FVS338 ProSafe VPN Firewall 50 Reference Manual

3-2

LAN Configuration

v1.0, September 2006

To modify your LAN setup:

1.

Select

Network Configuration

from the main menu and

LAN Setup

from the submenu. The

LAN Setup

screen will display.

2.

Enter the

IP Address

of your router (factory default:

192.168.1.1

). (Always make sure that the

LAN Port IP address and DMZ port IP address are in different subnets.)

3.

Enter the

IP Subnet Mask

. The subnet mask specifies the network number portion of an IP

address. Your router will automatically calculate the subnet mask based on the IP address that

you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask

(computed by the router).

4.

Check the

Enable DHCP Server

radio button. By default, the router will function as a DHCP

(Dynamic Host Configuration Protocol) server, providing TCP/IP configuration for all

computers connected to the router's LAN. If another device on your network will be the DHCP

server, or if you will manually configure all devices, check the

Disable DHCP Server

radio

button. Enable DHCP Server is the default. If Enabled is selected, enter the following

parameters:

a.

Enter the

Domain Name

of the router (this is optional).

Figure 3-1

FVS338 ProSafe VPN Firewall 50 Reference Manual

LAN Configuration

3-3

v1.0, September 2006

b.

Enter the

Starting IP Address

. This address specifies the first of the contiguous addresses

in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP

address between this address and the Ending IP Address. The IP address 192.168.1.2 is the

default start address.

c.

Enter the

Ending IP Address

. This address specifies the last of the contiguous addresses

in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP

address between the Starting IP address and this IP address. The IP address 192.168.1.100

is the default ending address.

d.

Enter a

WINS Server

IP address. This box can specify the Windows NetBios Server IP if

one is present in your network. This field is optional.

e.

Enter a

Lease Time.

This specifies the duration for which IP addresses will be leased to

clients.

f.

Check the

Enable DNS Proxy

radio box. This is optional—the default is enabled. If

enabled, the VPN firewall will provide a LAN IP Address for DNS address name

resolution.

5.

Click

Apply

to save your settings.

6.

Click

Reset

to discard any changes and revert to the previous configuration.

Note:

The Starting and Ending DHCP addresses should be in the same “network”

as the LAN TCP/IP address of the router (the IP Address in

LAN TCP/IP

Setup

section).

Note:

If you change the LAN IP address of the firewall while connected through the

browser, you will be disconnected. You must then open a new connection to

the new IP address and log in again. For example, if you change the default IP

address

192.168.1.1

to

10.0.0.1

, you must enter

in your browser

to connect to the web management interface.

Note:

Once you have completed the LAN IP setup, all outbound traffic is allowed

and all inbound traffic is discarded. To change these traffic rules, refer to

Chapter 4, “Firewall Protection and Content Filtering

.”

FVS338 ProSafe VPN Firewall 50 Reference Manual

3-4

LAN Configuration

v1.0, September 2006

Configuring Multi-Home LAN IPs

If you have computers that are using different IP address ranges in the LAN (for example,

172.16.2.0 or 10.0.0.0), then you can add “aliases” to the LAN port which give computers on those

networks access to the Internet. This allows the firewall to act as a gateway to additional logical

subnets on your LAN.

To add a secondary LAN IP address:

1.

Select

Network Configuration

from the main menu and

LAN Setup

from the secondary

menu. Click the

Multi Home LAN IPs Setup

link (see

Figure 3-2 on page 3-4

) The

Secondary LAN IP Setup screen will display.

2.

Enter the Secondary IP address and Subnet Mask and click

Add.

The Secondary IP address

will be added to the

Available Secondary LAN IPs

table.

Note:

Additional IP addresses cannot be configured in the DHCP server. The hosts on

the secondary subnets must be manually configured with IP addresses,

gateway IP and DNS server IP addresses.

Figure 3-2

Tip:

The Secondary LAN IP address will be assigned to the LAN interface of the

router and can be used as a gateway by the secondary subnet.

FVS338 ProSafe VPN Firewall 50 Reference Manual

LAN Configuration

3-5

v1.0, September 2006

Managing Groups and Hosts

The

Known PCs and Devices

table on the

Groups and Hosts

screen contains a list of all known

PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this router.

Collectively, these entries make up the Network Database. The Network Database is created in two

ways:

•

Using the DHCP Server.

The router’s DHCP server will accept and respond to DHCP client

requests from PCs and other network devices. Every computer that is responded to will be

added to the Network Database in the

Known PCs and Devices

table.

•

Scanning the Network

. The router will scan the local network periodically, using standard

methods such as ARP and NetBIOS, to detect active computers or devices which are not

DHCP clients. For computers that do not support the NetBIOS protocol, the name will be

displayed in the

known PCs and Devices

table as “Unknown”.

Creating the Network Database

The Network Database offers a number of advantages:

•

Generally, you do not need to enter either IP address or MAC addresses. Instead, you can just

select the desired PC or device.

•

No need to reserve an IP address for a PC in the DHCP Server. All IP address assignments

made by the DHCP Server will be maintained until the PC or device is removed from the

database, either by expiry (inactive for a long time) or by you.

•

No need to use a Fixed IP on PCs. Because the address allocated by the DHCP Server will

never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP

address.

•

MAC-level Control over PCs. The Network Database uses the MAC address to identify each

PC or device. So changing a PC's IP address does not affect any restrictions on that PC.

•

Group and Individual Control over PCs

–

You can assign PCs to Groups and apply restrictions to each Group using the Firewall

Rules screen (see

“Services-Based Rules” on page 4-2

).

–

You can also select the Groups to be covered by the Block Sites feature (see

“Setting

Block Sites (Content Filtering)” on page 4-21

).

–

If necessary, you can also create Firewall Rules to apply to a single PC (see

“Enabling

Source MAC Filtering” on page 4-23

). Because the MAC address is used to identify each

PC, users cannot avoid these restrictions by changing their IP address.

FVS338 ProSafe VPN Firewall 50 Reference Manual

3-6

LAN Configuration

v1.0, September 2006

•

A computer is identified by its MAC address—not its IP address. Hence, changing a

computer’s IP address does not affect any restrictions applied to that PC.

This

Known PCs and Devices

table lists entries in the Network Database. For each computer or

device, the following fields are displayed:

•

Name

: The name of the PC or device. For computers that do not support the NetBIOS

protocol, this will be listed as “Unknown” (you can edit the entry manually to add a

meaningful name). If the computer was assigned an IP address by the DHCP server, then the

Name will be appended by an asterisk.

•

IP Address

: The current IP address of the computer. For DHCP clients of the router, this IP

address will not change. If a computer is assigned a static IP addresses, you will need to update

this entry manually if the IP address on the computer has been changed.

•

MAC Address

: The MAC address of the PC’s network interface.

•

Group

: Each PC or device can be assigned to a single group. By default, a computer is

assigned to Group 1, unless a different group is selected from the Group pull-down menu.

•

Action

: Allows modification of the selected entry by clicking Edit.

To add computers to the network database manually:

1.

Select

Network Configuration

from the main menu and

LAN Groups

from the submenu.

The

Groups and Hosts

screen will display.

2.

In the

Add Known PCs and Devices

table, enter the name of the PC or device.

3.

Enter the

IP Address Type

. Select

Reserved (DHCP Client)

to direct the router to reserve the

IP address for allocation by the DHCP server. Select

Fixed (Set on PC)

if the IP address is

statically assigned on the computer.

4.

Enter the

IP Address

that this computer or device is assigned. If the IP Address Type is

Reserved (DHCP Client), the router will reserve the IP address for the associated MAC

address.

5.

Enter the

MAC Address

of the computer. The MAC address should be in the form:

xx:xx:xx:xx:xx:xx (for example: 00:80:48:2a:8b:c0)

6.

From the

Group

pull-down menu, select the group to which the computer will be assigned.

7.

Click

Add

to add the new entry to the network database in the

Known PCs and Devices

table.

Note:

When specifying a Reserved IP address, make sure that you select an IP

address outside of the DHCP Server pool of addresses.