User manual NETGEAR FVX538
Manual abstract: user guide NETGEAR FVX538
[. . . ] Test mode: The system is initializing or the initialization has failed. The system has booted successfully.
Introducing the FVX538 October 2004
Network Planning Guide for ProSafe VPN Firewall Router FVX538

Table 1-1. Object Descriptions (continued)
Columns: Object, Activity, Description

WAN Ports and LEDs
Two RJ-45 WAN ports. N-way automatic speed negotiation, Auto MDI/MDIX.
· Link/Act LED: On (Green), Blinking (Green), Off
· 100 LED: On (Green), Off
· Active LED: On (Green), On (Amber), Off
The WAN port has detected a link with a connected Ethernet device.
N-way automatic speed negotiation, auto MDI/MDIX.

LAN Ports and LEDs
8-port RJ-45 10/100 Mbps Fast Ethernet Switch.
· Link/Act LED: On (Green), Blinking (Green), Off
· 100 LED: On (Green), Off
· DMZ (port 8): On (Green), Off
The LAN port has detected a link with a connected Ethernet device.

[. . . ]

Consider making one of the WAN port Internet addresses public and keeping the other one private in order to maintain better control of WAN port traffic.
[Figure 2-5: Dual WAN port case for exposed host with load balancing. Diagram labels: Dual WAN Ports (Load Balancing); Router; WAN1 IP and WAN2 IP; netgear1.dyndns.org, netgear2.dyndns.org; exposed host. IP addresses of WAN ports: use of fully-qualified domain names required for dynamic IP addresses and optional for fixed IP addresses.]
Multiple Exposed Hosts
The IP address range of the router's WAN port must be both fixed and public so that the public can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.

Multiple Exposed Hosts: Single WAN Port (Reference Case)
In the single WAN case (Figure 2-6), the WAN port's IP address range must be fixed.
[Figure 2-6: Single WAN port case with multiple exposed hosts. Diagram labels: Single WAN Port; Router WAN IPs 22.23.24.25, 22.23.24.26, ...; exposed hosts. IP addresses of WAN port must be a fixed block.]
Multiple Exposed Hosts: Dual WAN Ports for Improved System Reliability
Using multiple exposed hosts with routers that have dual WAN ports for improved system reliability is a disallowed combination because to do so, the IP addresses of each WAN port would have to be the identical range of fixed addresses. Instead, use additional routers that have dual WAN ports with a single exposed host for improved system reliability.

Multiple Exposed Hosts: Dual WAN Ports for Load Balancing
In the dual WAN port case for load balancing (Figure 2-7), the IP address range of each WAN port must be fixed.
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. Consider publicizing one of the WAN port Internet addresses and keeping the other one unpublicized in order to maintain better control of WAN port traffic.
[Figure 2-7: Dual WAN port case for multiple exposed hosts with load balancing. Diagram labels: Dual WAN Ports; Router; WAN1 IP Addresses and WAN2 IP Addresses (22.23.24.25, 22.23.24.26, ...); exposed hosts. IP addresses of WAN ports must be fixed blocks.]
Virtual Private Networks (VPNs)
When implementing virtual private network (VPN) tunnels, a mechanism must be used for determining the IP addresses of the tunnel end points. The addressing of the router's dual WAN port depends on the configuration being implemented:
Table 2-1. IP addressing requirements for VPNs in dual WAN port systems

Configuration                                             | WAN IP address | Single WAN Port (reference case) | Dual WAN Ports: Failover (a) | Dual WAN Ports: Load Balancing
VPN Road Warrior (client-to-gateway)                      | Fixed          | Allowed (FQDN optional)          | FQDN required                | Allowed (FQDN optional)
VPN Road Warrior (client-to-gateway)                      | Dynamic        | FQDN required                    | FQDN required                | FQDN required
VPN Gateway-to-Gateway                                    | Fixed          | Allowed (FQDN optional)          | FQDN required                | Allowed (FQDN optional)
VPN Gateway-to-Gateway                                    | Dynamic        | FQDN required                    | FQDN required                | FQDN required
VPN Telecommuter (client-to-gateway through a NAT router) | Fixed          | Allowed (FQDN optional)          | FQDN required                | Allowed (FQDN optional)
VPN Telecommuter (client-to-gateway through a NAT router) | Dynamic        | FQDN required                    | FQDN required                | FQDN required

a. All tunnels must be re-established after a failover using the new WAN IP address.
For the single gateway WAN port case, the mechanism is to use a fully-qualified domain name (FQDN) when the IP address is dynamic and to use either an FQDN or the IP address itself when the IP address is fixed. The situation is different when dual gateway WAN ports are used in a failover-based system.

· Failover Case for Dual Gateway WAN Ports
Failover (Figure 2-8) for the dual gateway WAN port case is different from the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Only one WAN port is active at a time and when it fails over, the IP address of the active WAN port always changes. Hence, the use of a fully-qualified domain name is always required, even when the IP address of each WAN port is fixed.

Note: Once the gateway router WAN port fails over, the VPN tunnel collapses and must be re-established using the new WAN IP address.
[Figure 2-8: Dual gateway WAN ports before and after failover. Diagram labels: Dual WAN Ports (Before Failover): Gateway VPN Router, netgear.dyndns.org, WAN1 IP, WAN2 port inactive, WAN2 IP (N/A). Dual WAN Ports (After Failover): Gateway VPN Router, netgear.dyndns.org, WAN1 port inactive, WAN1 IP (N/A), WAN2 IP. IP address of active WAN port changes after a failover (use of fully-qualified domain names always required).]
· Load Balancing Case for Dual Gateway WAN Ports
Load balancing (Figure 2-9) for the dual gateway WAN port case is the same as the single gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP address is either fixed or dynamic based on the ISP: fully-qualified domain names must be used when the IP address is dynamic and are optional when the IP address is static.
[Figure 2-9: Dual gateway WAN ports for load balancing. Diagram labels: Dual WAN Ports (Load Balancing); Gateway VPN Router; WAN1 IP and WAN2 IP; netgear1.dyndns.org, netgear2.dyndns.org. IP addresses of WAN ports same as single WAN port case (use of fully-qualified domain names required for dynamic IP addresses and optional for fixed IP addresses).]
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no router to establish a VPN tunnel with a gateway VPN router:
· Single gateway WAN port
· Redundant dual gateway WAN ports for increased system reliability (before and after failover)
· Dual gateway WAN ports used for load balancing

VPN Road Warrior: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN router (Figure 2-10), the remote PC client initiates the VPN tunnel because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as the responder.
[Figure 2-10: Single gateway WAN port case for VPN road warrior. Diagram labels: Road Warrior Example (Single WAN Port); Gateway A: 10.5.6.0/24, LAN IP 10.5.6.1, VPN Router (at employer's main office), WAN IP, FQDN bzrouter.dyndns.org; Client B: WAN IP 0.0.0.0, Remote PC (running NETGEAR ProSafe VPN Client). Fully-Qualified Domain Names (FQDN): optional for Fixed IP addresses, required for Dynamic IP addresses.]
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified domain name is optional.

VPN Road Warrior: Dual Gateway WAN Ports for Improved System Reliability
In the case of the dual WAN ports on the gateway VPN router (Figure 2-11), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote PC client is not known in advance. The gateway WAN port must act as a responder.
[Figure 2-11: Dual gateway WAN ports, before failover, for VPN road warrior. Diagram labels: Road Warrior Example (Dual WAN Ports, Before Failover); Gateway A: 10.5.6.0/24, LAN IP 10.5.6.1, VPN Router (at employer's main office), bzrouter.dyndns.org, WAN1 IP, WAN2 port inactive, WAN2 IP (N/A); Client B: WAN IP 0.0.0.0, Remote PC (running NETGEAR ProSafe VPN Client). Fully-Qualified Domain Names (FQDN): required for Fixed IP addresses, required for Dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance). After a failover of the gateway WAN port (Figure 2-12), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC client must re-establish the VPN tunnel.

[. . . ]

If the IP address is dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified domain name is optional.

VPN Telecommuter: Dual Gateway WAN Ports for Improved System Reliability
In the case of the dual WAN ports on the gateway VPN router (Figure 2-19), the remote PC client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the IP address of the remote NAT router is not known in advance. The gateway WAN port must act as the responder.
[Figure 2-19: Dual gateway WAN ports, before failover, for VPN telecommuter. Diagram labels: Telecommuter Example (Dual WAN Ports, Before Failover); Gateway A: 10.5.6.0/24, LAN IP 10.5.6.1, VPN Router (at employer's main office), bzrouter1.dyndns.org, WAN1 IP, WAN2 port inactive, WAN2 IP (N/A); NAT Router B (at telecommuter's home office); Client B: WAN IP 0.0.0.0, Remote PC (running NETGEAR ProSafe VPN Client). Fully-Qualified Domain Names (FQDN): required for Fixed IP addresses, required for Dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified domain name must always be used because the active WAN port could be either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
After a failover of the gateway WAN port (Figure 2-20), the previously inactive gateway WAN port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the VPN tunnel. [. . . ]