Netgear VPN Firewall FVS336Gv2 Reference Manual
Network Planning for Multiple WAN Ports 629 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2

You can configure the two WAN ports on a mutually exclusive basis to do either of the following:
• Auto-rollover for increased reliability
• Load balancing for outgoing traffic

The types of traffic listed below and the choice of auto-rollover or load balancing all interact, which makes the planning process more challenging:

• Inbound traffic. Unrequested incoming traffic can be directed to a computer on your LAN rather than being discarded. The mechanism for making the IP address public depends on whether the dual WAN ports are configured for auto-rollover or load balancing.

• Virtual private networks. A virtual private network (VPN) tunnel provides a secure communication channel either between two gateway VPN firewalls or between a remote computer client and a gateway VPN firewall. As a result, the IP address of at least one of the tunnel endpoints must be known in advance for the other tunnel endpoint to establish (or reestablish) the VPN tunnel.

Note: When the VPN firewall’s WAN port rolls over, the VPN tunnel closes and must be reestablished using the new WAN IP address. However, you can configure automatic IPSec VPN rollover to ensure that an IPSec VPN tunnel is reestablished.

• Dual WAN ports in auto-rollover mode. Rollover for a VPN firewall with dual WAN ports differs from a single WAN port gateway configuration when you specify the IP address. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of a fully qualified domain name (FQDN) is always required, even when the IP address of each WAN port is fixed.

Figure 14. Dual WAN ports in auto-rollover mode

Features such as multiple exposed hosts are not supported in auto-rollover mode because the IP addresses of each WAN port would have to be in the identical range of fixed addresses.

• Dual WAN ports in load balancing mode. Load balancing for a VPN firewall with dual WAN ports is similar to a single WAN gateway configuration when you specify the IP address. Each IP address is either fixed or dynamic, depending on the ISP: you must use FQDNs when the IP address is dynamic, but FQDNs are optional when the IP address is static.
Figure 15. Dual WAN ports in load balancing mode

Planning for Inbound Traffic

Incoming traffic from the Internet is normally discarded by the VPN firewall unless the traffic is a response to one of your local computers or a service for which you have configured an inbound rule. Instead of discarding this traffic, you can configure the VPN firewall to forward it to one or more LAN hosts on your network. The addressing of the VPN firewall’s dual WAN ports depends on the configuration being implemented.

The following sections provide information about planning for inbound traffic:
• Inbound Traffic to a Single WAN Port System
• Inbound Traffic to a Dual WAN Port System

Table 11. IP addressing requirements for exposed hosts in a dual WAN port configuration

Configuration            WAN IP address   Single WAN port (reference case)   Dual WAN port: rollover   Dual WAN port: load balancing
Inbound traffic          Fixed            Allowed (FQDN optional)            FQDN required             Allowed (FQDN optional)
(port forwarding,        Dynamic          FQDN required                      FQDN required             FQDN required
 port triggering)
Inbound Traffic to a Single WAN Port System

The Internet IP address of the VPN firewall’s WAN port must be known to the public so that the public can send incoming traffic to the exposed host when this feature is supported and enabled. In the single WAN case, the WAN port’s Internet address is either a fixed IP address or, if the IP address is dynamic, an FQDN.

Figure 16. Inbound traffic to a single WAN port system

Inbound Traffic to a Dual WAN Port System

The IP address range of the VPN firewall’s WAN ports must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.

Inbound Traffic: Dual WAN Ports for Improved Reliability

In a dual WAN port auto-rollover configuration, the WAN port’s IP address always changes when a rollover occurs. You must use an FQDN that toggles between the IP addresses of the WAN ports (that is, WAN1 or WAN2).

Figure 17. Inbound traffic to a dual WAN port system in auto-rollover mode

Inbound Traffic: Dual WAN Ports for Load Balancing

In a dual WAN port load balancing configuration, the Internet address of each WAN port is either the IP address itself if the IP address is fixed or an FQDN if the IP address is dynamic (see the following figure).
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. To maintain better control of WAN port traffic, consider making one of the WAN port Internet addresses public and keeping the other one private.

Figure 18. Inbound traffic to a dual WAN port system in load balancing mode

Planning for Virtual Private Networks

The following sections provide information about planning for VPN:
• VPN Telecommuter - Client-to-Gateway
• VPN Gateway-to-Gateway
• VPN Telecommuter - Client-to-Gateway Through a NAT Router

When implementing virtual private network (VPN) tunnels, you must use a mechanism for determining the IP addresses of the tunnel endpoints. The addressing of the firewall’s WAN ports in a dual WAN port auto-rollover or load balancing configuration depends on the configuration being implemented.

Table 12. IP addressing requirements for VPNs in a dual WAN port configuration

Configuration                                              WAN IP address   Single WAN port (reference case)   Dual WAN port: rollover mode (a)   Dual WAN port: load balancing mode
VPN Telecommuter - Client-to-Gateway                       Fixed            Allowed (FQDN optional)            FQDN required                      Allowed (FQDN optional)
                                                           Dynamic          FQDN required                      FQDN required                      FQDN required
VPN Gateway-to-Gateway                                     Fixed            Allowed (FQDN optional)            FQDN required                      Allowed (FQDN optional)
                                                           Dynamic          FQDN required                      FQDN required                      FQDN required
VPN Telecommuter - Client-to-Gateway Through a NAT Router  Fixed            Allowed (FQDN optional)            FQDN required                      Allowed (FQDN optional)
                                                           Dynamic          FQDN required                      FQDN required                      FQDN required

a. After a rollover, all tunnels must be reestablished using the new WAN IP address.
For a single WAN gateway configuration, use an FQDN when the IP address is dynamic and either an FQDN or the IP address itself when the IP address is fixed. The situation is different in dual WAN port gateway configurations.

• Dual WAN ports in auto-rollover mode. A gateway configuration with dual WAN ports that function in auto-rollover mode differs from a gateway configuration with a single WAN port when you specify the IP address of the VPN tunnel endpoint. Only one WAN port is active at a time, and when it rolls over, the IP address of the active WAN port always changes. Therefore, the use of an FQDN is always required, even when the IP address of each WAN port is fixed.

Note: When the VPN firewall’s WAN port rolls over, the VPN tunnel collapses and must be reestablished using the new WAN IP address. However, you can configure automatic IPSec VPN rollover to ensure that an IPSec VPN tunnel is reestablished.

Figure 19. Dual WAN ports in auto-rollover mode with VPN traffic

• Dual WAN ports in load balancing mode. A gateway configuration with dual WAN ports that function in load balancing mode is the same as a single WAN port configuration when you specify the IP address of the VPN tunnel endpoint. Each IP address is either fixed or dynamic, depending on the ISP: you must use FQDNs when the IP address is dynamic, and FQDNs are optional when the IP address is static.

Figure 20. Dual WAN ports in load balancing mode with VPN traffic
VPN Telecommuter - Client-to-Gateway

The following situations exemplify the requirements for a remote computer client with no firewall to establish a VPN tunnel with a gateway VPN firewall:
• Single-gateway WAN port
• Redundant dual-gateway WAN ports for increased reliability (before and after rollover)
• Dual-gateway WAN ports for load balancing

VPN Telecommuter: Single-Gateway WAN Port - Reference Case

In a single WAN port gateway configuration, the remote computer client initiates the VPN tunnel because the IP address of the remote computer client is not known in advance. The gateway WAN port must act as the responder.

Figure 21. Telecommuter example in a single WAN port configuration

The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, an FQDN must be used. If the IP address is fixed, an FQDN is optional.

VPN Telecommuter: Dual-Gateway WAN Ports for Improved Reliability

In a gateway configuration with dual WAN ports that function in auto-rollover mode, the remote computer client initiates the VPN tunnel with the active WAN port (port WAN1 in the following figure) because the IP address of the remote computer client is not known in advance. The gateway WAN port must act as the responder.

Figure 22. Telecommuter example in a dual WAN port configuration before auto-rollover
The IP addresses of the WAN ports can be either fixed or dynamic, but you must always use an FQDN because the active WAN port could be either WAN1 or WAN2 (that is, the IP address of the active WAN port is not known in advance). After a rollover of the WAN port occurs, the previously inactive gateway WAN port becomes the active port (port WAN2 in the following figure) and the remote computer client must reestablish the VPN tunnel. The gateway WAN port must act as the responder.

Figure 23. Telecommuter example in a dual WAN port configuration after auto-rollover

The purpose of the FQDN in this case is to toggle the domain name of the gateway firewall between the IP addresses of the WAN ports (that is, WAN1 and WAN2) so that the name always resolves to the active port and the remote computer client can determine the gateway IP address with which to establish or reestablish a VPN tunnel.

VPN Telecommuter: Dual-Gateway WAN Ports for Load Balancing

In a gateway configuration with dual WAN ports that function in load balancing mode, the remote computer client initiates the VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as necessary to balance the loads of the two gateway WAN ports) because the IP address of the remote computer client is not known in advance. The selected gateway WAN port must act as the responder.

Figure 24. Telecommuter example in a dual WAN port configuration with load balancing

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional.
VPN Gateway-to-Gateway

The following situations exemplify the requirements for a gateway VPN firewall to establish a VPN tunnel with another gateway VPN firewall:
• Single-gateway WAN ports
• Redundant dual-gateway WAN ports for increased reliability (before and after rollover)
• Dual-gateway WAN ports for load balancing

VPN Gateway-to-Gateway: Single-Gateway WAN Ports - Reference Case

In a configuration with two single WAN port gateways, either gateway WAN port can initiate the VPN tunnel with the other gateway WAN port because the IP addresses are known in advance.

Figure 25. Gateway-to-gateway example in a single WAN port configuration

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional.

VPN Gateway-to-Gateway: Dual-Gateway WAN Ports for Improved Reliability

In a configuration with two dual WAN port VPN gateways that function in auto-rollover mode, the active gateway WAN port at either end can initiate the VPN tunnel with the active gateway WAN port at the other end because each gateway’s current address can be determined in advance from its FQDN. In this example (see the following figure), port WAN_A1 is active and port WAN_A2 is inactive at Gateway A; port WAN_B1 is active and port WAN_B2 is inactive at Gateway B.
Figure 26. Gateway-to-gateway example in a dual WAN port configuration before auto-rollover

The IP addresses of the gateway WAN ports can be either fixed or dynamic, but you must always use an FQDN because the active WAN ports could be either WAN_A1 or WAN_A2 and either WAN_B1 or WAN_B2 (that is, the IP addresses of the active WAN ports are not known in advance). After a rollover of a gateway WAN port, the previously inactive gateway WAN port becomes the active port (port WAN_A2 in the following figure) and one of the gateways must reestablish the VPN tunnel.

Figure 27. Gateway-to-gateway example in a dual WAN port configuration after auto-rollover

The purpose of the FQDNs is to toggle the domain name of the rolled-over gateway between the IP addresses of its WAN ports (that is, WAN_A1 and WAN_A2 in the previous figure) so that the other end of the tunnel has a known gateway IP address with which to establish or reestablish the VPN tunnel.

VPN Gateway-to-Gateway: Dual-Gateway WAN Ports for Load Balancing

In a configuration with two dual WAN port VPN gateways that function in load balancing mode, either of the gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the appropriate gateway WAN port at the other end, as necessary to manage the loads of the gateway WAN ports, because the IP addresses of the WAN ports are known in advance.
Figure 28. Gateway-to-gateway example in a dual WAN port configuration with load balancing

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is dynamic, you must use an FQDN. If an IP address is fixed, an FQDN is optional.

VPN Telecommuter - Client-to-Gateway Through a NAT Router

Note: The telecommuter case presumes that the home office has a dynamic IP address and a NAT router.

The following situations exemplify the requirements for a remote computer client connected to the Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway VPN firewall at the company office:
• Single-gateway WAN port
• Redundant dual-gateway WAN ports for increased reliability (before and after rollover)
• Dual-gateway WAN ports for load balancing

VPN Telecommuter: Single-Gateway WAN Port - Reference Case

In a single WAN port gateway configuration, the remote computer client behind the NAT router initiates the VPN tunnel because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.
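The planning rules above (Tables 11 and 12, the telecommuter and gateway-to-gateway auto-rollover cases, and the client behind a NAT router) all rest on one mechanism: after a rollover the gateway’s public name must follow the active WAN IP, and the peer must resolve that name again before it reestablishes the tunnel. The following Python model is an added example, not code from this manual or from Netgear. The host names, addresses and the in-memory DDNS zone are constructed for the demonstration; VpnPeer stands for either a telecommuter client or a remote gateway, since the tables impose the same requirement on both; fqdn_required restates the two tables as a rule; and which_wan_is_active is the operational check a practitioner would run after a rollover (pass socket.gethostbyname as the resolver to run it against real DNS). A stale DNS answer is modelled deliberately, because a peer that keeps resolving to the old WAN address fails exactly like one pinned to a fixed IP.

```python
"""Added worked example (not Netgear's code): why dual-WAN auto-rollover
forces an FQDN on every VPN peer and exposed-host user, and why the peer
must re-resolve that name after a rollover.  All names, addresses and the
in-memory DDNS zone below are constructed for the demo."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional

WAN_MODES = ("single", "rollover", "load-balancing")


def fqdn_required(wan_mode: str, addressing: str) -> bool:
    """Tables 11 and 12 as a rule: rollover always needs an FQDN because the
    active WAN IP changes; otherwise one is needed only for a dynamic IP."""
    if wan_mode not in WAN_MODES or addressing not in ("fixed", "dynamic"):
        raise ValueError(f"unknown mode/addressing: {wan_mode}/{addressing}")
    return wan_mode == "rollover" or addressing == "dynamic"


# Constructed DDNS zone; the firewall rewrites its record on every rollover.
DDNS_ZONE: Dict[str, str] = {}


def ddns_resolve(name: str) -> str:
    return DDNS_ZONE[name]


@dataclass
class DualWanFirewall:
    fqdn: str
    wan_ips: Dict[str, str]   # {"WAN1": ip, "WAN2": ip}
    active: str = "WAN1"

    def __post_init__(self) -> None:
        DDNS_ZONE[self.fqdn] = self.active_ip

    @property
    def active_ip(self) -> str:
        return self.wan_ips[self.active]

    def rollover(self) -> str:
        """WAN failure: the other port becomes active and the DDNS record is
        updated so the public name follows the active WAN IP."""
        self.active = "WAN2" if self.active == "WAN1" else "WAN1"
        DDNS_ZONE[self.fqdn] = self.active_ip
        return self.active

    def responds_at(self, ip: str) -> bool:
        """Only the active WAN port answers an IKE initiator."""
        return ip == self.active_ip


@dataclass
class VpnPeer:
    """Telecommuter client (with or without a NAT router in front) or a
    remote gateway.  endpoint is a literal IP or an FQDN.  resolver defaults
    to the constructed zone; for a real check pass socket.gethostbyname."""
    endpoint: str
    resolver: Callable[[str], str] = ddns_resolve
    cached_ip: Optional[str] = None

    def target_ip(self, use_cache: bool = False) -> str:
        try:
            ipaddress.ip_address(self.endpoint)   # literal IP: nothing to resolve
            return self.endpoint
        except ValueError:
            pass
        if use_cache and self.cached_ip is not None:
            return self.cached_ip             # stale answer kept past rollover
        self.cached_ip = self.resolver(self.endpoint)
        return self.cached_ip

    def establish(self, gateway: DualWanFirewall, use_cache: bool = False) -> bool:
        """True if the initiator reaches a responder at the address it chose."""
        return gateway.responds_at(self.target_ip(use_cache))


def which_wan_is_active(fqdn: str, wan_ips: Dict[str, str],
                        resolver: Callable[[str], str] = ddns_resolve) -> Optional[str]:
    """Operational check: which WAN port does the public name point at now?
    None means the DDNS update failed or the answer is stale."""
    ip = resolver(fqdn)
    for port, addr in wan_ips.items():
        if addr == ip:
            return port
    return None


def demo():
    gw = DualWanFirewall("gw.example.net",
                         {"WAN1": "198.51.100.10", "WAN2": "203.0.113.20"})
    pinned = VpnPeer("198.51.100.10")      # fixed IP of WAN1, no FQDN
    named = VpnPeer("gw.example.net")      # FQDN, as the tables require
    before = (pinned.establish(gw), named.establish(gw))
    gw.rollover()
    after = (pinned.establish(gw),                  # still aims at WAN1
             named.establish(gw, use_cache=True),   # stale DNS answer
             named.establish(gw))                   # re-resolved
    return before, after, which_wan_is_active(gw.fqdn, gw.wan_ips)


if __name__ == "__main__":
    print(demo())
```

Before the rollover both peers reach the responder; afterwards the peer pinned to WAN1’s fixed address and the peer reusing a cached answer both fail, and only the peer that resolves the FQDN again reconnects, which is the behaviour the tables encode as "FQDN required" for rollover mode regardless of whether the WAN addresses are fixed. When running the check against real DNS, keep the record’s TTL short enough that peers re-resolve promptly after a rollover.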