
T1 and DSL through one firewall

I am going to be setting up a new network for our business. We are going to have a fractional T1 (768) and a DSL line. I want to run all of my servers on the T1 line and the internal users will use the DSL. I am looking for a firewall to use and need some good advice on getting a firewall that can have two WAN interfaces and one internal interface.

I would be using NAT to assign IP addresses to all of the computers in the network.

Right now I have the following servers on the T1:
Windows 2k server, IIS 5
Windows 2k server, SQL 2000
Windows 2k, Domain Controller/Internal DNS server
Windows 2k, Exchange 2000

I would assign all of the servers an IP address that would go through the T1 line and all of the other computers will use DHCP and run off of the DSL.

I read a little on the Cisco PIX firewalls and they can run multiple interfaces. Is this all I need? Are there other firewalls that can forward packets based on the internal IP address through a specified WAN interface?

Would I have all of the computers point to my DNS server (which runs on the T1) and then send their network traffic through the DSL?

Any help would be greatly appreciated.
1 Solution
You can also do this with the iptables built in to the Linux 2.4 kernel.  I have two broadband connections at home and use a single firewall to split the outbound traffic (HTTP over one and everything else over the other).  Runs on an old PC with 10Mbps ISA cards and works great.  One ISP gives a static IP, the other gives DHCP and that works fine.  Also allows for incoming traffic over either connection or can be filtered to only allow incoming traffic over one of the two.

If this sounds like something you'd be interested in, let me know and I can post the type of rules you'd need for a setup like this.
The PIX won't work the way you want. You cannot have two WAN interfaces on a PIX because you can only have one default gateway. In your case, if you want to split the outbound traffic, one simple solution would be two PIXes. One used by all the normal traffic outbound through the DSL, and one used by the servers.

The Linux solution may work, though I don't know any businesses that can afford a T1 that use Linux as their gateway router/firewall.

There are other solutions such as Fatpipes' Warp device that can help:
danman226 (Author) commented:
I would like some more info on the Linux solution. I have an extra server that I could run it off of. I am assuming I would need three ethernet cards. Am I correct?

To lrmoore: The Fatpipe looks good, but probably way too expensive. Thanks for the info.

These products may be less expensive than the fatpipes (which cost around $7k):

If you'd like a GUI to configure rules, you can check out Firewall Builder:

It generates a shell script that will put your rules in place.  I haven't used it since v0.99 so I'm not sure if it can handle your rather complex setup now or not.

Here's a shell script that should be pretty close to working for you.  This assumes only one IP is assigned by each ISP (one for DSL and one for T1).  If you've got multiple IPs from the T1, then some changes would need to be made.  This script has the following basic features:
 - Outbound packets default to going over the DSL
 - Outbound packets from any of the servers go over the T1
 - Incoming packets on the T1 are forwarded to the appropriate server

I've added a couple samples of different types of rules that you could use in various situations:
 - allowing an internal machine to run MRTG for traffic monitoring (requires SNMP be installed)
 - allowing ssh in from a specific external host

You'd also asked if you'd need 3 NICs and the answer is "normally".  It *can* be done with 2 (that's how my setup is).  I've got two ISPs and each of their connections runs in to adjacent ports on a 4-port hub.  Of the two remaining ports, one connects to the external interface of my firewall and the other goes to an IDS.  For your situation though, I'd recommend 3 NICs as it's a more straightforward way to go.

#Change IPs and network numbers here.  Every value below is a placeholder
# (documentation-range addresses), not a real address; replace all of them.
# eth0 = internal interface
# eth1 = DSL
# eth2 = T1
T1IP="203.0.113.10"             # static IP the T1 ISP assigned to you
T1NET="203.0.113.8"             # network and mask of the T1 link
T1NETMASK="255.255.255.248"
T1ROUTER="203.0.113.9"          # ISP's router on the T1
SERVERNET="192.168.1.0"         # internal subnet that holds the servers
SERVERNETBITS="28"              # prefix length of $SERVERNET
DNSSERVER="192.168.1.3"         # internal addresses of the individual servers
WEBSERVER="192.168.1.4"
SSHSERVER="192.168.1.5"
MRTGSERVER="192.168.1.20"       # internal box that polls the firewall via SNMP
MYHOMEIP="198.51.100.7"         # the one external host allowed to ssh in


#If you're using either FTP or IRC, include this line
modprobe ip_conntrack || exit 1

#If using FTP, include these two
modprobe ip_conntrack_ftp || exit 1
modprobe ip_nat_ftp || exit 1

#If using IRC, include these two
modprobe ip_conntrack_irc || exit 1
modprobe ip_nat_irc || exit 1

# suspend routing while rules are applied... don't let anything through while rules are being changed.
echo "0" > /proc/sys/net/ipv4/ip_forward

# drop packets that arrive on an interface they shouldn't
echo "1" > /proc/sys/net/ipv4/conf/eth0/rp_filter
# bug in iptables will drop returned packets when mixing MASQ and SNAT
# may be fixed in newer version, present in 1.2.5
echo "0" > /proc/sys/net/ipv4/conf/eth2/rp_filter
echo "0" > /proc/sys/net/ipv4/conf/eth1/rp_filter

#Set some more basic options
echo "0" > /proc/sys/net/ipv4/conf/all/log_martians
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
echo "1" > /proc/sys/net/ipv4/icmp_echo_ignore_all
echo "1" > /proc/sys/net/ipv4/icmp_ignore_bogus_error_responses
echo "30" > /proc/sys/net/ipv4/tcp_fin_timeout
echo "1800" > /proc/sys/net/ipv4/tcp_keepalive_intvl
echo "1" > /proc/sys/net/ipv4/tcp_window_scaling
echo "1" > /proc/sys/net/ipv4/tcp_syncookies

#Set default filter policy to drop packets by default
iptables -P OUTPUT  DROP
iptables -P INPUT   DROP
iptables -P FORWARD DROP

#Flush every chain in every table, then delete the user-defined chains
cat /proc/net/ip_tables_names | while read table; do
  iptables -t $table -L -n | while read c chain rest; do
      if test "X$c" = "XChain" ; then
        iptables -t $table -F $chain
      fi
  done
  iptables -t $table -X
done

#clear old IPs
ip addr flush dev lo scope link
ip addr flush dev eth0 scope link
ip addr flush dev eth1 scope link
ip addr flush dev eth2 scope link

#Make sure iproute2 knows the t1traffic table name, then clear the old route
grep -q t1traffic /etc/iproute2/rt_tables || echo "10 t1traffic" >> /etc/iproute2/rt_tables
ip route delete default table t1traffic

# Setup custom routing table:
ip rule delete priority 10
ip rule add priority 10 fwmark 1 lookup t1traffic
route add -net $T1NET netmask $T1NETMASK dev eth2
ip route add default via $T1ROUTER dev eth2 src $T1IP table t1traffic

#Allow connections that were already in place to continue.
iptables -A INPUT   -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

# Outbound traffic will default to the DSL, but exceptions can be made here
#This rule sends all traffic from machines on $SERVERNET out the T1
iptables -t mangle -A PREROUTING -s $SERVERNET/$SERVERNETBITS -i eth0 -j MARK --set-mark 0x1

# Create new NAT chain for the T1 traffic
iptables -t nat -N t1outbound
iptables -t nat -A t1outbound -o eth2 -j SNAT --to-source $T1IP
# Send packets that are marked in the above section to the new chain
iptables -t nat -A POSTROUTING -m mark --mark 0x1 -j t1outbound

# Outbound everything else through DSL
iptables -t nat -A POSTROUTING -o eth1 -j MASQUERADE

# Inbound stuff via T1 is NAT'd to $SERVERNET
#these rules need to be customized depending on if IPs are allocated from the T1's ISP.
iptables -t nat -A PREROUTING -i eth2 -p udp -d $T1IP --dport 53  -j DNAT --to-destination $DNSSERVER
iptables -t nat -A PREROUTING -i eth2 -p tcp -d $T1IP --dport 80  -j DNAT --to-destination $WEBSERVER
iptables -t nat -A PREROUTING -i eth2 -p tcp -d $T1IP --dport 443 -j DNAT --to-destination $WEBSERVER
# Allow ssh in from one external host
iptables -t nat -A PREROUTING -i eth2 -p tcp -s $MYHOMEIP -d $T1IP --dport 22 -j DNAT --to-destination $SSHSERVER
# The FORWARD policy is DROP, so each DNAT'd service also needs a FORWARD rule
# (matched on the post-DNAT destination) or new connections never reach the server
iptables -A FORWARD -i eth2 -o eth0 -p udp -d $DNSSERVER --dport 53  -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p tcp -d $WEBSERVER --dport 80  -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p tcp -d $WEBSERVER --dport 443 -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -p tcp -s $MYHOMEIP -d $SSHSERVER --dport 22 -j ACCEPT

# Reject incoming ident requests to avoid login delays (uncomment to enable)
#iptables -A INPUT -p tcp -d $T1IP --dport 113 -j REJECT

# Allow internal server to run MRTG:
iptables -t filter -A INPUT -i eth0 -s $MRTGSERVER -p udp --dport 161 -j ACCEPT

# Allow traffic on the loopback interface
iptables -A INPUT  -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT

# Allow traffic from trusted internal interface.
iptables -A INPUT   -i eth0 -p tcp --dport 22  -j ACCEPT
iptables -A FORWARD -i eth0 -j ACCEPT

#Re-enable packet forwarding
echo "1" > /proc/sys/net/ipv4/ip_forward
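One check worth running after loading a rule set like the one above, as an added example that is not part of the original answer: because the FORWARD policy is DROP, every port DNAT'd in from the T1 (eth2) also needs a FORWARD ACCEPT, or the first packet of each new connection is silently dropped. The dump below is a constructed sample in iptables-save style (203.0.113.10 stands in for $T1IP), not output from a real firewall.

```shell
#!/bin/sh
# Added example: verify that each eth2 DNAT has a matching FORWARD ACCEPT.
# SAMPLE is constructed test data; on the real box run
#   missing_forward "$(iptables-save)"
SAMPLE='*nat
-A PREROUTING -i eth2 -p udp -d 203.0.113.10 --dport 53 -j DNAT --to-destination 192.168.1.3
-A PREROUTING -i eth2 -p tcp -d 203.0.113.10 --dport 80 -j DNAT --to-destination 192.168.1.4
-A PREROUTING -i eth2 -p tcp -d 203.0.113.10 --dport 443 -j DNAT --to-destination 192.168.1.4
COMMIT
*filter
:FORWARD DROP [0:0]
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth2 -p tcp -d 192.168.1.4/32 -m tcp --dport 80 -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
COMMIT'

# missing_forward DUMP: prints "proto server port" for each eth2 DNAT that has
# no matching FORWARD ACCEPT; exit status 1 if any are missing, 0 otherwise.
missing_forward() {
    printf '%s\n' "$1" | awk '
        function field(key,   i) {            # value following option "key"
            for (i = 1; i < NF; i++) if ($i == key) return $(i + 1)
            return ""
        }
        # normalise "10.0.0.1/32" and "10.0.0.1:80" down to the bare address
        function host(a) { sub(/\/32$/, "", a); sub(/:.*/, "", a); return a }
        /^\*/ { table = substr($0, 2) }
        table == "nat" && /^-A PREROUTING / && /-i eth2/ && /-j DNAT/ {
            k = field("-p") " " host(field("--to-destination")) " " field("--dport")
            if (!(k in dnat)) order[++n] = k   # remember first-seen order
            dnat[k] = 1
        }
        table == "filter" && /^-A FORWARD / && /-i eth2/ && /-j ACCEPT/ {
            fwd[field("-p") " " host(field("-d")) " " field("--dport")] = 1
        }
        END {
            rc = 0
            for (i = 1; i <= n; i++) if (!(order[i] in fwd)) { print order[i]; rc = 1 }
            exit rc
        }'
}

# Demo on the constructed sample: DNS/53 and HTTPS/443 are DNAT'd but never forwarded.
missing_forward "$SAMPLE" || echo "(add a FORWARD ACCEPT for each line above)"
```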
danman226 (Author) commented:
Thanks a lot. This will be a good base to get started on.
