Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Network Planning

3-1

202-10085-01, March 2005

Chapter 3

Network Planning

This chapter describes the factors to consider when planning a network using a firewall that has

dual WAN ports.

Overview of the Planning Process

The areas that require planning when using a firewall that has dual WAN ports include:

•

Inbound traffic (e.g., port forwarding, port triggering)

•

Virtual private networks (VPNs)

The two WAN ports can be configured on a mutually-exclusive basis to either:

•

roll over for increased reliability, or

•

balance the load for outgoing traffic.

These two categories of considerations interact to make the planning process more challenging.

Inbound Traffic

Unrequested incoming traffic can be directed to a PC on your LAN rather than being discarded.

The mechanism for making the IP address public depends on whether the dual WAN ports are

configured to either roll over or balance the loads. See

“Inbound Traffic” on page 3-3

for further

discussion.

Virtual Private Networks (VPNs)

A virtual private network (VPN) tunnel provides a secure communication channel between either

two gateway VPN firewalls or between a remote PC client and gateway VPN firewall. As a result,

the IP address of at least one of the tunnel end points must be known in advance in order for the

other tunnel end point to establish (or re-establish) the VPN tunnel. See

“Virtual Private Networks

(VPNs)” on page 3-5

for further discussion.

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

3-2

Network Planning

202-10085-01, March 2005

The Rollover Case for Firewalls With Dual WAN Ports

Rollover (

Figure 3-1

) for the dual WAN port case is different from the single gateway WAN port

case when specifying the IP address. Only one WAN port is active at a time and when it rolls over,

the IP address of the active WAN port always changes. Hence, the use of a fully-qualified domain

name is always required, even when the IP address of each WAN port is fixed.

Figure 3-1:

Dual WAN ports before and after rollover

Features such as multiple exposed hosts are not supported when using dual WAN port rollover

because the IP addresses of each WAN port must be in the identical range of fixed addresses.

The Load Balancing Case for Firewalls With Dual WAN Ports

Load balancing (

Figure 3-2

) for the dual WAN port case is similar to the single WAN port case

when specifying the IP address. Each IP address is either fixed or dynamic based on the ISP:

fully-qualified domain names must be used when the IP address is dynamic and are optional when

the IP address is static.

Figure 3-2:

Dual WAN ports for load balancing

Note:

Once the gateway firewall WAN port rolls over, the VPN tunnel collapses and

must be re-established using the new WAN IP address.

Router

WAN1 port active

WAN1 IP

Dual WAN Ports (Before Rollover)

WAN2 IP (N/A)

WAN2 port inactive

Router

WAN1 port inactive

WAN1 IP (N/A)

Dual WAN Ports (After Rollover)

WAN2 IP

WAN2 port active

IP address of active WAN port changes after a rollover:

o use of fully-qualified domain names always required

o features requiring fixed IP address blocks not supported

X

X

X

X

Router

netgear1.dyndns.org

WAN1 IP

Dual WAN Ports (Load Balancing)

WAN2 IP

netgear2.dyndns.org

Use of fully-qualified domain names for IP addresses of WAN ports:

o required for dynamic IP addresses

o optional for fixed IP addresses

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Network Planning

3-3

202-10085-01, March 2005

Inbound Traffic

Incoming traffic from the Internet is normally discarded by the firewall unless the traffic is a

response to one of your local computers or a service that you have configured in the Inbound Rules

menu. Instead of discarding this traffic, you can have it forwarded to one or more LAN hosts on

your network.

The addressing of the firewall’s dual WAN port depends on the configuration being implemented:

Inbound Traffic to Single WAN Port (Reference Case)

The Internet IP address of the firewall’s WAN port must be known to the public so that the public

can send incoming traffic to the exposed host when this feature is supported and enabled.

In the single WAN case (

Figure 3-3

), the WAN’s Internet address is either fixed IP or a

fully-qualified domain name if the IP address is dynamic.

Figure 3-3:

Inbound traffic to single WAN port case

Inbound Traffic to Dual WAN Port Systems

The IP address range of the firewall’s WAN port must be both fixed and public so that the public

can send incoming traffic to the multiple exposed hosts when this feature is supported and enabled.

Table 3-1.

IP addressing requirements for exposed hosts in dual WAN port systems

Configuration and

WAN IP address

Single WAN Port

(reference case)

Dual WAN Port Cases

Rollover

Load Balancing

Inbound traffic

•

Port forwarding

•

Port triggering

Fixed

Allowed

(FQDN optional)

FQDN required

Allowed

(FQDN optional)

Dynamic

FQDN required

FQDN required

FQDN required

Router

netgear.dyndns.org

WAN IP

IP address of WAN port:

FQDN is required for dynamic IP address and is optional for fixed IP address

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

3-4

Network Planning

202-10085-01, March 2005

Inbound Traffic: Dual WAN Ports for Improved Reliability

In the dual WAN port case with rollover (

Figure 3-4

), the WAN’s IP address will always change at

rollover. A fully-qualified domain name must be used that toggles between the IP addresses of the

WAN ports (i.e., WAN1 or WAN2).

Figure 3-4:

Inbound traffic to dual WAN ports, before and after rollover

Inbound Traffic: Dual WAN Ports for Load Balancing

In the dual WAN port case for load balancing (

Figure 3-5

), the Internet address of each WAN port

is either fixed if the IP address is fixed or a fully-qualified domain name if the IP address is

dynamic.

Figure 3-5:

Inbound traffic to dual WAN ports for load balancing

Note:

Load balancing is implemented for outgoing traffic and not for incoming traffic.

Consider making one of the WAN port Internet addresses public and keeping the other

one private in order to maintain better control of WAN port traffic.

Router

netgear.dyndns.org

WAN1 IP

Dual WAN Ports (Before Rollover)

WAN2 IP (N/A)

WAN2 port inactive

Router

WAN1 port inactive

WAN1 IP (N/A)

Dual WAN Ports (After Rollover)

WAN2 IP

netgear.dyndns.org

IP address of active WAN port changes after a rollover (use of fully-qualified domain names always required)

X

X

X

X

Router

netgear1.dyndns.org

WAN1 IP

Dual WAN Ports (Load Balancing)

WAN2 IP

netgear2.dyndns.org

IP addresses of WAN ports:

use of fully-qualified domain names

required for dynamic IP addresses

and optional for fixed IP addresses

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Network Planning

3-5

202-10085-01, March 2005

Virtual Private Networks (VPNs)

When implementing virtual private network (VPN) tunnels, a mechanism must be used for

determining the IP addresses of the tunnel end points. The addressing of the firewall’s dual WAN

port depends on the configuration being implemented:

For the single gateway WAN port case, the mechanism is to use a fully-qualified domain name

(FQDN) when the IP address is dynamic and to use either an FQDN or the IP address itself when

the IP address is fixed. The situation is different when dual gateway WAN ports are used in a

rollover-based system.

•

Rollover Case for Dual Gateway WAN Ports

Rollover (

Figure 3-6

) for the dual gateway WAN port case is different from the single gateway

WAN port case when specifying the IP address of the VPN tunnel end point. Only one WAN

port is active at a time and when it rolls over, the IP address of the active WAN port always

changes. Hence, the use of a fully-qualified domain name is always required, even when the IP

address of each WAN port is fixed.

Table 3-1.

IP addressing requirements for VPNs in dual WAN port systems

Configuration and WAN IP address

Single WAN Port

(reference case)

Dual WAN Port Cases

Rollover

*

*

All tunnels must be re-established after a rollover using the new WAN IP address.

Load Balancing

VPN Road Warrior

(client-to-gateway)

Fixed

Allowed

(FQDN optional)

FQDN required

Allowed

(FQDN optional)

Dynamic

FQDN required

FQDN required

FQDN required

VPN Gateway-to-Gateway

Fixed

Allowed

(FQDN optional)

FQDN required

Allowed

(FQDN optional)

Dynamic

FQDN required

FQDN required

FQDN required

VPN Telecommuter

(client-to-gateway through

a NAT router)

Fixed

Allowed

(FQDN optional)

FQDN required

Allowed

(FQDN optional)

Dynamic

FQDN required

FQDN required

FQDN required

Note:

Once the gateway router WAN port rolls over, the VPN tunnel collapses and must

be re-established using the new WAN IP address.