FVX538 Reference Manual
Page 8
ProSafe VPN Firewall 200 FVX538 Reference Manual Chapter 3 LAN Configuration Choosing the Firewall DHCP Options 3-1 Configuring the LAN Setup Options 3-2 Configuring Multi Home LAN IPs 3-5 Managing Groups and Hosts (LAN Groups 3-6 Creating the Network Database 3-7 Setting Up Address Reservation 3-9 Configuring and Enabling the DMZ Port 3-10 Static Routes ...3-12 Configuring Static Routes 3-12 Routing Information Protocol (RIP 3-14...
FVX538 Reference Manual
Page 10
ProSafe VPN Firewall 200 FVX538 Reference Manual Extended Authentication (XAUTH) Configuration 5-23 Configuring XAUTH for VPN Clients 5-24 User Database Configuration 5-25 RADIUS Client Configuration 5-27 Assigning IP Addresses to Remote Users (ModeConfig 5-29 Mode Config Operation 5-29 Configuring the VPN Firewall 5-30 Configuring the ProSafe VPN Client for ModeConfig 5-33 Chapter 6 Router and Network Management Performance Management 6-1 Bandwidth Capacity 6-1 VPN Firewall Features That...
FVX538 Reference Manual
Page 13
ProSafe VPN Firewall 200 FVX538 Reference Manual Multicast/Broadcast Logs C-9 FTP Logging ...C-10 Invalid Packet Logging C-10 Routing Logs ...C-13 LAN to WAN Logs C-13 LAN to DMZ Logs C-14 DMZ to WAN Logs C-14 WAN to LAN Logs C-14 DMZ to LAN Logs C-14 WAN to DMZ Logs C-15 Appendix D Related Documents Appendix E Two Factor Authentication Why do I need Two-Factor Authentication E-1 What are the benefits of Two-Factor Authentication E-1 What is Two-Factor Authentication E-2 NETGEAR Two-Factor Authentication Solutions E-2 Index Contents xiii v1.0, March 2009
FVX538 Reference Manual
Page 19
.... Autosensing Ethernet Connections with NAT. Both the LAN and WAN interfaces are discarded, preventing users outside the LAN are autosensing and capable of ports. • DMZ port. ProSafe VPN Firewall 200 FVX538 Reference Manual • Logs security incidents. You can connect to you to control access to one of cable to a switch or hub. NAT opens...
FVX538 Reference Manual
Page 23
... is operating at 100 Mbps. Speed LED On (Green) On (Amber) Off The LAN port is operating as a dedicated hardware DMZ port. Port 8 is operating at 10 Mbps. The LAN port has detected a link with a connected Ethernet device. The LAN ...Factory Defaults reset push button (see Appendix A, "Default Defaults object Settings and Technical Specifications" for connecting to an optional console terminal. ProSafe VPN Firewall 200 FVX538 Reference Manual Table 1-1. Object Descriptions (continued) Object Activity Description 4. The LAN port has no link. LAN Ports and LEDs 8-...
FVX538 Reference Manual
Page 45
... IP address). The DHCP options are satisfactory. The firewall will deliver the following sections: • "Choosing the Firewall DHCP Options" on page 3-1 • "Managing Groups and Hosts (LAN Groups)" on page 3-6 • "Configuring and Enabling the DMZ Port" on page 3-10 • "Static Routes" on your...Specify the pool of IP addresses to be the DHCP server, or if you may wish to save part of the range for your ProSafe VPN Firewall 200, including the following parameters to any LAN device that requests DHCP: • An IP Address from a pool of addresses specified in Appendix...
FVX538 Reference Manual
Page 47
... manually configure all computers connected to the router's LAN. Enable DHCP Server is selected, enter the following parameters: a. LAN Configuration 3-3 v1.0, March 2009 If Enabled is the default. ProSafe VPN Firewall 200 FVX538 Reference Manual 1. If another device on the IP address that the LAN Port IP address and DMZ port IP address are implementing subnetting, use...
FVX538 Reference Manual
Page 50
... Configuration v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual • Action: The Edit link allows you to make up the Network Database. Click Add. By default, the DHCP server in the Available Secondary LAN IPs table. • Delete: Deletes selected entries from the LAN, WAN, DMZ, and any other network.... • Scanning the Network. The hosts on the Groups and Hosts screen contains a list of all the entries in this router. These requests also generate an entry in two ways: • DHCP Client Requests. Warning: Make sure the secondary IP addresses are...
FVX538 Reference Manual
Page 54
... outside the LAN Address pool, such as a hardware DMZ port for safely providing services to the LAN, has fewer firewall restrictions, by default. ProSafe VPN Firewall 200 FVX538 Reference Manual To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see "Router Front and Rear Panels" on page 1-6) and...
FVX538 Reference Manual
Page 55
..., Enable the DHCP Server (Dynamic Host Configuration Protocol), which will not use the FVX538 as a DHCP server but rather as a DNS for address resolution. 5. c. d. If enabled, the VPN firewall will as a DHCP relay agent for all computers connected to the router's DMZ network. b. ProSafe VPN Firewall 200 FVX538 Reference Manual Figure 3-4 4. This box specifies the first of the contiguous addresses...
FVX538 Reference Manual
Page 56
... 3-12 v1.0, March 2009 LAN Configuration Click Add. The Add Static Route menu, shown below, will display. 2. ProSafe VPN Firewall 200 FVX538 Reference Manual 6. The DMZ LED next to your firewall. Configuring Static Routes To add or edit a static route: 1. Static Routes Static Routes provide additional routing information to LAN... you do not need to save your network. Click Apply to configure additional static routes. To define the DMZ WAN Rules and LAN DMZ Rules, see "Router Front and Rear Panels" on your settings. Enter a route name for this static route in the Route ...
FVX538 Reference Manual
Page 62
... resources. Outbound traffic is normally allowed unless the firewall is in response to the other. The firewall can be applied to block or allow this otherwise blocked traffic. 4-2 Firewall Protection and Content Filtering v1.0, March 2009 ProSafe VPN Firewall 200 FVX538 Reference Manual intrusions. NAT performs a very limited ...one side to an outgoing request, but true Stateful Packet Inspection goes far beyond NAT. Supported Firewall Rule Configurations Traffic Rule LAN WAN DMZ WAN LAN DMZ Outbound Rules 50 50 50 Inbound Rules 50 50 50 Services-Based Rules The rules to block...
FVX538 Reference Manual
Page 64
... Groups and Hosts (LAN Groups)" on the DMZ network are affected by this rule. Enter the required address in the start and finish fields. • Groups - If this rule will apply. ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-2. These settings determine which... this option is selected, you must enter the start and finish fields of the DMZ computers. 4-4 Firewall Protection and Content Filtering v1.0, March 2009 Select the ...
FVX538 Reference Manual
Page 66
ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-2. Bandwidth Limiting for outbound traffic will be done on the user-specified interface in the single port and Auto-Failover modes. Select the desired action: • Always - Inbound Rules (Port Forwarding) Because the FVX538 uses Network Address Translation... an inbound rule you can always find your host. The rule tells the firewall to direct inbound traffic for inbound traffic will not apply to the DMZ interface. Outbound Rules (continued) Item Bandwidth Profile Log Description Bandwidth Limiting determines the...
FVX538 Reference Manual
Page 67
....0, March 2009 If the desired service or application does not appear in the start and end fields. LAN Server or DMZ This LAN address or DMZ Server address determines which Internet locations are covered by this rule. • Single address - Table 4-3. Action (Select ... always • ALLOW by schedule, otherwise Block Note: Any inbound traffic which is selected, you create will be blocked by the firewall. ProSafe VPN Firewall 200 FVX538 Reference Manual • Local PCs must define it can also translate this address to a port number.) Translate to Port Number Check ...
FVX538 Reference Manual
Page 68
ProSafe VPN Firewall 200 FVX538 Reference Manual Table 4-3. Bandwidth Limiting for all the bandwidth of your network. This determines whether ...of our internet link. Inbound Rules (continued) Item Bandwidth Profile Log Description Bandwidth Limiting determines the way in your VPN firewall. The limiting will be done on the LAN interface for outbound traffic will not apply to run any active services ...-specified interface in the single port and Auto-Failover modes. If you to the DMZ interface. Note: Some residential broadband ISP accounts do not allow you are logged.
FVX538 Reference Manual
Page 72
... your changes and reset the fields on page 4-7). 3. The Add LAN WAN Inbound Service screen will be listed on the DMZ WAN Rules screen. The Default Outbound Policy is blocked. ProSafe VPN Firewall 200 FVX538 Reference Manual LAN WAN Inbound Services Rules This Inbound Services Rules table lists all existing rules for your network. Complete the...
FVX538 Reference Manual
Page 73
The default outbound policy can be changed to block all outbound traffic and enable only specific services to the DMZ (Inbound). Figure 4-5 Firewall Protection and Content Filtering v1.0, March 2009 4-13 ProSafe VPN Firewall 200 FVX538 Reference Manual out from the DMZ to the Internet (Outbound) or coming in from the Internet to pass through the router by adding an Outbound services Rule.
FVX538 Reference Manual
Page 74
... Outbound and Inbound Policies is automatically enabled. ProSafe VPN Firewall 200 FVX538 Reference Manual To change the Default Outbound Policy: 1. The DMZ WAN Rules screen will display. 3. Select Security from the main menu, Firewall Rules from the DMZ to block specific types of traffic between the local LAN and DMZ network. The LAN DMZ Rules screen will appear in "Setting...
FVX538 Reference Manual
Page 75
... column adjacent to the rule definition. The Outbound Service screen will appear in the table rank. 2. The "!" Figure 4-7 Firewall Protection and Content Filtering v1.0, March 2009 4-15 to make changes to move the rule down one position in the table rank... display containing the data for each rule. to an existing outbound or inbound LAN DMZ service rule: 1. LAN DMZ Outbound Services Rules To create a new outbound LAN DMZ service rule: 1. Status icon will display. ProSafe VPN Firewall 200 FVX538 Reference Manual To make any changes to the rule click: • Edit -