Network Connections
76
Figure 3-6
Network Address Translation (NAT/masquerading)

The CyberGuard SG appliance can utilize IP Masquerading (a simple form of Network Address Translation, or NAT), where PCs on the local network effectively share a single external IP address. Masquerading allows insiders to get out without allowing outsiders in: the appliance rewrites the source address of each outbound packet to its own Internet address and records the connection, so only replies to traffic that originated on the local network are translated back. An unsolicited inbound packet matches no recorded connection and is not forwarded to the local network. By default, the Internet port is set up to masquerade.

Masquerading has the following advantages:
- Added security, because machines outside the local network only see the gateway address and learn nothing about the private addresses behind it.
- All machines on the local network can access the Internet using a single ISP account.
- Only one public IP address is used, and it is shared by all machines on the local network.
- Each machine has its own private IP address.

Masquerading complements, but does not replace, the packet filtering rules described in the Firewall chapter; keep both enabled.

Note
It is strongly recommended that you leave Enable NAT on Internet Interface checked.

On SG570 and SG575 models, you may set up masquerading relationships between the LAN, DMZ and Internet ports.
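The following simulation illustrates the behaviour described above: outbound connections from several private hosts are rewritten to one external address, replies are steered back to the right host, and inbound packets that no inside host asked for are dropped. It is an added example, not the appliance's code; the packet model, the port-allocation policy and all addresses (RFC 5737 documentation ranges) are constructed for the illustration.

```python
"""Simulation of IP masquerading (many-to-one NAT) as applied on the
appliance's Internet port.  Added illustration, not appliance code: the
packet model, the port-allocation policy and all addresses are constructed.
It mirrors a connection-tracking masquerader: an outbound flow creates a
translation entry, replies are matched against that entry, and inbound
packets that match nothing are dropped."""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str = ""


# (proto, inside_ip, inside_port, remote_ip, remote_port)
FlowKey = Tuple[str, str, int, str, int]


class Masquerader:
    """Rewrites every outbound flow to one external address and keeps the
    state needed to rewrite replies back to the inside host."""

    def __init__(self, external_ip: str, first_port: int = 1024):
        self.external_ip = external_ip
        self._next_port = first_port
        self._out: Dict[FlowKey, int] = {}                       # flow -> external port
        self._in: Dict[Tuple[str, int, str, int], FlowKey] = {}  # reverse lookup

    def outbound(self, pkt: Packet) -> Packet:
        """Inside -> Internet: replace the private source with the external
        address and a per-flow port, creating the entry on first use."""
        key: FlowKey = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self._out.get(key)
        if port is None:
            # Two inside hosts may use the same source port, so the external
            # port is allocated per flow rather than copied through.
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            self._in[(pkt.proto, port, pkt.dst_ip, pkt.dst_port)] = key
        return replace(pkt, src_ip=self.external_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Internet -> inside: deliver only if this is a reply to a flow an
        inside host started; anything else is dropped (returns None)."""
        if pkt.dst_ip != self.external_ip:
            return None
        key = self._in.get((pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port))
        if key is None:
            return None          # no inside host asked for this: outsiders stay out
        _, inside_ip, inside_port, _, _ = key
        return replace(pkt, dst_ip=inside_ip, dst_port=inside_port)


def demo():
    """Two LAN hosts reach the same web server through one public address;
    replies are demultiplexed; an unsolicited probe and a reply from the
    wrong remote host are both dropped."""
    nat = Masquerader("203.0.113.10")            # constructed public address
    server = "198.51.100.5"
    a = nat.outbound(Packet("tcp", "192.168.0.10", 40000, server, 80, "GET /"))
    b = nat.outbound(Packet("tcp", "192.168.0.11", 40000, server, 80, "GET /"))
    reply_a = nat.inbound(Packet("tcp", server, 80, a.src_ip, a.src_port, "200 OK"))
    reply_b = nat.inbound(Packet("tcp", server, 80, b.src_ip, b.src_port, "200 OK"))
    probe = nat.inbound(Packet("tcp", "198.51.100.99", 5555, "203.0.113.10", 22))
    spoof = nat.inbound(Packet("tcp", "198.51.100.6", 80, a.src_ip, a.src_port))
    return a, b, reply_a, reply_b, probe, spoof


if __name__ == "__main__":
    for p in demo():
        print(p)
```

Note that the reverse lookup includes the remote address and port, so a third party cannot reach an inside host merely by guessing the external port in use; a mapping only answers to the peer the inside host contacted.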
Dynamic DNS

A dynamic DNS service is useful when you don't have a static Internet IP address, but need to remain contactable by hosts on the Internet. Dynamic DNS service providers such as TZO.com and dyndns.org can register an Internet domain name that will point to your Internet IP address no matter how often it changes. Whenever its Internet IP address changes, the CyberGuard SG appliance will alert the dynamic DNS service provider so the domain name records can be updated appropriately.

First, create an account with the dynamic DNS service provider of your choice. Click the red TZO logo if you wish to take advantage of the 30 day free trial with TZO. Next, select your chosen Dynamic DNS service and click Continue. Select which interface/connection's IP address you want associated with your newly created DNS name from Internet Connection. Enter the details provided by your dynamic DNS service provider and click Apply to enable.
Figure 3-7
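To make concrete what "alerting the dynamic DNS service provider" involves, here is an added example of an update client; it is not the appliance's implementation. It speaks the nic/update protocol that dyndns.org publishes (an HTTP GET carrying the host name and new address, HTTP basic authentication, and a one-word reply code), sends an update only when the address actually changed, and stops after a fatal reply such as badauth, since providers block clients that keep repeating a broken request. The host name, credentials and addresses are constructed, and the HTTP transport is passed in as a function so the exchange runs offline against a fake provider.

```python
"""Dynamic DNS update client, added as an illustration; not appliance code.
Follows the 'nic/update' protocol published by dyndns.org (HTTP GET with
basic authentication, one-word reply codes).  Host name, credentials and
addresses are constructed; the transport is injected so it runs offline."""
import base64
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import parse_qsl, urlencode

UPDATE_HOST = "members.dyndns.org"
UPDATE_PATH = "/nic/update"

# SUCCESS: the record now holds the address we sent.  FATAL: the account or
# request is wrong; the provider blocks clients that keep retrying, so the
# client must stop until an operator intervenes.
SUCCESS = {"good", "nochg"}
FATAL = {"badauth", "notfqdn", "nohost", "numhost", "abuse", "badagent", "dnserr", "911"}

Transport = Callable[[str, Dict[str, str]], str]   # (request target, headers) -> body


def build_update_request(hostname: str, new_ip: str, username: str,
                         password: str, user_agent: str) -> Tuple[str, Dict[str, str]]:
    """Returns the request target and headers for one update."""
    target = f"{UPDATE_PATH}?{urlencode({'hostname': hostname, 'myip': new_ip})}"
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    headers = {"Host": UPDATE_HOST,
               "Authorization": "Basic " + token,
               "User-Agent": user_agent}   # providers reject requests without one
    return target, headers


def parse_reply(body: str) -> Tuple[str, Optional[str]]:
    """'good 203.0.113.10' -> ('good', '203.0.113.10'); 'badauth' -> ('badauth', None)."""
    parts = body.strip().split()
    return (parts[0] if parts else ""), (parts[1] if len(parts) > 1 else None)


class DdnsUpdater:
    def __init__(self, hostname: str, username: str, password: str,
                 transport: Transport, user_agent: str = "example-ddns/1.0"):
        self.hostname, self.username, self.password = hostname, username, password
        self.transport, self.user_agent = transport, user_agent
        self.last_ip: Optional[str] = None   # address the provider is known to hold
        self.disabled = False

    def ip_changed(self, current_ip: str) -> Optional[str]:
        """Call whenever the Internet interface's address is re-read.  Sends an
        update only when the address really changed; returns the reply code,
        or None if no request was sent."""
        if self.disabled or current_ip == self.last_ip:
            return None
        target, headers = build_update_request(self.hostname, current_ip,
                                               self.username, self.password, self.user_agent)
        code, reported_ip = parse_reply(self.transport(target, headers))
        if code in SUCCESS:
            self.last_ip = reported_ip or current_ip
        elif code in FATAL:
            self.disabled = True   # never hammer the provider with a broken request
        return code


def fake_provider(valid_authorization: str) -> Transport:
    """Constructed stand-in for the provider: checks the Authorization header
    and answers 'good' for a new address or 'nochg' for a repeated one."""
    held = {"ip": None}

    def transport(target: str, headers: Dict[str, str]) -> str:
        if headers.get("Authorization") != valid_authorization:
            return "badauth"
        query = dict(parse_qsl(target.split("?", 1)[1]))
        if query["myip"] == held["ip"]:
            return f"nochg {query['myip']}"
        held["ip"] = query["myip"]
        return f"good {query['myip']}"
    return transport


def demo() -> List[Optional[str]]:
    auth = "Basic " + base64.b64encode(b"alice:s3cret").decode()
    provider = fake_provider(auth)
    box = DdnsUpdater("home.example.org", "alice", "s3cret", provider)
    results = [box.ip_changed("203.0.113.10"),   # first address   -> "good"
               box.ip_changed("203.0.113.10"),   # same address    -> None, nothing sent
               box.ip_changed("203.0.113.77")]   # address changed -> "good"
    rebooted = DdnsUpdater("home.example.org", "alice", "s3cret", provider)  # lost state
    results.append(rebooted.ip_changed("203.0.113.77"))   # provider has it -> "nochg"
    wrong = DdnsUpdater("home.example.org", "alice", "wrong", provider)
    results += [wrong.ip_changed("203.0.113.10"),   # "badauth"
                wrong.ip_changed("203.0.113.11")]   # None: client disabled itself
    return results


if __name__ == "__main__":
    print(demo())
```

A real client would send the request over HTTPS to UPDATE_HOST; the credentials travel in the Authorization header, so plain HTTP would expose them to anyone on the path.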
Interface aliases

Interface aliases allow the CyberGuard SG appliance to respond to multiple IP addresses on its LAN, Internet and DMZ ports. For Internet and DMZ aliased ports, you must also set up appropriate Packet Filtering and/or Port forwarding rules to allow traffic on these ports to be passed onto the local network; an alias on its own only makes the appliance answer for the extra address. See the chapter entitled Firewall for details.
Change MAC address

On rare occasions it may be necessary to change the Ethernet hardware or MAC address of your CyberGuard SG appliance. The MAC address is a globally unique address and is specific to a single CyberGuard SG appliance. It is set by the manufacturer and should not normally be changed. However, you may need to change it if your ISP has configured your ADSL or cable modem to only communicate with a device with a known MAC address. If you do copy another device's address, make sure that device is no longer attached to the same segment, since two devices sharing a MAC address cannot be told apart. On SG570 and SG575, you may also change the MAC address of the DMZ port.
QoS Traffic Shaping

Traffic shaping provides a level of control over the relative performance of various types of IP traffic. The traffic shaping feature of your CyberGuard SG appliance allows you to allocate High, Medium, or Low priority to the following services: domain (tcp), domain (udp), ftp, ftp-data, http, https, imap, irc, nntp, ntp, pop3, smtp, ssh, and telnet. This advanced feature is provided for expert users to fine tune their networks.

The Auto Traffic Shaper uses a set of inbuilt traffic shaping rules to attempt to ensure low latency on interactive connections, while maintaining fast throughput on bulk transfers. The Upstream and Downstream Speed should.

Note
If you have a PPTP or PPPoE connection to the Internet, enter approximately 80 – 90% of the speed that the ISP supplied to account for protocol overheads.
VLANs

Note
VLANs are not supported by the SG300.

Overview

VLAN stands for virtual local area network. It is a method of creating multiple virtual network interfaces using a single physical network interface.

Packets in a VLAN are simply Ethernet packets that carry an extra 4 bytes, inserted after the source MAC address and before the EtherType field of the Ethernet header. The format for these bytes is defined by the standard IEEE 802.1Q: a 2-byte tag protocol identifier (0x8100) followed by 2 bytes holding a 3-bit priority, a 1-bit flag and a 12-bit VLAN ID. The VLAN ID is used to distinguish each VLAN. A packet containing a VLAN header is called a tagged packet. Once added, VLAN interfaces can be configured as if they were additional physical network interfaces.

Note
Since the addition and removal of the VLAN header are performed in software, any network device can support VLANs. This also means that VLANs should not be used for security unless you trust all the devices on the network segment: nothing in a tagged frame proves who tagged it, so any host attached to a segment that carries tagged frames can send frames with whatever VLAN ID it chooses and will be treated as a member of that VLAN.

A typical use of VLANs with the CyberGuard SG appliance is to use it to enforce access policies between ports on an external switch that supports port-based VLANs. In this scenario, only the switch and other trusted devices should be directly connected to the LAN port of the CyberGuard SG appliance. The CyberGuard SG appliance and the switch are configured with a VLAN for each port or group of ports on the switch. The switch is configured to map packets between its ports and the VLANs. The CyberGuard SG appliance can then be configured with firewall rules for the VLANs, and these rules will effectively apply to the corresponding ports on the switch.
Note
Additionally, switch A on the SG560, SG565 and SG580 (but not the SG710 or SG710+) supports port based VLANs. One benefit of this feature is that you are able to assign individual functions to each of the ports on the switch, e.g. you might decide to use port A2 to connect to a DMZ, and port A3 as a second Internet connection. See the section entitled Port Based VLANs later in this chapter for details.
Adding VLANs

Select Network Setup from the Networking menu. Next to the interface on which you want to add a VLAN (e.g. LAN), select Add VLAN from the Configuration drop down box. The following settings will be displayed:

VLAN Name: A name to display in the Network Setup menu for this VLAN interface.
VLAN ID: Enter an ID number (802.1Q allows 1 to 4094). If this VLAN interface is to participate on an existing VLAN, this number must match the existing VLAN's ID.

Click Apply, then Reboot Now. You have now added a tagged VLAN interface that you may configure through Network Setup as you would any other network interface.

When a packet is routed out this VLAN interface, the VLAN header is inserted and then the packet is sent out on the underlying physical interface. When a packet is received on the physical interface, it is checked for a VLAN header. If present, the router makes it appear as though the packet arrived on the corresponding VLAN interface.
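The following added example (not appliance code) shows the two paths just described and the warning from the Overview note in working form: it inserts the 4-byte 802.1Q tag between the source MAC and the EtherType when building a frame, parses it back out on receive and maps the frame to a VLAN interface, and demonstrates that a frame from an untrusted host carrying a forged VLAN ID is indistinguishable from a legitimate one. The MAC addresses, VLAN IDs, interface names and payload are constructed; the "drop unknown VLAN" behaviour is this example's policy.

```python
"""Building and parsing IEEE 802.1Q tagged Ethernet frames.  Added example,
not appliance code; MAC addresses, VLAN IDs, interface names and payloads
are constructed.  Shows where the four tag bytes sit, how the receive path
picks a VLAN interface from the tag, and why a host that can inject tagged
frames must be trusted."""
import struct
from typing import Dict, Optional, Tuple

ETH_P_8021Q = 0x8100   # Tag Protocol Identifier: "an 802.1Q tag follows"
ETH_P_IP = 0x0800


def mac(text: str) -> bytes:
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, priority: int = 0) -> bytes:
    """Untagged: dst(6) src(6) ethertype(2) payload
    Tagged:   dst(6) src(6) TPID(2)=0x8100 TCI(2) ethertype(2) payload
    TCI = priority (3 bits) | DEI (1 bit, left 0) | VLAN ID (12 bits)."""
    if not 0 <= priority <= 7:
        raise ValueError("priority is a 3-bit field")
    header = mac(dst) + mac(src)
    if vlan_id is not None:
        if not 1 <= vlan_id <= 4094:   # 0 means "priority only", 4095 is reserved
            raise ValueError("VLAN ID must be 1..4094")
        header += struct.pack("!HH", ETH_P_8021Q, (priority << 13) | vlan_id)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> Dict[str, object]:
    """Returns dst, src, vlan_id (None if untagged), priority, ethertype, payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype, = struct.unpack("!H", frame[12:14])
    vlan_id = priority = None
    offset = 14
    if ethertype == ETH_P_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        priority, vlan_id = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "vlan_id": vlan_id, "priority": priority,
            "ethertype": ethertype, "payload": frame[offset:]}


def receive_on(physical: str, frame: bytes,
               vlan_ifaces: Dict[Tuple[str, int], str]) -> str:
    """Receive path as the manual describes it: a tagged frame arriving on the
    physical port is made to appear on the VLAN interface configured for that
    (port, VLAN ID); an untagged frame stays on the physical interface.  A tag
    with no matching VLAN interface is not delivered (policy of this example)."""
    info = parse_frame(frame)
    if info["vlan_id"] is None:
        return physical
    return vlan_ifaces.get((physical, info["vlan_id"]), "dropped")


def demo() -> Dict[str, str]:
    vlan_ifaces = {("eth0", 10): "eth0.10", ("eth0", 20): "eth0.20"}  # constructed config
    gw, switch, rogue = "00:10:20:30:40:50", "00:aa:bb:cc:dd:01", "00:de:ad:be:ef:02"
    payload = b"\x45" + b"\x00" * 19   # minimal IPv4 header stand-in
    return {
        "untagged": receive_on("eth0", build_frame(gw, switch, ETH_P_IP, payload), vlan_ifaces),
        "vlan10": receive_on("eth0", build_frame(gw, switch, ETH_P_IP, payload, vlan_id=10), vlan_ifaces),
        # Nothing in the frame proves who tagged it: a host on the segment can
        # put VLAN 20 in the tag and is treated as a VLAN 20 member.
        "forged": receive_on("eth0", build_frame(gw, rogue, ETH_P_IP, payload, vlan_id=20), vlan_ifaces),
        "unknown": receive_on("eth0", build_frame(gw, switch, ETH_P_IP, payload, vlan_id=99), vlan_ifaces),
    }


if __name__ == "__main__":
    print(demo())
```

The "forged" case is exactly why the manual says only the switch and other trusted devices should be connected to the port that carries tagged traffic: the firewall rules attached to eth0.20 apply to whoever manages to get a VLAN 20 tag onto that segment.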
Editing VLANs

Once a VLAN has been added, you may edit the settings you entered in Adding VLANs by selecting Edit VLAN configuration from the VLAN interface's Configuration drop down box in the Network Setup menu.

Removing VLANs

To remove a VLAN, select Remove this VLAN device from the VLAN interface's Configuration drop down box in the Network Setup menu.
