Network Planning for Multiple WAN Ports
416
ProSAFE Gigabit Quad WAN SSL VPN Firewall SRX5308
Internet Configuration Requirements
Depending on how your ISP sets up your Internet accounts, you need the following Internet
configuration information to connect the VPN firewall to the Internet:
- Host and domain names
- One or more ISP login names and passwords
- ISP Domain Name Server (DNS) addresses
- One or more fixed IP addresses (also known as static IP addresses)
Where Do I Get the Internet Configuration Information?
There are several ways you can gather the required Internet connection information.
Your ISPs provide all the information needed to connect to the Internet. If you cannot locate
this information, you can ask your ISP to provide you with it, or, if you have a computer
already connected using the active Internet access account, you can gather the configuration
information from that computer.
- For Windows 95/98/ME, open the Network Control Panel, select the TCP/IP entry for the
  Ethernet adapter, and click Properties. Record all the settings for each tab page.
- For Windows 2000/XP/Vista, open the Local Area Network Connection, select the TCP/IP
  entry for the Ethernet adapter, and click Properties. Record all the settings for each tab
  page.
- For Macintosh computers, open the TCP/IP or Network Control Panel. Record all the
  settings for each section.
After you have located your Internet configuration information, you might want to record the
information in the following section.
Internet Connection Information
Print this page with the Internet connection information and fill in the configuration settings
that your ISP provided.
_________________________________________________________________________
- ISP login name. The login name and password are case-sensitive and need to be entered
  exactly as given by your ISP. For AOL customers, the login name is their primary screen
  name. Some ISPs use your full email address as the login name. The service name is not
  required by all ISPs. If you connect using a login name and password, fill in the following:
  Login name: ____________________________
  Password: ____________________________
  Service name: ____________________________
- Fixed or static IP address. If you have a static IP address, record the following
  information exactly as your ISP gave it to you. Note that an address in 169.254.0.0/16
  (for example, 169.254.141.148) is a link-local address that a computer assigns to itself
  when no DHCP server answers; it is never a valid Internet address and is not something an
  ISP would assign as a static address.
  Fixed or static Internet IP address: ______.______.______.______
  Gateway IP address: ______.______.______.______
  Subnet mask: ______.______.______.______
- ISP DNS server addresses. If you were given DNS server addresses, fill in the following:
  Primary DNS server IP address: ______.______.______.______
  Secondary DNS server IP address: ______.______.______.______
- Host and domain names. Some ISPs use a specific host or domain name such as
  CCA7324-A or home. If you have not been given host or domain names, you can use the
  following examples as a guide:
  - If your main email account with your ISP is aaa@yyy.com, use aaa as your host
    name. Your ISP might call this your account, user, host, computer, or system name.
  - If your ISP's mail server is mail.xxx.yyy.com, use xxx.yyy.com as the domain name.
  ISP host name: _______________________
  ISP domain name: _______________________
- Fully qualified domain name. Some organizations use a fully qualified domain name
  (FQDN) from a Dynamic DNS service provider for their IP addresses.
  Dynamic DNS service provider: ______________________
  FQDN: ______________________
_________________________________________________________________________
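The static-address and DNS entries on this worksheet are the ones most often filled in wrongly, and the firewall will accept an address that can never work on the Internet (a link-local 169.254.x.x address, a private address, a gateway outside the WAN subnet). The following Python script is added here as an example; it is not part of the NETGEAR manual or of the SRX5308 firmware. It checks one filled-in "fixed or static IP address" entry: the WAN address and the DNS servers must lie outside the IANA special-purpose ranges (private, link-local, documentation, multicast, and so on), the subnet mask must be a contiguous netmask, and the gateway must sit inside the resulting subnet. The worksheet dictionaries, the key names, and the range list are constructed for the example.

```python
import ipaddress

# Address blocks that can never be a public WAN address. Ranges and labels
# follow the IANA IPv4 special-purpose registry; the list is the example's own.
NON_PUBLIC_RANGES = [
    ("0.0.0.0/8", "'this network'"),
    ("10.0.0.0/8", "private (RFC 1918)"),
    ("100.64.0.0/10", "carrier-grade NAT shared space (RFC 6598)"),
    ("127.0.0.0/8", "loopback"),
    ("169.254.0.0/16", "link-local (RFC 3927)"),
    ("172.16.0.0/12", "private (RFC 1918)"),
    ("192.0.2.0/24", "documentation (TEST-NET-1)"),
    ("192.168.0.0/16", "private (RFC 1918)"),
    ("198.18.0.0/15", "benchmarking (RFC 2544)"),
    ("198.51.100.0/24", "documentation (TEST-NET-2)"),
    ("203.0.113.0/24", "documentation (TEST-NET-3)"),
    ("224.0.0.0/4", "multicast"),
    ("240.0.0.0/4", "reserved"),
]
NON_PUBLIC_NETS = [(ipaddress.IPv4Network(n), label) for n, label in NON_PUBLIC_RANGES]

# Constructed worksheet entries (not taken from the manual). Any address outside
# the ranges above passes the public-address check.
WORKSHEET_OK = {"ip": "198.100.12.34", "gateway": "198.100.12.1",
                "mask": "255.255.255.0", "dns": ["198.100.12.53", "198.100.14.53"]}
WORKSHEET_LINK_LOCAL = {"ip": "169.254.141.148", "gateway": "169.254.141.1",
                        "mask": "255.255.0.0", "dns": ["169.254.1.1"]}


def non_public_reason(addr):
    """Return why addr cannot be a public Internet address, or None if it can."""
    addr = ipaddress.IPv4Address(addr)
    for net, label in NON_PUBLIC_NETS:
        if addr in net:
            return f"{addr} is in {net}, {label}"
    return None


def check_static_wan(entry):
    """Check one 'fixed or static IP address' worksheet entry.

    entry is a dict with keys ip, gateway, mask and dns (a list of strings).
    Returns a list of problems; an empty list means the entry is usable as a
    public WAN address.
    """
    problems = []
    try:
        ip = ipaddress.IPv4Address(entry["ip"])
        gw = ipaddress.IPv4Address(entry["gateway"])
    except (KeyError, ValueError) as exc:
        return [f"unparseable WAN address or gateway: {exc}"]

    reason = non_public_reason(ip)
    if reason:
        problems.append(f"WAN address {reason}")

    # The mask must be contiguous ones followed by zeros; ipaddress rejects
    # anything else (for example 255.0.255.0) with a ValueError.
    try:
        net = ipaddress.IPv4Network((str(ip), entry["mask"]), strict=False)
    except (KeyError, ValueError):
        net = None
        problems.append(f"subnet mask {entry.get('mask')} is not a contiguous netmask")

    if net is not None:
        if gw not in net:
            problems.append(f"gateway {gw} is not inside {net}")
        elif gw == ip:
            problems.append("gateway is the same as the WAN address")
        elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
            problems.append(f"gateway {gw} is the network or broadcast address of {net}")

    for dns in entry.get("dns", []):
        try:
            reason = non_public_reason(dns)
        except ValueError:
            problems.append(f"DNS server {dns!r} is not an IPv4 address")
            continue
        if reason:
            problems.append(f"DNS server {reason}")
    return problems


if __name__ == "__main__":
    for name, entry in (("ok", WORKSHEET_OK), ("link-local", WORKSHEET_LINK_LOCAL)):
        print(name, check_static_wan(entry) or "no problems")
```

Run the check against each WAN port's entry before typing it into the firewall; in a dual WAN load balancing configuration that means once per port. The 169.254.141.148 entry is rejected because both the WAN address and the DNS server are link-local, and the same check catches a gateway recorded from a different subnet than the mask implies.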
Overview of the Planning Process
The areas that require planning when you use a firewall that has multiple WAN ports such as
the VPN firewall include the following:
- Inbound traffic (port forwarding, port triggering)
- Outbound traffic (protocol binding)
- Virtual private networks (VPNs)
Two WAN ports can be configured on a mutually exclusive basis to do either of the following:
- Auto-rollover for increased reliability
- Load balance for outgoing traffic
These various types of traffic and auto-rollover or load balancing all interact to make the
planning process more challenging:
- Inbound traffic. Unrequested incoming traffic can be directed to a computer on your LAN
  rather than being discarded. The mechanism for making the IP address public depends
  on whether the dual WAN ports are configured for auto-rollover or load balancing.
- Virtual private networks. A virtual private network (VPN) tunnel provides a secure
  communication channel either between two gateway VPN firewalls or between a remote
  computer client and a gateway VPN firewall. As a result, the IP address of at least one of
  the tunnel endpoints needs to be known in advance in order for the other tunnel endpoint
  to establish (or reestablish) the VPN tunnel.
  Note: When the VPN firewall's WAN port rolls over, the VPN tunnel closes and needs to be
  reestablished using the new WAN IP address. However, you can configure automatic IPSec
  VPN rollover to ensure that an IPSec VPN tunnel is reestablished.
- Dual WAN ports in auto-rollover mode. Rollover for a VPN firewall with dual WAN ports
  is different from a single WAN port gateway configuration when you specify the IP
  address. Only one WAN port is active at a time, and when it rolls over, the IP address of
  the active WAN port always changes. Therefore, the use of a fully qualified domain name
  (FQDN) is always required, even when the IP address of each WAN port is fixed.
Figure 263.
  Features such as multiple exposed hosts are not supported in auto-rollover mode
  because the IP addresses of each WAN port would need to be in the identical range of
  fixed addresses.
- Dual WAN ports in load balancing mode. Load balancing for a VPN firewall with dual
  WAN ports is similar to a single WAN gateway configuration when you specify the IP
  address. Each IP address is either fixed or dynamic, depending on the ISP: you need to
  use FQDNs when the IP address is dynamic, but FQDNs are optional when the IP address
  is static.
Figure 264.
Inbound Traffic
This section covers the following cases:
- Inbound Traffic to a Single WAN Port System
- Inbound Traffic to a Dual WAN Port System
Incoming traffic from the Internet is normally discarded by the VPN firewall unless the traffic is
a response to one of your local computers or a service for which you have configured an
inbound rule. Instead of discarding this traffic, you can configure the VPN firewall to forward it
to one or more LAN hosts on your network.
The addressing of the VPN firewall's dual WAN ports depends on the configuration being
implemented.
Inbound Traffic to a Single WAN Port System
The Internet IP address of the VPN firewall’s WAN port needs to be known to the public so
that the public can send incoming traffic to the exposed host when this feature is supported
and enabled.
In the single WAN case, the WAN’s Internet address is either a fixed IP address or an FQDN
if the IP address is dynamic.
Table 104. IP addressing requirements for exposed hosts in a dual WAN port configuration

  Configuration and      Single WAN Port      Dual WAN Port Cases
  WAN IP Address         (Reference Case)     Rollover            Load Balancing
  ---------------------------------------------------------------------------------
  Inbound traffic (port forwarding, port triggering)
    Fixed                Allowed              FQDN required       Allowed
                         (FQDN optional)                          (FQDN optional)
    Dynamic              FQDN required        FQDN required       FQDN required
Figure 265.
Inbound Traffic to a Dual WAN Port System
The IP address range of the VPN firewall’s WAN port needs to be both fixed and public so
that the public can send incoming traffic to the multiple exposed hosts when this feature is
supported and enabled.
Inbound Traffic: Dual WAN Ports for Improved Reliability
In a dual WAN port auto-rollover configuration, the WAN port’s IP address always changes
when a rollover occurs. You need to use an FQDN that toggles between the IP addresses of
the WAN ports (that is, WAN1 or WAN2).
Figure 266.
Inbound Traffic: Dual WAN Ports for Load Balancing
In a dual WAN port load balancing configuration, the Internet address of each WAN port is
either the fixed IP address itself, or an FQDN if the IP address is dynamic (see the
following figure).
Note: Load balancing is implemented for outgoing traffic and not for incoming traffic. To
maintain better control of WAN port traffic, consider making one of the WAN port Internet
addresses public and keeping the other one private.