Snap Gear Lite 2 Firewall Setup

Posted on 2003-11-10
Medium Priority
Last Modified: 2013-11-16
I have a co-located Dell Server running Win2K Advanced Server; currently the server is using Zone Alarm Pro as a firewall. The server is running the following services: DNS, HTTP Server (IIS), FTP, POP3, SMTP, PCAnywhere Host.

I have just purchased a Snap Gear Lite 2 VPN Firewall but have no idea how to configure the device.

It is brand new from the manufacturer but their support hasn't been, very, well, quick or supportive!

For the moment I intend to use the device purely as a firewall until I buy another and set up a VPN; I believe two of these devices provide a very secure VPN. I will use PC Anywhere to administer the server for the present.

My problem is I would like to configure the device prior to deployment so I don't have to link a monitor up in the datacenter etc. It's geographically far and frankly the security don't like you hanging around to configure things, especially if you don't know what you're doing ;-)

My server has a total of 64 public static IP addresses assigned to it; I'm currently using around 10 of these. For simplicity I would like to set up all the ports I need to be open for each of these IPs.

So my questions are:
How do I preconfigure my Snap Gear Lite 2 prior to deployment so it accepts requests on IP range (example) -

listening and responding on the following ports:
Win2KDNS PORT: 53(?)
POP3 PORT: 110
PCAnywhere 10.0 PORTS: 5631 - 5632 (?)
PING (?)

I would really like to preconfigure the firewall using my desktop at home and just take the device down to the datacenter and plug it in blind. However, if this is not possible then I need really clear and concise instructions on how to do this, as I have no prior knowledge of how to achieve this.

Hope the gurus can help!

I would really appreciate any comments and good clear answers will be rewarded.


Question by:stellamartois
LVL 18

Expert Comment

ID: 9731556
Here are their basic setup instructions for static routable IPs; hopefully your address space is contiguous:
Assume the following network configuration:

ISP assigned routable subnet

Example Network Setup:

       Internet Gateway            

To set up the SnapGear to bridge between the gateway and internal hosts on this subnet, do the following in the SnapGear's config:

Under Networking -> IP Configuration:
Internet IP:
Gateway: blank

Advanced IP Configuration:
Disable NAT

Under Networking -> Advanced Networking:
Additional routes:
Address       Type Netmask  Gateway       Metric Interface  Host -        NONE          NONE   eth1       Net  NONE   eth1

Under Firewall -> Rules, add the following in addition to the built in rules:
cp /etc/1 /proc/sys/net/ipv4/conf/eth0/proxy_arp
cp /etc/1 /proc/sys/net/ipv4/conf/eth1/proxy_arp

You need to add the additional routes to get the SnapGear to have a default route. Otherwise the SnapGear will want to add the default route to eth0 and this will not route properly.

Once the SnapGear is set up this way, go into Networking -> Advanced Networking, and try pinging the gateway and a host on the Internet.

If this is successful, then set up your internal machines with IPs in the routable subnet.

To then allow access to any port on any internal machine, add the following rule to the Firewall -> Rules page:

iptables -I ExtAcc -d -j ACCEPT

If you want to keep the firewall enabled and just allow access to certain ports on this internal subnet do the following:

iptables -I ExtAcc -p tcp -d --dport 80 -j ACCEPT

You'll then have to determine the ports you want open for each of your applications.


Author Comment

ID: 9736151

Thanks for your time on this. This is like a foreign language to me, I'm just a mere website developer. But I'm willing to learn and give it a try.

I think you misunderstood me slightly tho'

The server is not part of a LAN so there won't be any routing required to internal machines. It is purely an internet server which I host my own PERL / ASP / PHP driven sites on. I'm also running my own DNS to resolve names I purchase to IPs on my server, as well as POP3 and SMTP mail for some of the sites.

All I need is to protect my static IP range (example); it is contiguous x.x.x.28 - x.x.x.62 (I think!)

Obviously NetBIOS is the big one, but basically protect all ports for each of the 64 IPs except the ones listed above.

Hope that makes sense, it does to me, just not familiar with the networking jargon you gurus use ;-)

I posted this question in Networking also because no one responded quickly in Security, but I will reward points on both questions.


LVL 18

Expert Comment

ID: 9736862
It IS part of a LAN, in the sense that the internet is a network, and that's what you're protecting it from.

Your router will deny all inbound traffic by default. In the example above, you are bridging the IP addresses the ISP or hosting center gave you through the router. The router will only allow traffic on the ports specified by the

iptables -I ExtAcc -p tcp -d --dport 80 -j ACCEPT


In this example, traffic to port 80 is permitted to all the IP addresses in the subnet.

You could do this on a per address basis as well.
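As an added example (not from the thread or from SnapGear's documentation), here is a small POSIX shell script that writes out the per-address, per-port ExtAcc ACCEPT rules chicagoan describes, one per service stellamartois listed, so the rule set can be reviewed before it is pasted into Firewall -> Rules. The ExtAcc chain and the rule form come from the thread; the addresses are constructed, and the DNS TCP/UDP and pcAnywhere TCP 5631 / UDP 5632 split is the standard one for those services.

```shell
#!/bin/sh
# Added example: generate the ExtAcc rules for each public address that hosts
# services. It only prints the rules; nothing here talks to the firewall.

# Constructed sample addresses (documentation range), standing in for the
# handful of the 64 public IPs that actually run services.
HOSTS="203.0.113.28 203.0.113.29"

# Service table as name:proto:dport. DNS answers on both TCP and UDP 53;
# pcAnywhere uses TCP 5631 for data and UDP 5632 for status. NetBIOS/SMB
# (137-139, 445) is deliberately absent, so the router's default inbound
# deny keeps covering it. FTP here is the control channel only; passive
# data ports need a separate, narrowly scoped range if they are used.
SERVICES="dns:tcp:53 dns:udp:53 http:tcp:80 ftp:tcp:21 smtp:tcp:25 \
pop3:tcp:110 pcanywhere:tcp:5631 pcanywhere:udp:5632"

# rule_for ADDR PROTO PORT -> one ExtAcc rule for one address and one port
rule_for() {
    printf 'iptables -I ExtAcc -p %s -d %s --dport %s -j ACCEPT\n' "$2" "$1" "$3"
}

# ping_rule ADDR -> allow ICMP echo requests only, rather than all of ICMP
ping_rule() {
    printf 'iptables -I ExtAcc -p icmp --icmp-type echo-request -d %s -j ACCEPT\n' "$1"
}

# rules_for_host ADDR -> every rule for one address
rules_for_host() {
    for svc in $SERVICES; do
        proto=${svc#*:}; proto=${proto%%:*}   # middle field
        port=${svc##*:}                       # last field
        rule_for "$1" "$proto" "$port"
    done
    ping_rule "$1"
}

# all_rules -> the complete rule set for every listed host
all_rules() {
    for h in $HOSTS; do rules_for_host "$h"; done
}

# rule_count -> number of rules produced; a quick sanity check that the
# table expanded as expected before anything is pasted into the appliance
rule_count() {
    all_rules | wc -l | tr -d ' '
}

all_rules
```

Every address not listed in HOSTS, and every port not in SERVICES, stays covered by the default inbound deny that chicagoan describes.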

Author Comment

ID: 9738285
Hi Chicagoan,

Thank you for the advice again, it is very helpful.

2 last questions (i hope)

Firstly in your statement:

Under Networking -> Advanced Networking:
Additional routes:
Address       Type Netmask  Gateway       Metric Interface  Host -        NONE          NONE   eth1       Net  NONE   eth1

The 2 sets of IP numbers you refer to, are these just examples or is that how it SHOULD be set, OR do I need to put my subnet mask numbers in there or something?

FYI my IP details are as follows:
IP Address     X.X.X.130
Subnet Mask

Would it be OK to perform this configuration using my desktop at home, then take it down to the datacentre and just plug it in between the server and gateway connection, OR would you advise performing the setup on the server itself?

I haven't even plugged the Snap Gear in yet or installed the software! Too paranoid about screwing up the config until I get a vague idea of what I'm doing :-)

Sorry for sounding so dumb on all this!

Thank you for your help so far it is really appreciated.
LVL 18

Accepted Solution

chicagoan earned 1200 total points
ID: 9738589
The first statement is a route to the Dell's default router (it just happens to be contiguous in the example).

The second is a "default route" out - comparing traffic to a mask of would match everything, so any traffic the internal hosts put on the firewall would be forwarded to Dell's default router.
Note Dell may have multiple routes out; you may want to ask them about their BGP configuration, and you may want more than one default route.

I don't see why you can't configure it first.
Before you trot over there though, I'd have the name and phone # of a knowledgeable person at SnapGear to help solve the inevitable glitch.
You might even want to install it at home and get it working on that network to get a feel for the commands and the interface.

Author Comment

ID: 10368557
Thanks for the info chicagoan, I'm sorry for the delay in awarding points, I haven't had time to go to the datacenter to fit the appliance (it's running behind ZoneAlarm at the moment, not good I know!)

I'll keep you posted of how i get on...
