewall FVS336Gv2 Reference Manual
Diagnostics and Troubleshooting 619 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

c. Click or double-click View status of this connection. The Local Area Connection Status screen displays.
d. Make sure that Internet access shows for the IPv6 connection. The previous figure shows that there is no Internet access.
e. Click the Details button. The Network Connection Details screen displays.
f. Make sure that an IPv6 address shows. The previous figure does not show an IPv6 address for the computer but only a link-local IPv6 address and an IPv6 default gateway address, both of which start, in this case, with fe80.

Troubleshoot a TCP/IP Network Using a Ping Utility

Most TCP/IP terminal devices and firewalls contain a ping utility that sends an echo request packet to the designated device. The device then responds with an echo reply. You can easily troubleshoot a TCP/IP network by using the ping utility in your computer or workstation.

The following sections provide information about troubleshooting a TCP/IP network using a ping utility:
•Test the LAN Path to Your VPN Firewall
•Test the Path from Your Computer to a Remote Device

Test the LAN Path to Your VPN Firewall

You can ping the VPN firewall from your computer to verify that the LAN path to the VPN firewall is set up correctly.

To ping the VPN firewall from a computer running Windows 95 or later:
1. From the Windows taskbar, click Start and select Run.
2. In the field provided, type ping followed by the IP address of the VPN firewall, for example:
ping 192.168.1.1
3. Click the OK button. A message similar to the following displays:
Pinging <IP address> with 32 bytes of data
If the path is working, you see this message:
Reply from <IP address>: bytes=32 time=NN ms TTL=xxx
If the path is not working, you see this message:
Request timed out

If the path is not functioning correctly, you might have one of the following problems:
•Wrong physical connections
-Make sure that the LAN port LED is lit. If the LED is off, see Troubleshoot Basic Functioning on page 612.
-Check that the corresponding link LEDs are lit for your network interface card and for the hub ports (if any) that are connected to your workstation and VPN firewall.
•Wrong network configuration
-Verify that the Ethernet card driver software and TCP/IP software are both installed and configured on your computer or workstation.
-Verify that the IP address for your VPN firewall and your workstation are correct and that the addresses are on the same subnet.

Test the Path from Your Computer to a Remote Device

After verifying that the LAN path works correctly, test the path from your computer to a remote device. From the Windows Run dialog box, type
ping -n 10 <IP address>
in which <IP address> is the IP address of a remote device such as your ISP’s DNS server.

If the path is functioning correctly, replies as in Test the LAN Path to Your VPN Firewall on page 620 are displayed. If you do not receive replies, check the following:
•Check that your computer has the IP address of your VPN firewall listed as the default gateway. If the IP configuration of your computer is assigned by DHCP, this information is not visible in your computer’s Network Control Panel.
•Check to see that the network address of your computer (the portion of the IP address that is specified by the netmask) is different from the network address of the remote device.
•Check that the modem or router is connected and functioning.
•For IPv4 PPPoE or PPTP connections, your ISP might check for your computer’s host name. For information about entering the host name, system name, or account name and the domain name or workgroup name that was assigned to you by your ISP, see Manually Configure a PPPoE IPv4 Internet Connection on page 39 or Manually Configure a PPTP IPv4 Internet Connection on page 44.
•Your ISP might be rejecting the Ethernet MAC addresses of all but one of your computers. Many broadband ISPs restrict access by allowing traffic only from the MAC address of your broadband modem, but some ISPs additionally restrict access to the MAC address of a single computer connected to that modem.
If your ISP does this, you must configure your VPN firewall to clone or spoof the MAC address from the authorized computer. For more information, see Managing Advanced WAN Options on page 66.

Troubleshoot Problems with Date and Time

The VPN firewall uses the Network Time Protocol (NTP) to obtain the current time from one of several network time servers on the Internet. Each entry in the log is stamped with the date and time of day. For information about displaying the current date and time of day, see Configure Date and Time Service on page 554.

Problems with the date and time function can include the following:
•Date shown is January 1, 2000.
Cause: The VPN firewall has not yet successfully reached a network time server. Check that your Internet access settings are configured correctly. If you have just completed configuring the VPN firewall, wait at least five minutes, and check the date and time again.
•Time is off by one hour.
Cause: The VPN firewall does not automatically detect daylight saving time.

To configure the VPN firewall to detect daylight saving time:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Administration > Time Zone. The Time Zone screen displays.
7. Select the Automatically Adjust for Daylight Savings Time check box.
8. Click the Apply button. Your settings are saved.

Access Documentation from the Web Management Interface

From the web management interface, you can access the online documentation library for your VPN firewall model.

To access NETGEAR’s documentation library for your VPN firewall model:
1. On your computer, launch an Internet browser.
2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1.
The NETGEAR Configuration Manager Login screen displays.
3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password.
4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain.
5. Click the Login button. The Router Status screen displays.
6. Select Web Support > Documentation. The download center at downloadcenter.netgear.com displays.
7. In the search field, enter FVS336Gv2. The support page for your product displays.
8. Click the Get more Downloads... link. All available documentation displays on the left side.
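
The addressing checks listed in the ping troubleshooting sections of this chapter (workstation and VPN firewall on the same subnet, VPN firewall listed as the default gateway, remote device on a different network address, and an IPv6 interface that holds only fe80 link-local addresses) can be evaluated together. The following Python sketch is an added example and is not part of the NETGEAR manual; the function name check_ping_path and all sample addresses are constructed for illustration.

```python
import ipaddress


def check_ping_path(host_ip, netmask, default_gateway, firewall_ip, remote_ip,
                    ipv6_addresses=()):
    """Return a list of findings; an empty list means every check passed.

    All values are supplied by the caller, for example copied by hand from
    the Network Connection Details screen of the workstation.
    """
    findings = []
    # Network address = the portion of the IP address selected by the netmask.
    lan = ipaddress.ip_network(f"{host_ip}/{netmask}", strict=False)
    firewall = ipaddress.ip_address(firewall_ip)

    # LAN path: the workstation and the VPN firewall must share one subnet.
    if firewall not in lan:
        findings.append(f"firewall {firewall} is outside the workstation subnet {lan}")

    # Remote path: the VPN firewall must be listed as the default gateway.
    if default_gateway is None:
        findings.append("no default gateway is configured")
    elif ipaddress.ip_address(default_gateway) != firewall:
        findings.append(f"default gateway {default_gateway} is not the firewall {firewall}")

    # Remote path: the remote device must be on a different network address,
    # otherwise the workstation does not send the traffic through the firewall.
    if ipaddress.ip_address(remote_ip) in lan:
        findings.append(f"remote device {remote_ip} shares the network address {lan}")

    # IPv6: only fe80::/10 link-local addresses means no routable IPv6 address.
    # Windows appends a zone index such as %11, which is stripped before parsing.
    v6 = [ipaddress.ip_address(a.split("%")[0]) for a in ipv6_addresses]
    if v6 and all(a.is_link_local for a in v6):
        findings.append("only link-local (fe80) IPv6 addresses are present")
    return findings


if __name__ == "__main__":
    # Constructed sample: workstation on 192.168.2.0/24, firewall at its
    # factory default address 192.168.1.1, remote device 203.0.113.53.
    for finding in check_ping_path("192.168.2.10", "255.255.255.0", "192.168.2.1",
                                   "192.168.1.1", "203.0.113.53",
                                   ["fe80::1c2d:3e4f:5a6b:7c8d%11"]):
        print("CHECK:", finding)
```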
A. Network Planning for Multiple WAN Ports

This appendix describes the factors to consider when planning a network using a firewall that has more than one WAN port. This appendix contains the following sections:
•What to Consider Before You Begin
•Overview of the Planning Process
•Planning for Inbound Traffic
•Planning for Virtual Private Networks
What to Consider Before You Begin

The following sections provide information about planning and requirements:
•Planning Overview
•Cabling and Computer Hardware Requirements
•Computer Network Configuration Requirements
•Internet Configuration Requirements

Planning Overview

The VPN firewall is a powerful and versatile solution for your networking needs. To make the configuration process easier and to understand all of the choices that are available to you, consider the following before you begin:

1. Plan your network.
a. Determine whether you will use one or several WAN ports. For one WAN port, you might need a fully qualified domain name either for convenience or to remotely access a dynamic WAN IP address.
b. If you intend to use several WAN ports, determine whether you will use them in auto-rollover mode for increased system reliability or load balancing mode for maximum bandwidth efficiency. See the topics in this appendix on page 624 for more information. Your decision has the following implications:
•Fully qualified domain name (FQDN)
-For auto-rollover mode, you need an FQDN to implement features such as exposed hosts and virtual private networks.
-For load balancing mode, you might still need an FQDN either for convenience or to remotely access a dynamic WAN IP address.
•Protocol binding
-For auto-rollover mode, protocol binding does not apply.
-For load balancing mode, decide which protocols will be bound to a specific WAN port.
-You can also add your own service protocols to the list.

2. Set up your accounts.
a. Obtain active Internet services such as DSL broadband accounts and locate the Internet service provider (ISP) configuration information.
•In this manual, the WAN side of the network is presumed to be provisioned as shown in the following figure, with two ISPs connected to the VPN firewall through separate physical facilities.
•Each WAN port must be configured separately, whether you are using a separate ISP for each WAN port or you are using the same ISP to route the traffic of both WAN ports.
•If your ISP charges by the volume of data traffic each month, consider enabling the VPN firewall’s traffic meter to monitor or limit your traffic.

Figure 13. Planning for route diversity

b. Contact a Dynamic DNS service and register FQDNs for one or both WAN ports.

3. Plan your network management approach.
•The VPN firewall can be managed remotely but you must enable remote management locally after each factory default reset. NETGEAR strongly advises you to change the default management password to a strong password before enabling remote management.
•If the factory default settings are not suitable for your installation, you can choose various WAN options. These options include enabling a WAN port to respond to a ping, and setting MTU size, port speed, and upload bandwidth.

4. Prepare to physically connect the firewall to your cable or DSL modems and a computer. Instructions for connecting the VPN firewall are in the ProSAFE Gigabit Quad WAN SSL VPN Firewall FVS336Gv2 Installation Guide.

Cabling and Computer Hardware Requirements

For you to use the VPN firewall in your network, each computer must have an Ethernet network interface card (NIC) installed and must be equipped with an Ethernet cable. If the computer connects to your network at 100 Mbps or higher speeds, you must use a Category 5 (Cat 5) cable.

Computer Network Configuration Requirements

The VPN firewall integrates a web management interface. To access the configuration screens on the VPN firewall, you must use a Java-enabled web browser that supports HTTP uploads, such as the most recent version of Google Chrome, Microsoft Internet Explorer, Mozilla Firefox, or Apple Safari with JavaScript, cookies, and SSL enabled. Free browsers are readily available for Windows, Macintosh, and UNIX/Linux.
For the initial connection to the Internet and configuration of the VPN firewall, you must connect a computer to the VPN firewall and the computer must be configured to automatically get its TCP/IP configuration from the VPN firewall through DHCP. The DSL broadband access device or router must provide a standard Ethernet interface.

[Figure 13 labels: ISP 1, ISP 2, Internet, WAN port 1, WAN port 2, customer premises, physical facility 1, physical facility 2, route diversity, VPN firewall]
Internet Configuration Requirements

Depending on how your ISP sets up your Internet accounts, you need the following Internet configuration information to connect the VPN firewall to the Internet:
•Host and domain names
•One or more ISP login names and passwords
•ISP Domain Name Server (DNS) addresses
•One or more fixed IP addresses (also known as static IP addresses)

Where Do I Get the Internet Configuration Information?

You can gather the required Internet connection information in several ways. Your ISPs provide all the information needed to connect to the Internet. If you cannot locate this information, you can ask your ISP to provide you with it, or, if you have a computer already connected using the active Internet access account, you can gather the configuration information from that computer.
•For Windows computers, open the Network and Sharing Center, select the TCP/IP entry for the Ethernet adapter, and click Properties. Record all the settings for each tab page.
•For Macintosh computers, open the TCP/IP or Network Control Panel. Record all the settings for each section.

After you have located your Internet configuration information, you might want to record the information in Internet Connection Information on page 627.

Internet Connection Information

Print the following Internet connection information. Write down the configuration settings that are provided to you by your ISP.
_________________________________________________________________________
•ISP login information. The login name and password are case-sensitive and must be entered exactly as given by your ISP. Some ISPs use your full email address as the login name. The service name is not required by all ISPs. If you connect using a login name and password, complete the following:
WAN 1 login name: ____________________________
WAN 1 password: ____________________________
WAN 1 service name: ____________________________
WAN 2 login name: ____________________________
WAN 2 password: ____________________________
WAN 2 service name: ____________________________
•Fixed or static IP address. If you have a static IP address, record the following information. For example, 169.254.141.148 could be a valid IP address.
WAN 1 fixed or static Internet IP address: ______.______.______.______
WAN 1 gateway IP address: ______.______.______.______
WAN 1 subnet mask: ______.______.______.______
WAN 2 fixed or static Internet IP address: ______.______.______.______
WAN 2 gateway IP address: ______.______.______.______
WAN 2 subnet mask: ______.______.______.______
•ISP DNS server addresses. If you were given DNS server addresses, complete the following:
WAN 1 primary DNS server IP address: ______.______.______.______
WAN 1 secondary DNS server IP address: ______.______.______.______
WAN 2 primary DNS server IP address: ______.______.______.______
WAN 2 secondary DNS server IP address: ______.______.______.______
•Host and domain names. Some ISPs use a specific host or domain name such as CCA7324-A or home. If you were not given host or domain names, you can use the following examples as a guide:
-If your main email account with your ISP is aaa@xxx.yyy.com, use aaa as your host name. Your ISP might call this your account, user, host, computer, or system name.
-If your ISP’s mail server is mail.xxx.yyy.com, use xxx.yyy.com as the domain name.
WAN 1 ISP host name: _______________________
WAN 1 ISP domain name: _______________________
WAN 2 ISP host name: _______________________
WAN 2 ISP domain name: _______________________
•Fully qualified domain name. Some organizations use a fully qualified domain name (FQDN) from a Dynamic DNS service provider for their IP addresses.
Dynamic DNS service provider: ______________________
WAN 1 FQDN: ______________________
WAN 2 FQDN: ______________________
_________________________________________________________________________

Overview of the Planning Process

The areas that require planning when you use a firewall that has multiple WAN ports such as the VPN firewall include the following:
•Inbound traffic (port forwarding, port triggering)
•Outbound traffic (protocol binding)
•Virtual private networks (VPNs)