Snap Gear Lite 2 Firewall Setup

Posted on 2003-11-10
Last Modified: 2013-11-16
I have a co-located Dell Server running Win2K Advanced Server; currently the server is using Zone Alarm Pro as a firewall. The server is running the following services: DNS, HTTP Server (IIS), FTP, POP3, SMTP, PCAnywhere Host.

I have just purchased a Snap Gear Lite 2 VPN Firewall but have no idea how to configure the device.

It is brand new from the manufacturer but their support hasn't been, very, well, quick or supportive!

For the moment I intend to use the device purely as a firewall until I buy another and set up a VPN; I believe two of these devices provide a very secure VPN. I will use PC Anywhere to administer the server for the present.

My problem is I would like to configure the device prior to deployment so I don't have to link a monitor up in the datacenter etc. It's geographically far and frankly the security don't like you hanging around to configure things, especially if you don't know what you're doing ;-)

My server has a total of 64 public static IP addresses assigned to it; I'm currently using around 10 of these. For simplicity I would like to set up all the ports I need to be open for each of these IPs.

So my questions are:
How do I preconfigure my Snap Gear Lite 2 prior to deployment so it accepts requests on IP range (example) -

listening and responding on the following ports:
Win2KDNS PORT: 53(?)
POP3 PORT: 110
PCAnywhere 10.0 PORTS: 5631 - 5632 (?)
PING (?)

I would really like to preconfigure the firewall using my desktop at home and just take the device down to the datacenter and plug it in blind. However, if this is not possible then I need really clear and concise instructions on how to do this, as I have no prior knowledge of how to achieve this.

Hope the gurus can help!

I would really appreciate any comments and good clear answers will be rewarded.


Question by:stellamartois
LVL 18

Expert Comment

ID: 9731556
Here's their basic setup instructions for static routable IPs, hopefully your address space is contiguous:
Assume the following network configuration:

ISP assigned routable subnet

Example Network Setup:

       Internet Gateway            

To set up the Snapgear to bridge between the gateway and internal hosts on this subnet, do the following in the Snapgear's config:

Under Networking -> IP Configuration:
Internet IP:
Gateway: blank

Advanced IP Configuration:
Disable NAT

Under Networking -> Advanced Networking:
Additional routes:
Address       Type Netmask  Gateway       Metric Interface  Host -        NONE          NONE   eth1       Net  NONE   eth1

Under Firewall -> Rules, add the following in addition to the built in rules:
cp /etc/1 /proc/sys/net/ipv4/conf/eth0/proxy_arp
cp /etc/1 /proc/sys/net/ipv4/conf/eth1/proxy_arp

You need to add the additional routes to get the Snapgear to have a default route. Otherwise the Snapgear will
want to add the default route to eth0 and this will not route properly.

Once the Snapgear is setup this way go into Networking -> Advanced Networking, and try pinging the gateway and a host on the Internet.

If this is successful, then set up your internal machines with IPs in the routable subnet.

To then allow access to any port on any internal machines add the following rule to the Firewall -> Rules page:

iptables -I ExtAcc -d -j ACCEPT

If you want to keep the firewall enabled and just allow access to certain ports on this internal subnet do the following:

iptables -I ExtAcc -p tcp -d --dport 80 -j ACCEPT

You'll then have to determine the ports you want open for each of your applications.


Author Comment

ID: 9736151

Thanks for your time on this. This is like a foreign language to me, I'm just a mere website developer. But I'm willing to learn and give it a try.

I think you misunderstood me slightly tho'

The server is not part of a LAN so there won't be any routing required to internal machines. It is purely an internet server which I host my own PERL / ASP / PHP driven sites on. I'm also running my own DNS to resolve names I purchase to IPs on my server, as well as POP3 and SMTP mail for some of the sites.

All I need is to protect my static IP range (example); it is contiguous x.x.x.28 - x.x.x.62 (I think!)

Obviously NetBIOS is the big one, but basically protect all ports for each of the 64 IPs except the ones listed above.

Hope that makes sense, it does to me, just not familiar with the networking jargon you gurus use ;-)

I posted this question in Networking also because no one responded quickly in Security, but I will reward points on both questions.


LVL 18

Expert Comment

ID: 9736862
It IS part of a LAN.. in the sense that the internet is a network, and that's what you're protecting it from

Your router will deny all inbound traffic by default. In the example above, you are bridging the IP addresses the ISP or hosting center gave you through the router. The router will only allow traffic on the ports specified by the

iptables -I ExtAcc -p tcp -d --dport 80 -j ACCEPT


In this example, traffic to port 80 is permitted to all the IP addresses in the subnet.

You could do this on a per address basis as well.
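The two answers above show one `iptables -I ExtAcc ... -j ACCEPT` rule with the destination address stripped, and say the same rule works either for the whole subnet or per address. The script below is an added example, not from the thread or from SnapGear: it emits the allow-list rules for the ports the question lists (DNS, POP3, PCAnywhere, ping) against a destination you pass in, either a single host or a CIDR block, and prints them instead of running `iptables` so the list can be reviewed at home before the box goes to the datacenter. The addresses used in the comments are the 192.0.2.0/24 documentation range, not the asker's real subnet, and PCAnywhere is assumed to be TCP 5631-5632 as the question guesses.

```shell
#!/bin/sh
# Added example: generate SnapGear-style iptables ACCEPT rules for the ExtAcc
# chain. Nothing here touches the running firewall; it only prints rule lines.
# All addresses in comments are placeholders (RFC 5737 documentation range).

# gen_allow DEST PROTO PORTSPEC -> one ExtAcc rule line.
# DEST is a host (192.0.2.130) or a CIDR block (192.0.2.0/26);
# PORTSPEC uses iptables syntax, so a range is written 5631:5632.
gen_allow() {
    dest="$1"; proto="$2"; ports="$3"
    printf 'iptables -I ExtAcc -p %s -d %s --dport %s -j ACCEPT\n' \
        "$proto" "$dest" "$ports"
}

# gen_ping DEST -> allow inbound ICMP echo-request only (the "PING (?)" item).
# Limiting to echo-request keeps other ICMP types covered by the default deny.
gen_ping() {
    printf 'iptables -I ExtAcc -p icmp --icmp-type echo-request -d %s -j ACCEPT\n' "$1"
}

# gen_ruleset DEST -> the full allow-list from the question for DEST.
# Everything not listed stays blocked by the appliance's default deny,
# which is what covers NetBIOS and the rest without an explicit rule.
gen_ruleset() {
    dest="$1"
    gen_allow "$dest" udp 53          # DNS queries (UDP)
    gen_allow "$dest" tcp 53          # DNS over TCP (large answers, zone transfers)
    gen_allow "$dest" tcp 110         # POP3
    gen_allow "$dest" tcp 5631:5632   # PCAnywhere (assumed TCP, per the question)
    gen_ping  "$dest"                 # ICMP echo-request
}

# count_rules DEST -> number of rule lines produced; a quick sanity check
# that the generated list matches the number of services you meant to open.
count_rules() {
    gen_ruleset "$1" | wc -l | tr -d ' '
}

# Stand-alone usage: ./gen_rules.sh 192.0.2.0/26   (whole subnet)
#                    ./gen_rules.sh 192.0.2.130    (one address)
if [ -n "${1:-}" ]; then
    gen_ruleset "$1"
fi
```

Passing the subnet produces one rule per service for the whole block; passing a single address produces the same rules for that host only, which is the per-address variant the answer mentions. Because the SnapGear denies inbound traffic by default, the generated list is the complete set of exposures for that destination, so it doubles as a checklist of what is reachable from the internet.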

Author Comment

ID: 9738285
Hi Chicagoan,

Thank you for the advice again, it is very helpful.

2 last questions (I hope)

Firstly in your statement:

Under Networking -> Advanced Networking:
Additional routes:
Address       Type Netmask  Gateway       Metric Interface  Host -        NONE          NONE   eth1       Net  NONE   eth1

The 2 sets of IP numbers you refer to, are these just examples, or is that how it SHOULD be set, OR do I need to put my subnet mask numbers in there or something?

FYI my IP details are as follows:
IP Address     X.X.X.130
Subnet Mask

Would it be OK to perform this configuration using my desktop at home, then take it down to the datacentre and just plug it in between the server and gateway connection, OR would you advise performing the setup on the server itself?

I haven't even plugged the Snap Gear in yet or installed the software! Too paranoid about screwing up the config until I get a vague idea of what I'm doing :-)

Sorry for sounding so dumb on all this!

Thank you for your help so far it is really appreciated.
LVL 18

Accepted Solution

chicagoan earned 300 total points
ID: 9738589
The first statement is a route to the Dell's default router ( it just happens to be contiguous in the example)

The second is a "default route" out - comparing traffic to a mask of would match everything, so any traffic the internal hosts put on the firewall would be forwarded to Dell's default router.
Note dell may have multiple routes out, you may want to ask them about their BGP configuration, you may want more than one default route.

I don't see why you can't configure it first.
Before you trot over there though, I'd have a name and phone# of a knowledgeable person at SnapGear to help solve the inevitable glitch.
You might even want to install it at home and get it working on that network to get a feel for the commands and the interface.

Author Comment

ID: 10368557
Thanks for the info chicagoan, I'm sorry for the delay in awarding points, I haven't had time to go to the datacenter to fit the appliance (it's running behind ZoneAlarm at the moment, not good I know!)

I'll keep you posted on how I get on...
