Chapter 3: LAN Configuration | 31
ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN FVS336Gv2 Reference Manual
between 192.168.1.2 and 192.168.1.100, although you may wish to save part of the range for
devices with fixed addresses.
The network storage will deliver the following parameters to any LAN device that requests DHCP:
- An IP address from the range you have defined.
- Subnet mask.
- Gateway IP address (the network storage’s LAN IP address).
- Primary DNS server (the network storage’s LAN IP address).
- WINS server (if you entered a WINS server address on the DHCP section of the LAN Setup screen).
- Lease time (date obtained and duration of lease).
DHCP Relay options allow you to make the network storage a DHCP relay agent. The DHCP
Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do
not support forwarding of these types of messages. The DHCP Relay Agent is therefore the
routing protocol that enables DHCP clients to obtain IP addresses from a DHCP server that
is not located on the local subnet. If you have not configured a DHCP Relay Agent, your
clients can obtain IP addresses only from a DHCP server on the same subnet. To enable
clients to obtain IP addresses from a DHCP server on a remote subnet, you have to configure
the DHCP Relay Agent on the subnet that contains the remote clients, so that it can relay
DHCP broadcast messages to your DHCP server.
When the DNS Proxy option is enabled, the network storage will act as a proxy for all DNS
requests and communicate with the ISP’s DNS servers (as configured in the WAN settings
screen). All DHCP clients will receive the Primary/Secondary DNS IP along with the IP
address where the DNS Proxy is running, that is, the network storage’s LAN IP address.
When disabled, all DHCP clients will receive the DNS IP addresses of the ISP excluding the
DNS Proxy IP address. The feature is particularly useful in Auto Rollover mode. For example,
if the DNS servers for each connection are different, then a link failure may render the DNS
servers inaccessible. However, when the DNS proxy is enabled, then clients can make
requests to the network storage and the network storage, in turn, sends those requests to the
DNS servers of the active connection.
Configuring the LAN Setup Options
The LAN Setup screen allows configuration of LAN IP services such as DHCP and allows you to
configure a secondary or “multi-home” LAN IP setup in the LAN. The default values are suitable
for most users and situations. Disable the DNS Proxy if you are using a dual WAN configuration
with route diversity and failover. These are advanced settings most usually configured by a
network administrator.
Note: If you enable the DNS Relay feature, you will not use the network
storage as a DHCP server but rather as a DHCP relay agent for a
DHCP server somewhere else on your network.
1. Go to Network Configuration > LAN Settings to display the LAN Setup screen.
2. In the LAN TCP/IP Setup section, configure the following settings:
   - IP Address. The LAN address of your VPN firewall (factory default: 192.168.1.1).
     Note: If you change the LAN IP address of the network storage while
     connected through the browser, you will be disconnected. You must
     then open a new connection to the new IP address and log in again.
     For example, if you change the default IP address 192.168.1.1 to
     10.0.0.1, you must now enter in your browser to
     reconnect to the Web Configuration Manager.
   - IP Subnet Mask. The subnet mask specifies the network number portion of an IP
     address. Your VPN firewall will automatically calculate the subnet mask based on the
     IP address that you assign. Unless you are implementing subnetting, use
     255.255.255.0 as the subnet mask.
3. In the DHCP section, select Disable DHCP Server, Enable DHCP Server, or DHCP Relay.
   By default, the VPN firewall will function as a DHCP server, providing TCP/IP
   configuration settings for all computers connected to the VPN firewall's LAN. If another
   device on your network will be the DHCP server, or if you will manually configure all
   devices, click Disable DHCP Server. If the VPN firewall will function as a DHCP relay
   agent, select DHCP Relay and enter the IP address of the DHCP relay gateway in the
   Relay Gateway field.
   If the DHCP server is enabled, enter the following parameters:
   - Domain Name. (Optional) The DHCP server will assign the entered domain to DHCP
     clients.
   - Starting IP Address. Specifies the first of the contiguous addresses in the IP address
     pool. Any new DHCP client joining the LAN will be assigned an IP address between
     this address and the Ending IP Address. The IP address 192.168.1.2 is the default
     start address.
   - Ending IP Address. Specifies the last of the contiguous addresses in the IP address
     pool. The IP address 192.168.1.100 is the default ending address.
     Note: The starting and ending DHCP addresses should be in the same
     subnet as the LAN IP address of the VPN firewall (the IP address
     configured in the LAN TCP/IP Setup section of the LAN Setup screen).
   - Primary DNS Server. (Optional) If an IP address is specified, the VPN firewall will
     provide this address as the primary DNS server IP address. If no address is specified,
     the VPN firewall will provide its own LAN IP address as the primary DNS server IP
     address.
   - Secondary DNS Server. (Optional) If an IP address is specified, the VPN firewall will
     provide this address as the secondary DNS server IP address.
   - WINS Server. (Optional) Specifies the IP address of a local Windows NetBIOS Server
     if one is present in your network.
   - Lease Time. This specifies the duration for which IP addresses will be leased to
     clients.
   If you will use a Lightweight Directory Access Protocol (LDAP) authentication server for
   network-validated domain-based authentication, select Enable LDAP Information to
   enable the DHCP server to provide LDAP server information. Enter the following
   parameters:
   - LDAP Server. Specifies the name or the IP address of the device that hosts the LDAP
     server.
   - Search Base. Specifies the distinguished name (dn) at which to start the search,
     specified as a sequence of relative distinguished names (rdn), connected with
     commas and without any blank spaces. For most users, the search base is a variation
     of the domain name. For example, if your domain is yourcompany.com, your search
     base dn might be as follows: dc=yourcompany,dc=com.
   - Port. Specifies the port number that the LDAP server is using. Leave this field blank
     for the default port.
4. In the Advanced Settings section, configure the following settings:
   - Enable DNS Proxy. If the DNS proxy is enabled (which is the default setting), the
     DHCP server will provide the VPN firewall’s LAN IP address as the DNS server for
     address name resolution. If this box is unchecked, the DHCP server will provide the
     ISP’s DNS server IP addresses. The VPN firewall will still service DNS requests sent
     to its LAN IP address unless you disable DNS Proxy in the network storage settings
     (see “Attack Checks” on page 54).
   - Enable ARP Broadcast. If ARP broadcast is enabled (which is the default setting),
     the Address Resolution Protocol (ARP) is broadcast on the LAN so that IP
     addresses can be mapped to physical addresses (that is, MAC addresses).
5. Click Apply to save your settings.
Note: Once you have completed the LAN setup, all outbound traffic is
allowed and all inbound traffic is discarded. To change these default
traffic rules, refer to Chapter 4, “Firewall Protection and Content Filtering”.
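The note in step 3 requires the starting and ending DHCP addresses to be in the same subnet as the LAN IP address, and the start of this section suggests keeping part of the range for devices with fixed addresses. The Python check below is an added example, not part of the manual or the firewall firmware; the function name check_dhcp_scope and the fixed_hosts list are assumptions made for illustration.

```python
import ipaddress

def check_dhcp_scope(lan_ip, mask, start, end, fixed_hosts=()):
    """Return a list of problems with a DHCP pool (empty list = none found).

    check_dhcp_scope and fixed_hosts are illustrative names, not firewall settings.
    """
    lan = ipaddress.ip_interface(f"{lan_ip}/{mask}")
    net = lan.network
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    problems = []

    # The pool must sit in the same subnet as the LAN IP address.
    for label, addr in (("starting", first), ("ending", last)):
        if addr not in net:
            problems.append(f"{label} address {addr} is outside LAN subnet {net}")
    if first > last:
        problems.append(f"starting address {first} is above ending address {last}")
        return problems

    # Addresses that must never be leased to a client.
    reserved = (("LAN IP", lan.ip),
                ("network address", net.network_address),
                ("broadcast address", net.broadcast_address))
    for label, addr in reserved:
        if first <= addr <= last:
            problems.append(f"{label} {addr} falls inside the pool")

    # Devices with fixed addresses should be kept out of the leased range.
    for host in map(ipaddress.ip_address, fixed_hosts):
        if first <= host <= last:
            problems.append(f"fixed host {host} falls inside the pool")
    return problems


if __name__ == "__main__":
    # Constructed cases: the manual's defaults, then the LAN IP changed to
    # 10.0.0.1 with the old pool left in place, then a pool that overlaps
    # the LAN IP and a fixed host.
    cases = [
        ("192.168.1.1", "255.255.255.0", "192.168.1.2", "192.168.1.100", []),
        ("10.0.0.1", "255.255.255.0", "192.168.1.2", "192.168.1.100", []),
        ("192.168.1.1", "255.255.255.0", "192.168.1.1", "192.168.1.100",
         ["192.168.1.50"]),
    ]
    for case in cases:
        print(case[:4], check_dhcp_scope(*case) or "OK")
```

The second case shows why the pool has to be revisited after the LAN IP address is changed: the old 192.168.1.x range no longer belongs to the 10.0.0.0/24 subnet.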
Managing Groups and Hosts (LAN Groups)
The Known PCs and Devices table on the LAN Groups screen contains a list of all known
PCs and network devices that are assigned dynamic IP addresses by the VPN firewall, or
have been discovered by other means. Collectively, these entries make up the LAN Groups
Database.
The LAN Groups Database is updated by these methods:
- DHCP Client Requests. By default, the DHCP server in this VPN firewall is enabled, and
  will accept and respond to DHCP client requests from PCs and other network devices.
  These requests also generate an entry in the LAN Groups Database. Because of this,
  leaving the DHCP server feature (on the LAN screen) enabled is strongly recommended.
- Scanning the Network. The local network is scanned using ARP requests. The ARP
  scan will detect active devices that are not DHCP clients. However, sometimes the name
  of the PC or device cannot be accurately determined, and will appear in the database as
  Unknown.
- Manual Entry. You can manually enter information about a network device.
Some advantages of the LAN Groups Database are:
- Generally, you do not need to enter either IP address or MAC addresses. Instead, you
  can just select the desired PC or device.
- No need to reserve an IP address for a PC in the DHCP server. All IP address
  assignments made by the DHCP server will be maintained until the PC or device is
  removed from the database, either by expiry (inactive for a long time) or by you.
- No need to use a fixed IP on PCs. Because the address allocated by the DHCP server
  will never change, you don't need to assign a fixed IP to a PC to ensure it always has the
  same IP address.
- MAC level control over PCs. The LAN Groups Database uses the MAC address to
  identify each PC or device. So changing a PC’s IP address does not affect any
  restrictions on that PC.
- Group and individual control over PCs.
  - You can assign PCs to Groups and apply restrictions to each Group using the Firewall
    Rules screen (see “Using Rules to Block or Allow Specific Kinds of Traffic” on
    page 43).
  - You can also select the Groups to be covered by the Block Sites feature (see
    “Blocking Internet Sites (Content Filtering)” on page 62).
  - If necessary, you can also create Firewall Rules to apply to a single PC (see
    “Configuring Source MAC Filtering” on page 64). Because the MAC address is used
    to identify each PC, users cannot avoid these restrictions by changing their IP
    address.
A computer is identified by its MAC address, not its IP address. Hence, changing a
computer’s IP address does not affect any restrictions applied to that PC.
Viewing the LAN Groups Database
To view the LAN Groups Database, follow these steps:
1. Select Network Configuration > LAN Settings from the menu. The LAN Setup screen is
   displayed.
2. Click the LAN Groups tab. The LAN Groups screen is displayed.
