User manual NETGEAR FVX538

[. . . ] Test mode: The system is initializing or the initialization has failed. The system has booted successfully. Introducing the FVX538 October 2004 1-1 Network Planning Guide for ProSafe VPN Firewall Router FVX538 Table 1-1. Object WAN Ports and LEDs Object Descriptions (continued) Activity Description Two RJ-45 WAN ports N-way automatic speed negotiation, Auto MDI/MDIX. Link/Act LED On (Green) Blinking (Green) Off 100 LED On (Green) Off Active LED On (Green) On (Amber) Off The WAN port has detected a link with a connected Ethernet device. N-way automatic speed negotiation, auto MDI/MDIX. LAN Ports and LEDs 8-port RJ-45 10/100 Mbps Fast Ethernet Switch Link/Act LED On (Green) Blinking (Green) Off 100 LED On (Green) Off DMZ (port 8) On (Green) Off The LAN port has detected a link with a connected Ethernet device. [. . . ] Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic. 2-4 October 2004 Network Planning Network Planning Guide for ProSafe VPN Firewall Router FVX538 Dual WAN Ports (Load Balancing) Router netgear1. dyndns. org netgear2. dyndns. org exposed host WAN1 IP IP addresses of WAN ports: use of fully-qualified domain names required for dynamic IP addresses and optional for fixed IP addresses WAN2 IP Figure 2-5: Dual WAN port case for exposed host with load balancing Multiple Exposed Hosts The IP address range of the router's WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled. Multiple Exposed Hosts: Single WAN Port (Reference Case) In the single WAN case (Figure 2-6), the WAN port's IP address range must be fixed. Single WAN Port Router WAN IPs 22. 23. 24. 25 22. 23. 24. 26 . . . exposed hosts IP addresses of WAN port must be a fixed block Figure 2-6: Single WAN port case with multiple exposed hosts Multiple Exposed Hosts: Dual WAN Ports for Improved System Reliability Using multiple exposed hosts with routers that have dual WAN ports for improved system reliability is a disallowed combination because to do so, the IP addresses of each WAN port would have to be the identical range of fixed addresses. Instead, use additional routers that have dual WAN ports with a single exposed host for improved system reliability. Multiple Exposed Hosts: Dual WAN Ports for Load Balancing In the dual WAN port case for load balancing (Figure 2-7), the IP address range of each WAN port must be fixed. Network Planning October 2004 2-5 Network Planning Guide for ProSafe VPN Firewall Router FVX538 Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider publicizing one of the WAN port Internet addresses and keeping the other one unpublicized in order to maintain better control of WAN port traffic. Dual WAN Ports Router 22. 23. 24. 25, 22. 23. 24. 26, . . WAN1 IP Addresses WAN2 IP Addresses exposed hosts IP addresses of WAN ports must be fixed blocks Figure 2-7: Dual WAN port case for multiple exposed hosts with load balancing Virtual Private Networks (VPNs) When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the router's dual WAN port depends on the configuration being implemented: Table 2-1. IP addressing requirements for VPNs in dual WAN port systems Dual WAN Port Cases Configuration and WAM IP address VPN Road Warrior (client-to-gateway) Fixed Dynamic VPN Gateway-to-Gateway Fixed Dynamic VPN Telecommuter Fixed (client-to-gateway through a NAT router) Dynamic Single WAN Port (reference case) Allowed (FQDN optional) FQDN required Allowed (FQDN optional) FQDN required Allowed (FQDN optional) FQDN required Failovera FQDN required FQDN required FQDN required FQDN required FQDN required FQDN required Load Balancing Allowed (FQDN optional) FQDN required Allowed (FQDN optional) FQDN required Allowed (FQDN optional) FQDN required a. All tunnels must be re-established after a failover using the new WAN IP adress. 2-6 October 2004 Network Planning Network Planning Guide for ProSafe VPN Firewall Router FVX538 For the single gateway WAN port case, the mechanism is to use a fully-qualified domain name (FQDN) when the IP address is dynamic and to use either an FQDN or the IP address itself when the IP address is fixed. The situation is different when dual gateway WAN ports are used in a failover-based system. · Failover Case for Dual Gateway WAN Ports Failover (Figure 2-8) for the dual gateway WAN port case is different from the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Only one WAN port is active at a time and when it fails over, the IP address of the active WAN port always changes. Hence, the use of a fully-qualified domain name is always required, even when the IP address of each WAN port is fixed. Note: Once the gateway router WAN port fails over, the VPN tunnel collapses and must be re-established using the new WAN IP address. Dual WAN Ports (Before Failover) Gateway VPN Router netgear. dyndns. org WAN2 port inactive Dual WAN Ports (After Failover) Gateway VPN Router WAN1 port inactive WAN1 IP WAN1 IP (N/A) X X X X WAN2 IP (N/A) WAN2 IP netgear. dyndns. org IP address of active WAN port changes after a failover (use of fully-qualified domain names always required) Figure 2-8: Dual gateway WAN ports before and after failover · Load Balancing Case for Dual Gateway WAN Ports Load balancing (Figure 2-9) for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static. Dual WAN Ports (Load Balancing) Gateway VPN Router netgear1. dyndns. org netgear2. dyndns. org WAN1 IP IP addresses of WAN ports same as single WAN port case (use of fully-qualified domain names required for dynamic IP addresses and optional for fixed IP addresses) WAN2 IP Figure 2-9: Dual gateway WAN ports for load balancing Network Planning October 2004 2-7 Network Planning Guide for ProSafe VPN Firewall Router FVX538 VPN Road Warrior (Client-to-Gateway) The following situations exemplify the requirements for a remote PC client with no router to establish a VPN tunnel with a gateway VPN router: · · · Single gateway WAN port Redundant dual gateway WAN ports for increased system reliability (before and after failover) Dual gateway WAN ports used for load balancing VPN Road Warrior: Single Gateway WAN Port (Reference Case) In the case of the single WAN port on the gateway VPN router (Figure 2-10), the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder. 10. 5. 6. 0/24 Road Warrior Example (Single WAN Port) Gateway A LAN IP 10. 5. 6. 1 VPN Router (at employer's main office) Client B WAN IP 0. 0. 0. 0 WAN IP FQDN bzrouter. dyndns. org Fully-Qualified Domain Names (FQDN) - optional for Fixed IP addresses - required for Dynamic IP addresses Remote PC (running NETGEAR ProSafe VPN Client) Figure 2-10: Single gateway WAN port case for VPN road warrior The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified domain name is optional. VPN Road Warrior: Dual Gateway WAN Ports for Improved System Reliability In the case of the dual WAN ports on the gateway VPN router (Figure 2-11), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as a responder. 2-8 October 2004 Network Planning Network Planning Guide for ProSafe VPN Firewall Router FVX538 10. 5. 6. 0/24 Road Warrior Example (Dual WAN Ports, Before Failover) Gateway A bzrouter. dyndns. org Client B WAN IP WAN1 IP LAN IP 10. 5. 6. 1 VPN Router (at employer's main office) X WAN2 port inactive X WAN2 IP (N/A) 0. 0. 0. 0 Fully-Qualified Domain Names (FQDN) - required for Fixed IP addresses - required for Dynamic IP addresses Remote PC (running NETGEAR ProSafe VPN Client) Figure 2-11: Dual gateway WAN ports, before failover, for VPN road warrior The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i. e. , the IP address of the active WAN port is not known in advance). After a failover of the gateway WAN port (Figure 2-12), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel. [. . . ] If the IP address is dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified domain name is optional. VPN Telecommuter: Dual Gateway WAN Ports for Improved System Reliability In the case of the dual WAN ports on the gateway VPN router (Figure 2-19), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder. 10. 5. 6. 0/24 Telecommuter Example (Dual WAN Ports, Before Failover) Gateway A bzrouter1. dyndns. org WAN2 port inactive VPN Router (at employer's main office) Client B WAN IP 0. 0. 0. 0 NAT Router (at telecommuter's home office) Remote PC (running NETGEAR ProSafe VPN Client) WAN1 IP NAT Router B LAN IP 10. 5. 6. 1 X X WAN2 IP (N/A) Fully-Qualified Domain Names (FQDN) - required for Fixed IP addresses - required for Dynamic IP addresses Figure 2-19: Dual gateway WAN ports, before failover, for VPN telecommuter The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i. e. , the IP address of the active WAN port is not known in advance). 2-14 October 2004 Network Planning Network Planning Guide for ProSafe VPN Firewall Router FVX538 After a failover of the gateway WAN port (Figure 2-20), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel. [. . . ]