-   Linux - Networking (
-   -   Do I need another router to firewall (terminate) a fixed ip DSL (

devwink 03-25-2010 12:49 AM

Do I need another router to firewall (terminate) a fixed ip DSL
Hi All,

My question is,
I have a block of 10 fixed i.p.s.

I have a netcomm nb6+4 wireless adsl router that briges the wan and gives me 4 ethernet and up to 8 wireless i.p's.

I have an ethernet router teminating one wan fixed I.P. that I use for office p.c's. 192.168.1.XXX

I have two linux machines on two their fixed i.p's termating on their eternet adaptors (as linux is is a firewall).

My question is this?
If I use the wireless in the dsl router, it appears to be www and is only available by setting the adaptor of a laptop to a fixed i.p. with it's subnet mask/gateway.

Is windows xp firewall enough to have the wireless adaptor terminating the fixed i.p. or should i install another wirelss router after one of the the existing routers just for protection. (behind the ethernet router if i want the laptop on the office lan, or behind the dsl router if i want a new lan subnet.

Thanks for yr advice?

al_bye 03-25-2010 04:00 AM

Hi DevWink

All bit I'm a newbie to Linux but I can assist in your network configuration. You say you have a block of 10IP address's have this been issued by your ISP? I get allocated out a block of 8 IP's from my ISP of which 5 are only usable. I currently sit behind a firewall using NAT and have coded in static NAT rules for certain devices (Easier to manage the internal network). For each of these NAT rule's I've built up access control rules i.e www forwarded to from on the external network.

Are you trying to achieve something like the above. (Sorry I'm only on my first coffee)

devwink 03-25-2010 05:09 AM

Thanks Al Bye,

sorry, I have the same as you, 5 usable,from 8 cant use the first and last and 2nd is gateway..

I have Nat enabled, I can get my wireless to work with one of the fixed i.p's using a 255.255.248 subnet mask and the second lowest as the gateway.

Sorry to sound vague but it is my understanding that the router prtects the computers by blocking all ports and then allowing some.

I would have no idea about how to edit a std scenareo for a nat connection.

Should i use i.p filtering to block by default and start opening ports as required for that i.p

Protocol | Source IP addr| Dest IP addr |Port | Range |Allow Edit
Start| End

sorry to seem vauge ,, i'm a newbie to this

Doesnnt seem to be much in the nat region as far as rules

Thanks again

al_bye 03-25-2010 02:36 PM

Hi Dev,

I need to know what you want to achieve as an end result? If you use the computers for surfacing e-mail downloads etc. then just leave the setup as default. If it's a more complicated environment i.e dedicated e-mail service MailerDaemon or something along those lines then you'd have to setup a PAT rule on the firewall. This means adding a Static internal IP address and assigning and external address. Then redirecting all tcp 110 POP3 traffic to this server. Your firewall may need to be changed as some standard ADSL router/modems can't cope with more than one external IP address.



devwink 03-25-2010 04:18 PM

Thanks Al

I Guess what i'm asking is

my router is set up as the like this: is not used (1st) is the lan ip of the dsl modem is another eternet router behind the dsl modem for 3 office pc's lan is a centos server is a centos server

all i want to do is user the wireless connection on the nb6+4W dsl modem/router.

here, the only thing that works is to use one of my fixed ip addresses at the laptop wireless adaptor.

Q. does a modem/router usually offer any protection by default other than rules set up by the user?

should i use another wireless router (behind the modem)instead of having the fixed i.p at the laptop, as i understand this is briged connection with no router protection...

Thanks again, i can draw a map if that helps

al_bye 03-26-2010 09:25 AM


I've just found the router and Manual online which I've quickly skimming through as I type. It appears that the router you have is more designed for home user than an office but we'll have a go. Firstly I'd like to show the following setup as I would put into a small business suite. If you have the budget then I'd go with below

1. Dedicated Router
2. Firewall
3. 10/100/1000 switch
3. Wireless Access Point

Because the router is in Bridged mode the only way your going to get out on the internet is via an external IP address assignment to anything. What would be better would be to make the router standard dialup router first as it comes out of the packet i.e. dhcp server giving out 192.x address's on lan and WIFI. That'll give all internal lan or wifi computers access to www without an external IP address. The hard part comes with the two servers you've got the option of using virtual servers in the advanced section of the firewall this will allow you to use port forwarding to certain address internal major draw back is that you'd have to use the external ip address of the firewall in order to accomplish this and change any dns records etc out in the wild.

You going to struggle with what you want to achieve with this router. Throwing more equipment at this problem is going to cause an nightmare administration job. As I siad I'd go with the solution I added above moeny permitted there are a few cheap firewalls out on the market you already have a router and then you need to create a backbone on your lan again very cheap switches out there and very cheap access points.

Sorry I can't really progress on this any further. I'll try and find an alternative way of doing during reading the manual.

devwink 03-27-2010 06:26 AM

Thanks Al,
I think yr right,
I'll look at yr setup as i have another wireless router.

everything works fine at the mom, all the the wan I.P addresses are available after the modem.

some terminate at servers ,

One happens to be a laptop on the wireless in the router.

I just need to know if it is technically safe to have the laptop aligned to the www as far as not having any router functions in front as to my understanding, the router briges all the wan i.p's to the ethernet/wireless ports.
Are all routers doing nothing really to the access unless rules are set?

Thanks again for all yr help.


al_bye 03-28-2010 01:48 PM


The most safest place for any computer is without any sort of network attached to it... I assume the laptop is of Windows OS. My personel and professional view anything out on the web should be behind a firewall. Unfortunatley we have gone of the day's of compuserve and such like. Not neccesary because of hacking etc more for your privacy. If the laptop needs to sit on an external IP the first thing to do is switch netbios off via the registry search google for you OS. Obvouisly make sure your AV and Malware protection is on and disable any shares. There are pieces of software out there which can mask IP and MAC address's you'll have to search for them as I can't make recommendations.

Good Luck

devwink 03-29-2010 07:49 AM

Thanks Al,

That's what I was unsure about. Happy to know i was a bit on the right track and that there is a difference between public i.p's (without and without using a router).

For the $80 (Aus.. we pay double for stuff) , i'll put a wireless router in place of the office network router and I can then share printers and files on windows network.

Thanks so much for your help as always



All times are GMT -5. The time now is 10:57 AM.