Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
3-6
Network Planning
202-10085-01, March 2005
Figure 3-6:
Dual gateway WAN ports before and after rollover
•
Load Balancing Case for Dual Gateway WAN Ports
Load balancing (
Figure 3-7
) for the dual gateway WAN port case is the same as the single
gateway WAN port case when specifying the IP address of the VPN tunnel end point. Each IP
address is either fixed or dynamic based on the ISP: fully-qualified domain names must be
used when the IP address is dynamic and are optional when the IP address is static.
Figure 3-7:
Dual gateway WAN ports for load balancing
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no firewall to
establish a VPN tunnel with a gateway VPN firewall:
•
Single gateway WAN port
•
Redundant dual gateway WAN ports for increased reliability (before and after rollover)
•
Dual gateway WAN ports used for load balancing
VPN Road Warrior: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall (
Figure 3-8
), the remote PC client
initiates the VPN tunnel because the IP address of the remote PC client is not known in advance.
The gateway WAN port must act as the responder.
Gateway
netgear.dyndns.org
WAN1 IP
Dual WAN Ports (Before Rollover)
VPN Router
WAN2 IP (N/A)
WAN2 port inactive
Gateway
WAN1 port inactive
WAN1 IP (N/A)
Dual WAN Ports (After Rollover)
VPN Router
WAN2 IP
netgear.dyndns.org
IP address of active WAN port changes after a rollover (use of fully-qualified domain names always required)
X
X
X
X
Gateway
netgear1.dyndns.org
WAN1 IP
Dual WAN Ports (Load Balancing)
VPN Router
WAN2 IP
netgear2.dyndns.org
IP addresses of WAN ports same as single
WAN port case (use of fully-qualified domain
names required for dynamic IP addresses
and optional for fixed IP addresses)