Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
202-10085-01, March 2005
Chapter 3
Network Planning
This chapter describes the factors to consider when planning a network using a firewall that has
dual WAN ports.
Overview of the Planning Process
The areas that require planning when using a firewall that has dual WAN ports include:
• Inbound traffic (e.g., port forwarding, port triggering)
• Virtual private networks (VPNs)
The two WAN ports can be configured on a mutually-exclusive basis to either:
• roll over for increased reliability, or
• balance the load for outgoing traffic.
These two categories of considerations interact to make the planning process more challenging.
Inbound Traffic
Unrequested incoming traffic can be directed to a PC on your LAN rather than being discarded.
The mechanism for making the IP address public depends on whether the dual WAN ports are
configured to either roll over or balance the loads. See “Inbound Traffic” on page 3-3 for further
discussion.
Virtual Private Networks (VPNs)
A virtual private network (VPN) tunnel provides a secure communication channel between either
two gateway VPN firewalls or between a remote PC client and a gateway VPN firewall. As a result,
the IP address of at least one of the tunnel end points must be known in advance in order for the
other tunnel end point to establish (or re-establish) the VPN tunnel. See “Virtual Private Networks
(VPNs)” on page 3-5 for further discussion.
The Rollover Case for Firewalls With Dual WAN Ports
Rollover (Figure 3-1) for the dual WAN port case is different from the single gateway WAN port
case when specifying the IP address. Only one WAN port is active at a time and when it rolls over,
the IP address of the active WAN port always changes. Hence, the use of a fully-qualified domain
name is always required, even when the IP address of each WAN port is fixed.
Figure 3-1: Dual WAN ports before and after rollover
Features such as multiple exposed hosts are not supported when using dual WAN port rollover
because the IP addresses of each WAN port must be in the identical range of fixed addresses.
The Load Balancing Case for Firewalls With Dual WAN Ports
Load balancing (Figure 3-2) for the dual WAN port case is similar to the single WAN port case
when specifying the IP address. Each IP address is either fixed or dynamic based on the ISP:
fully-qualified domain names must be used when the IP address is dynamic and are optional when
the IP address is static.
Figure 3-2: Dual WAN ports for load balancing
Note: Once the gateway firewall WAN port rolls over, the VPN tunnel collapses and
must be re-established using the new WAN IP address.
[Figure 3-1, Dual WAN ports before and after rollover: before rollover, the WAN1 port is active (WAN1 IP) and the WAN2 port is inactive (WAN2 IP N/A); after rollover, the WAN1 port is inactive (WAN1 IP N/A) and the WAN2 port is active (WAN2 IP). The IP address of the active WAN port changes after a rollover: use of fully-qualified domain names is always required, and features requiring fixed IP address blocks are not supported.]
[Figure 3-2, Dual WAN ports for load balancing: WAN1 IP (netgear1.dyndns.org) and WAN2 IP (netgear2.dyndns.org). Use of fully-qualified domain names for the IP addresses of the WAN ports: required for dynamic IP addresses, optional for fixed IP addresses.]
Inbound Traffic
Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a
response to one of your local computers or a service that you have configured in the Inbound Rules
menu. Instead of discarding this traffic, you can have it forwarded to one or more LAN hosts on
your network.
The addressing of the firewall’s dual WAN port depends on the configuration being implemented:
Inbound Traffic to Single WAN Port (Reference Case)
The Internet IP address of the firewall’s WAN port must be known to the public so that the public
can send incoming traffic to the exposed host when this feature is supported and enabled.
In the single WAN case (Figure 3-3), the WAN’s Internet address is either a fixed IP or a
fully-qualified domain name if the IP address is dynamic.
Figure 3-3: Inbound traffic to single WAN port case
Inbound Traffic to Dual WAN Port Systems
The IP address range of the firewall’s WAN port must be both fixed and public so that the public
can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.
Table 3-1. IP addressing requirements for exposed hosts in dual WAN port systems

Configuration and WAN IP address                              | Single WAN Port (reference case) | Dual WAN Port Cases: Rollover | Dual WAN Port Cases: Load Balancing
Inbound traffic (port forwarding, port triggering), fixed IP  | Allowed (FQDN optional)          | FQDN required                 | Allowed (FQDN optional)
Inbound traffic (port forwarding, port triggering), dynamic IP| FQDN required                    | FQDN required                 | FQDN required

[Figure 3-3, Inbound traffic to single WAN port case: router with a single WAN IP (netgear.dyndns.org). IP address of the WAN port: an FQDN is required for a dynamic IP address and is optional for a fixed IP address.]
Inbound Traffic: Dual WAN Ports for Improved Reliability
In the dual WAN port case with rollover (Figure 3-4), the WAN’s IP address will always change at
rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the
WAN ports (i.e., WAN1 or WAN2).
Figure 3-4: Inbound traffic to dual WAN ports, before and after rollover
Inbound Traffic: Dual WAN Ports for Load Balancing
In the dual WAN port case for load balancing (Figure 3-5), the Internet address of each WAN port
is either fixed if the IP address is fixed or a fully-qualified domain name if the IP address is
dynamic.
Figure 3-5: Inbound traffic to dual WAN ports for load balancing
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic.
Consider making one of the WAN port Internet addresses public and keeping the other
one private in order to maintain better control of WAN port traffic.
[Figure 3-4, Inbound traffic to dual WAN ports, before and after rollover: before rollover, netgear.dyndns.org points at the WAN1 IP and the WAN2 port is inactive (WAN2 IP N/A); after rollover, the WAN1 port is inactive (WAN1 IP N/A) and netgear.dyndns.org points at the WAN2 IP. The IP address of the active WAN port changes after a rollover (use of fully-qualified domain names always required).]
[Figure 3-5, Inbound traffic to dual WAN ports for load balancing: WAN1 IP (netgear1.dyndns.org) and WAN2 IP (netgear2.dyndns.org). IP addresses of the WAN ports: use of fully-qualified domain names is required for dynamic IP addresses and optional for fixed IP addresses.]
Virtual Private Networks (VPNs)
When implementing virtual private network (VPN) tunnels, a mechanism must be used for
determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN
port depends on the configuration being implemented:
For the single gateway WAN port case, the mechanism is to use a fully-qualified domain name
(FQDN) when the IP address is dynamic and to use either an FQDN or the IP address itself when
the IP address is fixed. The situation is different when dual gateway WAN ports are used in a
rollover-based system.
Rollover Case for Dual Gateway WAN Ports
Rollover (Figure 3-6) for the dual gateway WAN port case is different from the single gateway
WAN port case when specifying the IP address of the VPN tunnel end point. Only one WAN
port is active at a time and when it rolls over, the IP address of the active WAN port always
changes. Hence, the use of a fully-qualified domain name is always required, even when the IP
address of each WAN port is fixed.
Table 3-1. IP addressing requirements for VPNs in dual WAN port systems

Configuration and WAN IP address                                   | Single WAN Port (reference case) | Dual WAN Port Cases: Rollover * | Dual WAN Port Cases: Load Balancing
VPN Road Warrior (client-to-gateway), fixed IP                     | Allowed (FQDN optional)          | FQDN required                   | Allowed (FQDN optional)
VPN Road Warrior (client-to-gateway), dynamic IP                   | FQDN required                    | FQDN required                   | FQDN required
VPN Gateway-to-Gateway, fixed IP                                   | Allowed (FQDN optional)          | FQDN required                   | Allowed (FQDN optional)
VPN Gateway-to-Gateway, dynamic IP                                 | FQDN required                    | FQDN required                   | FQDN required
VPN Telecommuter (client-to-gateway through a NAT router), fixed IP   | Allowed (FQDN optional)       | FQDN required                   | Allowed (FQDN optional)
VPN Telecommuter (client-to-gateway through a NAT router), dynamic IP | FQDN required                 | FQDN required                   | FQDN required

* All tunnels must be re-established after a rollover using the new WAN IP address.

Note: Once the gateway router WAN port rolls over, the VPN tunnel collapses and must
be re-established using the new WAN IP address.
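The following is an added worked example, not part of the manual and not NETGEAR code. It models the planning rules of this chapter for both the inbound-traffic case and the VPN case: a firewall with two fixed-address WAN ports in rollover mode, a stand-in dynamic DNS table, and checks that show why an endpoint configured as an IP literal stops working after a rollover while an FQDN keeps working, plus a monitoring check that flags a tunnel built against the old WAN IP as needing re-establishment. The firewall class, the DDNS table, the TEST-NET addresses and the `fqdn_requirement` rule that summarizes both tables labeled Table 3-1 are all constructed for the example; `netgear.dyndns.org` is taken from the figures.

```python
"""Dual-WAN rollover versus load balancing: why an FQDN is required.
Added example; the firewall model, DDNS table and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict


@dataclass
class DualWanFirewall:
    """Two WAN ports, each with a fixed ISP-assigned address (constructed)."""
    wan1_ip: str
    wan2_ip: str
    mode: str                 # "rollover" or "load_balance"
    active: str = "WAN1"      # only meaningful in rollover mode
    # Stand-in for a dynamic DNS service: FQDN -> currently published IP
    ddns: Dict[str, str] = field(default_factory=dict)

    def active_ip(self) -> str:
        return self.wan1_ip if self.active == "WAN1" else self.wan2_ip

    def publish(self, fqdn: str) -> None:
        """Point the FQDN at the active WAN port (the DDNS update)."""
        self.ddns[fqdn] = self.active_ip()

    def rollover(self, fqdn: str) -> str:
        """The active port fails over to the other one, so the public IP
        changes; only the DDNS update keeps the name reachable."""
        if self.mode != "rollover":
            raise ValueError("rollover applies only in rollover mode")
        self.active = "WAN2" if self.active == "WAN1" else "WAN1"
        self.publish(fqdn)
        return self.active_ip()


def resolve(fw: DualWanFirewall, endpoint: str) -> str:
    """An IP literal is used as-is; an FQDN is looked up in the DDNS table."""
    return fw.ddns.get(endpoint, endpoint)


def endpoint_reachable(fw: DualWanFirewall, endpoint: str) -> bool:
    """Would inbound traffic (or a VPN peer) configured with this endpoint
    reach the firewall right now?  Under rollover only the active port
    answers; under load balancing both ports are up."""
    ip = resolve(fw, endpoint)
    if fw.mode == "rollover":
        return ip == fw.active_ip()
    return ip in (fw.wan1_ip, fw.wan2_ip)


def tunnel_status(fw: DualWanFirewall, fqdn: str, tunnel_peer_ip: str) -> str:
    """Monitoring check for the chapter's note: a tunnel built against the
    old WAN IP collapses at rollover and must be re-established against the
    IP the FQDN now resolves to."""
    current = resolve(fw, fqdn)
    if current == tunnel_peer_ip:
        return "ok"
    return f"rollover detected: re-establish tunnel using {current}"


def fqdn_requirement(mode: str, ip_type: str) -> str:
    """Both tables in one rule: an FQDN is mandatory for dynamic addresses
    and always mandatory under rollover, optional otherwise."""
    if ip_type not in ("fixed", "dynamic") or mode not in (
        "single", "rollover", "load_balance"
    ):
        raise ValueError(f"unknown configuration {mode}/{ip_type}")
    if mode == "rollover" or ip_type == "dynamic":
        return "FQDN required"
    return "FQDN optional"


if __name__ == "__main__":
    fw = DualWanFirewall("203.0.113.10", "198.51.100.20", "rollover")
    fw.publish("netgear.dyndns.org")
    print("before rollover:", endpoint_reachable(fw, "203.0.113.10"),
          endpoint_reachable(fw, "netgear.dyndns.org"))
    fw.rollover("netgear.dyndns.org")
    print("after rollover: ", endpoint_reachable(fw, "203.0.113.10"),
          endpoint_reachable(fw, "netgear.dyndns.org"))
    print(tunnel_status(fw, "netgear.dyndns.org", "203.0.113.10"))
    for mode in ("single", "rollover", "load_balance"):
        for ip_type in ("fixed", "dynamic"):
            print(f"{mode:13} {ip_type:8} {fqdn_requirement(mode, ip_type)}")
```

Run as a script, the output shows the literal-IP endpoint going from reachable to unreachable across the rollover while the FQDN stays reachable, and `tunnel_status` reporting the new WAN address the tunnel has to be rebuilt against. In a real deployment the DDNS table is the dynamic DNS provider and `resolve` is an actual DNS lookup; the check is the same.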