1. Home
    2. /
  2. Manuals
    3. /
  3. NETGEAR
    4. /
  4. FVS124G
    5. /
  5. 28
Page 136 / 238 Scroll up to view Page 131 - 135
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
8-2
Router and Network Management
202-10085-01, March 2005
VPN Firewall Features That Reduce Traffic
Features of the VPN firewall that can be called upon to decrease WAN-side loading are as follows:
Service blocking
Block sites
Source MAC filtering
Service Blocking
Note:
This feature is for Advanced Administrators only! Incorrect configuration will cause serious
problems.
You can control specific outbound traffic (i.e., from LAN to WAN). Outbound Services lists all
existing rules for outbound traffic. If you have not defined any rules, only the default rule will be
listed. The default rule allows all outgoing traffic.
Each rule lets you specify the desired action for the connections covered by the rule:
BLOCK always
BLOCK by schedule, otherwise Allow
ALLOW always
ALLOW by schedule, otherwise Block
As you define your firewall rules, you can further refine their application according to the
following criteria:
LAN users—These settings determine which computers on your network are affected by this
rule. Select the desired options:
Any: All PCs and devices on your LAN.
Single address: The rule will be applied to the address of a particular PC.
Address range: The rule is applied to a range of addresses.
Groups: The rule is applied to a Group (you use the Network Database to assign PCs to
Groups—see
“Groups and Hosts” on page 8-3
).
WAN Users—These settings determine which Internet locations are covered by the rule, based
on their IP address.
Any: The rule applies to all Internet IP address.
Single address: The rule applies to a single Internet IP address.
Page 137 / 238
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
Router and Network Management
8-3
202-10085-01, March 2005
Address range: The rule is applied to a range of Internet IP addresses.
Services—You can specify the desired Services or applications to be covered by this rule. If
the desired service or application does not appear in the list, you must define it using the
Services menu (see
“Services” on page 8-3
).
Schedule—You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or
Schedule 3 time schedule (see
“Schedule” on page 8-3
).
See
“Using Rules to Block or Allow Specific Kinds of Traffic” on page 6-1
for the procedure on
how to use this feature.
Services
The Rules menu contains a list of predefined Services for creating firewall rules. If a service does
not appear in the predefined Services list, you can define the service. The new service will then
appear in the Rules menu's Services list.
See
“Services-Based Rules” on page 6-4
for the procedure on how to use this feature.
Groups and Hosts
You can apply these rules selectively to groups of PCs to reduce the outbound or inbound traffic.
The Network Database is an automatically-maintained list of all known PCs and network devices.
PCs and devices become known by the following methods:
DHCP Client Request—By default, the DHCP server in this Router is enabled, and will accept
and respond to DHCP client requests from PCs and other network devices. These requests also
generate an entry in the Network Database. Because of this, leaving the DHCP Server feature
(on the LAN screen) enabled is strongly recommended.
Scanning the Network—The local network is scanned using standard methods such as arp.
This will detect active devices which are not DHCP clients. However, sometimes the name of
the PC or device cannot be accurately determined, and will be shown as Unknown.
See
“Managing Groups and Hosts” on page 6-20
for the procedure on how to use this feature.
Schedule
If you have set firewall rules on the Rules screen, you can configure three different schedules (i.e.,
schedule 1, schedule 2, and schedule 3) for when a rule is to be applied. Once a schedule is
configured, it affects all Rules that use this schedule. You specify the days of the week and time of
day for each schedule.
Page 138 / 238
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
8-4
Router and Network Management
202-10085-01, March 2005
See
“Using a Schedule to Block or Allow Specific Traffic” on page 6-22
for the procedure on how
to use this feature.
Block Sites
If you want to reduce traffic by preventing access to certain sites on the Internet, you can use the
VPN firewall's filtering feature. By default, this feature is disabled; all requested traffic from any
Web site is allowed.
Keyword (and domain name) blocking—You can specify up to 32 words that, should they
appear in the website name (i.e., URL) or in a newsgroup name, will cause that site or
newsgroup to be blocked by the VPN firewall.
You can apply the keywords to one or more groups. Requests from the PCs in the groups for
which keyword blocking has been enabled will be blocked. Blocking does not occur for the
PCs that are in the groups for which keyword blocking has not been enabled.
You can bypass keyword blocking for trusted domains by adding the exact matching domain
to the list of Trusted Domains. Access to the domains on this list by PCs even in the groups for
which keyword blocking has been enabled will still be allowed without any blocking.
Web component blocking—You can block the following Web component types: Proxy, Java,
ActiveX, and Cookies. Sites on the Trusted Domains list are still subject to Web component
blocking when the blocking of a particular Web component has been enabled.
See
“Block Sites” on page 6-24
for the procedure on how to use this feature.
Source MAC Filtering
If you want to reduce outgoing traffic by preventing Internet access by certain PCs on the LAN,
you can use the source MAC filtering feature to drop the traffic received from the PCs with the
specified MAC addresses. By default, this feature is disabled; all traffic received from PCs with
any MAC address is allowed.
See
“Source MAC Filtering” on page 6-27
for the procedure on how to use this feature.
VPN Firewall Features That Increase Traffic
Features that tend to increase WAN-side loading are as follows:
Port forwarding
Port triggering
Exposed hosts
Page 139 / 238
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
Router and Network Management
8-5
202-10085-01, March 2005
VPN tunnels
Port Forwarding
The firewall always blocks DoS (Denial of Service) attacks. A DoS attack does not attempt to steal
data or damage your PCs, but overloads your Internet connection so you can not use it (i.e., the
service is unavailable). You can also create additional firewall rules that are customized to block or
allow specific traffic.
Note:
This feature is for Advanced Administrators only! Incorrect configuration will cause serious
problems.
You can control specific inbound traffic (i.e., from WAN to LAN). Inbound Services lists all
existing rules for inbound traffic. If you have not defined any rules, only the default rule will be
listed. The default rule blocks all inbound traffic.
Each rule lets you specify the desired action for the connections covered by the rule:
BLOCK always
BLOCK by schedule, otherwise Allow
ALLOW always
ALLOW by schedule, otherwise Block
You can also enable a check on special rules:
VPN Passthrough—Enable this to pass the VPN traffic without any filtering, specially used
when this firewall is between two VPN tunnel end points.
Drop fragmented IP packets—Enable this to drop the fragmented IP packets.
UDP Flooding—Enable this to limit the number of UDP sessions created from one LAN
machine.
TCP Flooding—Enable this to protect the router from Syn flood attack.
Enable DNS Proxy—Enable this to allow the incoming DNS queries.
Enable Stealth Mode—Enable this to set the firewall to operate in stealth mode.
As you define your firewall rules, you can further refine their application according to the
following criteria:
LAN users—These settings determine which computers on your network are affected by this
rule. Select the desired IP Address in this field.
Page 140 / 238
Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
8-6
Router and Network Management
202-10085-01, March 2005
WAN Users—These settings determine which Internet locations are covered by the rule, based
on their IP address.
Any: The rule applies to all Internet IP address.
Single address: The rule applies to a single Internet IP address.
Address range: The rule is applied to a range of Internet IP addresses.
Destination Address—These settings determine the destination IP address for this rule which
will be applicable to incoming traffic, this rule will be applied only when the destination IP
address of the incoming packet matches the IP address of the WAN interface selected or
Specific IP address entered in this field.Selecting ANY enables the rule for any IP in
destination field.similarly WAN1 and WAN2 corresponds to respective wan interfaces.
Services—You can specify the desired Services or applications to be covered by this rule. If
the desired service or application does not appear in the list, you must define it using the
Services menu (see
“Services” on page 8-3
).
Schedule—You can specify whether the rule is to be applied on the Schedule 1, Schedule 2, or
Schedule 3 time schedule (see
“Schedule” on page 8-3
).
See
“Using Rules to Block or Allow Specific Kinds of Traffic” on page 6-1
for the procedure on
how to use this feature.
Port Triggering
Port triggering allows some applications to function correctly that would otherwise be partially
blocked by the firewall. Using this feature requires that you know the port numbers used by the
Application.
Once configured, operation is as follows:
A PC makes an outgoing connection using a port number defined in the Port Triggering table.
This Router records this connection, opens the additional INCOMING port or ports associated
with this entry in the Port Triggering table, and associates them with the PC.
The remote system receives the PCs request and responds using the different port numbers that
you have now opened.
This Router matches the response to the previous request and forwards the response to the PC.
Without Port Triggering, this response would be treated as a new connection request rather
than a response. As such, it would be handled in accordance with the Port Forwarding rules.
Only one PC can use a Port Triggering application at any time.

Rate

4 / 5 based on 1 vote.

Popular NETGEAR Models

Famous Router IPs
Famous Router Companies
Bookmark Our Site

Press Ctrl + D to add this site to your favorites!

Share
Top