

Snap Gear Lite 2 Firewall Setup

Posted on 2003-11-10
Medium Priority
Last Modified: 2013-11-16
I have a co-located Dell server running Win2K Advanced Server; currently the server is using Zone Alarm Pro as a firewall. The server is running the following services: DNS, HTTP Server (IIS), FTP, POP3, SMTP, PCAnywhere Host.

I have just purchased a Snap Gear Lite 2 VPN Firewall but have no idea how to configure the device.

It is brand new from the manufacturer but their support hasn't been, very, well, quick or supportive!

For the moment I intend to use the device purely as a firewall until I buy another and set up a VPN; I believe two of these devices provide a very secure VPN. I will use PC Anywhere to administer the server for the present.

My problem is I would like to configure the device prior to deployment so I don't have to link a monitor up in the datacenter etc. It's geographically far and frankly security doesn't like you hanging around to configure things, especially if you don't know what you're doing ;-)

My server has a total of 64 public static IP addresses assigned to it; I'm currently using around 10 of these. For simplicity I would like to set up all the ports I need to be open for each of these IPs.

So my questions are:
How do I preconfigure my Snap Gear Lite 2 prior to deployment so it accepts requests on IP range (example) -

listening and responding on the following ports:
Win2KDNS PORT: 53(?)
POP3 PORT: 110
PCAnywhere 10.0 PORTS: 5631 - 5632 (?)
PING (?)

I would really like to preconfigure the firewall using my desktop at home and just take the device down to the datacenter and plug it in blind. However, if this is not possible then I need really clear and concise instructions on how to do this, as I have no prior knowledge of how to achieve this.

Hope the gurus can help!

I would really appreciate any comments and good clear answers will be rewarded.


Question by: stellamartois
LVL 18

Expert Comment

ID: 9731556
Here are their basic setup instructions for static routable IPs; hopefully your address space is contiguous:
Assume the following network configuration:

ISP assigned routable subnet

Example Network Setup:

       Internet Gateway            

To set up the SnapGear to bridge between the gateway and internal hosts on this subnet, do the following in the SnapGear's config:

Under Networking -> IP Configuration:
Internet IP:
Gateway: blank

Advanced IP Configuration:
Disable NAT

Under Networking -> Advanced Networking:
Additional routes:
Address  Type  Netmask  Gateway  Metric  Interface
Host  -  NONE  NONE  eth1
Net  NONE  eth1

Under Firewall -> Rules, add the following in addition to the built in rules:
cp /etc/1 /proc/sys/net/ipv4/conf/eth0/proxy_arp
cp /etc/1 /proc/sys/net/ipv4/conf/eth1/proxy_arp

You need to add the additional routes to get the SnapGear to have a default route. Otherwise the SnapGear will want to add the default route to eth0 and this will not route properly.

Once the SnapGear is set up this way, go into Networking -> Advanced Networking and try pinging the gateway and a host on the Internet.

If this is successful, then set up your internal machines with IPs in the routable subnet.

To then allow access to any port on any internal machines add the following rule to the Firewall -> Rules page:

iptables -I ExtAcc -d -j ACCEPT

If you want to keep the firewall enabled and just allow access to certain ports on this internal subnet do the following:

iptables -I ExtAcc -p tcp -d --dport 80 -j ACCEPT

You'll then have to determine the ports you want open for each of your applications.


Author Comment

ID: 9736151

Thanks for your time on this. This is like a foreign language to me; I'm just a mere website developer. But I'm willing to learn and give it a try.

I think you misunderstood me slightly though.

The server is not part of a LAN so there won't be any routing required to internal machines. It is purely an internet server which I host my own PERL / ASP / PHP driven sites on. I'm also running my own DNS to resolve names I purchase to IPs on my server, as well as POP3 and SMTP mail for some of the sites.

All I need is to protect my static IP range (example); it is contiguous x.x.x.28 - x.x.x.62 (I think!)

Obviously NetBIOS is the big one, but basically protect all ports for each of the 64 IPs except the ones listed above.

Hope that makes sense; it does to me, I'm just not familiar with the networking jargon you gurus use ;-)

I posted this question in Networking also because no one responded quickly in Security, but I will reward points on both questions.


LVL 18

Expert Comment

ID: 9736862
It IS part of a LAN, in the sense that the internet is a network, and that's what you're protecting it from.

Your router will deny all inbound traffic by default. In the example above, you are bridging the IP addresses the ISP or hosting center gave you through the router. The router will only allow traffic on the ports specified by the

iptables -I ExtAcc -p tcp -d --dport 80 -j ACCEPT


In this example, traffic to port 80 is permitted to all the IP addresses in the subnet.

You could do this on a per address basis as well.
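The allow rules chicagoan shows, filled in for the services the question lists, as an added example that is not from the thread or from SnapGear's documentation: the ExtAcc chain and the `iptables -I ExtAcc ... -j ACCEPT` form come from the post above, while the 203.0.113.0/26 block is a constructed stand-in for the real 64-address range (swap in a single host address to do it per machine, as the comment above suggests).

```shell
#!/bin/sh
# Added example: print the iptables allow rules the asker's services need,
# in the form chicagoan's post uses (iptables -I ExtAcc ... -j ACCEPT).
# 203.0.113.0/26 is a constructed placeholder for the real routable block.
# Everything not listed here stays blocked by the device's built-in deny,
# which is what covers NetBIOS/SMB (137-139, 445) without an extra rule.

# Service table, one "protocol port" pair per line, taken from the question.
# DNS needs UDP and TCP; pcAnywhere uses TCP 5631 for data, UDP 5632 for status.
SERVICES='
udp 53
tcp 53
tcp 25
tcp 21
tcp 80
tcp 110
tcp 5631
udp 5632
'

# gen_rules DEST: print one iptables command per line for destination DEST
# (a host address or a CIDR block). Returns 1 if DEST is not a plain address.
gen_rules() {
  dest="$1"
  case "$dest" in
    *[!0-9./]*|"") echo "gen_rules: bad address '$dest'" >&2; return 1 ;;
  esac
  # -I inserts each rule at the top, so later lines are evaluated first;
  # with ACCEPT-only rules the order does not change the result.
  printf '%s\n' "$SERVICES" | while read -r proto port; do
    [ -n "$proto" ] || continue
    echo "iptables -I ExtAcc -p $proto -d $dest --dport $port -j ACCEPT"
  done
  # Let the server answer ping: echo-request only, not every ICMP type.
  echo "iptables -I ExtAcc -p icmp --icmp-type echo-request -d $dest -j ACCEPT"
}

# count_rules DEST: how many rule lines gen_rules produces for DEST.
count_rules() {
  gen_rules "$1" | wc -l | tr -d ' '
}

gen_rules 203.0.113.0/26
```

Paste the printed lines into Firewall -> Rules on the appliance; a typo in the address is caught before anything reaches the device.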


Author Comment

ID: 9738285
Hi Chicagoan,

Thank you for the advice again, it is very helpful.

2 last questions (i hope)

Firstly in your statement:

Under Networking -> Advanced Networking:
Additional routes:
Address  Type  Netmask  Gateway  Metric  Interface
Host  -  NONE  NONE  eth1
Net  NONE  eth1

The 2 sets of IP numbers you refer to, are these just examples, or is that how it SHOULD be set, OR do I need to put my subnet mask numbers in there or something?

FYI my IP details are as follows:
IP Address     X.X.X.130
Subnet Mask

Would it be OK to perform this configuration using my desktop at home, then take it down to the datacentre and just plug it in between the server and gateway connection, OR would you advise performing the setup on the server itself?

I haven't even plugged the Snap Gear in yet or installed the software! Too paranoid about screwing up the config until I get a vague idea of what I'm doing :-)

Sorry for sounding so dumb on all this!

Thank you for your help so far it is really appreciated.
LVL 18

Accepted Solution

chicagoan earned 1200 total points
ID: 9738589
The first statement is a route to the Dell's default router (it just happens to be contiguous in the example).

The second is a "default route" out - comparing traffic to a mask of would match everything, so any traffic the internal hosts put on the firewall would be forwarded to Dell's default router.
Note Dell may have multiple routes out; you may want to ask them about their BGP configuration, and you may want more than one default route.

I don't see why you can't configure it first.
Before you trot over there though, I'd have the name and phone number of a knowledgeable person at SnapGear to help solve the inevitable glitch.
You might even want to install it at home and get it working on that network to get a feel for the commands and the interface.

Author Comment

ID: 10368557
Thanks for the info chicagoan. I'm sorry for the delay in awarding points; I haven't had time to go to the datacenter to fit the appliance (it's running behind ZoneAlarm at the moment, not good I know!)

I'll keep you posted of how i get on...
