Netgear Netgar VPN FIrewall FVS336Gv2 Reference Manual
Have a look at the manual Netgear Netgar VPN FIrewall FVS336Gv2 Reference Manual online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 137 Netgear manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
Configure the IPv4 Internet and WAN Settings 81 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > QoS. The QoS screen displays. The following figure shows some profiles in the List of QoS Profiles table. 7. To enable QoS, select the Ye s radio button. By default, the No radio button is selected. 8. Specify the profile type that must be active. •Rate control. All rate control QoS profiles that you configure are active, but priority QoS profiles are not. •Priority. All priority QoS profiles that you configure are active, but rate control QoS profiles are not. 9. Click the Apply button. Your settings are saved. The List of QoS Profiles table shows the following columns:
Configure the IPv4 Internet and WAN Settings 82 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 •QoS Type. The type of profile, either Rate Control or Priority. •Interface Name. The WAN interface to which the profile applies (WAN1 or WAN2). •Service. The service to which the profile applies. •Direction. The WAN direction to which the profile applies (inbound, outbound, or both). •Rate. The bandwidth rate in Kbps or the priority. •Hosts. The IP address, IP addresses, or group to which the rate control profile applies. (The information in this column does not apply to priority profiles.) •Action. The Edit button provides access to the Edit QoS screen for the corresponding profile. For more information about the information that is shown in the List of QoS Profiles table, see Add a Rate Control WAN QoS Profile on page 75 and Add a Priority Queue WAN QoS Profile on page 78. Change a QoS Profile The following procedure describes how to change an existing WAN QoS profile. To change a QoS profile: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > QoS. The QoS screen displays. 7. In the List of QoS Profiles table, click the Edit button for the profile that you want to change. The Edit QoS screen displays.
Configure the IPv4 Internet and WAN Settings 83 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 8. Change the settings. For information about the settings, see Add a Rate Control WAN QoS Profile on page 75 and Add a Priority Queue WAN QoS Profile on page 78. 9. Click the Apply button. Your settings are saved. The modified QoS profile displays in the List of QoS Profiles table on the QoS screen. Enable, Disable, or Remove One or More WAN QoS Profiles The following procedure describes how to enable or disable existing WAN QoS profiles or remove WAN QoS profiles that you no longer need. To enable, disable, or remove one or more WAN QoS profiles: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > QoS. The QoS screen displays. 7. In the List of QoS Profiles table, select the check box to the left of each QoS profile that you want to remove or click the Select All button to select all profiles. 8. Click one of the following buttons: •Enable. Enables the selected WAN QoS profiles. The ! status icons change from gray circles to green circles, indicating that the selected profiles are enabled. (By default, when you add a profile, the profile is automatically enabled.) •Disable. Disables the selected WAN QoS profiles.
Configure the IPv4 Internet and WAN Settings 84 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 The ! status icons change from green circles to gray circles, indicating that the selected profiles are disabled. •Delete. Removes the selected WAN QoS profiles. The selected profiles are removed from the List of QoS Profiles table. Additional WAN-Related Configuration Tasks If you want the ability to manage the VPN firewall remotely, enable remote management (see Set Up Remote Management Access on page 534). If you enable remote management, NETGEAR strongly recommends that you change your password (see Change Passwords and Automatic Logout Period on page 511). As an option, you can also set up the traffic meter for each WAN interface (see Configure and Enable the WAN IPv4 Traffic Meter on page 558). Test the VPN firewall before deploying it in a live production environment. Verify that network traffic can pass through the VPN firewall by doing the following: •Ping an Internet URL. •Ping the IP address of a device on either side of the VPN firewall. What to Do Next After you complete setting up the WAN connection for the VPN firewall, you might want to address the important tasks described in the following chapters and sections before you deploy the VPN firewall in your network: •Chapter 3, Configure the IPv6 Internet and WAN Settings •Chapter 4, Configure the IPv4 LAN Settings •Configure Authentication Domains, Groups, and User Accounts on page 488 •Manage Digital Certificates for VPN Connections on page 512 •Use the IPSec VPN Wizard for Client and Gateway Configurations on page 334 •Chapter 9, Set Up Virtual Private Networking with SSL Connections
85 3 3. Configure the IPv6 Internet and WAN Settings This chapter explains how to configure the IPv6 Internet and WAN settings. The chapter contains the following sections: •Roadmap to Setting Up an IPv6 Internet Connection to Your ISP •Configure the IPv6 Internet Connection and WAN Settings •Manage Tunneling for IPv6 Traffic •Configure Stateless IP/ICMP Translation •Configure Auto-Rollover for IPv6 Interfaces •Additional WAN-Related Configuration Tasks •What to Do Next
Configure the IPv6 Internet and WAN Settings 86 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Roadmap to Setting Up an IPv6 Internet Connection to Your ISP Typically, the VPN firewall is installed as a network gateway to function as a combined LAN switch and firewall to protect the network from incoming threats and provide secure connections. To complement the firewall protection, NETGEAR recommends that you use a gateway security appliance such as a NETGEAR ProSECURE STM appliance. The tasks that are required to complete the Internet connection of your VPN firewall depend on whether you use an IPv4 connection, an IPv6 connection, or both to connect to your Internet service provider (ISP). For information about setting up an IPv4 connection, see Chapter 2, Configure the IPv4 Internet and WAN Settings. Note:The VPN firewall supports simultaneous IPv4 and IPv6 connections. You can configure only one WAN interface for IPv6. You can configure the other WAN interface for IPv4. Setting up an IPv6 Internet connection to your ISP includes six tasks, four of which are optional. Complete these tasks: 1. Configure the IPv6 routing mode. Configure the VPN firewall to support both devices with IPv4 addresses and devices with IPv6 addresses. This task is described in Manage the IPv6 Routing Mode on page 88. 2. Configure the IPv6 Internet connection to your ISP. Connect to an ISP by configuring a WAN interface. You have three configuration options. These tasks are described in the following sections: •Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically on page 90 •Manually Configure a Static IPv6 Internet Connection on page 94 •Manually Configure a PPPoE IPv6 Internet Connection on page 97 3. (Optional) Configure the IPv6 tunnels. Enable 6to4 tunnels and configure ISATAP tunnels. These tasks are described in the following sections: •Manage 6to4 Automatic Tunneling on page 101 •Manage ISATAP Automatic Tunneling on page 103 4. (Optional) Configure Stateless IP/ICMP Translation (SIIT). Enable IPv6 devices that do not have permanently assigned IPv4 addresses to communicate with IPv4-only devices. This task is described in Configure Stateless IP/ICMP Translation on page 108.
Configure the IPv6 Internet and WAN Settings 87 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 5. (Optional) Configure auto-rollover and failure detection. By default, the WAN interfaces are configured for primary (single) WAN mode. You can enable auto-rollover and configure the failure detection settings. These tasks are described in Configure Auto-Rollover for IPv6 Interfaces on page 109. 6. (Optional) Configure advanced WAN options. If necessary, change the factory default MTU size, port speed and duplex settings, advertised MAC address of the VPN firewall, and WAN connection type and corresponding upload and download connection speeds. These are advanced features, and you usually do not need to change the settings. These tasks are described in Managing Advanced WAN Options on page 66 in Chapter 2. Configure the IPv6 Internet Connection and WAN Settings The following sections provide information about configuring the IPv6 Internet connection and WAN settings: •IPv6 Network •Manage the IPv6 Routing Mode •Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically •Manually Configure a Static IPv6 Internet Connection •Manually Configure a PPPoE IPv6 Internet Connection IPv6 Network The nature of your IPv6 network determines how you must configure the IPv6 Internet connections: •Native IPv6 network. Your network is a native IPv6 network if the VPN firewall has an IPv6 address and is connected to an IPv6 ISP and if your network consists of IPv6-only devices. However, because we are in a IPv4-to-IPv6 transition period, native IPv6 is not yet common. •Isolated IPv6 network. If your network is an isolated IPv6 network that is not connected to an IPv6 ISP, you must make sure that the IPv6 packets can travel over the IPv4 Internet backbone; you do this by enabling automatic 6to4 tunneling (see Manage 6to4 Automatic Tunneling on page 101). •Mixed network with IPv4 and IPv6 devices. If your network is an IPv4 network that consists of both IPv4 and IPv6 devices, you must make sure that the IPv6 packets can travel over the IPv4 intranet; you do this by enabling and configuring ISATAP tunneling (see Manage ISATAP Automatic Tunneling on page 103). Note:A network can be both an isolated IPv6 network and a mixed network with IPv4 and IPv6 devices.
Configure the IPv6 Internet and WAN Settings 88 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 After you configured the IPv6 routing mode, you must configure a WAN interface with a global unicast address to enable secure IPv6 Internet connections on your VPN firewall. A global unicast address is a public and routable IPv6 WAN address that can be statically or dynamically assigned. The web management interface offers two connection configuration options: •Automatic configuration of the network connection (see Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically on page 90) •Manual configuration of the network connection (see Manually Configure a Static IPv6 Internet Connection on page 94 or Manually Configure a PPPoE IPv6 Internet Connection on page 97) Manage the IPv6 Routing Mode By default, the VPN firewall does not support the IPv6 mode. You must enable the IPv6 routing mode. The following sections provide information about managing the IPv6 routing mode: •IPv6 Routing Mode •Enable the IPv6 Routing Mode IPv6 Routing Mode By default the VPN firewall supports IPv4 only. To use IPv6, you must enable the VPN firewall to support both devices with IPv4 addresses and devices with IPv6 addresses. The routing mode does not include an IPv6-only option; however, you can still configure a native IPv6 network if your ISP supports IPv6. The options are as follows: •IPv4-only mode. The VPN firewall communicates only with devices that have IPv4 addresses. •IPv4/IPv6 mode. The VPN firewall communicates with both devices that have IPv4 addresses and devices that have IPv6 addresses. Load balancing and IPv4/IPv6 mode are mutually exclusive. You can select IPv4/IPv6 mode only when one interface functions in primary WAN mode. Note:IPv6 always functions in classical routing mode between the WAN interface and the LAN interfaces; NAT does not apply to IPv6.
Configure the IPv6 Internet and WAN Settings 89 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 Enable the IPv6 Routing Mode The following procedure describes how to enable the IPv6 routing mode. To enable the IPv6 routing mode: 1. On your computer, launch an Internet browser. 2. In the address field of your browser, enter the IP address that was assigned to the VPN firewall during the installation process. The VPN firewall factory default IP address is 192.168.1.1. The NETGEAR Configuration Manager Login screen displays. 3. In the Username field, type your user name and in the Password / Passcode field, type your password. For the default administrative account, the default user name is admin and the default password is password. 4. If you changed the default domain or were assigned a domain, from the Domain menu, select the domain. If you did not change the domain or were not assigned a domain, leave the menu selection at geardomain. 5. Click the Login button. The Router Status screen displays. 6. Select Network Configuration > WAN Settings > WAN Mode. The WAN Mode screen displays. 7. In the Routing Mode section, select the IPv4 / IPv6 mode radio button. By default, the IPv4 only mode radio button is selected, and IPv6 is disabled.
Configure the IPv6 Internet and WAN Settings 90 ProSAFE Dual WAN Gigabit WAN SSL VPN Firewall FVS336Gv2 WARNING: Changing the IP routing mode causes the VPN firewall to reboot. 8. Click the Apply button. Your settings are saved. Use a DHCPv6 Server to Configure an IPv6 Internet Connection Automatically A DHCPv6 server can allow the VPN firewall to autoconfigure its IPv6 Internet settings. The following sections provide information about using a DHCPv6 sever to configure an IPv6 Internet connection automatically: •DHCPv6 Server: Stateless and Stateful Autoconfiguration •Let the VPN Firewall Automatically Configure a WAN Interface for IPv6 DHCPv6 Server : Stateless and Stateful Autoconfiguration The VPN firewall can autoconfigure its ISP settings through the DHCPv6 server by using either stateless or stateful address autoconfiguration: •Stateless address autoconfiguration. The VPN firewall generates its own IP address by using a combination of locally available information and router advertisements but receives DNS server information from the ISP DHCPv6 server. Router advertisements include a prefix that identifies the subnet that is associated with the WAN port. The IP address is formed by combining this prefix and the MAC address of the WAN port. The IP address is a dynamic address. Note:As an option for stateless address autoconfiguration, the ISP DHCPv6 server can assign a prefix through prefix delegation to the VPN firewall. Based on this ISP assignment, the VPN firewall’s own stateless DHCPv6 server can assign advertisement prefixes to its IPv6 LAN clients through the Router Advertisement Daemon (RADVD). For more information about this LAN configuration option, see Configure a Stateless DHCPv6 Server Without Prefix Delegation for the LAN on page 155. •Stateful address autoconfiguration. The VPN firewall obtains an interface address, configuration information such as DNS server information, and other parameters from the ISP DHCPv6 server. The IP address is a dynamic address. Let the VPN Firewall Automatically Configure a WAN Interface for IPv6 The following procedure describes how to let the VPN firewall automatically configure its IPv6 WAN addresses through a DHCPv6 server.