Re: FVS336GV2 - Wireless for Internet-only

bschorr · ‎2012-02-15

Have a network behind a ProSafe FVS336GV2 and we want to set up a wireless network that ONLY has access to the Internet for guests to use.

I've got a NetGear WNR20000-100NAS wireless router and was hoping to plug it into one of the other LAN ports on the FVS336GV2. Imagine my disappointment to discover that the FVS doesn't let us VLAN the ports!

O.K., fine. Maybe I can connect it via the DMZ port. Everything LOOKS like it should work there but for some reason no matter what I do nothing connected to the WNR can get on the Internet when I have it connected to the DMZ port.

So...any suggestions for how I can get this set up? The requirements seem simple enough - they don't want the wireless folks to be able to even see their local network and they DO want the wireless folks to be able to get out on the Internet for web-browsing, e-mail, etc.

fordem · ‎2012-02-15

You need to recognize one thing - as long as you connect the guests to the internal LAN on the FVS336, they are connected to the local network - there is NO way around the fact that the FVS336 does not support VLANs.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.

Dwarf · ‎2012-02-16

Hi there!

I got exactly the same question.

I wonder why this Prosafe router doesn't support VLAN's ??

Come on Netgear, many SOHO doesn't have expensive Layer 3 Switches and want to use the benefit of VLAN separation with intervlan routing/firewalling

Bringing up VLAN support to prosafe routers isn't so fool idea hmm ?

I hope to see this functionallity in future release !!!

@++
Dwarf

fordem · ‎2012-02-16

Come on Dwarf, be realistic - how often do you need a VLAN in a SOHO environment?

There are many SMB environments that don't need VLANs - and think about this - in a SOHO environment, would it not be easier and possibly cheaper to simply buy another switch and create a physically separate LAN rather than do it virtually?

Which would be less expensive, two basic eight port gigabit switches, or a sixteen port smart switch?

The only thing that is easier to do with VLAN technology than a physically separate LAN is set up a branch office and extend the physically separate LANs from head office across to the branch - and that my friend just moved you from SOHO to SMB.

Yes - it would be nice to see it - but are you willing to pay for it?

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.

bschorr · ‎2012-02-16

fordem wrote:
You need to recognize one thing - as long as you connect the guests to the internal LAN on the FVS336, they are connected to the local network - there is NO way around the fact that the FVS336 does not support VLANs.

Yes, I know that, and that's a separate problem...but the FVS336 has a DMZ port that LOOKS like it should be able to allow Internet access while blocking cross traffic to the LAN.

But no matter what I've done to set it up I can't seem to get it to work. There must be some kind of trick to it I guess.

bschorr · ‎2012-02-16

fordem wrote:
Come on Dwarf, be realistic - how often do you need a VLAN in a SOHO environment?

The only thing that is easier to do with VLAN technology than a physically separate LAN is set up a branch office and extend the physically separate LANs from head office across to the branch - and that my friend just moved you from SOHO to SMB.

Yes - it would be nice to see it - but are you willing to pay for it?

Except that so many of the ProSafe's competitors offer it at nearly the same price point. Before McAfee bought them we used to deploy SnapGear's and even their SG300 could VLAN the local ports if you wanted them to. It's not that hard to do.

And the problem is that the FVS336 is our firewall - it's at the edge for us. How exactly do we VLAN behind it without deploying even more switches and getting into tricky routing bits? Ultimately ALL of the cables end up at the FVS336 unless we get a totally separate Internet connection. And if the FVS336 won't segment those networks....

That said, the DMZ port looks like it should be able to be used for this (at least for separating two networks) but...it doesn't seem to work.

jmizoguchi · ‎2012-02-16

Dwarf wrote:
Hi there!

I got exactly the same question.

I wonder why this Prosafe router doesn't support VLAN's ??

Come on Netgear, many SOHO doesn't have expensive Layer 3 Switches and want to use the benefit of VLAN separation with intervlan routing/firewalling

Bringing up VLAN support to prosafe routers isn't so fool idea hmm ?

I hope to see this functionallity in future release !!!

@++
Dwarf

ONLY prosecure line support VLAN

go to prosecure.netgear.com

ALL UTM series supports VLAN

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-

Dwarf · ‎2012-02-17

jmizoguchi wrote:
ONLY prosecure line support VLAN

go to prosecure.netgear.com

ALL UTM series supports VLAN

Hi jmizoguchi,

only prosecure line support VLAN ? hmmm What about the SRX5308 ?

This model isn't in the prosecure line and support a maximum of 253 VLANs.
I don't understand why netgear is so hermetic to this feature on its prosafe products. VLAN isn't a new technology, this is well known by know
For those who bought FVS336G v1, UTM series wasn't released yet or wasn't really mature!

@fordem
Like bschorr said, the FVS336G (or FVS336Gv2) is at the edge of our architecture. We bought it because it was corresponding to our needs in terms of protection etc..

In a SOHO or SMB, it won't necessary be cheaper to separate LANs physically, because you need to multiply everything (switches, firewall, Internet connection). At long term, you'll pay more than a simple VLAN functionality in a firmware update, i'm sorry !

I like my FVS336G, it's very stable, fast enought for my needs and do almost everything I wish. My network needs have changed, and I now do need of vlan functionality, I was just adding this to the wish list

@++
Dwarf

fordem · ‎2012-02-17

Dwarf wrote:
@fordem
In a SOHO or SMB, it won't necessary be cheaper to separate LANs physically, because you need to multiply everything (switches, firewall, Internet connection). At long term, you'll pay more than a simple VLAN functionality in a firmware update, i'm sorry !
@++
Dwarf

You've missed the point - where is the need for VLAN in SOHO.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.

jmizoguchi · ‎2012-02-17

Forgot SRAM is only one in prosafe does has vlan

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-

bschorr · ‎2012-02-17

fordem wrote:
You've missed the point - where is the need for VLAN in SOHO.

I just told you - a small company that wants to offer wireless Internet to guests but keep them separate from the internal network.

jmizoguchi · ‎2012-02-17

got to guestagate.com

also look openmesh.com

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-

bschorr · ‎2012-02-18

So what you're saying is that an FVS336G can't do that simple task?

I don't really understand what all the "DMZ to WAN" and "DMZ to LAN" settings in the FVS336G are for then if you can't use them to say "Yes, allow traffic to the WAN" and "No, don't allow traffic to the LAN."

jmizoguchi · ‎2012-02-19

DMZ-WAN rules for WAN rules for DMZ
DMZ-LAN rules for network connection between DMZ side and LAN side to allow the traffic

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-

fordem · ‎2012-02-19

Under ideal circumstances you would/should be able to control access between the WAN and the DMZ and also between the LAN and the DMZ - for example on a cisco PIX I can allow open access from the WAN to the DMZ whilst blocking access from the WAN or the DMZ to the LAN.

I can also (on the PIX) specify which ports I will allow through from the WAN to the DMZ, which is distinctly different to how DMZ implementations work on SOHO firewalls where the purpose of the DMZ is to expose a host to the internet.

This type of implementation requires a firewall with multiple physical internal interfaces - and the DMZ has to be set up as a completely separate network to the LAN - not having worked with the FVS336G v2, I cannot say if this is possible, but I doubt that it is.

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.

jmizoguchi · ‎2012-02-19

Does the same thing

You can open entire ports on dmz-wan while if you want to have access to LAN side you can

LAN side and LAN-dmz so traffice can be set which direction can be accessed
From dmz to LAN or LAN to dmz per preference or simple don't touch either of rules and dmz side will 100% isolated from the LAN side

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-

fordem · ‎2012-02-20

Can the DMZ and LAN hosts be in the same subnet?

Give a man a fish, feed him for a day
Teach a man to fish, feed him for life.

Dwarf · ‎2012-02-20

jmizoguchi wrote:
Does the same thing

You can open entire ports on dmz-wan while if you want to have access to LAN side you can

LAN side and LAN-dmz so traffice can be set which direction can be accessed
From dmz to LAN or LAN to dmz per preference or simple don't touch either of rules and dmz side will 100% isolated from the LAN side

@June,

I'm completely agree with you. This should work like you describe it, but if we trust bschorr, this is not the exact behavior of the FVS336G.

I'll make some tests on mine...

@fordem
I'll test that too.

I've definitely stopped to compare Cisco Pix/ASA (even the little 506E or 5505) to Netgear firewalls. It was too hard to go back to netgear firewall's reality

@++
Dwarf

jmizoguchi · ‎2012-02-20

fordem wrote:
Can the DMZ and LAN hosts be in the same subnet?

I don't think it will take it but none the less when dmz-LAN and LAN-dmz rules are used it will route correctly so you can reach the host

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-

bschorr · ‎2012-02-20

jmizoguchi wrote:
DMZ-WAN rules for WAN rules for DMZ
DMZ-LAN rules for network connection between DMZ side and LAN side to allow the traffic

Right - but that's what I've been trying to do. Set up a network on the DMZ port that has access to the WAN but no access to the LAN. I connected the wireless router to the DMZ port but no matter what I do machines that connect to that wireless router can't get out to the WAN.

Maybe there's a setting I'm missing - I guess I'm still going to work with it and try to get it sorted.

jmizoguchi · ‎2012-02-20

should work. I use prosecure UTM but on DMZ side I have few lab testing multiple router to create some network and works fine.

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-

bschorr · ‎2012-03-07

Well, I still can't get it to work from the DMZ. I set the DMZ-WAN rules to ALLOW all ports inbound and outbound and I sent the DMZ-LAN rules to BLOCK all ports inbound and outbound.

Theoretically that should mean that devices connected to the DMZ port should have access to the WAN but not the LAN...however that's not what happens. I still get no access to the WAN from the DMZ (access to WAN from LAN works perfectly).

I can plug the same WiFi router into any of the other LAN ports on the FVS336GV2 and the WAN works perfectly...but then devices on the WiFi can see the rest of the LAN and I don't want them to do that.

Dwarf wrote:
@June,

I'm completely agree with you. This should work like you describe it, but if we trust bschorr, this is not the exact behavior of the FVS336G.

I'll make some tests on mine...

@fordem
I'll test that too.

I've definitely stopped to compare Cisco Pix/ASA (even the little 506E or 5505) to Netgear firewalls. It was too hard to go back to netgear firewall's reality

@++
Dwarf

jmizoguchi · ‎2012-03-07

try testing with gateway of LAN side

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-

Dwarf · ‎2012-03-09

Hi there !!

So yesterday I have activated the DMZ port of my FVS336G.

I configured an IP address for this subnet and configured a "web server".

Then I configured some basic rules on the following security tabs
- DMZ/WAN tab:

Outbound Rules:

HTTP, HTTPS, DNS, FTP, NNTP, PING rules to authorize access to internet for my WebServer (package updates, time protocol, and ping for debugging issue.
Everything is OK for the DMZ->WAN accesses

Inbound Rules:

HTTP rule, to autorize access from Wan side to my webserver. This is the main goal of a webserver

Everything is OK for the WAN -> DMZ accesses. People can connect to my sites without any problem

- LAN/DMZ tab :

Outbound Rules:

only one rule ANY/ANY permit. Indeed, I autorize everything from my LAN to the DMZ !! (this is for test purpose)

Inbound Rules:

SSH, PING and SNMP rules. My webserver can do ssh, ping and snmp request on clients located into the lan side.

Here again, everything works perfectly well in the both side, except one thing => SNMP to LAN IP@ of the router from the DMZ server fails (I'll open another post for that !)

So, bschorr, Internet access from the DMZ-subnet should work for your wireless clients. You're using a wireless routeur as an AP, so your wireless client dont have the same IP@ as the DMZ subnet right ?
Maybe a net issue ? Do you have a sigle AP which one you could test ?

@++
Dwarf

jmizoguchi · ‎2012-03-09

You're using a wireless routeur as an AP, so your wireless client dont have the same IP@ as the DMZ subnet right ?

should not an issues.

VPN Case Study

VPNCASESTUDY.COM

"Our Second To None VPN Related Setup Case Study[/COLOR][/URL]

"One Stop Solution To Your Netgear VPN Connectivity"

*Visit the site for Non-VPN related Doc & Links* [Windows & Mac user/support]

June Mizoguchi-