Thread: Setting up DMZs/Screened Subnets with Commodity Firewalls

  1. #1
    Junior Member
    Join Date
    Aug 2006
    Posts
    13

    Setting up DMZs/Screened Subnets with Commodity Firewalls

    We have a couple of DMZs set up with Firewalls such as Checkpoint and NetGear (fvs114) to separate the subnets.

    The NetGear is causing me problems and I am looking at other firewalls (such as SonicWall Soho 3 which I happen to have). These subnets do not go directly to the internet. They are just separating my data servers from my DMZ that has my webservers on one side and our Protected intranet on the other.

    The problem is that these are Firewall/Dsl Routers that are intended to route information from your local network to the Internet that also have firewall functions. After reading the document on the Netgear - it talks about Internet Sharing Firewalls where requests from the outside are discarded. Only packets that come from the outside as a response are accepted. On the Netgear, this is also the case unless you have a rule set up to accept requests by service (such as port 80 - http).

    I don't know if this is normal or not but one of the things required is a Gateway. I would assume that a normal non-internet sharing firewall wouldn't have a Gateway as you are only routing packets from one subnet to another (no Nat).

    I am not sure if the SonicWall does this or not. If not, I will need to look elsewhere.

    The Wan side has a gateway that is usually the DSL Router.

    You can usually set up the Firewall as Standard or Nat. With standard the Lan and Wan have to be the same subnet. With Nat the Wan is the ISPs Router address (public) and the Lan is your private network.

    In my case, I want to use Firewall inside the private network where both the Lan and Wan would have private addresses but each would be a public address.

    So on my Protected network I would have all my user machines on the 10.0.0.X network and my DMZ that has my Sql Servers would be on the 10.0.3.X network.

    I don't know if it matters which side has Lan or Wan interface. But what about the Gateway address? I have it set up at the moment as:

    Wan:
    IP Address: 10.0.0.251
    Mask: 255.255.255.0
    Gateway: ?

    Lan:
    IP Address: 10.0.3.251
    Mask: 255.255.255.0

    Sql Server IP Address: 10.0.3.2
    My workstation: 10.0.0.25

    I am assuming that Nat needs to be set for this to work. But in the Internet world you would not be able to access an address in the private network directly. Only in response to a request. So there would need to be a request from the Private address first to the Internet and the Internet would respond. But not the other way round.

    Since I am Natting here, wouldn't I have the same problem? Is there a way to make this work with these types of Firewalls?

    We have a Checkpoint Firewall that does this great. But that is too expensive for us here in this scenario.
    _________________
    Thanks,

    Tom

  2. #2
    Advanced Member
    Join Date
    Dec 2001
    Location
    NY
    Posts
    688
    I don't really think you can accomplish what you want without a more sophisticated router in place. You want something that knows about each subnet, and has an interface in each. Then it becomes simple as can be. Packet arrives for WAN gets routed out eth0, LAN eth1, DMZ eth2.

    How is your WAN 10.whatever? That isn't possible, it is a private address.

    Anyway have you thought of a Smoothwall? That is what I was using before I got my PIX. There is some customization you can do to it to have multiple LAN subnets, or a built in LAN, WAN, DMZ setup. You enter an IP configuration on each and the one device knows of all of them. Then the security rules will dictate what can go from where to where.
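    The two posts above describe two different behaviours: post #1's two-port "internet sharing" firewall, which drops any new connection arriving on its WAN port unless a service rule exists, and post #2's multi-interface router, which holds an interface in every subnet and lets a zone policy decide what passes. The following Python model is an added example, not code from the thread or from any of the products named in it. It uses the addresses Tom posted (10.0.0.25 workstation, 10.0.3.2 SQL Server, 10.0.0.0/24 and 10.0.3.0/24 subnets); the 10.0.1.0/24 web-server subnet, the zone names and the rule syntax are constructed for illustration.

```python
"""Zone-based stateful packet filter model (constructed example).

Shows why a workstation on the WAN side of a two-port NAT firewall cannot
reach a database on the LAN side until an explicit service rule exists, and
how a three-interface device expresses the same policy per zone.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    sport: int = 40000      # constructed ephemeral source port
    syn: bool = True        # True = opens a connection, False = reply traffic


@dataclass(frozen=True)
class Rule:
    from_zone: str
    to_zone: str
    proto: str
    dport: int              # 0 means "any destination port"
    action: str             # "accept" or "drop"


@dataclass
class Firewall:
    zones: dict                                 # zone name -> list of CIDR strings
    rules: list = field(default_factory=list)   # evaluated first match wins
    state: set = field(default_factory=set)     # accepted flows as 5-tuples

    def zone_of(self, ip: str):
        """Longest-prefix match of an address against the zone networks."""
        addr = ip_address(ip)
        best = None
        for zone, nets in self.zones.items():
            for net in map(ip_network, nets):
                if addr in net and (best is None or net.prefixlen > best[1]):
                    best = (zone, net.prefixlen)
        return best[0] if best else None

    def filter(self, pkt: Packet) -> str:
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        if src_zone is None or dst_zone is None:
            return "drop"                       # no interface in that subnet: unroutable
        # Reply traffic is accepted only if the forward flow was accepted earlier.
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if not pkt.syn:
            return "accept" if reverse in self.state else "drop"
        for r in self.rules:
            if (r.from_zone, r.to_zone, r.proto) == (src_zone, dst_zone, pkt.proto) \
                    and r.dport in (0, pkt.dport):
                if r.action == "accept":
                    self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
                return r.action
        return "drop"                           # default deny for new connections


SQL_REQUEST = Packet(src="10.0.0.25", dst="10.0.3.2", proto="tcp", dport=1433)
SQL_REPLY = Packet(src="10.0.3.2", dst="10.0.0.25", proto="tcp", dport=40000, sport=1433, syn=False)


def two_port_firewall(allow_sql: bool):
    """Post #1: WAN port in 10.0.0.0/24, LAN port in 10.0.3.0/24.

    Default behaviour of an internet-sharing firewall: LAN may open anything
    towards WAN, WAN may open nothing towards LAN. allow_sql adds the
    per-service rule (TCP 1433) the NetGear manual describes.
    """
    fw = Firewall(zones={"WAN": ["10.0.0.0/24"], "LAN": ["10.0.3.0/24"]})
    fw.rules.append(Rule("LAN", "WAN", "tcp", 0, "accept"))
    if allow_sql:
        fw.rules.append(Rule("WAN", "LAN", "tcp", 1433, "accept"))
    return fw.filter(SQL_REQUEST), fw.filter(SQL_REPLY)


def three_interface_router():
    """Post #2: one device with an interface in every subnet and a zone policy."""
    fw = Firewall(zones={"INTRANET": ["10.0.0.0/24"],
                         "DATA": ["10.0.3.0/24"],
                         "WEB": ["10.0.1.0/24"]})       # WEB subnet is constructed
    fw.rules += [Rule("INTRANET", "DATA", "tcp", 1433, "accept"),
                 Rule("WEB", "DATA", "tcp", 1433, "accept"),
                 Rule("INTRANET", "WEB", "tcp", 80, "accept")]
    web_to_sql = Packet(src="10.0.1.10", dst="10.0.3.2", proto="tcp", dport=1433)
    web_to_intranet = Packet(src="10.0.1.10", dst="10.0.0.25", proto="tcp", dport=445)
    return {"intranet->sql": fw.filter(SQL_REQUEST),
            "web->sql": fw.filter(web_to_sql),
            "web->intranet": fw.filter(web_to_intranet),   # no rule: default deny
            "sql reply": fw.filter(SQL_REPLY)}


if __name__ == "__main__":
    print("two-port, no service rule:", two_port_firewall(False))
    print("two-port, TCP 1433 rule:  ", two_port_firewall(True))
    print("three-interface policy:   ", three_interface_router())
```

    The model only covers the filtering decision. For the packets to arrive at the box at all, the workstation (or its default gateway) still needs a route for 10.0.3.0/24 pointing at 10.0.0.251, which is the "Gateway" question in post #1: on a device that routes between two private subnets there is nothing for the WAN gateway field to do, and the route lives on the hosts or the upstream router instead.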

  3. #3
    Junior Member
    Join Date
    Aug 2006
    Posts
    13
    The reason the Wan address has a Wan address is that there is one Wan port and one Lan port. The Wan port is expected to be a public address from the ISP. This would be if I was using this as a border router/firewall. But I want to use this to separate subnets in my Lan. So I use the Wan port as an interface to one of my subnets and the Lan port as an interface to my other subnet.

    If I decide to go with a router to solve the problem - I have the same problem. Which one to use.

    I was looking at a Cisco 800 series router - but it has only one Wan port and it is ADSL - so the question is will I have the same type of problem in that it may be an Internet Sharing Firewall (Border router) where the routing that is done is Nating only.

    The other possibility is an 1841 which I can get for about $271.

    There may be other options but these are all I have come up with so far.

    Thanks,

    Tom

  4. #4
    Advanced Member
    Join Date
    Dec 2001
    Location
    NY
    Posts
    688
    You need to look at modular routers, like the 2600 (soon to be replaced by the 2800) series. Heck even a 1721 with an extra ethernet wic would do.

  5. #5
    Junior Member
    Join Date
    Aug 2006
    Posts
    13
    They are pretty expensive.

    What about the Zywall? Someone was telling me they would also do the job. But I don't know anything about them.

    What about the Netgear FVS114 that we have been using? We are having problems with it: it seems to work much of the time, but for about 10-20 minutes every few days or so we seem unable to connect to our database servers. I am not sure that the Netgear is the problem but it is a possibility. The specs on it say:

    Mode of Operation: One-to-one/many-to-one Multi-Network Address Translation (NAT), classical routing, unrestricted users per port

    It says classical routing (so I assume this is different from say a linksys router). I am just trying to figure out if we may be causing ourselves a problem by trying to use a device meant for some other purpose to fit into our scenario.

    Tom
