LinuxQuestions.org

Linux - Networking: Which gateway in router-firewall setup? (https://www.linuxquestions.org/questions/linux-networking-3/which-gateway-in-router-firewall-setup-391392/)

hussar 12-10-2005 06:38 PM

Which gateway in router-firewall setup?
 
If I am connected to my ISP with a DSL modem and a router and I want to set a firewall behind that, should systems behind the firewall point to the router as their gateway or to the firewall?

Here it is in more detail, the network connections would look like this:

Internet [DSL hook up including DSL modem] <-> Router [Netgear RP614v.x] <-> Firewall [Linux box] <-> 8-port switch <-> up to 7 machines

Currently, I am only using the router. It has two interfaces, one pointing outwards which uses the IP address assigned by my ISP and one pointing inwards which I have set to 192.168.1.3. I want to set a linux box between that router and the rest of my small network and set it up as a firewall with NAT/IP masquerading for the machines behind it. If I give the interface on the firewall that points at the router the IP address 192.168.1.1 and the interface that points inwards toward my network the IP address 192.168.1.2, which IP address would the machines on the protected network use as their gateway, 192.168.1.3, 192.168.1.1 or 192.168.1.2?

acid_kewpie 12-11-2005 03:13 AM

Unless you're going to bridge the connections on the firewall, you would need to use two separate LANs, e.g. 192.168.0.0/24 and 192.168.1.0/24, and the firewall would be the gateway, but of course, the firewall would also be your router. So do you actually require the router? If it's plain DSL, are you not provided with an ethernet connection from your ISP?

hussar 12-11-2005 05:29 AM

Yes, I have an ethernet connection from my ISP and no, I don't really need the router, since I could just use the linux box as my router/firewall and have one interface pointed at my ISP and the Internet and the other interface pointed at my internal network. That's actually the setup I had until my router/firewall suffered a catastrophic hard drive crash.

Even before it failed though, I was thinking of doing a setup like I described in my original post, so that I could potentially hang a machine off the Netgear router to act as a file server that I could reach from anywhere. Sort of a bastion host/DMZ type arrangement. The Netgear router has the capability of making, say, ftp.mydomain.org direct traffic to a specific machine that is attached to it. Also, since this is a hobby network and not a production system, part of the reason I was thinking of going with a setup like this is simply, "Because I can."

I will try setting it up as a separate network as you suggested, where it will look something like this:

ISP <-> [IP address assigned by ISP] Netgear router [192.168.0.1] <-> [192.168.1.1] Firewall [192.168.1.2] <-> Internal network

and then potentially connect another machine to the Netgear router to be a ftp host, like this:

ISP <-> [IP address assigned by ISP] Netgear router [192.168.0.1] <-> [192.168.0.2] ftp.mydomain.org

Will that work?

acid_kewpie 12-11-2005 07:41 AM

If you want a DMZ, then I'd personally recommend configuring a third NIC on the firewall. Assuming that you're running Smoothwall, IPCop etc., they will have settings for a dedicated DMZ interface out of the box. That said, you certainly could use that layout for a DMZ, but whether it's really worthwhile is a different issue, as just having a single router on the network is a lot, lot simpler.

hussar 12-11-2005 11:11 AM

I was looking at IPCop the other day, and if I had a full-size machine, I would probably use it. The machine I am going to use as a firewall, though, uses a VIA EPIA-M 800 motherboard, and it only has one PCI slot. So, I am limited to two interfaces - the one on the motherboard and one installed in the PCI slot. (I am using a 512MB CF card as the hard drive.)

I'm not really going for the simplest solution either. I know what I am planning is actually overkill for a home network. Really when it comes right down to it, I could just keep using the Netgear RP614 router as my network's only connection to my ISP and the Internet. Although, as I think about it, that would also mean that I would have to configure some sort of firewalling on each of the machines attached to the router. There are some Windows machines involved here, so any extra level of protection I can offer them will be a good thing. Building my own firewall with my own rules will also allow me some flexibility in securing my wireless connection.
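As an added example (not code from the thread or from any poster), a small Python script that checks the two addressing plans discussed above with the standard ipaddress module: the single-/24 plan from the first post and the two-subnet plan suggested in the first reply. It reports which next hop each side uses and emits the masquerading rules a two-NIC Linux firewall needs; the interface names eth0 (towards the router) and eth1 (internal) are assumed.

```python
from ipaddress import IPv4Interface

# Constructed addressing plans for the thread's topology:
# router LAN side <-> firewall outside NIC, firewall inside NIC <-> internal switch.
ORIGINAL_PLAN = {          # first post: everything in 192.168.1.0/24
    "router_lan": "192.168.1.3/24",
    "fw_outside": "192.168.1.1/24",
    "fw_inside": "192.168.1.2/24",
}
SEPARATE_LANS = {          # first reply: two subnets, firewall routes between them
    "router_lan": "192.168.0.1/24",
    "fw_outside": "192.168.0.2/24",
    "fw_inside": "192.168.1.1/24",
}

def check_plan(plan):
    """Return a list of problems with a routed (non-bridged) two-NIC firewall plan."""
    router = IPv4Interface(plan["router_lan"])
    outside = IPv4Interface(plan["fw_outside"])
    inside = IPv4Interface(plan["fw_inside"])
    problems = []
    # A router needs a distinct subnet on each interface; the same /24 on both
    # NICs only works if the firewall bridges them instead of routing.
    if outside.network.overlaps(inside.network):
        problems.append(f"outside {outside.network} overlaps inside {inside.network}; bridge or renumber")
    # The firewall's default route must be reachable on-link via its outside NIC.
    if router.ip not in outside.network:
        problems.append(f"router {router.ip} is not on the outside subnet {outside.network}")
    return problems

def gateways(plan):
    """Which next hop each party uses once the plan is valid."""
    inside = IPv4Interface(plan["fw_inside"])
    router = IPv4Interface(plan["router_lan"])
    return {
        "internal_hosts": str(inside.ip),     # LAN machines point at the firewall's inside NIC
        "firewall_default": str(router.ip),   # the firewall forwards upstream to the router
    }

def firewall_commands(plan):
    """sysctl/iptables lines for NAT on the outside NIC (eth0/eth1 are assumed names)."""
    inside = IPv4Interface(plan["fw_inside"])
    return [
        "sysctl -w net.ipv4.ip_forward=1",
        f"iptables -t nat -A POSTROUTING -s {inside.network} -o eth0 -j MASQUERADE",
        "iptables -A FORWARD -i eth0 -o eth1 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -i eth1 -o eth0 -s {inside.network} -j ACCEPT",
        "iptables -A FORWARD -j DROP",   # anything else crossing the firewall is dropped
    ]

if __name__ == "__main__":
    for name, plan in (("original", ORIGINAL_PLAN), ("separate LANs", SEPARATE_LANS)):
        print(name, check_plan(plan) or "ok", gateways(plan))
```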
