ProSafe VPN Firewall 200 FVX538 Reference Manual

3-2

LAN Configuration

v1.0, March 2009

•

Primary DNS Server (the firewall’s LAN IP address).

•

WINS Server (if you entered a WINS server address in the DHCP Setup menu).

•

Lease Time (date obtained and duration of lease).

DHCP Relay

options allow you to make the firewall a dhcp relay agent. The DHCP Relay Agent

makes it possible for DHCP broadcast messages to be sent over routers that do not support

forwarding of these types of messages. The DHCP Relay Agent is therefore the routing protocol

that enables DHCP clients to obtain IP addresses from a DHCP server on a remote subnet, or

which is not located on the local subnet. If you have no configured DHCP Relay Agent, your

clients would only be able to obtain IP addresses from the DHCP server which is on the same

subnet. To enable clients to obtain IP addresses from a DHCP server on a remote subnet, you have

to configure the DHCP Relay Agent on the subnet that contains the remote clients, so that it can

relay DHCP broadcast messages to your DHCP server.

When the

DNS Proxy

option is enabled, the router will act as a proxy for all DNS requests and

communicate with the ISP’s DNS servers (as configured in the WAN settings page). All DHCP

clients will receive the Primary/Secondary DNS IP along with the IP where the DNS Proxy is

running, i.e. the box's LAN IP. When disabled, all DHCP clients will receive the DNS IP addresses

of the ISP excluding the DNS Proxy IP address. The feature is particularly useful in Auto Rollover

mode. For example, if the DNS servers for each connection are different, then a link failure may

render the DNS servers inaccessible. However, when the DNS proxy is enabled, then clients can

make requests to the router and the router, in turn, sends those requests to the DNS servers of the

active connection.

Configuring the LAN Setup Options

The

LAN IP Setup

menu allows configuration of LAN IP services such as DHCP and allows you

to configure a secondary or “multi-home” LAN IP setup in the LAN. The default values are

suitable for most users and situations. Disable the DNS Proxy if you are using a dual WAN

configuration with route diversity and failover. These are advanced settings most usually

configured by a network administrator.

Note:

If you enable the DNS Relay feature, you will not use the FVX538 as a DHCP

server but rather as a DHCP relay agent for a DHCP server somewhere else on

your network.

ProSafe VPN Firewall 200 FVX538 Reference Manual

LAN Configuration

3-3

v1.0, March 2009

1.

Select

Network Configuration

from the primary menu and

LAN Setup

from the submenu.

The

LAN Setup

screen will display.

2.

Enter the

IP Address

of your router (factory default:

192.168.1.1

). (Always make sure that the

LAN Port IP address and DMZ port IP address are in different subnets.)

3.

Enter the

IP Subnet Mask

. The subnet mask specifies the network number portion of an IP

address. Your router will automatically calculate the subnet mask based on the IP address that

you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet mask

(computed by the router).

4.

Check the

Enable DHCP Server

radio button. By default, the router will function as a DHCP

(Dynamic Host Configuration Protocol) server, providing TCP/IP configuration for all

computers connected to the router's LAN. If another device on your network will be the DHCP

server, or if you will manually configure all devices, check the

Disable DHCP Server

radio

button. Enable DHCP Server is the default. If Enabled is selected, enter the following

parameters:

a.

Enter the

Domain Name

of the router (this is optional).

Figure 3-1

ProSafe VPN Firewall 200 FVX538 Reference Manual

3-4

LAN Configuration

v1.0, March 2009

b.

Enter the

Starting IP Address

. This address specifies the first of the contiguous addresses

in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP

address between this address and the Ending IP Address. The IP address 192.168.1.2 is the

default start address.

c.

Enter the

Ending IP Address

. This address specifies the last of the contiguous addresses

in the IP address pool. Any new DHCP client joining the LAN will be assigned an IP

address between the Starting IP address and this IP address. The IP address 192.168.1.100

is the default ending address.

d.

Primary DNS Server

. (Optional) If an IP address is specified, the VPN firewall will

provide this address as the primary DNS server IP address. If no address is specified, the

VPN firewall will provide its own LAN IP address as the primary DNS server IP address.

e.

Secondary DNS Server

. (Optional) If an IP address is specified, the VPN firewall will

provide this address as the secondary DNS server IP address.

f.

Enter a

WINS Server

IP address. This box can specify the Windows NetBios Server IP if

one is present in your network. This field is optional.

g.

Enter a

Lease Time.

This specifies the duration for which IP addresses will be leased to

clients.

h.

To enable the DHCP server to provide LDAP server information, check the Enable LDAP

Information checkbox and fill in the fields accordingly.

i.

Check the

Enable DNS Proxy

radio box. This is optional—the default is enabled. If

enabled, the VPN firewall will provide a LAN IP Address for DNS address name

resolution.

Note:

The Starting and Ending DHCP addresses should be in the same “network”

as the LAN TCP/IP address of the router (the IP Address in

LAN TCP/IP

Setup

section).

Note:

If you change the LAN IP address of the firewall while connected through

the browser, you will be disconnected. You must then open a new

connection to the new IP address and log in again. For example, if you

change the default IP address 192.168.1.1 to 10.0.0.1, you must enter

in your browser to reconnect to the web management

interface.

ProSafe VPN Firewall 200 FVX538 Reference Manual

LAN Configuration

3-5

v1.0, March 2009

The feature is particularly useful in Auto Rollover mode. For example, if the DNS servers

for each connection are different, then a link failure may render the DNS servers

inaccessible. However, when the DNS proxy is enabled, then clients can make requests to

the router and the router, in turn, sends those requests to the DNS servers of the active

connection.

–

When enabled, the router will act as a proxy for all DNS requests and communicate

with the ISP’s DNS servers (as configured in the WAN settings page).

–

When disabled, all DHCP clients will receive the DNS IP addresses of the ISP.

5.

Click

Apply

to save your settings.

6.

Click

Reset

to discard any changes and revert to the previous configuration.

Configuring Multi Home LAN IPs

If you have computers using different IP networks in the LAN, (for example, 172.16.2.0, 10.0.0.0),

then you can add aliases to the LAN port and give computers on those networks access to the

Internet.

The Available Secondary LAN IPs table lists the secondary LAN IP addresses added to the router.

•

IP Address

: The IP address alias added to the LAN port of the router. This is the gateway for

computers that need to access the Internet.

•

Subnet Mask

: IPv4 Subnet Mask.

Note:

Once you have completed the LAN IP setup, all outbound traffic is allowed

and all inbound traffic is discarded. To change these traffic rules, refer to

Chapter 4, “Firewall Protection and Content Filtering

.

Figure 3-2

ProSafe VPN Firewall 200 FVX538 Reference Manual

3-6

LAN Configuration

v1.0, March 2009

•

Action

: The Edit link allows you to make changes to the selected entry.

•

Select All

: Selects all the entries in the Available Secondary LAN IPs table.

•

Delete

: Deletes selected entries from the Available Secondary LAN IPs table.

To add a secondary LAN IP address:

1.

Type in the IP Address and the Subnet Mask in the respective text fields.

2.

Click

Add

. The Secondary LAN IP address will be added to the Secondary LAN IPs table.

Managing Groups and Hosts (LAN Groups)

The

Known PCs and Devices

table on the

Groups and Hosts

screen contains a list of all known

PCs and network devices, as well as hosts, that are assigned dynamic IP addresses by this router.

Collectively, these entries make up the Network Database. The Network Database is created in two

ways:

•

DHCP Client Requests

. By default, the DHCP server in this Router is enabled, and will

accept and respond to DHCP client requests from PCs and other network devices. These

requests also generate an entry in the Network Database. Because of this, leaving the DHCP

Server feature (on the LAN screen) enabled is strongly recommended.

•

Scanning the Network

. The local network is scanned using standard methods such as ARP.

This will detect active devices which are not DHCP clients. However, sometimes the name of

the PC or device cannot be accurately determined, and will be shown as Unknown.

Note:

Additional IP addresses cannot be configured in the DHCP server. The hosts on the

secondary subnets must be manually configured with the IP addresses, gateway IP

and DNS server IPs.

Warning:

Make sure the secondary IP addresses are different from the LAN, WAN,

DMZ, and any other subnet attached to this router.

For example:

WAN1 IP address: 10.0.0.1 with subnet 255.0.0.0

WAN2 IP address: 20.0.0.1 with subnet 255.0.0.0

DMZ IP address: 192.168.10.1 with subnet 255.255.255.0

LAN IP address: 192.168.1.1 with subnet 255.255.255.0

Secondary LAN IP: 192.168.20.1 with subnet 255.255.255.0