Model FVL328 ProSafe High-Speed VPN Firewall Reference Manual Revision 2
WAN and LAN Configuration
May 2004, 202-10030-02
3. Type the MAC Address of the PC or server.
Note: If the PC is already present on your network, you can copy its MAC address from the
Attached Devices menu and paste it here.
4. Click Apply to enter the reserved address into the table.
Note: The reserved address will not be assigned until the next time the PC contacts the router's
DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and
renew.
To edit or delete a reserved address entry:
1. Click the button next to the reserved address you want to edit or delete.
2. Click Edit or Delete.
Configuring WAN Settings
Using this page, you can set up a Default DMZ Server and allow the router to respond to a ping
from the Internet. Both of these options have security issues, so use them carefully.
The WAN Setup menu allows configuration of WAN services such as automatic connection, DMZ
server, enabling diagnostic PING tests on the WAN interface, setting the MTU size, and the WAN
port speed. These features can be found under the Advanced WAN Setup heading in the Main
Menu of the browser interface.
Note: Configure the Networking Database (see “Network Database” on page 7-5) before
configuring the DMZ Servers (see “Setting Up a Default DMZ Server” on page 4-7 and
“Multi-DMZ Servers” on page 4-7).
These features are discussed below.
Figure 4-2: WAN Setup
Connect Automatically, as Required
Normally, this option should be Enabled, so that an Internet connection will be made
automatically, whenever Internet-bound traffic is detected. If this causes high connection costs,
you can disable this setting.
If disabled, you must connect manually, using the sub-screen accessed from the Connection Status
button on the Status screen.
Setting Up a Default DMZ Server
Specifying a Default DMZ Server allows you to set up a computer or server that is available to
anyone on the Internet for services that you haven't defined. There are security issues with doing
this, so only do this if you're willing to risk open access. If you do not assign a Default DMZ
Server, the router discards any incoming service requests that are undefined.
The default DMZ server feature is helpful when using some online games and videoconferencing
applications that are incompatible with NAT. The firewall is programmed to recognize some of
these applications and to work properly with them, but there are other applications that may not
function well. In some cases, one local PC can run the application properly if that PC’s IP address
is entered as the default DMZ server.
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a
response to one of your local computers or a service that you have configured in the Ports menu.
Instead of discarding this traffic, you can have it forwarded to one computer on your network. This
computer is called the Default DMZ Server.
How to Assign a Default DMZ Server
1. Click the Default DMZ Server check box.
2. Type the IP address for that server.
3. Click Apply.
Multi-DMZ Servers
This feature can only be used if your ISP has allocated you multiple fixed Internet IP addresses.
In this situation, you can define a separate DMZ server for each Internet IP address. To use the
Multi-DMZ feature, follow this procedure for each Internet IP address:
1. Enable one of the Multi-DMZ checkboxes.
2. To the right of the checkbox, enter the Internet IP address assigned to you by your ISP.
Note: For security, you should avoid using the default DMZ server feature. When a
computer is designated as the default DMZ server, it loses much of the protection of the
firewall, and is exposed to many exploits from the Internet. If compromised, the
computer can be used to attack your network.
3. Select the PC to be used as the DMZ Server for this IP address.
Click Apply.
Note: All incoming traffic to that IP address will be sent to the selected PC.
Out-going traffic from the selected PC will use the IP address you entered, not the default
WAN IP address.
If you only have one (1) Internet IP address, you cannot use the Multi-DMZ feature, only the
Default DMZ Server setting above.
Responding to Ping on Internet WAN Port
If you want the FVL328 to respond to a ping from the Internet, click this check box. This should
only be used as a diagnostic tool, since it allows your firewall to be discovered. Again, like the
DMZ server, this can be a security problem. You shouldn't check this box unless you have a
specific reason to do so.
MTU Size
The normal MTU (Maximum Transmission Unit) value for most Ethernet networks is 1500 bytes, or
1492 bytes for PPPoE connections. For some ISPs you may need to reduce the MTU, but this is
rarely required and should not be done unless you are sure it is necessary for your ISP connection.
Any packets sent through the firewall that are larger than the configured MTU size will be
repackaged into smaller packets to meet the MTU requirement.
To change the MTU size:
1. Under MTU Size, select Custom.
2. Enter a new size between 64 and 1500.
3. Click Apply to save the new configuration.
Port Speed
In most cases, your router can automatically determine the connection speed of the Internet
(WAN) port. If you cannot establish an Internet connection and the Internet LED blinks
continuously, you may need to manually select the port speed.
If you know that the Ethernet port on your broadband modem supports 100BaseT, select 100M;
otherwise, select 10M. Use the half-duplex settings unless you are sure you need full duplex.
Port Triggering
Port Triggering is used to allow applications which would otherwise be blocked by the firewall.
Using this feature requires that you know the port numbers used by the Application.
Once configured, operation is as follows:
1. A PC makes an outgoing connection using a port number defined in the Port Triggering table.
2. This Router records this connection, opens the INCOMING port or ports associated with this
entry in the Port Triggering table, and associates them with the PC.
3. The remote system receives the PC’s request, and responds using a different port number.
4. This Router matches the response to the previous request, and forwards the response to the PC.
(Without Port Triggering, this response would be treated as a new connection request rather
than a response. As such, it would be handled in accordance with the Port Forwarding rules.)
Note: Only 1 PC can use a Port Triggering application at any time.
After a PC has finished using a Port Triggering application, there is a Time-out period before
the application can be used by another PC. This is required because this Router cannot be sure
when the application has terminated.
Figure 4-3: Port Triggering
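The inbound handling described under Setting Up a Default DMZ Server and under Port Triggering can be modelled in a few lines to see what each setting exposes. This is an added example, not NETGEAR firmware code. The class names, the 180-second time-out, the session matching by remote address and port, and all addresses and ports are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Trigger:
    out_port: int                # outgoing port that arms the entry
    in_ports: range              # incoming ports opened while armed
    pc: Optional[str] = None     # the single PC currently bound to the entry
    expires: float = 0.0         # binding lasts until this time

@dataclass
class Firewall:
    forwards: dict = field(default_factory=dict)  # inbound port -> host (Ports menu)
    triggers: list = field(default_factory=list)
    default_dmz: Optional[str] = None
    timeout: float = 180.0       # assumed idle time-out; the manual gives no figure
    sessions: dict = field(default_factory=dict)  # (remote, port) -> LAN PC

    def outbound(self, pc, remote, port, now):
        self.sessions[(remote, port)] = pc
        for t in self.triggers:
            if t.out_port == port:
                if t.pc in (None, pc) or now >= t.expires:
                    t.pc, t.expires = pc, now + self.timeout
                    return "armed"
                return "busy"    # only one PC may use the entry at a time
        return "plain"

    def inbound(self, remote, src_port, dst_port, now):
        if (remote, src_port) in self.sessions:           # reply to a local PC
            return "reply -> " + self.sessions[(remote, src_port)]
        for t in self.triggers:                           # armed trigger entry
            if t.pc and now < t.expires and dst_port in t.in_ports:
                return "trigger -> " + t.pc
        if dst_port in self.forwards:                     # configured service
            return "forward -> " + self.forwards[dst_port]
        if self.default_dmz:                              # everything undefined
            return "dmz -> " + self.default_dmz
        return "discard"

def demo(default_dmz=None):
    # Constructed addresses and ports, for illustration only.
    fw = Firewall({80: "192.168.0.10"}, [Trigger(6667, range(113, 114))], default_dmz)
    a, b, srv = "192.168.0.2", "192.168.0.3", "203.0.113.5"
    return [fw.inbound(srv, 40000, 113, 0),      # before any trigger
            fw.outbound(a, srv, 6667, 1),
            fw.inbound(srv, 40000, 113, 2),      # trigger armed for PC a
            fw.outbound(b, srv, 6667, 3),        # second PC during time-out
            fw.inbound(srv, 40000, 445, 4),      # undefined service
            fw.outbound(b, srv, 6667, 200)]      # after the time-out expires
```

Calling demo() with no DMZ host discards the unsolicited and undefined requests, while demo("192.168.0.9") delivers both to the DMZ host, which is the exposure the manual's note describes.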