LinuxQuestions.org
Old 06-29-2007, 12:46 AM   #1
Gortex
Member
 
Registered: Nov 2005
Location: Enid Ok
Distribution: ubuntu 64 , debian , fedora core , vista ultimate 64, Winows 7 64 ultimate :p
Posts: 219

Rep: Reputation: 30
Router and Firewall config question


This is the question:
I have a router from Linksys to network my computers and some other devices, and I am wanting to install a firewall. I have decided the best way to do this for me physically is to put the firewall between the cable modem and the router. Now my question is this: how will the router interact with the firewall to route the appropriate packets to the computers (static IP addresses, btw)?

Cable Modem ----Firewall --- Router -----Intranet

Do I just set the router to look for the firewall as the gateway?


Almost forgot I have to have the router as a wireless access point for my wife's computer.

Last edited by Gortex; 06-29-2007 at 12:53 AM.
 
Old 06-29-2007, 03:51 AM   #2
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 2,477
Blog Entries: 2

Rep: Reputation: 982
cablemodem[gw1.address]---[fw1.address]Firewall[fw2.address]--->

>---[rt1.address]WiFiRouter[rt2.address]---{subnet}

Firewall:
default gateway=gw1.address

WiFiRouter:
default gateway=fw2.address

{subnet hosts} (including wireless):
default gateway=rt2.address

any [x]---[y] pair of addresses should belong to different networks, e.g.:
192.168.168.0/24
192.168.1.0/24
10.0.0.0/24
or similar.
;-)
further questions (You're welcome.)?
 
Old 06-29-2007, 03:58 AM   #3
Gortex
Member
 
Registered: Nov 2005
Location: Enid Ok
Distribution: ubuntu 64 , debian , fedora core , vista ultimate 64, Winows 7 64 ultimate :p
Posts: 219

Original Poster
Rep: Reputation: 30
No, that about sums it up. But I am not really subnetting anything right now; the IP addresses are just

x.x.x.x (ISP-provided static address)
192.168.1.1 (router - internal gateway address)
x.x.x.2 (file server)
x.x.x.3 (my computer)
x.x.x.4 (other computer)
etc., etc.
 
Old 06-29-2007, 05:31 AM   #4
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 2,477
Blog Entries: 2

Rep: Reputation: 982
If You don't subnet it, the routing host will get confused and might fail to properly route the packets.

Subnetting is a way for the respective kernels to guess the right paths for incoming packets 'out of the box'.

If You _must_ avoid subnetting (I don't recommend it) then You _have_ to add static default routes for every host involved in the chain.

I recommend You to try the subnetworking way.
 
Old 06-29-2007, 05:46 AM   #5
Gortex
Member
 
Registered: Nov 2005
Location: Enid Ok
Distribution: ubuntu 64 , debian , fedora core , vista ultimate 64, Winows 7 64 ultimate :p
Posts: 219

Original Poster
Rep: Reputation: 30
The only reason I have not subnetted the network is this:

the gateway address is 192.168.1.1
there are only 10 devices on the network atm, ranging from x.x.1.2 to x.x.1.12

so I didn't really see a reason to sub it.
I should also add, this is for a home setup and not a business.

I am not using the router to make multiple physical networks; it's just forwarding the packets
from the cable modem to the respective computers (it's a Linksys WRT54G router).

So what you are saying is, if I don't sub it and add a firewall, the router will get confused?
Not for sure if I am following what you are saying.

I thought the only time you needed to really subnet something was if you were trying to
divide 2 physical networks, say (accounts) (management).

Last edited by Gortex; 06-29-2007 at 07:08 AM.
 
Old 06-30-2007, 12:48 AM   #6
rossonieri#1
Member
 
Registered: Jun 2007
Posts: 359

Rep: Reputation: 34
Hi Gortex,

From yours:
"Now my question is this how will the rotuer interact with the fire wall to route the approriate packets to the computers ( Static IP address btw)"

Are those IPs from your ISP?
If not, then you should do NAT.

There are 2 kinds of network operation:
1. bridging mode,
2. routing mode (NAT).

If you have those static IPs from your ISP, then you can directly bridge your connection to your end computer. From your end computer's perspective, the default gateway will be your ISP.

If you don't have them, then you can do routing/NAT mode (thus you need a different subnet) either from your edge FW or your middle router, or it can be BOTH (the last is a bit complicated). From your end computer's perspective, the default gateway will be your router.

Or you can do the same bridging technique on your router (if supported).

The DNS server can just be pointed to your ISP.

HTH.

Last edited by rossonieri#1; 06-30-2007 at 12:49 AM.
 
Old 06-30-2007, 01:00 AM   #7
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
What kind of router do you have? If it is a NAT router, then you already have a firewall. The router can't forward a connection if you haven't already started it from the inside. It simply has no way of knowing which IP to forward it to and has to drop it.

You need to use subnetting to perform routing between two connections. I once used my laptop to forward traffic to my wireless router. The wired subnet was 192.168.1.0/255.255.255.128. The wireless subnet was 192.168.1.128/255.255.255.128.
Then I could configure the routes so that it would use eth0 for the wired subnet and wlan0 for the wireless subnet.
I even gave each network a name in /etc/networks. The NAT function was supplied by the router, so I didn't need to add any iptables rules. (The desktop & printer used the DHCP server from another wired Linksys router/switch.)
 
Old 06-30-2007, 01:36 AM   #8
Gortex
Member
 
Registered: Nov 2005
Location: Enid Ok
Distribution: ubuntu 64 , debian , fedora core , vista ultimate 64, Winows 7 64 ultimate :p
Posts: 219

Original Poster
Rep: Reputation: 30
It's just a store-bought Linksys router, and yes it does have a firewall built into it, but with no configuration options. I wanted to install a firewall past the router, so I could get a better understanding of how firewalls work.

Also, if I set the router to routing mode over gateway mode it opts to use ARP.

The only thing I am not understanding exactly is why I should subnet the devices onto different networks. Dividing them into 2 separate networks doesn't really make any sense to me, being that I have plenty of addresses for hosts when I don't see having more than 10 devices connected to my network.

Also, the only real reason the router even exists atm is to provide a WAP for my wife's wireless connection.

As for the IP addresses, my ISP (Cox Communications) provides one static address to me, but I used the reserved addresses for the internetwork.


Last but not least, everything is working fine on my network. I am just trying to figure out how the firewall will route packets to the router, and then from there how the router will know how to send them to the hosts on my network.

Such as: will the information denoting that the packet is for PC.1 be dropped between the firewall and the router?
 
Old 06-30-2007, 01:44 AM   #9
Gortex
Member
 
Registered: Nov 2005
Location: Enid Ok
Distribution: ubuntu 64 , debian , fedora core , vista ultimate 64, Winows 7 64 ultimate :p
Posts: 219

Original Poster
Rep: Reputation: 30
Code:
                     Internet
                        |
                        |
                     (isp assigned address)
                            Router
                     (192.168.1.1) Internal gateway address for my network
                         |   |  |
                         |   |  |
                         |   |  |
                         |   |   192.168.1.2 ( Linux file server)
                         |   192.168.1.3 ( My Computer)
                         |
                          192.168.1.4 ( my Xbox) 
                     
                       

Then there are the wireless devices:
  192.168.1.5   my wife's computer
  192.168.1.6   my PSP
  192.168.1.7   my Nintendo Wii
  192.168.1.8   my Xbox 360
  192.168.1.9   (sometimes friends come over, etc.)

That is my current configuration.
What I want to know is: if I add a firewall between the Internet and my current
gateway (that is primarily used to provide Wi-Fi), will there be any problems?
Also I should add that the router is just a Linksys wireless router with a built-in 5-port Ethernet switch. It's only there to provide access to multiple computers, not to connect two internal networks.

If this isn't explaining what I am trying to do well enough, I can get out the camera and snap some pics to help describe it better.

Last edited by Gortex; 06-30-2007 at 02:05 AM.
 
Old 06-30-2007, 03:02 AM   #10
SCerovec
Senior Member
 
Registered: Oct 2006
Location: Cp6uja
Distribution: Slackware on x86 and arm
Posts: 2,477
Blog Entries: 2

Rep: Reputation: 982

Quote:
Originally Posted by Gortex
Code:
                     Internet (the modem, I presume?)
                        |
                        |
                     (isp assigned address)
Code:
                     (isp assigned address)
                           FIREWALL
                     (192.168.168.1)
                         |
                         |
                     (192.168.168.2)
                            Your router's 
                                  'public' interface
Quote:
Code:
                            Router
                     (192.168.1.1) Internal gateway address for my network
                         |   |  |
                         |   |  |
                         |   |  |
                         |   |   192.168.1.2 ( Linux file server)
                         |   192.168.1.3 ( My Computer)
                         |
                          192.168.1.4 ( my Xbox)
If this still is overwhelming or confusing I could send You pics too :-)
 
Old 06-30-2007, 03:43 AM   #11
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
The Linux Network Administrator's Guide 2nd Ed. is available at the www.tldp.org website. It explains networks, and IP addresses and what various devices do.

Actually, you wouldn't need to subnet your network. Just use the Linksys as a switch. One interface will be for the modem and have a public IP address. The other will have a 192.168.1.0/24 address. You could use the Linksys for the DHCP server, or you could do that yourself as well. You will need to configure NAT on the computer of course.
 
Old 06-30-2007, 09:40 PM   #12
Gortex
Member
 
Registered: Nov 2005
Location: Enid Ok
Distribution: ubuntu 64 , debian , fedora core , vista ultimate 64, Winows 7 64 ultimate :p
Posts: 219

Original Poster
Rep: Reputation: 30
Nope, I think you guys are just missing my question.

If I add a Firewall to My current Network Configuration, will it stop working ?
 
Old 06-30-2007, 10:25 PM   #13
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
If you go from this:

Code:
                     Internet
                        |
                        |
                     (isp assigned address)
                            Router
                     (192.168.1.1) Internal gateway address for my network
                         |   |  |
                         |   |  |
                         |   |  |
                         |   |   192.168.1.2 ( Linux file server)
                         |   192.168.1.3 ( My Computer)
                         |
                          192.168.1.4 ( my Xbox)
To this:

Code:
                     Internet
                        |
                        |
                     (isp assigned address)
                        | 
                        |
                     Firewall
                   (192.168.2.1)
                        |
                        |
                   (192.168.2.2) WAN port
                     Router
                     (192.168.1.1) Internal gateway address for my network
                         |   |  |
                         |   |  |
                         |   |  |
                         |   |   192.168.1.2 ( Linux file server)
                         |   192.168.1.3 ( My Computer)
                         |
                          192.168.1.4 ( my Xbox)
Then you shouldn't have a problem. Configure the internet side of the firewall to behave as the Linksys router did. (You may need to authorize the firewall with the cable company, just like you did for the Linksys, because it has a different MAC address.) Now you need a network address between the firewall and the router that isn't 192.168.1.0/255.255.255.0 and isn't the old WAN address. I arbitrarily chose 192.168.2.0/255.255.255.0 for this network.
Here, you could keep the NAT on the Linksys router and just use the firewall to filter traffic; or you could even have both provide NAT (which would be silly for the firewall because it would only be serving the Linksys router); or you could put the Linksys in router mode (vs what they call gateway mode) and perform NAT on the firewall. Now your present LAN configuration should still work.

You could also do this:

Code:
         Internet
            |
            |
    (isp assigned address)
            | 
            |
         Firewall
            |
            |
      (192.168.1.1) Internal gateway address for my network
            |           
            |        
            |      Router switch ports
            |        |   |   |  |
            |________|   |   |  |
                         |   |  |
                         |   |   192.168.1.2 ( Linux file server)
                         |   192.168.1.3 ( My Computer)
                         |
                          192.168.1.4 ( my Xbox)
Here the router is just used as a switch, and the firewall is configured to behave as the router did. The server, "My Computer", and Xbox have the same configuration. You will need to change the local IP address of the router so there isn't a conflict with 192.168.1.1. The router is used as the gateway for the LAN using the same gateway IP address. If your wife's wireless host has the IP address of the AP (the Linksys) in its configuration, that will need to be changed.
Here you will provide NAT masquerading on the firewall. The router will be used as a switch and an AP for the wireless computer. You could use the DHCP server on the Linksys and have a client running on the LAN hosts and the firewall. Or you could have a DHCP server running on the firewall for more control. In both cases you need to change the "Local IP Address" setting on the Linksys router because you are using that address for the LAN side of the firewall.

The third method would waste one LAN port on the Linksys. The WAN port would be unused. However you wouldn't need to reconfigure LAN hosts. They can still use DHCP if they were before, and don't need to change their gateway IP address settings.

Last edited by jschiwal; 06-30-2007 at 10:32 PM.
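The two posts above (SCerovec's rule that every [x]---[y] pair must sit in its own network, and jschiwal's 192.168.2.0/24 transit network with the default gateways at each hop) can be checked mechanically before touching any cables. The script below is an added example, not code from the thread or from any of the posters; it assumes a Linux firewall box with iptables, uses the TEST-NET-3 range 203.0.113.0/24 as a constructed stand-in for the ISP side, and assumes `eth0`/`eth1` as the firewall's WAN and LAN interface names. It validates the three link networks for overlap, derives each hop's routing table for both of jschiwal's options (Linksys keeps NAT, or Linksys in router mode with NAT on the firewall), and emits a stateful forwarding ruleset in which, as jschiwal describes for a NAT router, only connections started from the inside are forwarded. The firewall masquerades in both modes because the thread's ISP hands out a single address; with the Linksys also doing NAT that is the "both provide NAT" case.

```python
# Added example (not from the thread): planner/sanity check for the
# cablemodem -> firewall -> Linksys -> LAN layout discussed above.
# Constructed addresses: 203.0.113.0/24 (TEST-NET-3) stands in for the ISP's
# network; 192.168.2.0/24 is the transit network jschiwal chose arbitrarily.
import ipaddress

# name -> (network, upstream-side address [x], downstream-side address [y])
LINKS = {
    "isp":     ("203.0.113.0/24", "203.0.113.1", "203.0.113.50"),  # ISP gateway -> firewall WAN
    "transit": ("192.168.2.0/24", "192.168.2.1", "192.168.2.2"),   # firewall LAN -> router WAN port
    "lan":     ("192.168.1.0/24", "192.168.1.1", None),            # router LAN -> hosts
}


def check_links(links):
    """Return a list of problems; an empty list means every [x]---[y] pair
    lies inside its own link network and no two link networks overlap."""
    problems, nets = [], {}
    for name, (cidr, x, y) in links.items():
        net = ipaddress.ip_network(cidr, strict=True)
        for addr in (x, y):
            if addr is not None and ipaddress.ip_address(addr) not in net:
                problems.append(f"{name}: {addr} is not inside {cidr}")
        nets[name] = net
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems


def routing_tables(links, router_does_nat):
    """Default gateway for each hop. When the Linksys is in 'router' (non-NAT)
    mode the firewall additionally needs a route for the LAN prefix pointing at
    the router's WAN address; otherwise replies to 192.168.1.x would be sent to
    the ISP gateway and lost."""
    _, isp_gw, _ = links["isp"]
    _, fw_lan, rt_wan = links["transit"]
    lan_cidr, rt_lan, _ = links["lan"]
    firewall = {"default": isp_gw}
    if not router_does_nat:
        firewall[lan_cidr] = rt_wan
    return {"firewall": firewall,
            "router": {"default": fw_lan},
            "hosts": {"default": rt_lan}}


def firewall_rules(links, router_does_nat, wan_if="eth0", lan_if="eth1"):
    """iptables commands for the firewall box (interface names are assumed).
    Forwarding policy is DROP; only replies to connections opened from the
    inside come back in, so unsolicited WAN traffic never reaches the LAN."""
    transit_cidr = links["transit"][0]
    lan_cidr = links["lan"][0]
    # If the Linksys keeps doing NAT, the firewall only ever sees its WAN
    # address as the source; otherwise it sees the real LAN addresses.
    inside = transit_cidr if router_does_nat else lan_cidr
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        "iptables -P FORWARD DROP",
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i {lan_if} -o {wan_if} -s {inside} -j ACCEPT",
        f"iptables -t nat -A POSTROUTING -o {wan_if} -s {inside} -j MASQUERADE",
    ]


if __name__ == "__main__":
    for problem in check_links(LINKS):
        print("PROBLEM:", problem)
    for mode in (True, False):
        print(f"\n--- Linksys does NAT: {mode} ---")
        for hop, table in routing_tables(LINKS, mode).items():
            print(f"{hop:>8}: {table}")
        print("\n".join(firewall_rules(LINKS, mode)))
```

Running it with an overlapping choice for the transit network (say 192.168.1.0/25 between firewall and router) reports the overlap, which is exactly the "confused routing host" SCerovec warns about: the firewall would have two interfaces claiming the same destination prefix and could not pick the right one.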
 
Old 07-01-2007, 01:03 AM   #14
Gortex
Member
 
Registered: Nov 2005
Location: Enid Ok
Distribution: ubuntu 64 , debian , fedora core , vista ultimate 64, Winows 7 64 ultimate :p
Posts: 219

Original Poster
Rep: Reputation: 30
Thanks for the help, that basically answered the questions I have.

I was using static IP addresses for everything because I have a DMZ set up on the Linksys router for my Linux box (Neverwinter Nights server).
 
Old 07-01-2007, 01:19 AM   #15
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
It is often best to use static IP addresses for servers. You could have a 3rd NIC interface on the firewall for the DMZ as well. SuSE Linux's SuSEfirewall2 configures zones: internal, external, DMZ. Then you can have different services allowed for the different zones. Because you want to do this as a learning experience, you might want to roll your own instead. You may be able to find Linux router kits that have 4 or more interfaces and are small and low power compared to a desktop. Something like that might be ideal for what you want to do.
 