Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports
Network Planning
3-11
202-10085-01, March 2005
Figure 3-14: Dual gateway WAN ports, after rollover, for gateway-to-gateway VPN tunnels
The purpose of the fully-qualified domain names in this case is to toggle the domain name of the
failed-over gateway firewall between the IP addresses of the active WAN port (i.e., WAN_A1 and
WAN_A2 in this example) so that the other end of the tunnel has a known gateway IP address to
establish or re-establish a VPN tunnel.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-15), either of the
gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the
appropriate gateway WAN port at the other end as necessary to manage the loads of the gateway
WAN ports because the IP addresses of the WAN ports are known in advance.
Figure 3-15: Dual gateway WAN ports (load balancing case) for gateway-to-gateway VPN tunnels
[Diagram for Figure 3-14, "Gateway-to-Gateway Example (Dual WAN Ports, After Rollover)": Gateway A (VPN router at office A) and Gateway B (VPN router at office B); LAN subnets 10.5.6.0/24 (LAN IP 10.5.6.1) and 172.23.9.0/24 (LAN IP 172.23.9.1); WAN_A1 and WAN_B2 ports inactive (IP N/A), WAN_A2 and WAN_B1 ports active; FQDN labels netgear.dyndns.org and netgearB.dyndns.org. FQDNs are required for fixed IP addresses and required for dynamic IP addresses. One of the gateway routers must re-establish the VPN tunnel after a rollover.]
[Diagram for Figure 3-15, "Gateway-to-Gateway Example (Dual WAN Ports, Load Balancing)": Gateway A (VPN router at office A) and Gateway B (VPN router at office B); LAN subnets 10.5.6.0/24 (LAN IP 10.5.6.1) and 172.23.9.0/24 (LAN IP 172.23.9.1); WAN ports WAN_A1, WAN_A2, WAN_B1 and WAN_B2 all carry an IP address; address labels 22.23.24.25 and 22.23.24.26; FQDN labels netgear1.dyndns.org and netgear2.dyndns.org. FQDNs are optional for fixed IP addresses and required for dynamic IP addresses.]
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is
dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified
domain name is optional.
VPN Telecommuter (Client-to-Gateway Through a NAT Router)
The following situations exemplify the requirements for a remote PC client connected to the
Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway
VPN firewall at the company office:
- Single gateway WAN port
- Redundant dual gateway WAN ports for increased reliability (before and after rollover)
- Dual gateway WAN ports used for load balancing
VPN Telecommuter: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall (Figure 3-16), the remote PC
client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router
is not known in advance. The gateway WAN port must act as the responder.
Figure 3-16: Single gateway WAN port case for VPN telecommuter
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is
dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified
domain name is optional.
Note: The telecommuter case presumes the home office has a dynamic IP address and NAT router.
[Diagram for Figure 3-16, "Telecommuter Example (Single WAN Port)": Gateway A, the VPN router at the employer's main office (LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN IP, FQDN bzrouter.dyndns.org); NAT Router B at the telecommuter's home office (WAN IP); Client B, the remote PC running NETGEAR ProSafe VPN Client (labelled 0.0.0.0). FQDNs are optional for fixed IP addresses and required for dynamic IP addresses.]
VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-17), the remote PC
client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example)
because the IP address of the remote NAT router is not known in advance. The gateway WAN port
must act as the responder.
Figure 3-17: Dual gateway WAN ports, before rollover, for VPN telecommuter
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified
domain name must always be used because the active WAN port could be either WAN1 or WAN2
(i.e., the IP address of the active WAN port is not known in advance).
After a rollover of the gateway WAN port (Figure 3-18), the previously inactive gateway WAN
port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the
VPN tunnel. The gateway WAN port must act as the responder.
Figure 3-18: Dual gateway WAN ports, after rollover, for VPN telecommuter
[Diagram for Figure 3-17, "Telecommuter Example (Dual WAN Ports, Before Rollover)": Gateway A, the VPN router at the employer's main office (LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN1 IP active, WAN2 port inactive with IP N/A, FQDN label bzrouter1.dyndns.org); NAT Router B at the telecommuter's home office (WAN IP); Client B, the remote PC running NETGEAR ProSafe VPN Client (labelled 0.0.0.0). FQDNs are required for fixed IP addresses and required for dynamic IP addresses.]
[Diagram for Figure 3-18, "Telecommuter Example (Dual WAN Ports, After Rollover)": Gateway A, the VPN router at the employer's main office (LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN1 port inactive with IP N/A, WAN2 IP active, FQDN label bzrouter2.dyndns.org); NAT Router B at the telecommuter's home office (WAN IP); Client B, the remote PC running NETGEAR ProSafe VPN Client (labelled 0.0.0.0). FQDNs are required for fixed IP addresses and required for dynamic IP addresses. Remote PC must re-establish VPN tunnel after a rollover.]
The purpose of the fully-qualified domain name in this case is to toggle the domain name of the
gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that
the remote PC client can determine the gateway IP address to establish or re-establish a VPN
tunnel.
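The rollover behaviour described above, seen from the remote client's side, as an added example (not taken from the NETGEAR manual or from any NETGEAR software): a small tracker that re-resolves the gateway's FQDN and decides when the tunnel has to be re-established. The names GatewayTracker, replay and gateway.example.net, and the sample addresses, are constructed for illustration.

```python
import socket

def resolve_ipv4(fqdn):
    """Return the sorted IPv4 addresses the FQDN currently resolves to."""
    infos = socket.getaddrinfo(fqdn, None, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})

class GatewayTracker:
    """Tracks which WAN address a rollover gateway's FQDN points at."""
    def __init__(self, fqdn, resolver=resolve_ipv4):
        self.fqdn = fqdn
        self.resolver = resolver
        self.endpoint = None          # address the tunnel is currently built to

    def poll(self):
        """Resolve the FQDN once and return (action, endpoint)."""
        try:
            addrs = self.resolver(self.fqdn)
        except OSError:
            # DNS outage (socket.gaierror is an OSError): keep the tunnel as is.
            return ("keep", self.endpoint)
        if not addrs or self.endpoint in addrs:
            return ("keep", self.endpoint)
        action = "establish" if self.endpoint is None else "re-establish"
        self.endpoint = addrs[0]      # FQDN now points at the other WAN port
        return (action, self.endpoint)

# Constructed sample: DNS answers seen by the remote client over five polls.
SAMPLE_ANSWERS = [
    ["192.0.2.10"],       # WAN1 active
    ["192.0.2.10"],       # unchanged
    OSError("timeout"),   # dynamic-DNS lookup fails
    ["198.51.100.20"],    # after rollover: FQDN toggled to the WAN2 address
    ["198.51.100.20"],
]

def replay(answers, fqdn="gateway.example.net"):
    """Feed canned answers through the tracker and collect its decisions."""
    it = iter(answers)
    def fake_resolver(_name):
        ans = next(it)
        if isinstance(ans, Exception):
            raise ans
        return ans
    tracker = GatewayTracker(fqdn, fake_resolver)
    return [tracker.poll() for _ in answers]

if __name__ == "__main__":
    print(replay(SAMPLE_ANSWERS))
```

The DNS answer only tells the client where to connect; authenticating the gateway remains the job of the VPN negotiation itself.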
VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall (Figure 3-19), the remote PC
client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2
as necessary to balance the loads of the two gateway WAN ports) because the IP address of the
remote NAT router is not known in advance. The chosen gateway WAN port must act as the
responder.
Figure 3-19: Dual gateway WAN ports (load balancing case) for VPN telecommuter
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is
dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified
domain name is optional.
[Diagram for Figure 3-19, "Telecommuter Example (Dual WAN Ports, Load Balancing)": Gateway A, the VPN router at the employer's main office (LAN 10.5.6.0/24, LAN IP 10.5.6.1, WAN1 IP and WAN2 IP both in use, FQDN labels bzrouter1.dyndns.org and bzrouter2.dyndns.org); NAT Router B at the telecommuter's home office (WAN IP); Client B, the remote PC running NETGEAR ProSafe VPN Client (labelled 0.0.0.0). FQDNs are optional for fixed IP addresses and required for dynamic IP addresses.]
Chapter 4
Connecting the FVS124G to the Internet
This chapter describes how to connect the WAN ports of the FVS124G VPN Firewall to the
Internet.
What You Will Need to Do Before You Begin
The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports is a powerful
and versatile solution for your networking needs. But to make the configuration process easier and
to understand all of the choices available to you, you need to think through the following items
before you begin:
1. Plan your network
   a. Determine whether you are going to use one or both WAN ports. For one WAN port, you
      may need a fully qualified domain name either for convenience or if you have a dynamic
      IP address.
   b. If you are going to use both WAN ports, determine whether you are going to use them in
      rollover mode for increased system reliability or load balancing mode for maximum
      bandwidth efficiency. See Chapter 3, “Network Planning” for more information. Your
      decision has the following implications:
      - Fully qualified domain name
        - For rollover mode, you are going to need a fully qualified domain name to
          implement features such as exposed hosts and virtual private networks.
        - For load balancing mode, you may still need a fully qualified domain name either
          for convenience or if you have a dynamic IP address.
      - Protocol binding
        - For rollover mode, protocol binding does not apply.
        - For load balancing mode, you need to decide which protocols you want to bind to
          a specific WAN port if you are going to take advantage of this option (you will
          make these selections in “Step 4: Configure the WAN Mode (Required for Dual
          WAN)” on page 4-15).
