physical location of firewall

npinfotech asked
Medium Priority
328 Views
Last Modified: 2013-11-16
Here is the hypothetical:

I have two routers connecting to my individual WAN links.  I connect both of them into 1 switch.  Then I connect the switch into a firewall.  Then I connect the firewall into a switch which connects to my internal network.  My lame attempt at a diagram is below:

Router 1 (DSL router)   ==>Switch 1 ==>Firewall 1 ==>internal network 1
Router 2 (Cable router) ==>Switch 1 ==>Firewall 1==>internal Network 1

Let's say I have the firewall set up to send all requests through to "router1" (my firewall has a setting to define only 1 WAN link).  Now, I set up a Windows XP client to use "router2" as a gateway.  I have port 21 blocked at the firewall, both ways.

Will the firewall block the internal client's request for port 21 on the internet, even though the firewall is configured to use "router 1"?  Will the firewall block requests for port 21 into my network that hit "router 2"?  

Author

Commented:
Basically what I am asking is: if I have a firewall appliance separating multiple WAN routers from an internal network, will the firewall police all traffic that flows through it, regardless of configuration?
No. It won't. The traffic from the XP Machine will straight away go to Router2 and so the firewall doesn't see it at all.

Cheers,
Rajesh

Author

Commented:
So, not all traffic that flows through a firewall is checked by the firewall.  The firewall has to be assigned as the gateway at all times?
No again. For the firewall to inspect the traffic, the traffic has to go through it. In your second case, the traffic doesn't go through the firewall at all. For example, I have 2 internet connections like this:

ISP1-------
              Router--------Firewall------------Internal Hosts
ISP2-------

In this case, the internal host uses either one of these ISP links to go out to the internet, but at any time the incoming and outgoing traffic passes through the firewall.

Cheers,
Rajesh

Author

Commented:
Thanks Rajesh.

Your answer confuses me a bit.  The diagram you drew has both WANs connected to 1 router.  All traffic would pass through the firewall regardless of what the internal network PC uses as a gateway.  The scenario I was talking about does the same thing, only with 1 additional router.

The one I was trying to draw would look like this (with IP addresses assigned):

               (1.1.1.1)
ISP1-------Router 1
                             --------Switch--------Firewall------------Internal Hosts
ISP2-------Router 2                               (1.1.1.3)              (1.1.1.4)  
                (1.1.1.2)

So, my internal host, with IP address 1.1.1.4, uses router 2 (1.1.1.2) as its gateway.  The traffic still has to go through the firewall to get to router 2.  Will the firewall block traffic anyway?  Will the firewall monitor traffic originating from router 2 bound for my internal network?
Npinfotech,

  Sorry if I confused you. Okay, let me be clear now. In your case, the problem is that your internal host 1.1.1.4 bypasses the firewall and gets to Router2 even though both are plugged into the same switch, like this:

              (1.1.1.1)
ISP1-------Router 1
                             --------Switch--------Firewall                Internal Hosts
ISP2-------Router 2                               (1.1.1.3)              (1.1.1.4)  
                (1.1.1.2)                                                              |
                         |                                                                |
                          ----------------------------------------------------

This is because you have the default gateway configured as Router2 on 1.1.1.4, so the switch will directly deliver the packet to Router2. The firewall doesn't see it at all. If you had the default gateway as 1.1.1.3, then it will go through the firewall. Remember the traffic between 1.1.1.4 and 1.1.1.2 *DOES NOT* go through the firewall.

Cheers,
Rajesh
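To make the point above concrete, here is an added model of the thread's topology. It is not code from the original post or from any product: Router 1, Router 2, the firewall and the internal host all sit on one switch, the host ARPs for whatever it has as its default gateway, and the switch delivers the frame only to that device. The addresses are the ones in the diagram; the MAC addresses, the "port 21 blocked" rule, the single-WAN next hop on the firewall, and the assumption that only Router 1 routes back to the internal host via the firewall are constructed for the example.

```python
"""Added model of the thread's topology (not from the original post): Router 1,
Router 2, the firewall and the internal host share one switch, so the host's
default-gateway setting decides which device actually receives its frames."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Node:
    name: str
    ip: str
    mac: str


# Constructed addresses matching the thread's diagram; MACs are made up.
ROUTER1 = Node("Router 1", "1.1.1.1", "02:00:00:00:00:01")
ROUTER2 = Node("Router 2", "1.1.1.2", "02:00:00:00:00:02")
FIREWALL = Node("Firewall", "1.1.1.3", "02:00:00:00:00:03")
HOST = Node("Internal host", "1.1.1.4", "02:00:00:00:00:04")

ARP = {n.ip: n.mac for n in (ROUTER1, ROUTER2, FIREWALL, HOST)}    # IP -> MAC
MAC_TABLE = {n.mac: n for n in (ROUTER1, ROUTER2, FIREWALL, HOST)}  # switch CAM table

FIREWALL_BLOCKED_PORTS = {21}       # the thread's rule: port 21 blocked both ways
FIREWALL_WAN_NEXT_HOP = ROUTER1.ip  # the thread's single-WAN firewall setting
# Assumption for the inbound case: Router 1 has a route to the internal host
# via the firewall, Router 2 has none and delivers directly (None).
WAN_RETURN_ROUTE = {ROUTER1.ip: FIREWALL.ip, ROUTER2.ip: None}


def switch_forward(dst_mac):
    """A switch delivers a frame only to the port that learned dst_mac."""
    return MAC_TABLE[dst_mac]


def firewall_verdict(pkt):
    return "blocked" if pkt.dst_port in FIREWALL_BLOCKED_PORTS else "allowed"


def send_from_host(pkt, default_gateway):
    """Outbound packet from the internal host. Returns (verdict, path)."""
    path = [HOST.name]
    hop = switch_forward(ARP[default_gateway])  # host ARPs for its gateway
    path.append(hop.name)
    if hop is not FIREWALL:
        return "forwarded uninspected", path    # the firewall never saw the frame
    if firewall_verdict(pkt) == "blocked":
        return "blocked by firewall", path
    hop = switch_forward(ARP[FIREWALL_WAN_NEXT_HOP])
    path.append(hop.name)
    return "forwarded after inspection", path


def deliver_from_wan(pkt, ingress_router):
    """Inbound packet that arrived on one of the WAN routers for the host."""
    path = [ingress_router.name]
    via = WAN_RETURN_ROUTE[ingress_router.ip]
    if via is None:
        hop = switch_forward(ARP[pkt.dst_ip])   # router ARPs the host directly
        path.append(hop.name)
        return "forwarded uninspected", path
    path.append(switch_forward(ARP[via]).name)
    if firewall_verdict(pkt) == "blocked":
        return "blocked by firewall", path
    path.append(switch_forward(ARP[pkt.dst_ip]).name)
    return "forwarded after inspection", path


if __name__ == "__main__":
    ftp_out = Packet("1.1.1.4", "203.0.113.10", 21)
    for gw in (ROUTER2.ip, FIREWALL.ip):
        print(f"gateway {gw}: {send_from_host(ftp_out, gw)}")
    ftp_in = Packet("198.51.100.7", "1.1.1.4", 21)
    for r in (ROUTER2, ROUTER1):
        print(f"inbound via {r.name}: {deliver_from_wan(ftp_in, r)}")
```

Running it shows the two cases the thread argues about: with 1.1.1.2 as gateway the path is host, Router 2 and the port 21 packet leaves uninspected; with 1.1.1.3 as gateway the firewall is the next hop and the same packet is blocked. The inbound case is the mirror image: whatever reaches Router 2 is handed straight to the host unless the router itself is configured to send internal-bound traffic to the firewall.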

Author

Commented:
No worries, maybe I'm confusing myself!

There is no way to get to 1.1.1.2 without passing through 1.1.1.3 physically.  All traffic bound for 1.1.1.1 or 1.1.1.2 has to pass through 1.1.1.3.  The switch between the routers and the firewall is just to connect the routers; it connects to nothing else but the routers and the firewall.

If any traffic passes through the firewall, regardless of settings, will the firewall ignore it?
If the traffic passes through the firewall then it will not ignore it. It will work on the traffic. But again, regardless of the connection (physical connection) you have, if you have the default gateway as 1.1.1.2 on the machine 1.1.1.4 then it is not going to pass through the firewall. It is the basic TCP/IP networking model.

Cheers,
Rajesh

Author

Commented:
So, if 1.1.1.4 makes the request, will they just get a timeout or something?
If 1.1.1.4 makes a request for the internet and it cannot reach 1.1.1.2, it will time out. Otherwise, if it can reach 1.1.1.2, traffic will pass through and you'll have non-firewalled internet.

Why don't you do this. Just do a tracert to a public ip address and see if it crosses your firewall address. It won't.

Cheers,
Rajesh
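The tracert check suggested above can be automated, which is useful when you want to verify every workstation rather than eyeball one. The following is an added example, not code from the thread: it parses Windows tracert output and reports which address answered as the first hop and whether the firewall's address (1.1.1.3 in the thread) appears anywhere in the path. The two tracert transcripts are constructed to match the thread's two gateway settings; the hostnames and public addresses in them are made up.

```python
"""Added tracert check (not from the original thread): parse Windows tracert
output and report whether the firewall's address appears as a hop."""
import re

_HOP_LINE = re.compile(r"^\s*(\d+)\s")                        # "  1    <1 ms ..."
_IP_AT_END = re.compile(r"(\d{1,3}(?:\.\d{1,3}){3})\]?\s*$")  # "host [1.1.1.1]" or "1.1.1.1"

# Constructed sample: workstation with 1.1.1.3 (the firewall) as default gateway.
VIA_FIREWALL = """\
Tracing route to example.net [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  1.1.1.3
  2     1 ms     1 ms     1 ms  1.1.1.1
  3    14 ms    13 ms    15 ms  198.51.100.1
  4    22 ms    21 ms    22 ms  203.0.113.10

Trace complete.
"""

# Constructed sample: workstation with 1.1.1.2 (Router 2) as default gateway;
# the second hop answers nothing, as in the asker's later report.
VIA_ROUTER2 = """\
Tracing route to example.net [203.0.113.10]
over a maximum of 30 hops:

  1    <1 ms    <1 ms    <1 ms  1.1.1.2
  2     *        *        *     Request timed out.
  3    18 ms    17 ms    18 ms  203.0.113.10

Trace complete.
"""


def parse_tracert(output):
    """Return [(hop_number, ip_or_None), ...]; a hop whose probes all timed
    out yields None instead of an address."""
    hops = []
    for line in output.splitlines():
        m = _HOP_LINE.match(line)
        if not m:
            continue                      # header, blank line, "Trace complete."
        hop_no = int(m.group(1))
        if "Request timed out" in line:
            hops.append((hop_no, None))
            continue
        ip = _IP_AT_END.search(line)
        hops.append((hop_no, ip.group(1) if ip else None))
    return hops


def check_path(output, firewall_ip):
    """Summarise one tracert run: who answered first, whether the firewall
    ever answered, and which hops were silent."""
    hops = parse_tracert(output)
    return {
        "first_hop": hops[0][1] if hops else None,
        "firewall_seen": any(ip == firewall_ip for _, ip in hops),
        "silent_hops": [n for n, ip in hops if ip is None],
    }


if __name__ == "__main__":
    for label, sample in (("via firewall", VIA_FIREWALL), ("via router 2", VIA_ROUTER2)):
        print(label, check_path(sample, "1.1.1.3"))
```

Read the result with one caveat in mind: a hop that does not send ICMP time-exceeded replies, or a firewall running in transparent (bridging) mode, never shows up in tracert even when traffic does pass through it, so "firewall not seen" on its own is not proof of a bypass. The first-hop address is the reliable signal, because it is whatever device the workstation's default gateway resolved to; in the thread's setup anything other than 1.1.1.3 there means the firewall is being skipped.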

NpInfotech,

  Did I help you? I mean did you figure it out? Just wanna make sure...

Cheers,
Rajesh

Author

Commented:
All I get when I try to tracert is "*.*.*.*" request timed out.  Then it will proceed to get the rest of the information as it normally should.

This happens no matter what I use as a gateway.
OK, but what I mentioned above is the standard behavior of a network.

Have a good day.

Cheers,
Rajesh