npinfotech asked:
physical location of firewall

Here is the hypothetical:

I have two routers connecting to my individual WAN links.  I connect both of them into 1 switch.  Then I connect the switch into a firewall.  Then I connect the firewall into a switch which connects to my internal network.  My lame attempt at a diagram is below:

Router 1 (DSL router)   ==>Switch 1 ==>Firewall 1 ==>internal network 1
Router 2 (Cable router) ==>Switch 1 ==>Firewall 1==>internal Network 1

Let's say I have the firewall set up to send all requests through to "router1" (my firewall has a setting to define only 1 WAN link).  Now, I set up a Windows XP client to use "router2" as a gateway.  I have port 21 blocked at the firewall, both ways.

Will the firewall block the internal client's request for port 21 on the internet, even though the firewall is configured to use "router 1"?  Will the firewall block requests for port 21 into my network that hit "router 2"?

npinfotech (asker):
Basically what I am asking is: if I have a firewall appliance separating multiple WAN routers from an internal network, will the firewall police all traffic that flows through it, regardless of configuration?
No. It won't. The traffic from the XP Machine will straight away go to Router2 and so the firewall doesn't see it at all.

Cheers,
Rajesh
So, not all traffic that flows through a firewall is checked by the firewall.  The firewall has to be assigned as the gateway at all times?
No again. For the firewall to inspect the traffic, the traffic has to go through it. In your second case, the traffic doesn't go through the firewall at all. For example, I have 2 internet connections like this:

ISP1-------
              Router--------Firewall------------Internal Hosts
ISP2-------

In this case, the internal host uses either one of these ISP links to go out to the internet, but at any time the incoming and outgoing traffic passes through the firewall.

Cheers,
Rajesh
Thanks Rajesh.

Your answers confuse me a bit.  The diagram you drew has both WANs connected to 1 router.  All traffic would pass through the firewall regardless of what the internal network PC uses as a gateway.  The scenario I was talking about does the same thing, only with 1 additional router.  

The one I was trying to draw would look like this (with IP addresses assigned):  

               (1.1.1.1)
ISP1-------Router 1
                             --------Switch--------Firewall------------Internal Hosts
ISP2-------Router 2                               (1.1.1.3)              (1.1.1.4)  
                (1.1.1.2)

So, my internal host, with IP address 1.1.1.4, uses router 2 (1.1.1.2) as its gateway.  The traffic still has to go through the firewall to get to router 2.  Will the firewall block traffic anyway?  Will the firewall monitor traffic originating from router 2 bound for my internal network?  
Npinfotech,

  Sorry if I confused you. Okay, let me be clear now; in your case, the problem is that your internal host 1.1.1.4 bypasses the firewall and gets to Router2 even though both are plugged into the same switch, like this:

              (1.1.1.1)
ISP1-------Router 1
                             --------Switch--------Firewall                Internal Hosts
ISP2-------Router 2                               (1.1.1.3)              (1.1.1.4)  
                (1.1.1.2)                                                              |
                         |                                                                |
                          ----------------------------------------------------

This is because you have the default gateway configured as Router2 on 1.1.1.4, so the switch will directly deliver the packet to Router2. The firewall doesn't see it at all. If you had the default gateway as 1.1.1.3, then it would go through the firewall. Remember the traffic between 1.1.1.4 and 1.1.1.2 *DOES NOT* go through the firewall.

Cheers,
Rajesh
No worries, maybe I'm confusing myself!  

There is no way to get to 1.1.1.2 without passing through 1.1.1.3 physically.  All traffic bound for 1.1.1.1 or 1.1.1.2 has to pass through 1.1.1.3.  The switch between the routers and the firewall is just to connect the routers; it connects to nothing else but the routers and the firewall.  

If any traffic passes through the firewall, regardless of settings, will the firewall ignore it?
If the traffic passes through the firewall then it will not ignore it. It will work on the traffic. But again, regardless of the connection (physical connection) you have, if you have the default gateway as 1.1.1.2 on the machine 1.1.1.4 then it is not going to pass through the firewall. It is the basic TCP/IP networking model.

Cheers,
Rajesh
So, if 1.1.1.4 makes the request, will they just get a timeout or something?
ASKER CERTIFIED SOLUTION
rsivanandan
NpInfotech,

  Did I help you? I mean did you figure it out? Just wanna make sure...

Cheers,
Rajesh
All I get when I try to tracert is "*.*.*.*" request timed out.  Then it will proceed to get the rest of the information as it normally should.

This happens no matter what I use as a gateway.
OK, but what I mentioned above is the standard behavior of a network.

Have a good day.

Cheers,
Rajesh
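The point the whole exchange turns on is that a firewall enforces policy only on packets it is actually asked to forward, and which device forwards a packet is decided by the sending host's routing table (its default gateway) plus whether that gateway is reachable on the host's own layer-2 segment. The following toy packet-path simulator is an added example written for this page; it is not code from the thread or from any firewall vendor. It models both pictures drawn above: the asker's wiring (routers and firewall outside port on one switch, firewall inside port and host on another, firewall routing between them) and Rajesh's flat diagram (host on the same switch as the routers). The inside subnet 10.0.0.0/24, the firewall's inside address 10.0.0.3, the public test addresses and the "firewall rule is consulted only when forwarding" behaviour are assumptions of the model; NAT and proxy ARP are ignored.

```python
"""Toy packet-path simulator for the two-router / one-firewall thread above.

Each node has interfaces (segment -> IP), a routing table and, for the firewall,
a set of blocked destination ports that is consulted only when the firewall is
the device forwarding the packet. A next hop is reachable only if some node owns
that address on the same segment (ARP never crosses a routing firewall).
All addresses and layouts are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

INTERNET = "internet"  # pseudo-segment: a packet routed here counts as delivered


@dataclass
class Node:
    name: str
    ifaces: dict                 # segment -> IP address owned on that segment
    routes: list                 # (prefix, next_hop or None for on-link, segment)
    blocked_ports: set = field(default_factory=set)
    is_firewall: bool = False


class Network:
    def __init__(self, nodes):
        self.nodes = {n.name: n for n in nodes}

    def resolve(self, ip, segment):
        """ARP-style lookup: node owning `ip` on `segment`, or None if nobody answers."""
        if segment == INTERNET:
            return INTERNET
        for n in self.nodes.values():
            if n.ifaces.get(segment) == ip:
                return n.name
        return None

    @staticmethod
    def lookup(node, dst):
        """Longest-prefix match of `dst` against the node's routing table."""
        best, addr = None, ipaddress.ip_address(dst)
        for prefix, next_hop, segment in node.routes:
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, next_hop, segment)
        return best

    def trace(self, src, dst, dport):
        """Follow one packet hop by hop. Returns (outcome, hops); outcome is
        'delivered', 'blocked-by-firewall', 'timeout' (gateway not on link) or 'no-route'."""
        cur, hops = self.nodes[src], [src]
        for _ in range(8):
            # Policy applies only to traffic the firewall itself forwards.
            if cur.is_firewall and cur.name != src and dport in cur.blocked_ports:
                return "blocked-by-firewall", hops
            route = self.lookup(cur, dst)
            if route is None:
                return "no-route", hops
            _, next_hop, segment = route
            owner = self.resolve(next_hop or dst, segment)
            if owner is None:
                return "timeout", hops   # ARP for the gateway is never answered
            hops.append(owner)
            if owner == INTERNET:
                return "delivered", hops
            cur = self.nodes[owner]
        return "loop", hops


def routers():
    # Both WAN routers sit on segment "wan", each with its own Internet uplink.
    return [
        Node("router1", {"wan": "1.1.1.1", INTERNET: "203.0.113.1"},
             [("1.1.1.0/24", None, "wan"), ("0.0.0.0/0", None, INTERNET)]),
        Node("router2", {"wan": "1.1.1.2", INTERNET: "198.51.100.1"},
             [("1.1.1.0/24", None, "wan"), ("0.0.0.0/0", None, INTERNET)]),
    ]


def routed_layout(host_gateway):
    """Asker's wiring: routers <-> switch <-> firewall <-> internal switch <-> host.
    The firewall routes between "wan" and "lan"; the inside subnet is an assumption."""
    fw = Node("firewall", {"wan": "1.1.1.3", "lan": "10.0.0.3"},
              [("1.1.1.0/24", None, "wan"), ("10.0.0.0/24", None, "lan"),
               ("0.0.0.0/0", "1.1.1.1", "wan")],   # "only one WAN link" setting: router1
              blocked_ports={21}, is_firewall=True)
    host = Node("host", {"lan": "10.0.0.4"},
                [("10.0.0.0/24", None, "lan"), ("0.0.0.0/0", host_gateway, "lan")])
    return Network(routers() + [fw, host])


def flat_layout(host_gateway):
    """Rajesh's picture: routers, firewall and host all on one switch ("wan")."""
    fw = Node("firewall", {"wan": "1.1.1.3"},
              [("1.1.1.0/24", None, "wan"), ("0.0.0.0/0", "1.1.1.1", "wan")],
              blocked_ports={21}, is_firewall=True)
    host = Node("host", {"wan": "1.1.1.4"},
                [("1.1.1.0/24", None, "wan"), ("0.0.0.0/0", host_gateway, "wan")])
    return Network(routers() + [fw, host])


def simulate(dst="192.0.2.10"):
    """Outcome of an FTP (21) and an HTTP (80) request from the host in each layout."""
    cases = {"routed, gw=firewall": routed_layout("10.0.0.3"),
             "routed, gw=router2": routed_layout("1.1.1.2"),
             "flat, gw=firewall": flat_layout("1.1.1.3"),
             "flat, gw=router2": flat_layout("1.1.1.2")}
    return {n: {p: net.trace("host", dst, p) for p in (21, 80)} for n, net in cases.items()}


if __name__ == "__main__":
    for name, result in simulate().items():
        for port, (outcome, hops) in result.items():
            print(f"{name:22} port {port}: {outcome:20} via {' -> '.join(hops)}")
```

Running it shows the two outcomes argued about in the thread side by side. With the firewall in the path and set as the gateway, port 21 is dropped and port 80 leaves through router1 regardless of which router the host would prefer. With the host pointed at router2 behind a routing firewall, the request never reaches anything: the gateway is not on the host's segment, so the ARP goes unanswered and the client simply times out. In the flat layout, the same gateway setting reaches router2 directly and the firewall is never a hop at all. The practical check on a real host is the same as the model's: compare the default gateway in the host's route table against the segment its interface is actually on, and confirm with a traceroute that the firewall appears as a hop.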