NETGEAR FVS124G Router Manual PDF (Setup & Configuration Guide)

Home

Manuals

NETGEAR

FVS124G

Page 41 / 238 Scroll up to view Page 36 - 40

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Network Planning

3-11

202-10085-01, March 2005

Figure 3-14:

Dual gateway WAN ports, after rollover, for gateway-to-gateway VPN tunnels

The purpose of the fully-qualified domain names is this case is to toggle the domain name of the

failed-over gateway firewall between the IP addresses of the active WAN port (i.e., WAN_A1 and

WAN _A2 in this example) so that the other end of the tunnel has a known gateway IP address to

establish or re-establish a VPN tunnel.

VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Load Balancing

In the case of the dual WAN ports on the gateway VPN firewall (

Figure 3-15

), either of the

gateway WAN ports at one end can be programmed in advance to initiate the VPN tunnel with the

appropriate gateway WAN port at the other end as necessary to manage the loads of the gateway

WAN ports because the IP addresses of the WAN ports are known in advance.

Figure 3-15:

Dual gateway WAN ports (load balancing case) for gateway-to-gateway VPN

tunnels

Gateway A

netgearB.dyndns.org

WAN_A1 port inactive

10.5.6.0/24

172.23.9.0/24

172.23.9.1

10.5.6.1

WAN_A1 IP (N/A)

WAN_B1 IP

LAN IP

Gateway B

Gateway-to-Gateway Example

(Dual WAN Ports, After Rollover)

Fully-Qualified Domain Names (FQDN)

- required for Fixed IP addresses

- required for Dynamic IP addresses

VPN Router

(at office A)

VPN Router

(at office B)

WAN_B2 IP (N/A)

WAN_A2 IP

netgear.dyndns.org

WAN_B2 port inactive

One of the gateway routers must re-establish VPN tunnel after a rollover

Gateway A

22.23.24.25

netgear1.dyndns.org

10.5.6.0/24

172.23.9.0/24

172.23.9.1

10.5.6.1

WAN_A1 IP

WAN_B1 IP

LAN IP

Gateway B

Gateway-to-Gateway Example

(Dual WAN Ports, Load Balancing)

Fully-Qualified Domain Names (FQDN)

- optional for Fixed IP addresses

- required for Dynamic IP addresses

VPN Router

(at office A)

VPN Router

(at office B)

WAN_B2 IP

WAN_A2 IP

netgear2.dyndns.org

22.23.24.26

Page 42 / 238

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

3-12

Network Planning

202-10085-01, March 2005

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is

dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified

domain name is optional.

VPN Telecommuter (Client-to-Gateway Through a NAT Router)

The following situations exemplify the requirements for a remote PC client connected to the

Internet with a dynamic IP address through a NAT router to establish a VPN tunnel with a gateway

VPN firewall at the company office:

•

Single gateway WAN port

•

Redundant dual gateway WAN ports for increased reliability (before and after rollover)

•

Dual gateway WAN ports used for load balancing

VPN Telecommuter: Single Gateway WAN Port (Reference Case)

In the case of the single WAN port on the gateway VPN firewall (

Figure 3-16

), the remote PC

client at the NAT router initiates the VPN tunnel because the IP address of the remote NAT router

is not known in advance. The gateway WAN port must act as the responder.

Figure 3-16:

Single gateway WAN port case for VPN telecommuter

The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is

dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a fully-qualified

domain name is optional.

Note:

The telecommuter case presumes the home office has a dynamic IP address and

NAT router.

Gateway A

bzrouter.dyndns.org

10.5.6.0/24

10.5.6.1

WAN IP

LAN IP

Client B

FQDN

0.0.0.0

VPN Router

(at employer's

main office)

Telecommuter Example (Single WAN Port)

NAT Router B

NAT Router

(at telecommuter's

home office)

Remote PC

(running NETGEAR

ProSafe VPN Client)

Fully-Qualified Domain Names (FQDN)

- optional for Fixed IP addresses

- required for Dynamic IP addresses

Page 43 / 238

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

Network Planning

3-13

202-10085-01, March 2005

VPN Telecommuter: Dual Gateway WAN Ports for Improved Reliability

In the case of the dual WAN ports on the gateway VPN firewall (

Figure 3-17

), the remote PC

client initiates the VPN tunnel with the active gateway WAN port (port WAN1 in this example)

because the IP address of the remote NAT router is not known in advance. The gateway WAN port

must act as the responder.

Figure 3-17:

Dual gateway WAN ports, before rollover, for VPN telecommuter

The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a fully-qualified

domain name must always be used because the active WAN port could be either WAN1 or WAN2

(i.e., the IP address of the active WAN port is not known in advance).

After a rollover of the gateway WAN port (

Figure 3-18

), the previously inactive gateway WAN

port becomes the active port (port WAN2 in this example) and the remote PC must re-establish the

VPN tunnel. The gateway WAN port must act as the responder.

Figure 3-18:

Dual gateway WAN ports, after rollover, for VPN telecommuter

Gateway A

WAN2 port inactive

10.5.6.0/24

10.5.6.1

WAN1 IP

WAN IP

LAN IP

Client B

0.0.0.0

VPN Router

(at employer's

main office)

Telecommuter Example

(Dual WAN Ports, Before Rollover)

NAT Router B

NAT Router

(at telecommuter's

home office)

Remote PC

(running NETGEAR

ProSafe VPN Client)

Fully-Qualified Domain Names (FQDN)

- required for Fixed IP addresses

- required for Dynamic IP addresses

WAN2 IP (N/A)

bzrouter1.dyndns.org

Gateway A

bzrouter2.dyndns.org

10.5.6.0/24

10.5.6.1

WAN1 IP (N/A)

WAN IP

LAN IP

Client B

0.0.0.0

VPN Router

(at employer's

main office)

Telecommuter Example

(Dual WAN Ports, After Rollover)

NAT Router B

NAT Router

(at telecommuter's

home office)

Remote PC

(running NETGEAR

ProSafe VPN Client)

Fully-Qualified Domain Names (FQDN)

- required for Fixed IP addresses

- required for Dynamic IP addresses

WAN2 IP

WAN1 port inactive

Remote PC must re-establish VPN tunnel after a rollover

Page 44 / 238

Reference Manual for the ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports

3-14

Network Planning

202-10085-01, March 2005

The purpose of the fully-qualified domain name is this case is to toggle the domain name of the

gateway router between the IP addresses of the active WAN port (i.e., WAN1 and WAN2) so that

the remote PC client can determine the gateway IP address to establish or re-establish a VPN

tunnel.

VPN Telecommuter: Dual Gateway WAN Ports for Load Balancing

In the case of the dual WAN ports on the gateway VPN firewall (

Figure 3-19

), the remote PC

client initiates the VPN tunnel with the appropriate gateway WAN port (i.e., port WAN1 or WAN2

as necessary to balance the loads of the two gateway WAN ports) because the IP address of the

remote NAT router is not known in advance. The chosen gateway WAN port must act as the

responder.

Figure 3-19:

Dual gateway WAN ports (load balancing case) for VPN telecommuter

The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address is

dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a fully-qualified

domain name is optional.

Gateway A

bzrouter2.dyndns.org

10.5.6.0/24

10.5.6.1

WAN1 IP

WAN IP

LAN IP

Client B

0.0.0.0

VPN Router

(at employer's

main office)

Telecommuter Example

(Dual WAN Ports, Load Balancing)

NAT Router B

NAT Router

(at telecommuter's

home office)

Remote PC

(running NETGEAR

ProSafe VPN Client)

Fully-Qualified Domain Names (FQDN)

- optional for Fixed IP addresses

- required for Dynamic IP addresses

WAN2 IP

bzrouter1.dyndns.org

Page 45 / 238

Connecting the FVS124G to the Internet

4-1

202-10085-01, March 2005

Chapter 4

Connecting the FVS124G to the Internet

This chapter describes how to connect the WAN ports of the FVS124G VPN Firewall to the

Internet.

What You Will Need to Do Before You Begin

The FVS124G ProSafe VPN Firewall 25 with 4 Gigabit LAN and Dual WAN Ports is a powerful

and versatile solution for your networking needs. But to make the configuration process easier and

to understand all of the choices available to you, you need to think through the following items

before you begin:

Plan your network

Determine whether you are going to use one or both WAN ports. For one WAN port, you

may need a fully qualified domain name either for convenience or if you have a dynamic

IP address.

If you are going to use both WAN ports, determine whether you are going to use them in

rollover mode for increased system reliability or load balancing mode for maximum

bandwidth efficiency. See

Chapter 3, “Network Planning

for more information. Your

decision has the following implications:

•

Fully qualified domain name

–

For rollover mode, you are going to need a fully qualified domain name to

implement features such as exposed hosts and virtual private networks.

–

For load balancing mode, you may still need a fully qualified domain name either

for convenience or if you have a dynamic IP address.

•

Protocol binding

–

For rollover mode, protocol binding does not apply.

–

For load balancing mode, you need to decide which protocols you want to bind to

a specific WAN port if you are going to take advantage of this option (you will

make these selections in

“Step 4: Configure the WAN Mode (Required for Dual

WAN)” on page 4-15

Rate

Popular NETGEAR Models

Famous Router IPs

Famous Router Companies

Bookmark Our Site

Share