Webinar NETGEAR - ProSafe VPN Firewall - NAT configuration and bandwidth management

ProSafe VPN Firewall: NAT configuration and bandwidth management. Online training by Andrea Rossi, Senior System Engineer, [email protected] (52 slides)

Upload: netgear-italia
Posted on 15-Apr-2017
395 views, 1 download
Category: Technology

TRANSCRIPT

ProSafe VPN Firewall

NAT configuration and bandwidth management

Online Training

Andrea Rossi, Senior System Engineer

[email protected]

ProSafe VPN Firewalls: Proven Firewall Technology

+ Range from 5-user to 200-user offices

+ Wired & Wireless N

+ All based on the same custom-developed, stable code base

+ IPsec & SSL VPNs for remote access

+ 802.1Q VLAN support

ProSafe VPN Firewall Product Lineup (slide 4), from small business (5 users) to SMB (200 users):

- FVS318G: desktop IPsec firewall (ROBO)
- FVS336G: desktop SSL & IPsec firewall, dual WAN
- FVS318N: desktop SSL & IPsec firewall, Wireless N
- SRX5308: SSL & IPsec firewall, quad WAN

ProSafe VPN Firewall Matrix (slides 5-8): comparison tables for the lineup, including the FVS318G and FVS336G; the table contents were not captured in the transcript.

ProSafe VPN Firewall: NAT/PAT configuration

NAT/PAT Example (diagram)

- Internet side: public network 10.85.1.0/24, default gateway 10.85.1.1
- LAN side: private network 192.168.1.0/24, default gateway 192.168.1.1 (the firewall), hosts .2, .3, .4, .5 and .6
- The firewall's WAN address in the second drawing is 10.85.1.24

NAT/PAT Example: PAT

Internal hosts 192.168.1.2, 192.168.1.3, 192.168.1.4, 192.168.1.5, 192.168.1.6 and 192.168.1.254 all reach the Internet through the single PAT IP address 10.85.1.24.

PAT maps multiple private hosts to one publicly exposed IP address. The firewall tells the flows apart by the translated source port, so a returning packet is delivered only if it matches an entry the LAN created; an unsolicited connection to the PAT address has no entry and is dropped. Port Address Translation is also called porting, port overloading, port-level multiplexed NAT and single-address NAT.

NAT/PAT Example: static NAT

Internal hosts 192.168.1.2 to 192.168.1.6 keep using the PAT IP address 10.85.1.24; the web server 192.168.1.254 is mapped one-to-one to the NAT IP address 10.85.1.25.

NAT provides a one-to-one translation of IP addresses. RFC 2663 refers to this type of NAT as basic NAT; it is often also called one-to-one NAT.

Static NAT is a type of NAT in which a private IP address is mapped to a public IP address, where the public address is always the same. This allows an internal host, such as a web server, to have an unregistered (private) IP address and still be reachable over the Internet. Unlike PAT, the mapping exists before any traffic flows, so whatever the firewall rules allow inbound on 10.85.1.25 reaches the server directly.

PAT setup (slide 14)

PAT is the default mode configured on ProSafe firewalls.

NAT setup (slide 15)

N.B. ProSafe firewalls support static NAT mode only (fixed one-to-one mappings, no dynamic address pool).

NAT setup (slides 16-18): no text captured in the transcript.

NAT setup (slides 19-23)

Create the OUTBOUND rule in «LAN WAN Rules» (shown step by step across slides 19-23).

NAT setup (slides 24-28)

Create the INBOUND rule in «LAN WAN Rules» (shown step by step across slides 24-28).

NAT setup (slide 29)

Two rules create the static NAT, but an INBOUND rule with service ANY opens every port of the mapped server to the Internet, not just the service you meant to publish.

NAT setup (slide 30): Create a Service Group for the web server

NAT setup (slide 31): Add a custom Service to the Service Group for the web server

NAT setup (slides 32-33): Modify the INBOUND rule in «LAN WAN Rules» to permit the web service only
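The following is an added example, not code from the deck or from NETGEAR, that models the three things the slides above describe: PAT for the LAN hosts, the static one-to-one NAT for the web server, and the effect of the INBOUND rule on that server. The addresses are the deck's; the Packet and Firewall types, the rule representation and the Internet client 203.0.113.9 (a TEST-NET address) are constructed for the example. Running it shows why slide 29 warns about an ANY-service inbound rule and what the service-group restriction of slides 30-33 changes.

```python
"""Model of the two translation modes in the deck and of the LAN WAN
INBOUND rule that guards the statically mapped server.

Added example, not NETGEAR code. Addresses come from the deck; the
Packet/Firewall types, the rule format and the client address
203.0.113.9 (TEST-NET) are constructed for the example."""
from dataclasses import dataclass, field
from itertools import count

PAT_IP = "10.85.1.24"                          # shared WAN address (PAT)
STATIC_NAT = {"10.85.1.25": "192.168.1.254"}   # public -> web server (one-to-one)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass
class Firewall:
    # public_ip -> "ANY" or a set of (proto, port); models the INBOUND rule
    inbound_allow: dict
    # (proto, translated WAN port) -> (lan_ip, lan_port); the PAT state table
    pat_table: dict = field(default_factory=dict)
    _ports: count = field(default_factory=lambda: count(1024))

    def outbound(self, pkt: Packet) -> Packet:
        """LAN -> WAN: static NAT hosts keep their public address, all
        others share PAT_IP and get a unique WAN source port."""
        for public, private in STATIC_NAT.items():
            if pkt.src == private:
                return Packet(public, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        wan_port = next(self._ports)
        self.pat_table[(pkt.proto, wan_port)] = (pkt.src, pkt.sport)
        return Packet(PAT_IP, wan_port, pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet):
        """WAN -> LAN: returns the translated packet, or None if dropped."""
        if pkt.dst == PAT_IP:
            # Only a reply to a flow in the PAT table can come back in;
            # an unsolicited connection to the PAT address has no mapping.
            mapping = self.pat_table.get((pkt.proto, pkt.dport))
            if mapping is None:
                return None
            lan_ip, lan_port = mapping
            return Packet(pkt.src, pkt.sport, lan_ip, lan_port, pkt.proto)
        if pkt.dst in STATIC_NAT:
            # One-to-one mapping: every port reaches the server unless the
            # INBOUND rule restricts the service.
            allowed = self.inbound_allow.get(pkt.dst, set())
            if allowed != "ANY" and (pkt.proto, pkt.dport) not in allowed:
                return None
            return Packet(pkt.src, pkt.sport, STATIC_NAT[pkt.dst], pkt.dport, pkt.proto)
        return None


def exposed_ports(fw: Firewall, ports=(22, 80, 443, 3389)) -> list:
    """Ports of the static NAT address that an Internet host can reach."""
    probe = "203.0.113.9"   # constructed scanner address
    return [p for p in ports
            if fw.inbound(Packet(probe, 40000, "10.85.1.25", p)) is not None]


# Slide 29: INBOUND rule with service ANY.
open_fw = Firewall(inbound_allow={"10.85.1.25": "ANY"})
# Slides 30-33: a Service Group holding only HTTP (tcp/80).
web_fw = Firewall(inbound_allow={"10.85.1.25": {("tcp", 80)}})

if __name__ == "__main__":
    print("ANY service exposes:", exposed_ports(open_fw))   # [22, 80, 443, 3389]
    print("web service only  :", exposed_ports(web_fw))    # [80]
```

The probe loop is the check to run against your own static NAT rule from the outside: everything that answers on the public address beyond the published service is reachable because of the rule, not because of the server.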

ProSafe VPN Firewall: Bandwidth management

Bandwidth Example: Load Balancing (diagram)

- WAN1: public network 10.85.1.0/24, 20/1 Mbps (download/upload)
- WAN2: public network 172.16.0.0/24, 12/12 Mbps
- LAN: private network 192.168.1.0/24, default gateway 192.168.1.1, hosts .2, .3, .4, .5 and .6

Load Balancing setup (slide 36): Set the effective download/upload speed of the WAN links/interfaces

Load Balancing setup (slide 37): Set the effective download/upload speed of the WAN1 link/interface

Load Balancing setup (slide 38): Set the effective download/upload speed of the WAN2 link/interface

Load Balancing setup (slide 39): Enable Load Balancing in Weighted LB mode

In Weighted Load Balancing (LB) mode, the balance weights are calculated based on WAN link speed and available WAN bandwidth. This is the default and most efficient balancing algorithm. Because the weights derive from the speeds entered on slides 37-38, enter the measured throughput of each link rather than the contracted figure.

Load Balancing setup (slide 40, diagram): with both links active, the internal hosts 192.168.1.2 to 192.168.1.6 leave through the PAT IP address of whichever link the balancer picks, 10.85.1.24 on WAN1 or 172.16.0.1 on WAN2. The web server 192.168.1.254 keeps its static NAT IP address 10.85.1.25 in both drawings.

Load Balancing setup (slide 41, diagram): the two links are labelled 12/12 Mbps and 24/1 Mbps; the web server sits behind the firewall.

Load Balancing setup (slide 42): Protocol Binding rule for the web server

Load Balancing setup (slide 43): Protocol Binding rule for everything else

The binding keeps the server's flows on the WAN that holds its static NAT address (10.85.1.25 is in WAN1's 10.85.1.0/24). A balanced flow that left via WAN2 would be sourced from a 172.16.0.x address, and a client that connected to 10.85.1.25 would discard that reply.
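The block below is an added example, not NETGEAR code, showing weighted balancing across the deck's two links and why slide 42 binds the web server. The deck does not give the weight formula; the example assumes weights proportional to each link's configured download speed (20 and 12 Mbps). The flow hash, the binding match format and the 203.0.113.0/24 client addresses are constructed. Slide 43's rule for everything else is not reproduced because its target WAN is not in the transcript, so unbound flows simply fall through to the weighted choice.

```python
"""Weighted load balancing across the deck's two WAN links, with a Protocol
Binding that pins the web server to the WAN holding its static NAT address.

Added example, not NETGEAR code. Weight formula, flow hash, binding format
and 203.0.113.0/24 client addresses are assumptions of this example."""
import hashlib
import ipaddress

WANS = {
    "WAN1": {"speed": 20, "net": ipaddress.ip_network("10.85.1.0/24")},
    "WAN2": {"speed": 12, "net": ipaddress.ip_network("172.16.0.0/24")},
}
WEB_SERVER = "192.168.1.254"
WEB_PUBLIC = ipaddress.ip_address("10.85.1.25")     # static NAT address (WAN1)

# Protocol Binding (slide 42): flows of the web server's HTTP service go to
# WAN1. Anything without a binding falls through to weighted balancing.
BINDINGS = [((WEB_SERVER, "tcp", 80), "WAN1")]


def weights() -> dict:
    """Balance weight of each WAN, assumed proportional to configured speed."""
    total = sum(w["speed"] for w in WANS.values())
    return {name: w["speed"] / total for name, w in WANS.items()}


def choose_wan(lan_host: str, proto: str, service_port: int,
               flow_id: str, use_bindings: bool = True) -> str:
    """Pick the WAN for a flow: bindings first, then a hash of the flow
    placed on the cumulative weight line (a flow always sticks to one WAN)."""
    if use_bindings:
        for match, wan in BINDINGS:
            if match == (lan_host, proto, service_port):
                return wan
    point = int(hashlib.sha256(flow_id.encode()).hexdigest(), 16) / 2 ** 256
    acc = 0.0
    for name, w in weights().items():
        acc += w
        if point < acc:
            return name
    return name   # guard against rounding at the end of the line


def distribution(n: int) -> dict:
    """Share of n balanced LAN flows per WAN (no binding applies)."""
    hits = {name: 0 for name in WANS}
    for i in range(n):
        host = f"192.168.1.{2 + i % 5}"
        fid = f"{host}:{30000 + i}->203.0.113.{1 + i % 250}:443"
        hits[choose_wan(host, "tcp", 443, fid)] += 1
    return {name: hits[name] / n for name in hits}


def misrouted_web_replies(n: int, use_bindings: bool) -> int:
    """Count web-server reply flows that would leave through a WAN whose
    subnet does not contain the server's static NAT address."""
    bad = 0
    for i in range(n):
        fid = f"{WEB_PUBLIC}:80->203.0.113.{1 + i % 250}:{40000 + i}"
        wan = choose_wan(WEB_SERVER, "tcp", 80, fid, use_bindings)
        if WEB_PUBLIC not in WANS[wan]["net"]:
            bad += 1
    return bad


if __name__ == "__main__":
    print("weights:", weights())                              # WAN1 0.625, WAN2 0.375
    print("share over 4000 flows:", distribution(4000))
    print("misrouted with binding:", misrouted_web_replies(200, True))    # 0
    print("misrouted without binding:", misrouted_web_replies(200, False))
```

Without the binding roughly WAN2's share of the server's reply flows would exit with the wrong source address; with it the count is zero, which is the check to repeat after any change to the WAN speeds or binding rules.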

Bandwidth Example: Bandwidth Profile (diagram)

- WAN1: public network 10.85.1.0/24, 20/1 Mbps
- WAN2: public network 172.16.0.0/24, 12/12 Mbps
- LAN hosts .2, .3, .4, .5 and .6

Limit the bandwidth per user to:

- Download Max: 20 Mbps
- Download Min: 1 Mbps

Bandwidth Profile setup (slide 45): Enable Bandwidth Profiles

Bandwidth Profile setup (slide 46): Create a Bandwidth Profile with:

- a) 20 concurrent IP addresses
- b) Inbound Minimum: 1 Mbps
- c) Inbound Maximum: 20 Mbps

(the letters a, b, c mark the corresponding fields on the screenshot)

Bandwidth Profile setup (slide 47): Create an Outbound rule to which the Bandwidth Profile is applied
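An added example, not NETGEAR code, of what the Minimum and Maximum fields of slide 46 mean for the deck's 20 Mbps WAN1 downlink. The firmware's scheduler is not published, so the block uses a plain water-filling allocation: each host first gets its minimum, the rest of the link is shared among hosts that still want more, and no host exceeds the maximum. The offered loads and the 32 Mbps link in the second call are constructed.

```python
"""Per-host inbound bandwidth profile as on slide 46: every host is
guaranteed a minimum, capped at a maximum, and the remainder of the link
is shared. Added example, not NETGEAR code: a water-filling model used to
show what the Minimum/Maximum fields mean; demand figures are constructed."""


def allocate(demands: dict, link_mbps: float = 20.0,
             minimum: float = 1.0, maximum: float = 20.0) -> dict:
    """Return Mbps per host for the given offered loads (Mbps).

    1. Each host first receives min(demand, minimum): the guarantee.
    2. The remainder is split equally among hosts still below their
       demand, each capped at `maximum`; what a host cannot use is
       redistributed in the next round.
    """
    alloc = {h: min(d, minimum) for h, d in demands.items()}
    remaining = link_mbps - sum(alloc.values())
    if remaining < 0:
        # The guarantee is only real if all the minimums fit in the link.
        raise ValueError(
            f"{len(demands)} hosts x {minimum} Mbps minimum exceeds {link_mbps} Mbps")
    active = {h for h, d in demands.items() if min(d, maximum) > alloc[h]}
    while active and remaining > 1e-9:
        share = remaining / len(active)
        for h in sorted(active):
            room = min(demands[h], maximum) - alloc[h]
            give = min(share, room)
            alloc[h] += give
            remaining -= give
            if room - give <= 1e-9:
                active.discard(h)
    return alloc


def max_guaranteed_hosts(link_mbps: float = 20.0, minimum: float = 1.0) -> int:
    """How many hosts can hold the minimum at once before it stops being a guarantee."""
    return int(link_mbps // minimum)


if __name__ == "__main__":
    # Constructed offered loads on the deck's 20 Mbps WAN1 downlink.
    loads = {"192.168.1.2": 30.0, "192.168.1.3": 5.0, "192.168.1.4": 0.5}
    print(allocate(loads))                                   # .2 14.5, .3 5.0, .4 0.5
    # One host alone: the profile maximum caps it even on a faster link.
    print(allocate({"192.168.1.2": 30.0}, link_mbps=32.0))   # 20.0
    print(max_guaranteed_hosts())                            # 20
```

Note that 20 hosts at a 1 Mbps minimum already fill the 20 Mbps link, which is consistent with the count entered on slide 46; with more simultaneous hosts than that the minimum cannot be honoured, which the model reports as an error rather than silently shrinking the guarantee.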

Bandwidth Example: QoS (diagram)

- WAN1: public network 10.85.1.0/24, 20/1 Mbps
- WAN2: public network 172.16.0.0/24, 12/12 Mbps
- LAN hosts .2, .3, .4, .5 and .6

Prioritize some Internet traffic:

- VoIP
- …

QoS setup (slide 49): Enable QoS in Priority mode

QoS setup (slide 50): Create an inbound QoS Profile for VoIP with priority HIGH

QoS setup (slide 51): Create an outbound QoS Profile for VoIP with priority HIGH

QoS setup (slide 52): Create other QoS Profiles as needed

N.B.: it is possible to create a QoS Profile with priority LOW.

All other traffic keeps the default priority, NORMAL.
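The block below is an added example, not NETGEAR code, of strict-priority scheduling with the three classes of slides 49-52. A packet matched by no profile stays NORMAL, a saturated HIGH class is served before everything else, and a LOW profile only gets the link when the higher classes are empty. Two details are worth checking in your own profiles and are shown here: a VoIP profile written only for SIP signalling (udp/5060, the standard port) leaves the RTP media at NORMAL until a second profile covers its port range, and strict priority has no fairness, so bulk traffic marked LOW can be starved. The RTP range 16384-32767, the rsync backup on tcp/873 and the burst of packets are constructed.

```python
"""Strict-priority QoS as on slides 49-52: packets are classified by a
QoS profile (HIGH / NORMAL / LOW) and the link always serves the highest
non-empty class first. Added example, not NETGEAR code. The SIP port
(udp/5060) is standard; the RTP range, the LOW profile for an rsync
backup (tcp/873) and the burst are constructed."""
import heapq
from itertools import count

RANK = {"HIGH": 0, "NORMAL": 1, "LOW": 2}

# QoS profiles: (proto, first_port, last_port, priority); first match wins.
PROFILES_SIP_ONLY = [
    ("udp", 5060, 5060, "HIGH"),      # VoIP signalling (slides 50-51)
    ("tcp", 873, 873, "LOW"),         # bulk backup, constructed
]
PROFILES_FULL = PROFILES_SIP_ONLY + [
    ("udp", 16384, 32767, "HIGH"),    # RTP media range, constructed
]


def classify(proto: str, port: int, profiles=PROFILES_SIP_ONLY) -> str:
    """Priority of a flow; anything without a profile is NORMAL by default."""
    for p, lo, hi, prio in profiles:
        if proto == p and lo <= port <= hi:
            return prio
    return "NORMAL"


class PriorityLink:
    """Strict priority scheduler: lower rank always leaves first, FIFO inside
    a class. There is no weighting, so a busy HIGH class starves LOW."""

    def __init__(self, profiles=PROFILES_SIP_ONLY):
        self.profiles = profiles
        self._heap = []
        self._seq = count()      # arrival order, keeps FIFO within a class

    def enqueue(self, name: str, proto: str, port: int) -> str:
        prio = classify(proto, port, self.profiles)
        heapq.heappush(self._heap, (RANK[prio], next(self._seq), name))
        return prio

    def drain(self) -> list:
        order = []
        while self._heap:
            order.append(heapq.heappop(self._heap)[2])
        return order


def service_order(packets, profiles=PROFILES_SIP_ONLY) -> list:
    """Order in which a burst of simultaneously queued packets leaves the link."""
    link = PriorityLink(profiles)
    for name, proto, port in packets:
        link.enqueue(name, proto, port)
    return link.drain()


# Constructed burst arriving at the same instant.
BURST = [
    ("rsync-1", "tcp", 873),
    ("http-1", "tcp", 443),
    ("sip-1", "udp", 5060),
    ("rtp-1", "udp", 16400),
    ("http-2", "tcp", 443),
    ("sip-2", "udp", 5060),
    ("rsync-2", "tcp", 873),
]

if __name__ == "__main__":
    print(service_order(BURST))                 # SIP first, rsync last, RTP still NORMAL
    print(service_order(BURST, PROFILES_FULL))  # RTP now leaves with SIP
```

With only the SIP profile the media packet rtp-1 queues behind the web traffic, which is the usual cause of a "QoS is on but calls still break up" complaint; the second run shows the order after the media range has its own HIGH profile.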