Firewall Protection
ProSafe Wireless-N 8-Port Gigabit VPN Firewall FVS318N
Create Bandwidth Profiles
Bandwidth profiles determine the way in which data is communicated with the hosts. The
purpose of bandwidth profiles is to provide a method for allocating and limiting traffic, thus
allocating LAN users sufficient bandwidth while preventing them from consuming all the
bandwidth on your WAN link. A single bandwidth profile can apply to both outbound and
inbound traffic.
For outbound IPv4 traffic, you can apply bandwidth profiles on the WAN interface; for inbound
IPv4 traffic, you can apply bandwidth profiles to a LAN interface. Bandwidth profiles do not
apply to the DMZ interface, nor to IPv6 traffic.
When a new connection is established by a device, the device locates the firewall rule
corresponding to the connection:
• If the rule has a bandwidth profile specification, the device creates a bandwidth class in the kernel.
• If multiple connections correspond to the same firewall rule, the connections all share the same bandwidth class.
An exception occurs for an individual bandwidth profile if the classes are per-source IP
address classes. The source IP address is the IP address of the first packet that is
transmitted for the connection. So for outbound firewall rules, the source IP address is the
LAN-side IP address; for inbound firewall rules, the source IP address is the WAN-side IP
address. The class is deleted when all the connections that are using the class expire.
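The class bookkeeping described above can be modelled in a few lines to see how many classes a rule ends up with. This is an added example, not NETGEAR firmware code; the names class_key, ClassTable and simulate, the rule name and the 2000 Kbps maximum are assumptions, and the addresses are constructed sample data.

```python
from collections import Counter

def class_key(rule, profile_type, direction, lan_ip, wan_ip):
    """Return the bandwidth-class key for a new connection."""
    if profile_type == "group":
        return (rule,)                   # every connection on the rule shares one class
    # Individual: keyed by the source IP of the first packet of the connection,
    # that is, the LAN-side address for outbound rules and the WAN-side for inbound.
    src = lan_ip if direction == "outbound" else wan_ip
    return (rule, src)

class ClassTable:
    def __init__(self):
        self.live = Counter()            # class key -> number of live connections

    def connect(self, *conn):
        self.live[class_key(*conn)] += 1

    def expire(self, *conn):
        key = class_key(*conn)
        self.live[key] -= 1
        if self.live[key] <= 0:          # class is deleted with its last connection
            del self.live[key]

    def ceiling_kbps(self, max_kbps):
        """Worst-case aggregate rate if every live class runs at the profile maximum."""
        return len(self.live) * max_kbps

def simulate(profile_type, max_kbps=2000):
    # Constructed sample: three WAN clients (documentation addresses) reach one LAN
    # server through a single inbound rule; the first client opens two connections.
    server = "192.168.1.10"
    clients = ["203.0.113.5", "203.0.113.5", "203.0.113.6", "203.0.113.7"]
    table = ClassTable()
    for ip in clients:
        table.connect("inbound-http", profile_type, "inbound", server, ip)
    peak = table.ceiling_kbps(max_kbps)
    for ip in clients:
        table.expire("inbound-http", profile_type, "inbound", server, ip)
    return peak, len(table.live)         # (aggregate ceiling, classes left afterwards)

if __name__ == "__main__":
    print("group     :", simulate("group"))
    print("individual:", simulate("individual"))
```

In this model an individual profile on an inbound rule limits each WAN-side source address separately, so the aggregate ceiling grows with the number of sources, while a group profile holds the rule to a single shared class.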
After you have created a bandwidth profile, you can assign the bandwidth profile to firewall
rules on the following screens:
• Add LAN WAN Outbound Services screen for IPv4 (see Figure 63 on page 138)
• Add LAN WAN Inbound Services screen for IPv4 (see Figure 65 on page 140)
To add and enable a bandwidth profile:
1. Select Security > Bandwidth Profiles. The Bandwidth Profiles screen displays. (The following figure shows some examples.)
Figure 92.
2. Under the List of Bandwidth Profiles table, click the Add table button. The Add Bandwidth Profile screen displays:
Figure 93.
3. Enter the settings as explained in the following table:
Table 37. Add Bandwidth Profile screen settings
Setting | Description
Profile Name | A descriptive name of the bandwidth profile for identification and management purposes.
Direction | From the Direction drop-down list, select the traffic direction for the bandwidth profile:
    • Inbound Traffic. The bandwidth profile is applied only to inbound traffic. Specify the inbound minimum and maximum bandwidths.
    • Outbound Traffic. The bandwidth profile is applied only to outbound traffic. Specify the outbound minimum and maximum bandwidths.
    • Both. The bandwidth profile is applied to both outbound and inbound traffic. Specify both the outbound and inbound minimum and maximum bandwidths.
Inbound Minimum Bandwidth | The inbound minimum allocated bandwidth in Kbps. There is no default setting.
Inbound Maximum Bandwidth | The inbound maximum allowed bandwidth in Kbps. The maximum allowable bandwidth is 100000 Kbps, and you cannot configure less than 100 Kbps. There is no default setting.
Outbound Minimum Bandwidth | The outbound minimum allocated bandwidth in Kbps. There is no default setting.
4. Click Apply to save your settings. The new bandwidth profile is added to the List of Bandwidth Profiles table.
To edit a bandwidth profile:
1. In the List of Bandwidth Profiles table, click the Edit table button to the right of the bandwidth profile that you want to edit. The Edit Bandwidth Profile screen displays.
2. Modify the settings that you wish to change (see the previous table).
3. Click Apply to save your changes. The modified bandwidth profile is displayed in the List of Bandwidth Profiles table.
To delete one or more bandwidth profiles:
1. In the List of Bandwidth Profiles table, select the check box to the left of each bandwidth profile that you want to delete, or click the Select All table button to select all profiles.
2. Click the Delete table button to delete the selected profile or profiles.
Preconfigured Quality of Service Profiles
A Quality of Service (QoS) profile defines the relative priority of an IP packet when multiple
connections are scheduled for simultaneous transmission on the wireless VPN firewall. A
QoS profile becomes active only when it is associated with a nonblocking inbound or
outbound firewall rule or service, and traffic matching the firewall rule or service is processed
by the wireless VPN firewall. Priorities are defined by the Type of Service (ToS) in the Internet
Protocol Suite standards, RFC 1349.
You can assign a QoS profile to a firewall rule or service on the following screens:
• Add LAN WAN Outbound Services screen for IPv4 (see Figure 63 on page 138)
• Add LAN WAN Outbound Services screen for IPv6 (see Figure 64 on page 139)
• Add DMZ WAN Outbound Services screen for IPv4 (see Figure 69 on page 145)
• Add DMZ WAN Outbound Services screen for IPv6 (see Figure 70 on page 146)
• Services screen (see Figure 90 on page 169)
Table 37. Add Bandwidth Profile screen settings (continued)
Setting | Description
Outbound Maximum Bandwidth | The outbound maximum allowed bandwidth in Kbps. The maximum allowable bandwidth is 100000 Kbps, and you cannot configure less than 100 Kbps. There is no default setting.
Type | From the Type drop-down list, select the type for the bandwidth profile:
    • Group. The profile applies to all users, that is, all users share the available bandwidth.
    • Individual. The profile applies to an individual user, that is, each user can use the available bandwidth.
These are the default QoS profiles that are preconfigured and that cannot be edited:
• Normal-Service. Used when no special priority is given to the traffic. IP packets are marked with a ToS value of 0.
• Minimize-Cost. Used when data needs to be transferred over a link that has a lower cost. IP packets are marked with a ToS value of 2.
• Maximize-Reliability. Used when data needs to travel to the destination over a reliable link and with little or no retransmission. IP packets are marked with a ToS value of 4.
• Maximize-Throughput. Used when the volume of data transferred during an interval is important even if the latency over the link is high. IP packets are marked with a ToS value of 8.
• Minimize-Delay. Used when the time required (latency) for the packet to reach the destination needs to be low. IP packets are marked with a ToS value of 16.
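To confirm from a packet capture that traffic matching a rule carries the mark of its QoS profile, the ToS octet can be read from the IPv4 header and split into its RFC 1349 fields. This is an added example, not code from the manual; the function names are assumptions, and the header is a constructed sample that uses documentation addresses.

```python
import struct

# Whole-octet ToS values the manual lists for the preconfigured QoS profiles.
PROFILES = {0: "Normal-Service", 2: "Minimize-Cost", 4: "Maximize-Reliability",
            8: "Maximize-Throughput", 16: "Minimize-Delay"}

def tos_from_ipv4(header: bytes) -> int:
    """Return the ToS octet (second byte) of a raw IPv4 header."""
    if len(header) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, tos = struct.unpack_from("!BB", header)
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos

def decode_tos(tos: int) -> dict:
    """Split the octet per RFC 1349: 3-bit precedence, 4-bit TOS, 1 must-be-zero bit."""
    return {
        "precedence": tos >> 5,
        "tos_field": (tos >> 1) & 0x0F,
        "mbz": tos & 0x01,
        "profile": PROFILES.get(tos, "unrecognized"),
    }

def check_marking(header: bytes, expected_profile: str) -> bool:
    """True if the packet carries the mark of the profile bound to its firewall rule."""
    return decode_tos(tos_from_ipv4(header))["profile"] == expected_profile

def sample_header(tos: int) -> bytes:
    # Constructed 20-byte IPv4 header (TCP, checksum left at zero) for the demo.
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, 6, 0,
                       bytes([192, 168, 1, 10]), bytes([203, 0, 113, 5]))

if __name__ == "__main__":
    for value in (0, 2, 4, 8, 16, 0xB8):
        print(value, decode_tos(tos_from_ipv4(sample_header(value))))
```

The listed values 2, 4, 8 and 16 each set exactly one bit of the 4-bit TOS field with precedence 0; any other octet, such as 0xB8, is reported as unrecognized by this check.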
Configure Content Filtering
To restrict internal LAN users from access to certain sites on the Internet, you can use the
content filtering and web component blocking features of the wireless VPN firewall. By
default, these features are disabled; all requested traffic from any website is allowed. If you
enable one or more of these features and users try to access a blocked site, they will see a
“Blocked by NETGEAR” message.
Note: Content filtering is supported for IPv4 users and groups only.
Several types of blocking are available:
• Web component blocking. You can block the following web component types: proxy, Java, ActiveX, and cookies. Even sites that are listed in the Trusted Domains table are subject to web component blocking when the blocking of a particular web component is enabled.
  - Proxy. A proxy server (or simply, proxy) allows computers to route connections to other computers through the proxy, thus circumventing certain firewall rules. For example, if connections to a specific IP address are blocked by a firewall rule, the requests can be routed through a proxy that is not blocked by the rule, rendering the restriction ineffective. Enabling this feature blocks proxy servers.
  - Java. Blocks Java applets from being downloaded from pages that contain them. Java applets are small programs embedded in web pages that enable dynamic functionality of the page. A malicious applet can be used to compromise or infect computers. Enabling this setting blocks Java applets from being downloaded.
  - ActiveX. Similar to Java applets, ActiveX controls are installed on a Windows computer running Internet Explorer. A malicious ActiveX control can be used to compromise or infect computers. Enabling this setting blocks ActiveX applets from being downloaded.
  - Cookies. Cookies are used to store session information by websites that usually require login. However, several websites use cookies to store tracking information and browsing habits. Enabling this option blocks cookies from being created by a website.
    Note: Many websites require that cookies be accepted in order for the site to be accessed correctly. Blocking cookies might interfere with useful functions provided by these websites.
• Keyword blocking (domain name blocking). You can specify up to 32 words to block. If any of these words appear in the website name (URL) or in a newsgroup name, the website or newsgroup is blocked by the wireless VPN firewall.
  You can apply the keywords to one or more LAN groups. Requests from the computers in the groups are blocked where keyword blocking has been enabled. Blocking does not occur for the computers in the groups where keyword blocking has been disabled.
  You can bypass keyword blocking for trusted domains by adding the exact matching domain to the Trusted Domains table. Access to the domains or keywords on this list by computers in the groups where keyword blocking has been enabled will be allowed to pass without any blocking.
Keyword application examples:
• If the keyword “xxx” is specified, the URL http://www.companycom/xxx.html is blocked, as is the newsgroup alt.pictures.xxx.
• If the keyword “.com” is specified, only websites with other domain suffixes (such as .edu, .org, or .gov) can be viewed.
• If you wish to block all Internet browsing access, enter . (period) as the keyword.
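Before entering a keyword list, it can be checked against the URLs that users must still reach. The model below is an added example, not the firewall's own matching code: it assumes a case-insensitive substring match on host plus path, treats a trusted domain as an exact host match, covers URLs only (not newsgroup names), and uses constructed sample data.

```python
from urllib.parse import urlsplit

def is_blocked(url, keywords, trusted_domains, group_enabled=True):
    """Decide one request under the keyword-blocking rules described above."""
    if not group_enabled:                       # keyword blocking is enabled per LAN group
        return False
    host = (urlsplit(url).hostname or "").lower()
    if host in {d.lower() for d in trusted_domains}:
        return False                            # bypass only for the exact matching domain
    name = url.split("://", 1)[-1].lower()      # host + path, scheme excluded (assumption)
    return any(k.lower() in name for k in keywords)

def audit(keywords, trusted_domains, must_allow):
    """Map each keyword to the must-stay-reachable URLs it would block by itself."""
    report = {}
    for k in keywords:
        hits = [u for u in must_allow if is_blocked(u, [k], trusted_domains)]
        if hits:
            report[k] = hits
    return report

# Constructed sample data: a proposed keyword list, one trusted domain, and
# URLs that users must still be able to reach.
KEYWORDS = ["xxx", ".com", "."]
TRUSTED = ["www.example.com"]
MUST_ALLOW = [
    "http://www.example.com/login",
    "http://mail.example.com/inbox",
    "http://intranet.example.org/wiki",
]

if __name__ == "__main__":
    for keyword, urls in audit(KEYWORDS, TRUSTED, MUST_ALLOW).items():
        print(f"{keyword!r} would block: {urls}")
```

With this sample, the trusted entry www.example.com does not cover mail.example.com, so the ".com" keyword still blocks the mail host, and the "." keyword blocks everything that is not an exact trusted match.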
To enable and configure content filtering:
1. Select Security > Content Filtering. The Block Sites screen displays. (The following figure shows some examples.)