Snap Gear Lite 2 Firewall Setup

I have a co-located Dell server running Win2K Advanced Server; currently the server is using Zone Alarm Pro as its firewall. The server is running the following services: DNS, HTTP server (IIS), FTP, POP3, SMTP, PCAnywhere host.

I have just purchased a Snap Gear Lite 2 VPN Firewall but have no idea how to configure the device.

It is brand new from the manufacturer but their support hasn't been, very, well, quick or supportive!

For the moment I intend to use the device purely as a firewall until I buy another and set up a VPN; I believe two of these devices provide a very secure VPN. I will use PC Anywhere to administer the server for the present.

My problem is I would like to configure the device prior to deployment so I don't have to link a monitor up in the datacenter etc. It's geographically far and frankly the security don't like you hanging around to configure things, especially if you don't know what you're doing ;-)

My server has a total of 64 public static IP addresses assigned to it; I'm currently using around 10 of these. For simplicity I would like to set up all the ports I need to be open for each of these IPs.

So my questions are:
How do I preconfigure my Snap Gear Lite 2 prior to deployment so it accepts requests on IP range (example) -

listening and responding on the following ports:
Win2KDNS PORT: 53(?)
POP3 PORT: 110
PCAnywhere 10.0 PORTS: 5631 - 5632 (?)
PING (?)

I would really like to preconfigure the firewall using my desktop at home and just take the device down to the datacenter and plug it in blind. However, if this is not possible then I need really clear and concise instructions on how to do this, as I have no prior knowledge of how to achieve this.

Hope the gurus can help!

I would really appreciate any comments and good clear answers will be rewarded.



Here are their basic setup instructions for static routable IPs; hopefully your address space is contiguous:
Assume the following network configuration:

ISP assigned routable subnet

Example Network Setup:

Internet Gateway

To set up the Snapgear to bridge between the gateway and internal hosts on this subnet, do the following in the Snapgear's config:

Under Networking -> IP Configuration:
Internet IP:
Gateway: blank

Advanced IP Configuration:
Disable NAT

Under Networking -> Advanced Networking:
Additional routes:
Address       Type Netmask  Gateway       Metric Interface
              Host -        NONE          NONE   eth1
              Net           NONE                 eth1

Under Firewall -> Rules, add the following in addition to the built-in rules:
cp /etc/1 /proc/sys/net/ipv4/conf/eth0/proxy_arp
cp /etc/1 /proc/sys/net/ipv4/conf/eth1/proxy_arp

You need to add the additional routes to get the Snapgear to have a default route. Otherwise the Snapgear will want to add the default route to eth0 and this will not route properly.

Once the Snapgear is setup this way go into Networking -> Advanced Networking, and try pinging the gateway and a host on the Internet.

If this is successful, then set up your internal machines with IPs in the routable subnet.

To then allow access to any port on any internal machines add the following rule to the Firewall -> Rules page:

iptables -I ExtAcc -d -j ACCEPT

If you want to keep the firewall enabled and just allow access to certain ports on this internal subnet do the following:

iptables -I ExtAcc -p tcp -d --dport 80 -j ACCEPT

You'll then have to determine the ports you want open for each of your applications.

stellamartoisAuthor Commented:

Thanks for your time on this. This is like a foreign language to me; I'm just a mere website developer. But I'm willing to learn and give it a try.

I think you misunderstood me slightly tho'.

The server is not part of a LAN, so there won't be any routing required to internal machines. It is purely an internet server which I host my own PERL / ASP / PHP driven sites on. I'm also running my own DNS to resolve names I purchase to IPs on my server, as well as POP3 and SMTP mail for some of the sites.

All I need is to protect my static IP range (example); it is contiguous x.x.x.28 - x.x.x.62 (I think!).

Obviously NetBIOS is the big one, but basically protect all ports for each of the 64 IPs except the ones listed above.

Hope that makes sense; it does to me, I'm just not familiar with the networking jargon you gurus use ;-)

I posted this question in networking also because no one responded quickly in security, but I will reward points on both questions.


It IS part of a LAN, in the sense that the internet is a network, and that's what you're protecting it from.

Your router will deny all inbound traffic by default. In the example above, you are bridging the ip addresses the ISP or hosting center gave you through the router. The router will only allow traffic on the ports specified by the

iptables -I ExtAcc -p tcp -d --dport 80 -j ACCEPT
In this example, traffic to port 80 is permitted to all the IP addresses in the subnet.

You could do this on a per address basis as well.
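The thread shows one rule (port 80, whole subnet) and says the same can be done per address. As an added example, not from the thread or from SnapGear's own documentation, the script below generates the per-address, per-port `iptables -I ExtAcc ... -j ACCEPT` lines for the services the asker listed (DNS 53 over UDP and TCP, POP3 110, PCAnywhere 5631-5632, HTTP 80, and ICMP echo-request for ping), so the whole ruleset can be reviewed before it is pasted into Firewall -> Rules. It also refuses to emit rules for any address outside the routable block, which catches typos before they reach the box. The addresses and the /26 block (64 addresses, matching the asker's count) are constructed placeholders from the TEST-NET-3 range, not the asker's real addresses.

```shell
#!/bin/sh
# Added example: generate SnapGear Firewall -> Rules lines for a set of
# public addresses. ExtAcc is the chain named in the thread; everything
# else (addresses, block) is a constructed placeholder (RFC 5737 TEST-NET-3).

CHAIN="ExtAcc"

# Constructed: the routable block assigned to the server (64 addresses).
BLOCK_NET="203.0.113.128"
BLOCK_PREFIX=26

# Constructed: the public addresses actually in use on the server.
HOSTS="203.0.113.130 203.0.113.131"

# proto:port pairs for the services listed in the question.
# DNS answers over both UDP and TCP, so port 53 appears twice.
SERVICES="udp:53 tcp:53 tcp:110 tcp:5631 tcp:5632 tcp:80"

# ip2int A.B.C.D -> 32-bit integer, for subnet arithmetic
ip2int() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet HOST NET PREFIX -> success if HOST lies inside NET/PREFIX
in_subnet() {
    mask=$(( (0xffffffff << (32 - $3)) & 0xffffffff ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "$2") & mask )) ]
}

# emit_rules HOST -> one ACCEPT rule per service, plus one for ICMP echo
emit_rules() {
    host="$1"
    for svc in $SERVICES; do
        proto="${svc%%:*}"
        port="${svc##*:}"
        printf 'iptables -I %s -p %s -d %s --dport %s -j ACCEPT\n' \
            "$CHAIN" "$proto" "$host" "$port"
    done
    # "PING (?)" in the question: allow inbound echo-request only
    printf 'iptables -I %s -p icmp --icmp-type echo-request -d %s -j ACCEPT\n' \
        "$CHAIN" "$host"
}

# gen_all -> rules for every host in HOSTS that is inside the block;
# hosts outside the block are reported on stderr and skipped
gen_all() {
    for h in $HOSTS; do
        if in_subnet "$h" "$BLOCK_NET" "$BLOCK_PREFIX"; then
            emit_rules "$h"
        else
            echo "skipping $h: not in $BLOCK_NET/$BLOCK_PREFIX" >&2
        fi
    done
}

# count_rules -> number of rule lines gen_all produces (sanity check:
# hosts * (services + 1))
count_rules() {
    gen_all 2>/dev/null | wc -l | tr -d ' '
}

gen_all
```

Because `-I` inserts at the head of the chain, each generated line lands in front of the built-in rules, which is what the thread's port 80 example relies on; anything not matched by one of these lines still falls through to the router's default deny. Adding a service or an address is a matter of editing the two lists at the top and regenerating.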

stellamartoisAuthor Commented:
Hi Chicagoan,

Thank you for the advice again, it is very helpful.

2 last questions (I hope)

Firstly in your statement:

Under Networking -> Advanced Networking:
Additional routes:
Address       Type Netmask  Gateway       Metric Interface
              Host -        NONE          NONE   eth1
              Net           NONE                 eth1

The 2 sets of IP numbers you refer to: are these just examples, or is that how it SHOULD be set, OR do I need to put my subnet mask numbers in there or something?

FYI my IP details are as follows:
IP Address     X.X.X.130
Subnet Mask

Would it be OK to perform this configuration using my desktop at home, then take it down to the datacentre and just plug it in between the server and gateway connection, OR would you advise performing the setup on the server itself?

I haven't even plugged the Snap Gear in yet or installed the software! Too paranoid about screwing up the config until I get a vague idea of what I'm doing :-)

Sorry for sounding so dumb on all this!

Thank you for your help so far it is really appreciated.

The first statement is a route to Dell's default router (it just happens to be contiguous in the example).

The second is a "default route" out: comparing traffic to a mask of would match everything, so any traffic the internal hosts put on the firewall would be forwarded to Dell's default router.
Note Dell may have multiple routes out; you may want to ask them about their BGP configuration, and you may want more than one default route.

I don't see why you can't configure it first.
Before you trot over there though, I'd have a name and phone # of a knowledgeable person at Snapgear to help solve the inevitable glitch.
You might even want to install it at home and get it working on that network to get a feel for the commands and the interface.

stellamartoisAuthor Commented:
Thanks for the info Chicagoan. I'm sorry for the delay in awarding points; I haven't had time to go to the datacenter to fit the appliance (it's running behind ZoneAlarm at the moment, not good I know!)

I'll keep you posted of how i get on...