Appendix B: Network Planning for Dual WAN Ports | 181
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
Virtual Private Networks (VPNs)
When implementing virtual private network (VPN) tunnels, a mechanism must be used for
determining the IP addresses of the tunnel end points. The addressing of the VPN firewall’s
dual WAN port depends on the configuration being implemented:
For the single gateway WAN port case, the mechanism is to use a fully-qualified domain
name (FQDN) when the IP address is dynamic and to use either an FQDN or the IP address
itself when the IP address is fixed. The situation is different when dual gateway WAN ports
are used in a rollover-based system.
Rollover Case for Dual Gateway WAN Ports
Rollover for the dual gateway WAN port case is different from the single gateway WAN
port case when specifying the IP address of the VPN tunnel end point. Only one WAN
port is active at a time and when it rolls over, the IP address of the active WAN port
always changes. Hence, the use of a fully-qualified domain name is always required,
even when the IP address of each WAN port is fixed.
Table B-2. IP addressing requirements for VPNs in dual WAN port systems

Configuration and WAN IP address          | Single WAN Port         | Dual WAN Port Cases
                                          | (reference case)        | Rollover (1)            | Load Balancing
VPN Road Warrior           | Fixed        | Allowed (FQDN optional) | FQDN required           | Allowed (FQDN optional)
(client-to-gateway)        | Dynamic      | FQDN required           | FQDN required           | FQDN required
VPN Gateway-to-Gateway     | Fixed        | Allowed (FQDN optional) | FQDN required           | Allowed (FQDN optional)
                           | Dynamic      | FQDN required           | FQDN required           | FQDN required
VPN Telecommuter           | Fixed        | Allowed (FQDN optional) | FQDN required           | Allowed (FQDN optional)
(client-to-gateway through | Dynamic      | FQDN required           | FQDN required           | FQDN required
a NAT router)              |              |                         |                         |

(1) All tunnels must be re-established after a rollover using the new WAN IP address.
Note: Once the gateway router WAN port rolls over, the VPN tunnel collapses and must be re-established using the new WAN IP address.
Figure B-7. Rollover with Dual WAN Ports
Load Balancing Case for Dual Gateway WAN Ports
Load balancing for the dual gateway WAN port case is the same as the single gateway
WAN port case when specifying the IP address of the VPN tunnel end point. Each IP
address is either fixed or dynamic based on the ISP: fully-qualified domain names must
be used when the IP address is dynamic and are optional when the IP address is static.
Figure B-8. Load Balancing for Dual Gateway WAN Ports
VPN Road Warrior (Client-to-Gateway)
The following situations exemplify the requirements for a remote PC client with no firewall to
establish a VPN tunnel with a gateway VPN firewall:
Single gateway WAN port
Redundant dual gateway WAN ports for increased reliability (before and after rollover)
Dual gateway WAN ports used for load balancing
VPN Road Warrior: Single Gateway WAN Port (Reference Case)
In the case of the single WAN port on the gateway VPN firewall, the remote PC client initiates
the VPN tunnel because the IP address of the remote PC client is not known in advance. The
gateway WAN port must act as the responder.
Figure B-9. Road Warrior, Single WAN Port
The IP address of the gateway WAN port can be either fixed or dynamic. If the IP address is
dynamic, a fully-qualified domain name must be used. If the IP address is fixed, a
fully-qualified domain name is optional.
VPN Road Warrior: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC client initiates
the VPN tunnel with the active gateway WAN port (port WAN1 in this example) because the
IP address of the remote PC client is not known in advance. The gateway WAN port must act
as a responder.
Figure B-10. Road Warrior, Dual Gateway WAN Ports
The IP addresses of the gateway WAN ports can be either fixed or dynamic, but a
fully-qualified domain name must always be used because the active WAN port could be
either WAN1 or WAN2 (i.e., the IP address of the active WAN port is not known in advance).
After a rollover of the gateway WAN port, the previously inactive gateway WAN port becomes
the active port (port WAN2 in this example) and the remote PC client must re-establish the
VPN tunnel. The gateway WAN port must act as the responder.
Figure B-11. Road Warrior, Dual WAN Ports, Rollover
The purpose of the fully-qualified domain name in this case is to toggle the domain name of
the gateway firewall between the IP addresses of the active WAN port (i.e., WAN1 and
WAN2) so that the remote PC client can determine the gateway IP address to establish or
re-establish a VPN tunnel.
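The rollover requirement in Table B-2 and in the road warrior rollover case above can be checked with a small simulation. The following Python is an added example and is not part of the NETGEAR manual or of the firewall's firmware. The gateway host name vpn.example.net, the fixed WAN addresses 203.0.113.10 and 198.51.100.20, and the DynamicDns class standing in for a DDNS service are all constructed for it. It models a remote client that always initiates, a gateway that answers only on its active WAN port, and a dead-peer check that re-resolves the peer and reconnects after the tunnel collapses. The same logic applies to an initiating gateway in the gateway-to-gateway case, since it faces the same choice of peer address.

```python
"""Added example (not from the NETGEAR manual): why the VPN peer must be an
FQDN when the gateway's dual WAN ports run in rollover mode, even though
both WAN IP addresses are fixed. All names and addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import ipaddress


@dataclass
class DualWanGateway:
    """Gateway VPN firewall with two WAN ports; only the active one responds."""
    fqdn: str
    wan_ips: Dict[str, str]          # {"WAN1": ip, "WAN2": ip}, both fixed here
    active: str = "WAN1"

    def active_ip(self) -> str:
        return self.wan_ips[self.active]

    def rollover(self) -> None:
        """Fail over to the other WAN port; the active IP address changes."""
        self.active = "WAN2" if self.active == "WAN1" else "WAN1"


class DynamicDns:
    """Constructed stand-in for the DDNS service that tracks the active WAN IP."""
    def __init__(self) -> None:
        self.records: Dict[str, str] = {}

    def update(self, fqdn: str, ip: str) -> None:
        self.records[fqdn] = ip

    def resolve(self, fqdn: str) -> Optional[str]:
        return self.records.get(fqdn)


@dataclass
class RoadWarriorClient:
    """Remote PC client that always initiates; the gateway is the responder."""
    peer: str                        # literal IP address or FQDN of the gateway
    dns: DynamicDns
    tunnel_peer_ip: Optional[str] = None
    events: List[str] = field(default_factory=list)

    def _peer_address(self) -> Optional[str]:
        try:
            ipaddress.ip_address(self.peer)   # literal address: nothing to look up
            return self.peer
        except ValueError:
            return self.dns.resolve(self.peer)  # FQDN: ask DNS every time

    def connect(self, gw: DualWanGateway) -> bool:
        ip = self._peer_address()
        # The responder listens only on the active WAN port: a stale DNS answer
        # or the inactive port's fixed IP gets no IKE reply.
        if ip is None or ip != gw.active_ip():
            self.events.append(f"connect to {ip} failed")
            self.tunnel_peer_ip = None
            return False
        self.events.append(f"tunnel established with {ip}")
        self.tunnel_peer_ip = ip
        return True

    def maintain(self, gw: DualWanGateway) -> bool:
        """Dead-peer-detection style check: on collapse, re-resolve and reconnect."""
        if self.tunnel_peer_ip == gw.active_ip():
            return True
        self.events.append("tunnel collapsed")
        return self.connect(gw)


def simulate_rollover(peer_spec: str, ddns_updated: bool = True) -> Tuple[bool, bool]:
    """Return (connected before rollover, connected after rollover) for a client
    whose peer is peer_spec: the gateway FQDN or the literal fixed IP of WAN1."""
    dns = DynamicDns()
    gw = DualWanGateway("vpn.example.net",            # constructed host name
                        {"WAN1": "203.0.113.10",      # constructed fixed addresses
                         "WAN2": "198.51.100.20"})
    dns.update(gw.fqdn, gw.active_ip())
    client = RoadWarriorClient(peer_spec, dns)
    before = client.connect(gw)
    gw.rollover()                    # WAN1 fails; WAN2 becomes the active port
    if ddns_updated:
        dns.update(gw.fqdn, gw.active_ip())
    after = client.maintain(gw)
    return before, after


if __name__ == "__main__":
    print("FQDN peer:           ", simulate_rollover("vpn.example.net"))
    print("FQDN, stale DDNS:    ", simulate_rollover("vpn.example.net", False))
    print("fixed WAN1 IP peer:  ", simulate_rollover("203.0.113.10"))
```

The third run shows the failure the table warns about: a client configured with WAN1's fixed address connects fine at first and then cannot recover after rollover, because that address is no longer answering. The second run shows the remaining caveat: the FQDN only helps once the DDNS record points at the new active port, so a client's retry loop should re-resolve on every attempt rather than reuse the first answer, and the DDNS record's TTL bounds how long cached resolvers keep handing out the old address.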
VPN Road Warrior: Dual Gateway WAN Ports for Load Balancing
In the case of the dual WAN ports on the gateway VPN firewall, the remote PC initiates the
VPN tunnel with the appropriate gateway WAN port (that is, port WAN1 or WAN2 as
necessary to balance the loads of the two gateway WAN ports) because the IP address of the
remote PC is not known in advance. The chosen gateway WAN port must act as the
responder.
Figure B-12. Road Warrior, Dual WAN Ports, Load Balancing
The IP addresses of the gateway WAN ports can be either fixed or dynamic. If an IP address
is dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a
fully-qualified domain name is optional.
VPN Gateway-to-Gateway
The following situations exemplify the requirements for a gateway VPN firewall to establish a
VPN tunnel with another gateway VPN firewall:
Single gateway WAN ports
Redundant dual gateway WAN ports for increased reliability (before and after rollover)
Dual gateway WAN ports used for load balancing
VPN Gateway-to-Gateway: Single Gateway WAN Ports (Reference Case)
In the case of single WAN ports on the gateway VPN firewalls, either gateway WAN port can
initiate the VPN tunnel with the other gateway WAN port because the IP addresses are
known in advance.
Figure B-13. Gateway-to-Gateway with Single WAN Ports
The IP address of the gateway WAN ports can be either fixed or dynamic. If an IP address is
dynamic, a fully-qualified domain name must be used. If an IP address is fixed, a
fully-qualified domain name is optional.
VPN Gateway-to-Gateway: Dual Gateway WAN Ports for Improved Reliability
In the case of the dual WAN ports on the gateway VPN firewall, either of the gateway WAN
ports at one end can initiate the VPN tunnel with the appropriate gateway WAN port at the
other end as necessary to balance the loads of the gateway WAN ports because the IP
addresses of the WAN ports are known in advance. In this example, port WAN_A1 is active