Re: Firewall/Router



Leaving NAT on the DSL router and putting the firewall between it and the
server was what I originally tried; unfortunately I lost internet access,
panicked and returned everything to normal, hence my original comment on
setting the mode to bridge.

For clarity, here is approximately what I tried:

DSL WAN:
IP: static IP provided by ISP

DSL LAN:
IP 192.168.1.1
MASK : 255.255.255.0

Firewall WAN:
IP 192.168.1.2
MASK 255.255.255.0
Gateway 192.168.1.1

Firewall LAN
IP 192.168.16.2
MASK 255.255.255.0

With DHCP only on the SBS (SBS IP 192.168.16.1, 255.255.255.0).

Various NAT was set up on the DSL Router, and exactly the same port
forwarding was set up on the firewall, only it was looking at the source and
destination IPs, so if the inbound data in the firewall was being sent to
192.168.16.5:1000 it was then forwarded to 192.168.16.5:1000 by the firewall
(the default for the firewall is to expect everything being sent to the WAN
IP, so if it is not (due to the DSL router changing it), the IP must be
specified). (I think probably here I should have had the DSL router forward
everything to the firewall WAN IP).

The NAT was largely irrelevant at this stage though as it was outbound
internet access that stopped. I assumed it was because the server had the
wrong IP address for the gateway. I tried both 192.168.16.2 and
192.168.1.1, both to no avail.

Does this look like the correct approach to you?

Thanks.

"Joe" <joe@xxxxxxxxxxxxxx> wrote in message
news:%232U%230%23rnGHA.4728@xxxxxxxxxxxxxxxxxxxxxxx
JosephByrns wrote:
> I have an ADSL router (with static IP address), which uses NAT to pass
> various stuff around.
>
> I have just bought a Firewall/Router (DLink DFL-700), which I would like
> to place between the ADSL router and the network.
>
> So my questions:
>
> Do I need to configure the ADSL router as a bridge connection?

No. You can, but you don't need to. Leaving it doing NAT will
probably be more useful.

A DSL router doing NAT, connected to an additional firewall and/or
router is a perfectly normal situation, and will cause no difficulty
with most protocols. IPSec may be difficult, and in any case is best
handled at the firewall level rather than terminated on an internal
machine. On-line games protocols that rely on port triggering will
have trouble, but they have no place in an SBS LAN anyway.

You obviously have more to do to let the outside world reach your
server, but this is no big deal. Exactly what you do depends on
whether you want the new machine to also do NAT. It doesn't need
to, but doing so provides a slight extra layer of protection if
the DSL router gets compromised. Without NAT, the DSL router will
need a static route configured to reach the LAN, and this would
also allow a cracker an easy way in. DSL box compromise is fairly
rare, and it is not worth making the NAT decision just on that
basis. On the other hand, you may wish to use the additional DMZ
formed between the two routers to place a high-risk public server,
such as web or FTP, and NAT at the inner router would definitely
be worth doing then.

You probably have different logging and firewalling facilities on
the two machines, and therefore more flexibility in doing both.
There's all kinds of pros and cons, before we even consider the
second NIC in the SBS...
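As an added illustration (not code from either poster), here is a small Python model of the two-router layout discussed in this thread. It uses the addresses given above (192.168.16.1 for the SBS, 192.168.16.2 and 192.168.1.2 for the DFL-700, 192.168.1.1 for the DSL router) and the documentation ranges 203.0.113.0/30 and 198.51.100.0/24 as stand-ins for the ISP link and an outside web server, which the thread does not give. It traces one outbound packet and its reply through each box's routing table and NAT, and shows three things the posts describe in words: a gateway of 192.168.1.1 is unusable from the 192.168.16.0/24 subnet, NAT on the firewall makes the reply path work on its own, and without that NAT the DSL router needs the static route Joe mentions or the reply is lost upstream. Inbound port forwarding is not modelled, and connection tracking is reduced to a source/destination pair.

```python
import ipaddress

# Only real RFC 1918 space counts as "inside" for masquerading; Python's
# is_private would also flag the documentation ranges used below.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Node:
    """A host or router: interface addresses, routing table, optional masquerade address."""

    def __init__(self, name, addrs, routes=(), masquerade=None):
        self.name = name
        self.ifaces = [ipaddress.ip_interface(a) for a in addrs]
        self.routes = [(ipaddress.ip_network(p), ipaddress.ip_address(g)) for p, g in routes]
        self.masq = ipaddress.ip_address(masquerade) if masquerade else None
        self.conntrack = {}  # (translated src, dst) -> original src, to un-NAT replies

    def owns(self, ip):
        return any(i.ip == ip for i in self.ifaces)

    def iface_for(self, ip):
        """Interface whose subnet contains ip, or None if ip is not on-link."""
        return next((i for i in self.ifaces if ip in i.network), None)

    def next_hop(self, dst):
        """(gateway, outgoing interface) or None. Connected subnets win, then longest prefix."""
        i = self.iface_for(dst)
        if i is not None:
            return dst, i
        candidates = [(net, gw) for net, gw in self.routes if dst in net]
        if not candidates:
            return None
        _, gw = max(candidates, key=lambda r: r[0].prefixlen)
        i = self.iface_for(gw)
        return (gw, i) if i is not None else None  # a gateway off every subnet is unusable


def trace(nodes, start, src, dst):
    """Forward one packet hop by hop. Returns (hop log, status, src as seen at the end)."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    by_ip = {i.ip: n for n in nodes for i in n.ifaces}
    node, hops = start, []
    for _ in range(16):
        if node.owns(dst):
            orig = node.conntrack.get((dst, src))
            if orig is None:
                hops.append(f"{node.name}: delivered to {dst}")
                return hops, "delivered", src
            hops.append(f"{node.name}: un-NAT {dst} -> {orig}")  # reply to a masqueraded flow
            dst = orig
        hop = node.next_hop(dst)
        if hop is None:
            hops.append(f"{node.name}: no usable route to {dst}")
            return hops, f"dropped at {node.name}", src
        gw, out = hop
        if node.masq is not None and out.ip == node.masq and any(src in n for n in RFC1918):
            node.conntrack[(node.masq, dst)] = src
            hops.append(f"{node.name}: SNAT {src} -> {node.masq}")
            src = node.masq
        hops.append(f"{node.name}: {src} -> {dst} via {gw}")
        node = by_ip.get(gw)
        if node is None:
            return hops, f"next hop {gw} unreachable", src
    return hops, "ttl exceeded", src


def build(sbs_gateway, firewall_nat, dsl_static_route):
    """Thread topology; 203.0.113.0/30 and 198.51.100.10 are constructed stand-ins."""
    sbs = Node("sbs", ["192.168.16.1/24"], [("0.0.0.0/0", sbs_gateway)])
    fw = Node("firewall", ["192.168.16.2/24", "192.168.1.2/24"], [("0.0.0.0/0", "192.168.1.1")],
              masquerade="192.168.1.2" if firewall_nat else None)
    dsl_routes = [("0.0.0.0/0", "203.0.113.1")]
    if dsl_static_route:
        dsl_routes.append(("192.168.16.0/24", "192.168.1.2"))  # the route Joe refers to
    dsl = Node("dsl", ["192.168.1.1/24", "203.0.113.2/30"], dsl_routes, masquerade="203.0.113.2")
    internet = Node("internet", ["203.0.113.1/30", "198.51.100.10/24"])
    return [sbs, fw, dsl, internet]


def scenario(sbs_gateway, firewall_nat=False, dsl_static_route=False, verbose=False):
    """Send SBS -> web server and the reply back; returns (outbound status, reply status)."""
    nodes = build(sbs_gateway, firewall_nat, dsl_static_route)
    sbs, internet = nodes[0], nodes[-1]
    hops, status, seen_src = trace(nodes, sbs, "192.168.16.1", "198.51.100.10")
    if status != "delivered":
        return status, "not sent"
    back, reply_status, _ = trace(nodes, internet, "198.51.100.10", seen_src)
    if verbose:
        print("\n".join(hops + back))
    return status, reply_status


if __name__ == "__main__":
    print(scenario("192.168.1.1", verbose=True))                        # gateway off-subnet
    print(scenario("192.168.16.2", firewall_nat=True, verbose=True))    # NAT on both boxes
    print(scenario("192.168.16.2", verbose=True))                       # no NAT, no route back
    print(scenario("192.168.16.2", dsl_static_route=True, verbose=True))
```

The third scenario is the failure the original poster saw when outbound access stopped with no NAT on the inner box: the packet goes out, but the DSL router has no route for 192.168.16.0/24, so it hands the reply to its default gateway and the ISP drops it. Either masquerading on the firewall or the static route on the DSL router fixes the return path.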
