VPN Case Study Banner

Service Vertical Line Case Studies Vertical Line Technical Docs Vertical Line FAQ Vertical Line URL Links Vertical Line Nav Blank Vertical Line Netgear Demo Vertical Line NETGEAR Forum


Using Multi-NAT with the FVX538 or FVS338 ProSafe VPN Firewall

Security: Comparing NAT, Static Content Filtering, SPI, and Firewalls

Using NAT with NETGEAR products, accessing the Internet

Last update on Tuesday, January 19, 2010

Firewall on Routers

Stateful Packet Inspection (SPI) - Read more

In computing, a stateful firewall (any firewall that performs stateful packet inspection (SPI) or stateful inspection) is a firewall that keeps track of the state of network connections (such as TCP streams, UDP communication) travelling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.
Early attempts at producing firewalls operated at the application level of the seven-layer OSI model but this required too much CPU speed. Packet filters operate at the network layer (layer-3) and function more efficiently because they only look at the header part of a packet. However, pure packet filters have no concept of state as defined by computer science using the term finite state machine and are subject to spoofing attacks and other exploits.

Classic Routing

Select NAT if your ISP has assigned only one IP address to you. The computers that connect through the router will need to be assigned IP addresses from a private subnet (example: If your ISP has assigned an IP address for each of the computers that you use, select Classic Routing.

Network Address Translation (NAT) - Read more

In computer networking, network address translation (NAT, also known as network masquerading, native address translation or IP masquerading) is a technique of transceiving network traffic through a router that involves re-writing the source and/or destination IP addresses and usually also the TCP/UDP port numbers of IP packets as they pass through. Checksums (both IP and TCP/UDP) must also be rewritten to take account of the changes. Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address (see gateway). Nonetheless, NAT can introduce complications in communication between hosts and may have a performance impact.


NAT Routers are usually also DHCP clients too. As we've seen, NAT routers contain a DHCP server that is used to automatically configure their client computers on the LAN. But many NAT routers are also DHCP clients of the public Internet ISP.
When the NAT router is powered up, it broadcasts its own DHCP query out of its WAN-side network interface asking the Internet ISP to assign it an available public Internet IP address and to provide it with any other information it will need for communicating over the ISP's network.
This comes into play in "multi-router networks" since the "internal" NAT router will be a DHCP server to the client machines on its LAN, and it will simultaneously be a DHCP client to the external NAT router which serves as its DHCP server.

NAT Diagram

Putting it all together . . .

We can distill all of the information above into three simple rules:

  •  Unless your ISP requires non-DHCP configuration for your primary external NAT router, or you have special needs for establishing fixed addresses for specific machines within your network, you may use your NAT router's built-in DHCP server and client to automatically assign and establish all IP addresses within your network.
  • Every NAT router must be configured to use blocks of non-public, private IP addresses shown in the table above.
  • Routers decide whether to route local data packets "upstream", out of their WAN port based upon whether or not the packet's destination IP address falls within the local LAN address range. Therefore, the IP address assigned to a router's WAN port must lie outside the address range the router is using for its LAN-side addresses.

Following these two simple rules, a typical two-router configuration could be setup with the external NAT router configured to issue LAN addresses in the 192.168.1.* range and the internal router configured to issue its LAN addresses from the non-overlapping range 192.168.2.*.

Since the internal router's DHCP client would receive an address for its WAN port from the external router's LAN range (192.168.1.*), no address it receives — where the third address byte is "1" — could possibly conflict with any of the 192.168.2.* addresses it will be assigning to its own machines. Therefore the internal router will always be able to determine whether data packets are bound for other machines within its LAN, or need to be "routed" out of its WAN port.

If your routers allow the third number of their LAN networks to be user-specified and configured (as all routers we've seen do), while assigning the final address byte automatically as needed, you can sequentially and uniquely number every NAT router within your network (of any complexity), and use that number as the third address byte assigned to machines within that router's LAN network. In this way, EVERY computer will have a unique private address, none of the private LAN networks will be overlapping, and there will never be any collision with the Internet's public IP space.

Firewall on PC

Disabling Conflicting Firewalls Such as Windows XP, McAfee, Norton, or Zone Alarm

Often two firewalls on the same LAN conflict. Both are trying to do the same job; the conflict may cause an otherwise good Internet connection to drop. If this happens, use the NETGEAR firewall, and disable the other. Two situations are described here, but the general approach applies to any firewall active on a NETGEAR LAN.

How Are a Computer's or a Router's Ports Secured?

As described in How is Port Forwarding Configured?, software ports are numbered connections that computers and routers use to tell one type of network traffic from another. For data to pass to or from the Internet, there must be an open port for that traffic on your computer or router.

A port can be attacked when it is open. Generally, it cannot be attacked when closed. Therefore, to protect your computers, the tasks are to protect the ports that are open, and close the ones that are not used. NETGEAR routers can easily be configured to open or close ports. Depending on the router, there additional features to secure ports as well. The document "How is Port Forwarding Configured" (above) explains one of the important ways to secure ports to the Internet.

By default, with NETGEAR, all ports to the Internet, and most ports to your LAN are closed. A few LAN-side ports are open — such as FTP and HTTP — since they are needed for basic router connectivity.

Ports can be controlled by hardware such as a router, or by software firewalls. NETGEAR firewall routers are fast, do not slow your computers, and often have more features than a software firewall. Software firewalls, such as the one included in Windows XP, may conflict with a hardware firewall, resulting in problems such as loss of connectivity. Generally, NETGEAR recommends not using software firewalls.

Even with a NETGEAR firewall router in place, other security issues exist:

  • When a port is open, the software using that port can be attacked. Therefore anti-virus programs, and installing critical security updates for your operating system and other software are still absolutely critical.
  • Hackers will probe your network frequently to see whether there is a problem with the way you have secured your ports. Here are three programs to test if your router or computer's ports are secure. The first gives the simplest "good / bad" results.

Since these programs are concerned with any possible threat, they may report things that are in practice usually safe. For example, although the Sygate and Gibson sites note ports that are not "stealthy", in practice ports that are "just" closed are usually quite secure

Important Note for GRC's ShieldsUP! (below information should apply for all online security check)

The GRC port scan is not scanning the actual PC, but the hardware firewall of either the Wild Blue modem or the NOC from Wild Blue.

Therefore, GRC's tests are seeing the gateway not your computer.

Testing of satellite ISPs goes thru the NOC IP address and not the user computer's IP address. The individual user computers are not visible on the Internet under satellite protocol. The external IP/public IP address is that of the satellite NOC and your computer IP address is protected in most cases from being "visible".

GRC was designed for cable, DSL, dialup, etc., and should not be used to determine satellite ports being open or closed. GRC was there long before satellite became an entity and before popularity of satellite users.

GRC's port scan reports most ports open for satellite ISPs such as WildBlue, Hughes, DirecWay.

© 2006~2010 VPN Case Study | All Rights Reserved |

Disclaimer: This site has no relationship with Netgear Corporation nor sponsored and endorsed by Netgear Corporation to post these informations. If you feel that this site has represent in manner which does not correspond to "

Trademark & Advertising Guidelines" (section II-B) , please E-mail i....@vpncasestudy.com