ProSafe VPN Firewall 200 FVX538 Reference Manual
LAN Configuration
3-7
v1.0, March 2009
Creating the Network Database
Some advantages of the Network Database are:
• Generally, you do not need to enter either IP addresses or MAC addresses. Instead, you can just select the desired PC or device.
• No need to reserve an IP address for a PC in the DHCP Server. All IP address assignments made by the DHCP Server will be maintained until the PC or device is removed from the database, either by expiry (inactive for a long time) or by you.
• No need to use a Fixed IP on PCs. Because the address allocated by the DHCP Server will never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP address.
• MAC level control over PCs. The Network Database uses the MAC address to identify each PC or device. So changing a PC’s IP address does not affect any restrictions on that PC.
• Group and individual control over PCs.
  - You can assign PCs to Groups and apply restrictions to each Group using the Firewall Rules screen (see “Using Rules to Block or Allow Specific Kinds of Traffic” on page 4-2).
  - You can also select the Groups to be covered by the Block Sites feature (see “Setting Block Sites (Content Filtering)” on page 4-29).
  - If necessary, you can also create Firewall Rules to apply to a single PC (see “Enabling Source MAC Filtering” on page 4-31). Because the MAC address is used to identify each PC, users cannot avoid these restrictions by changing their IP address.
A computer is identified by its MAC address—not its IP address. Hence, changing a
computer’s IP address does not affect any restrictions applied to that PC.
The LAN Groups screen contains a list of all known PCs and network devices, as well as hosts that
are assigned dynamic IP addresses by this router.
The Network Database is created by:
• Using the DHCP Server: The router’s DHCP server is configured, by default, to respond to DHCP requests from clients on the LAN. Every computer that receives a response from the router will be added to the Network Database. Because of this, leaving the DHCP Server feature enabled (on the LAN Setup screen) is strongly recommended.
• Scanning the Network: The router also scans the local network periodically using protocols such as ARP and NetBIOS to detect active computers or devices that are not DHCP clients. For computers that do not support the NetBIOS protocol, the name will be displayed as Unknown.
The Known PCs and Devices table lists the entries in the Network Database. For each computer or device, the following fields are displayed:
• Name: The name of the computer or device. Computers that do not support the NetBIOS protocol will be listed as Unknown. In this case, the name can be edited manually for easier management. If the computer was assigned an IP address by the DHCP server, then an asterisk is appended to the name.
• IP Address: The current IP address of the computer. For DHCP clients of the router, this IP address will not change. If a computer is assigned a static IP address, you must update this entry manually when the IP address of the computer changes.
Figure 3-3
• MAC Address: The MAC address of the computer’s network interface.
• Group: Each PC or device can be assigned to a single group. By default, a computer is assigned to the first group (Group 1). To change the group assignment, select the Edit link in the Action column.
• Action/Edit: Allows modification of the selected entry.
To add known PCs and devices:
1. To add computers to the network database manually, fill in the following fields:
   • Name: The name of the PC or device.
   • IP Address Type:
     - Select Reserved (DHCP Client) to direct the router to reserve the IP address for allocation by the DHCP server.
     - Select Fixed (Set on PC) if the IP address is statically assigned on the computer.
   • IP Address: The IP address that this computer or device is assigned. If the IP Address Type is Reserved (DHCP Client), the router will reserve the IP address for the associated MAC address.
   • MAC Address: The MAC address of the computer’s network interface. The MAC address should be in the form: xx:xx:xx:xx:xx:xx (for example, 00:80:48:2a:8b:c0)
   • Group: The group to which the computer has to be assigned.
2. Click Add to add the new entry to the network database.
To edit the names of any of the eight available groups:
1. Select the group by checking the adjacent radio button and typing in a suitable name in the associated field.
2. Click Apply to save the settings or click Reset to revert to the previous settings.
Setting Up Address Reservation
When you specify a reserved IP address for a device on the LAN (based on the MAC address of
the device), that computer or device will always receive the same IP address each time it accesses
the firewall’s DHCP server. Reserved IP addresses should be assigned to servers or access points
that require permanent IP settings. The Reserved IP address that you select must be outside of the
DHCP Server pool.
To reserve an IP address, use the Groups and Hosts screen under the Network Configuration menu, LAN Groups submenu (see “Creating the Network Database” on page 3-7).
Note: The reserved address will not be assigned until the next time the PC contacts the firewall's DHCP server. Reboot the PC or access its IP configuration and force a DHCP release and renew.
Configuring and Enabling the DMZ Port
The De-Militarized Zone (DMZ) is a network which, when compared to the LAN, has fewer firewall restrictions, by default. This zone can be used to host servers (such as a web server, ftp server, or email server, for example) and give public access to them. The eighth LAN port on the router can be dedicated as a hardware DMZ port for safely providing services to the Internet, without compromising security on your LAN.
The DMZ port feature is also helpful when using some online games and videoconferencing applications that are incompatible with NAT. The firewall is programmed to recognize some of these applications and to work properly with them, but there are other applications that may not function well. In some cases, local PCs can run the application properly if those PCs are used on the DMZ port.
The DMZ Setup screen allows you to set up the DMZ port. It permits you to enable or disable the hardware DMZ port (LAN port 8, see “Router Front and Rear Panels” on page 1-6) and configure an IP address and Mask for the DMZ port.
Note: A separate firewall security profile is provided for the DMZ port that is hardware independent of the standard firewall security used for the LAN.
To enable and configure the DMZ port:
1. From the main menu, select Network Configuration and then select DMZ Setup from the submenu. The DMZ Setup screen will display.
2. Check the Do you want to enable DMZ Port? radio box.
3. Enter an IP Address and the Subnet mask for the DMZ port. Make sure that the DMZ port IP address and LAN Port IP address are in different subnets (for example, an address outside the LAN Address pool, such as 192.168.1.101).
4. If desired, Enable the DHCP Server (Dynamic Host Configuration Protocol), which will provide TCP/IP configuration for all computers connected to the router’s DMZ network. Then configure the following items:
   a. Starting IP Address – This box specifies the first of the contiguous addresses in the IP address pool.
   b. Ending IP Address – This box specifies the last of the contiguous addresses in the IP address pool.
   c. WINS Server – This box specifies the Windows Internet Naming Service Server IP.
   d. Lease Time – This box specifies the Lease time to be given to the DHCP Clients.
   e. Enable DNS Proxy – If enabled, the VPN firewall will act as a DNS for address resolution.
5. Click Reset to cancel changes made on this screen and revert to the previous settings.
Figure 3-4
Note: If you enable the DNS Relay feature, you will not use the FVX538 as a DHCP server but rather as a DHCP relay agent for a DHCP server somewhere else on your network.
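The address rules stated in the Address Reservation and DMZ sections above (MAC form xx:xx:xx:xx:xx:xx, reserved IP outside the DHCP Server pool, DMZ port and LAN port in different subnets) can be checked offline before values are typed into the screens. The following is an added example, not part of the manual or of the firewall's software; the plan layout, the function name check_plan, the LAN address, masks, pools and host entries are constructed sample values, and the MAC uniqueness check is an assumption.

```python
import ipaddress
import re

MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.I)  # xx:xx:xx:xx:xx:xx

def check_plan(plan):
    """Return findings for an address plan; an empty list means it passes."""
    findings = []
    lan = ipaddress.IPv4Interface(f"{plan['lan_ip']}/{plan['lan_mask']}")
    dmz = ipaddress.IPv4Interface(f"{plan['dmz_ip']}/{plan['dmz_mask']}")
    # Rule from the DMZ section: DMZ port and LAN port in different subnets.
    if lan.network.overlaps(dmz.network):
        findings.append(f"dmz: {dmz.ip} is inside or overlaps LAN subnet {lan.network}")
    lo, hi = (ipaddress.IPv4Address(a) for a in plan["lan_pool"])
    seen = set()
    for h in plan["hosts"]:
        mac = h["mac"].lower()
        if not MAC_RE.match(mac):
            findings.append(f"{h['name']}: MAC {h['mac']} is not xx:xx:xx:xx:xx:xx")
        elif mac in seen:
            # Assumption: the MAC is the database key, so it must be unique.
            findings.append(f"{h['name']}: duplicate MAC {mac}")
        seen.add(mac)
        ip = ipaddress.IPv4Address(h["ip"])
        # Rule from the reservation section: reserved IP outside the DHCP pool.
        if h["type"] == "reserved" and lo <= ip <= hi:
            findings.append(f"{h['name']}: reserved IP {ip} is inside the DHCP pool")
    return findings

# Constructed sample plan (not taken from a real device).
PLAN = {
    "lan_ip": "192.168.1.1", "lan_mask": "255.255.255.0",
    "lan_pool": ("192.168.1.2", "192.168.1.100"),
    # Outside the LAN DHCP pool, yet still inside the LAN /24.
    "dmz_ip": "192.168.1.101", "dmz_mask": "255.255.255.0",
    "hosts": [
        {"name": "web01", "type": "reserved", "ip": "192.168.1.150", "mac": "00:80:48:2a:8b:c0"},
        {"name": "ap01", "type": "reserved", "ip": "192.168.1.50", "mac": "00-80-48-2A-8B-C1"},
        {"name": "pc07", "type": "fixed", "ip": "192.168.1.200", "mac": "00:80:48:2A:8B:C0"},
    ],
}

if __name__ == "__main__":
    for finding in check_plan(PLAN):
        print(finding)
```

With the sample LAN mask, an address that is merely outside the DHCP pool still falls in the LAN subnet, so the subnet comparison has to use the masks and not the pool boundaries.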
