ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual

LAN Configuration

3-1

v1.0, October 2008

Chapter 3

LAN Configuration

This chapter describes how to configure the advanced LAN features of your ProSafe Wireless-N

VPN Firewall.

This chapter contains the following sections:

•

“Configuring the LAN Setup Options” on page 3-1

•

“Managing Groups and Hosts (LAN Groups)” on page 3-4

•

“Configuring DHCP Address Reservation” on page 3-4

•

“Using the VPN Firewall as a DHCP Server” on page 3-3

•

“Configuring Multi Home LAN IP Addresses” on page 3-8

•

“Configuring Static Routes” on page 3-10

•

“Configuring Routing Information Protocol (RIP)” on page 3-11

Configuring the LAN Setup Options

The

LAN Setup

menu allows configuration of LAN IP services such as DHCP and allows you to

configure a secondary or “multi-home” LAN IP setup on the LAN. The default values are suitable

for most users and situations. These are advanced settings usually configured by a network

administrator.

To modify your LAN setup, follow these steps:

1.

Select

Network Configuration > LAN Settings

from the main/sub-menu.

The LAN Settings tabs (LAN Setup, LAN Groups, and LAN Multi-homing) are displayed

with LAN Setup as the default tab.

ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual

3-2

LAN Configuration

v1.0, October 2008

.

2.

In the LAN TCP/IP Setup section, configure the following settings:

•

IP Address

. The LAN address of your firewall (factory default:

192.168.1.1

).

•

IP Subnet Mask

. The subnet mask specifies the network number portion of an IP address.

Your firewall will automatically calculate the subnet mask based on the IP address that

you assign. Unless you are implementing subnetting, use 255.255.255.0 as the subnet

mask.

3.

In the DHCP section, leave the DNCP enabled, or select

Disable DHCP Server.

•

The firewall will function as a DHCP server (default), providing TCP/IP configuration

settings for all the computers connected to the firewall's LAN.

•

If another device on your network will be the DHCP server, or if you will manually

configure all devices, click

Disable DHCP Server

.

If the DHCP server is enabled, enter the following parameters:

•

Domain Name.

(Optional) The DHCP will assign the entered domain to its DHCP clients.

Figure 3-1

Note:

If you change the LAN IP address of the firewall while connected through the

browser, you will be disconnected. You must then open a new connection to

the new IP address and log in again. For example, if you change the default IP

address 192.168.1.1 to 10.0.0.1, you must now enter

in your

browser to reconnect to the Web Configuration Manager.

ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual

LAN Configuration

3-3

v1.0, October 2008

•

Starting IP Address

. Specifies the first of the contiguous addresses in the IP address pool.

Any new DHCP client joining the LAN will be assigned an IP address between this

address and the Ending IP Address. The IP address 192.168.1.2 is the default start address.

•

Ending IP Address

. Specifies the last of the contiguous addresses in the IP address pool.

The IP address 192.168.1.100 is the default ending address.

•

Primary DNS Server

. (Optional) If an IP address is specified, the firewall will provide

this address as the primary DNS server IP address. If no address is specified, the firewall

will provide its own LAN IP address as the primary DNS server IP address.

•

Secondary DNS Server

. (Optional) If an IP address is specified, the firewall will provide

this address as the secondary DNS server IP address.

•

WINS Server

. (Optional) Specifies the IP address of a local Windows NetBios Server if

one is present in your network.

•

Lease Time

. Specifies the duration for which a DHCP-provided IP address will be leased

to a client.

•

Enable DNS Proxy

. When DNS proxy is enabled (default), the DHCP server will provide

the SRXN3205 LAN IP address as the DNS server for address name resolution. If this box

is unchecked, the DHCP server will provide the ISP’s DNS server IP addresses. The

firewall will still service DNS requests sent to its LAN IP address unless you disable DNS

Proxy in the DHCP settings (see

“Attack Checks” on page 5-10

).

4.

Click

Apply

to save your settings.

Using the VPN Firewall as a DHCP Server

By default, the firewall will function as a DHCP (Dynamic Host Configuration Protocol) server,

allowing it to assign IP, DNS server, WINS Server, and default gateway addresses to all computers

connected to the LAN. The assigned default gateway address is the LAN address of the firewall. IP

Note:

The Starting and Ending DHCP addresses should be in the same subnet as

the LAN IP address of the firewall (the IP Address configured in the

LAN

TCP/IP Setup

section).

Note:

Once you have completed the LAN setup, all outbound traffic is allowed and

all inbound traffic is discarded. To change these default traffic rules, refer to

Chapter 5, “Firewall Security and Content Filtering

.

ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual

3-4

LAN Configuration

v1.0, October 2008

addresses will be assigned to the attached PCs from a pool of addresses specified in this menu.

Each pool address is tested before it is assigned to avoid duplicate addresses on the LAN.

Specify the pool of IP addresses to be assigned by setting the Starting IP Address and Ending IP

Address. These addresses should be part of the same IP address subnet as the firewall’s LAN IP

address. Using the default addressing scheme, you would define a range between 192.168.1.2 and

192.168.1.100, although you may wish to save part of the range for devices with fixed addresses.

If another device on your network will be the DHCP server, or if you will manually configure the

network settings of all of your computers, clear the

Enable DHCP server

radio box by clicking

the

Disable DHCP Server

radio box. Otherwise, leave it checked.

Configuring DHCP Address Reservation

A computer (or device) will always receive the same IP address, if you specify a reserved IP

address for the computer (or device) on the LAN (based on the MAC address of the device), each

time it accesses the firewall’s DHCP server. Reserved IP addresses should be assigned to servers

or access points that require permanent IP address settings. The Reserved IP address that you

select must be outside of the DHCP Server pool.

To reserve an IP address, manually enter the device in the

LAN Groups

tab, specifying

Reserved

(DHCP Client)

,

as described in

“Adding Devices to the LAN Groups Database” on page 3-6

.

Managing Groups and Hosts (LAN Groups)

The

Known PCs and Devices

table in the

LAN Groups

menu contains a list of all known PCs

and network devices that are assigned dynamic IP addresses by the firewall, or have been

discovered by other means. Collectively, these entries make up the LAN Groups Database.

The LAN Groups Database is updated by these methods:

•

DHCP Client Requests

. By default, the DHCP server in this firewall is enabled, and will

accept and respond to DHCP client requests from PCs and other network devices. These

requests also generate an entry in the LAN Groups Database. Because of this, leaving the

DHCP server feature (LAN Setup tab) enabled is strongly recommended.

Note:

The reserved address will not be assigned until the next time the PC contacts the

firewall’s DHCP server. Reboot the PC or access its IP configuration and force a

DHCP release and renew.

ProSafe Wireless-N VPN Firewall SRXN3205 Reference Manual

LAN Configuration

3-5

v1.0, October 2008

•

Scanning the Network

. The local network is scanned using ARP requests. The ARP scan will

detect active devices that are not DHCP clients. However, sometimes the name of the PC or

device cannot be accurately determined, and will appear in the database as Unknown.

•

Manual Entry

. You can manually enter information about a network device.

Some advantages of the LAN Groups Database are:

•

Generally, you do not need to enter IP addresses or MAC addresses. Instead, you can just

select the desired PC or device.

•

No need to reserve an IP address for a PC in the DHCP server. All IP address assignments

made by the DHCP server will be maintained until the PC or device is removed from the

database, either by expiry (inactive for a long time) or by you.

•

No need to use a fixed IP on PCs. Because the address allocated by the DHCP server will

never change, you don't need to assign a fixed IP to a PC to ensure it always has the same IP

address.

•

MAC level control over PCs. The LAN Groups Database uses the MAC address to identify

each PC or device. So changing a PC’s IP address does not affect any restrictions on that PC.

•

Group and individual control over PCs.

–

You can assign PCs to Groups and apply restrictions to each Group using the Firewall

Rules screen (see

“Using Rules & Services to Block or Allow Traffic” on page 5-2

).

–

You can also select the Groups to be covered by the Block Sites feature (see

“Setting

Block Sites (Content Filtering)” on page 5-18

).

–

If necessary, you can also create Firewall Rules to apply to a single PC (see

“Enabling

Source MAC Filtering (Address Filter)” on page 5-20

). Because the MAC address is used

to identify each PC, users cannot avoid these restrictions by changing the IP address.

•

A computer is identified by its MAC address—not its IP address. Hence, changing a

computer’s IP address does not affect any restrictions applied to that PC.

Viewing the LAN Groups Database

To view the LAN Groups Database, follow these steps:

1.

Select

Network Configuration > LAN Settings

from the main/sub-menu.

The LAN Setup tab displays.