Old 07-18-2007, 11:41 PM   #1
tsaravan
Member
 
Registered: Jun 2005
Location: India
Posts: 101

Rep: Reputation: 15
firewall help


Dear All,

We have a squid proxy server (IP 192.168.0.1) and a broadband modem connected to it. Now we have purchased a NetGear VPN box for connecting to our HO's (class B network) intranet, and they too have a NetGear VPN box for this purpose. We have tested the broadband modem connecting to the NetGear VPN with IP range 192.168.1.0/24. In this situation I want help to configure the firewall on the Squid proxy server so that when a user wants to access the intranet, e.g. http://abc.xxx.yyy.zzz, it is routed through the NetGear VPN box, and when a user wants to access the internet it is routed through the Squid proxy server.

I request you to please note the situation of the IP addresses and advise me how to configure the firewall and also what changes I may have to make, and also whether there is any better solution given the above scenario.

regards,

T. Saravana
 
Old 07-19-2007, 01:03 AM   #2
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
Normally, each site is on a different subnet. A route to the other subnet (location) will use the VPN box as the gateway device. The default gateway on your site will be your proxy server.

So your local LAN might be on 192.168.0.0/24 and the other site 192.168.1.0/24. The other site may have its own proxy/gateway at 192.168.1.1. So you don't need to go through the proxy server. Just connect both to the router.

I wasn't certain from your post if you have two modems, one for the intranet and one for the internet, or if you have a single router with more than one internet IP address, or are you using the squid server's firewall to NAT IP addresses? I don't know how internet access is sold in India. In the US, there are two types of service: residential, with lower upload speed than download speed and a single IP address (which may not be permanent), and commercial, with higher upload speeds and at least 3 fixed internet IP addresses.

If you have two modems then I think what I already suggested would work best.

If you have one modem but a dedicated internet IP address for the VPN device, then installing a switch between the modem and the VPN & Squid WAN ports would work out best.

If you have one modem and only one IP address, then forward traffic for vpn (1194 tcp/udp) to the interface for the VPN device. I think a dnat rule could do this. You only have one possible destination, so the connection doesn't need to be tracked.

You could make things very easy by using a router and forwarding traffic for port 1194 to the VPN device. The rest of the traffic would go to the squid server. If your network isn't too large (as the 192.168. network addresses tend to indicate) a NAT router might do. (I'm assuming your device uses the openvpn port that is listed in /etc/services. It may use a different port.)

I'm sorry I'm not a squid or iptables expert. My main points are 1) use different subnets for each site. 2) bypass the squid proxy for the VPN traffic. The squid server has enough to do dealing with internet traffic.

Last edited by jschiwal; 07-19-2007 at 01:07 AM.
 
Old 07-19-2007, 01:26 AM   #3
tsaravan
Member
 
Registered: Jun 2005
Location: India
Posts: 101

Original Poster
Rep: Reputation: 15
Thank you very much for your reply.

We have on our side only one modem with one IP. Our network range is 192.168.0.0/24 presently, and for some reasons we are able to connect to our HO through the VPN box for the intranet only with the 192.168.1.0/24 IP range. So I do not want to change the whole client side to the 192.168.1.0/24 IP range just to access the intranet. In this situation I need help so that when a user wants to access the intranet it is routed through the VPN box, and when a user wants to access the internet it is routed through the Squid proxy on IP 192.168.0.1. Right now we are not running any firewall.

I hope I am clear now and would need an appropriate solution.

regards,

T. Saravana

 
Old 07-19-2007, 05:28 AM   #4
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
I'm not sure I got everything from your last message.

Your local lan is using a 192.168.0.0/24 network. The HO uses a 192.168.1.0/24 network.

If you try to access a computer on the 192.168.1.0 network, it needs to travel through the VPN device.
The default gateway is 192.168.0.1.
Is this correct?

You didn't state the address of the VPN device (on the local side) so I'll assume it is 192.168.0.2 for example sake.

Code:
/sbin/route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.0.0     *               255.255.255.0   U     0      0        0 eth0
loopback        *               255.0.0.0       U     0      0        0 lo
192.168.1.0     192.168.0.2     0.0.0.0         UG    0      0        0 eth0
default         192.168.0.1     0.0.0.0         UG    0      0        0 eth0
The third route is for the VPN device. Any attempt to access a host on the 192.168.1.0/24 network will be directed to the VPN device. The default route is used for internet access, and the squid server is the gateway.

Could you post the model number and a link to information on the vpn device. I'm wondering if it could pass through non-vpn traffic.

Last edited by jschiwal; 07-19-2007 at 05:41 AM.
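A small helper, added here as an example and not part of the thread, that plans the client-side routes post #4 describes (HO subnet via the VPN box, everything else via the squid box) and enforces post #2's rule that the two sites must use different subnets. The VPN box address 192.168.0.2 is the assumed value from post #4; the pick_gateway function only simulates longest-prefix matching for /24 networks so you can check a destination before touching a live routing table.

```shell
#!/bin/sh
# Added example, not from the thread: plan and check the static routes that send
# head-office intranet traffic to the VPN box while the squid box stays the default.
LAN_NET="192.168.0.0/24"   # local office LAN
HO_NET="192.168.1.0/24"    # head office intranet reached through the VPN box
VPN_GW="192.168.0.2"       # assumed LAN address of the NetGear VPN box
DEFAULT_GW="192.168.0.1"   # squid proxy server, the default gateway

# in_net IP NET : succeed if IP lies inside NET (only /24 networks are handled)
in_net() {
    net=${2%/*}
    [ "${1%.*}" = "${net%.*}" ]
}

# check_plan : refuse the configurations the thread warns about
check_plan() {
    [ "$LAN_NET" != "$HO_NET" ] || { echo "sites must use different subnets" >&2; return 1; }
    in_net "$VPN_GW" "$LAN_NET" || { echo "VPN box $VPN_GW is not on $LAN_NET" >&2; return 1; }
    in_net "$DEFAULT_GW" "$LAN_NET" || { echo "gateway $DEFAULT_GW is not on $LAN_NET" >&2; return 1; }
}

# route_plan : print the ip(8) commands a client needs, one per line
route_plan() {
    check_plan || return 1
    echo "ip route replace $HO_NET via $VPN_GW"
    echo "ip route replace default via $DEFAULT_GW"
}

# pick_gateway IP : the next hop the plan gives a destination
# (longest prefix wins: LAN is on-link, HO goes via the VPN box, the rest via default)
pick_gateway() {
    if in_net "$1" "$LAN_NET"; then echo "direct"
    elif in_net "$1" "$HO_NET"; then echo "$VPN_GW"
    else echo "$DEFAULT_GW"
    fi
}

# apply_plan : run the planned commands; must be run as root on the client
apply_plan() {
    route_plan | while read -r cmd; do $cmd || return 1; done
}
```

Run route_plan first to review the commands, then apply_plan as root; afterwards `ip route get 192.168.1.10` on the client should report 192.168.0.2 as the next hop.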
 