NETGEAR FVX538 Network Card User Manual


 
Network Planning Guide for ProSafe VPN Firewall Router FVX538
2-2 Network Planning
October 2004
Virtual Private Networks (VPNs)
A virtual private network (VPN) tunnel provides a secure communication channel either between
two gateway VPN routers or between a remote PC client and a gateway VPN router. As a result, the
IP address of at least one of the tunnel end points must be known in advance in order for the other
tunnel end point to establish (or re-establish) the VPN tunnel. See “Virtual Private Networks
(VPNs)” on page 2-6 for further discussion.
The Fail-over Case for Routers With Dual WAN Ports
Failover (Figure 2-1) for the dual WAN port case is different from the single gateway WAN port
case when specifying the IP address. Only one WAN port is active at a time and when it fails over,
the IP address of the active WAN port always changes. Hence, the use of a fully-qualified domain
name is always required, even when the IP address of each WAN port is fixed.
Figure 2-1: Dual WAN ports before and after failover
[Figure 2-1 panels. Dual WAN Ports (Before Failover): WAN1 port active (WAN1 IP), WAN2 port
inactive (WAN2 IP N/A). Dual WAN Ports (After Failover): WAN1 port inactive (WAN1 IP N/A),
WAN2 port active (WAN2 IP).]
IP address of active WAN port changes after a failover:
o use of fully-qualified domain names always required
o features requiring fixed IP address blocks not supported
Note: Once the gateway router WAN port fails over, the VPN tunnel collapses and must
be re-established using the new WAN IP address.
Features such as multiple exposed hosts are not supported when using dual WAN port failover
because the IP addresses of each WAN port must be in the identical range of fixed addresses.
The Load Balancing Case for Routers With Dual WAN Ports
Load balancing (Figure 2-2) for the dual WAN port case is similar to the single WAN port case
when specifying the IP address. Each IP address is either fixed or dynamic based on the ISP:
fully-qualified domain names must be used when the IP address is dynamic and are optional when
the IP address is static.
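The failover and load balancing addressing rules above, written as a check over a constructed VPN plan. This is an added example, not part of the NETGEAR manual; the `Endpoint` fields, the function names, and the reading of "known in advance" as "has an FQDN or a fixed address that does not move" are assumptions made for the example.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:                      # hypothetical planning record, not a router setting
    name: str
    role: str = "gateway"            # "gateway" or "client" (remote PC client)
    wan_mode: str = "single"         # "single", "failover" or "load_balancing"
    addressing: str = "fixed"        # "fixed" or "dynamic", as assigned by the ISP
    uses_fqdn: bool = False          # the peer's VPN policy names this end by FQDN
    multiple_exposed_hosts: bool = False

def fqdn_required(ep):
    """Failover: always. Single WAN or load balancing: only with a dynamic address."""
    return ep.wan_mode == "failover" or ep.addressing == "dynamic"

def known_in_advance(ep):
    """Assumed reading: an end is known if it has an FQDN or a fixed IP that never moves."""
    return ep.uses_fqdn or not fqdn_required(ep)

def check_endpoint(ep):
    findings = []
    if ep.role != "gateway":
        return findings              # the rules above are stated for gateway routers
    if fqdn_required(ep) and not ep.uses_fqdn:
        why = ("failover moves the active WAN IP" if ep.wan_mode == "failover"
               else "WAN IP is dynamic")
        findings.append(f"{ep.name}: FQDN required ({why})")
    if ep.wan_mode == "failover" and ep.multiple_exposed_hosts:
        findings.append(f"{ep.name}: multiple exposed hosts not supported with failover")
    return findings

def check_tunnel(a, b):
    """Per-gateway findings plus the rule that one end must be known in advance."""
    findings = check_endpoint(a) + check_endpoint(b)
    if not (known_in_advance(a) or known_in_advance(b)):
        findings.append(f"{a.name}<->{b.name}: neither end is known in advance")
    return findings

if __name__ == "__main__":
    # Constructed plan: fixed IPs on both WAN ports do not remove the FQDN requirement.
    hq = Endpoint("hq", wan_mode="failover", multiple_exposed_hosts=True)
    branch = Endpoint("branch", wan_mode="load_balancing")
    laptop = Endpoint("laptop", role="client", addressing="dynamic")
    for a, b in [(hq, branch), (hq, laptop)]:
        for finding in check_tunnel(a, b):
            print(finding)
```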