Re: Firewall/Router
- From: Joe <joe@xxxxxxxxxxxxxx>
- Date: Mon, 03 Jul 2006 21:38:50 +0100
Joseph Byrns wrote:
Leaving NAT on the DSL router and putting the firewall between it and the server was what I originally tried, unfortunately I lost internet access, panicked and returned everything to normal, hence my original comment on setting the mode to bridge.
For clarity, here is approximately what I tried:
DSL WAN:
IP: static IP provided by ISP
DSL LAN:
IP 192.168.1.1
MASK : 255.255.255.0
Firewall WAN:
IP 192.168.1.2
MASK 255.255.255.0
Gateway 192.168.1.1
Firewall LAN
IP 192.168.16.2
MASK 255.255.255.0
With DHCP only on the SBS (SBS IP 192.168.16.1, 255.255.255.0).
Various NAT was set up on the DSL Router, and exactly the same port forwarding was set up on the firewall, only it was looking at the source and destination IPs, so if the inbound data in the firewall was being sent to 192.168.16.5:1000 it was then forwarded to 192.168.16.5:1000 by the firewall (the default for the firewall is to expect everything being sent to the WAN IP, so if it is not (due to the DSL router changing it), the IP must be specified).
(I think probably here I should have had the DSL router forward everything to the firewall WAN IP).
You can certainly do that, and it simplifies some things, but you're
then passing all the rubbish to the firewall to deal with. It will,
but if you have firewalling capability in your first line of defence,
and NAT is certainly a primitive form of it, then it makes sense to
use it. Everything you repel at one stage in the chain is one less
risk further in. The principle of least privilege suggests that only
required ports should be forwarded.
The NAT was largely irrelevant at this stage though as it was outbound internet access that stopped. I assumed it was because the server had the wrong IP address for the gateway. I tried both 192.168.16.2 and 192.168.1.1, both to no avail.
Does this look like the correct approach to you?
There's a routing issue. You have the choice of doing NAT on the
firewall or not. If you do, then the port forwarding must be the
same on both routers i.e. DSL router forwards incoming port 25 to
192.168.1.2, firewall then forwards it to 192.168.16.1. The SBS
has a default gateway of 192.168.16.2 and the firewall has a DG
of 192.168.1.1. SBS doesn't need to know about the 192.168.1.0
network and the DSL router doesn't need to know about 192.168.16.0.
That's the magic of NAT. I'd make a guess that NAT was not enabled
on the firewall during your trial.
If you don't use NAT on the firewall, you need to set up standard
TCP/IP routing. You forward ports directly from the DSL router to
the SBS, and don't need forwarding on the firewall, as it's acting
as a plain router. However, you must tell the DSL router where the
SBS is, or it will assume the 192.168.16.0 network is the other side
of its own default gateway, which should have been assigned by the
ISP by DHCP. Again, this is a reason for using NAT on the DSL box
as it is then the only machine which needs to know your public IP
address and the ISP's default gateway, and it should get both of
these automatically.
The firewall will route messages between the 192.168.1.0 and
192.168.16.0 networks, but only if those messages are actually sent
to it. You would need a static route on the DSL router stating that
the gateway to network 192.168.16.0/24 is address 192.168.1.2. The
counterpart to this rule would be either a default gateway for the
SBS of 192.168.16.2 or a default gateway of 192.168.1.1 and a static
route showing 192.168.16.2 as the gateway to 192.168.1.0/24.
The secret to TCP/IP routing is to make sure each machine knows where
to send things *in both directions*. Even the humble ping must not
only get to its destination, but the reply must get back. If something
isn't working, the first thing to establish is whether the initial
connection is being blocked, or the reply.
Everything that does TCP/IP routing uses a table of some kind, trying
destination addresses against successive entries until it gets a
match. They're not trivial for a human to read, but not that difficult
either, and are often the only way of solving a routing problem. On a
Windows machine, open a command prompt and type: route print
Network appliances like firewalls normally have a web interface, and
the routing table should be available for inspection on one of the
more obscure pages, probably among diagnostics. Firewalls and sometimes
DSL routers can keep logs of successful and unsuccessful connections
(Windows itself can do this, enabled by policy) and this is another
way of seeing what is going on. There are also network monitoring
utilities, but these tend to have a steep learning curve.
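To illustrate the point about routes having to work in both directions, here is a small routing-table simulator I have added for this thread; it is my own example, not code from either poster. It models the no-NAT-on-the-firewall layout described above (SBS 192.168.16.1, firewall 192.168.16.2/192.168.1.2, DSL router 192.168.1.1) with longest-prefix lookups like those in `route print`, and traces a ping from the SBS to the DSL router and its reply, first without and then with the static route for 192.168.16.0/24 on the DSL router. The ISP-side addresses (203.0.113.x) are constructed placeholders, and NAT is deliberately not modelled.

```python
"""Toy routing-table simulator for the two-router layout in the thread (added example)."""
import ipaddress

# Constructed placeholder for the ISP-assigned default gateway; not from the thread.
ISP_GW = "203.0.113.1"


class Node:
    """A host or router: its interface addresses, connected nets, and static routes."""

    def __init__(self, name, ifaces, routes=(), default=None):
        self.name = name
        parsed = [ipaddress.ip_interface(i) for i in ifaces]
        self.addrs = {p.ip for p in parsed}
        # Directly connected networks come from the interface addresses (next hop None).
        self.routes = [(p.network, None) for p in parsed]
        # Static routes: (destination network, next-hop address).
        self.routes += [(ipaddress.ip_network(n), ipaddress.ip_address(nh)) for n, nh in routes]
        self.default = ipaddress.ip_address(default) if default else None

    def next_hop(self, dst):
        """Longest-prefix match. Returns the address to hand the packet to on the wire:
        dst itself if directly connected, the next hop otherwise, None if no route."""
        dst = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return self.default
        return dst if best[1] is None else best[1]


class Network:
    """A set of nodes; packets are handed between nodes by the address they own."""

    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}
        self.owner = {a: n for n in nodes for a in n.addrs}

    def trace(self, src_node, dst, max_hops=8):
        """Follow a packet from node `src_node` toward `dst`; returns (delivered, path)."""
        dst = ipaddress.ip_address(dst)
        node = self.nodes[src_node]
        path = [node.name]
        for _ in range(max_hops):
            if dst in node.addrs:
                return True, path
            hop = node.next_hop(dst)
            if hop is None:
                path.append("no route")          # dropped on this box
                return False, path
            if hop not in self.owner:
                path.append(f"out via {hop}")    # left the modelled network (ISP side)
                return False, path
            node = self.owner[hop]
            path.append(node.name)
        return False, path + ["loop"]

    def round_trip(self, src_addr, dst_addr):
        """Trace request and reply separately, the check the thread recommends."""
        src = self.owner[ipaddress.ip_address(src_addr)].name
        dst = self.owner[ipaddress.ip_address(dst_addr)].name
        return {"forward": self.trace(src, dst_addr), "reply": self.trace(dst, src_addr)}


def build(dsl_static_route):
    """The no-NAT-on-the-firewall layout: firewall acts as a plain router."""
    sbs = Node("SBS", ["192.168.16.1/24"], default="192.168.16.2")
    fw = Node("firewall", ["192.168.1.2/24", "192.168.16.2/24"], default="192.168.1.1")
    dsl_routes = [("192.168.16.0/24", "192.168.1.2")] if dsl_static_route else []
    # DSL router WAN address is a constructed placeholder as well.
    dsl = Node("DSL", ["192.168.1.1/24", "203.0.113.10/24"], routes=dsl_routes, default=ISP_GW)
    return Network([sbs, fw, dsl])


if __name__ == "__main__":
    for static in (False, True):
        result = build(static).round_trip("192.168.16.1", "192.168.1.1")
        print(f"static route on DSL: {static}")
        print("  request:", result["forward"])
        print("  reply:  ", result["reply"])
```

Without the static route the request reaches the DSL router, but the reply is sent out of the ISP-facing default gateway and never comes back, which is exactly the "initial connection or the reply" question the thread suggests asking first.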