Solved

Separate Subnets/Network for servers?

Posted on 2007-03-29
341 Views
Last Modified: 2013-11-16
Hi everyone.

I am running an Asterisk server and wish to use external extensions. I need to forward a range of ports. I have a 3com wireless router which does not allow me to forward ranges (it only allows me to forward specific ports). The only way I can get my server to work is by making it DMZ, which is very insecure.

Somewhere collecting dust, I have a WatchGuard Firebox SOHO 6. I would like to connect this to my 3com router (making the WatchGuard the DMZ in the 3com settings), then connecting just my servers to the WatchGuard, which can handle the port forwarding (i.e. my WatchGuard is being used as a firewall). In the WatchGuard's settings I can set the 3com to be used as the default gateway so the server can access the internet. My question is how do I set up IP routing, and what IP addresses do I use on the network, if I want my LAN which my workstations are on (i.e. connected directly to the 3com) to be able to access the servers?

I am new to IP routing so any help would be appreciated.

Many Thanks
Question by:jonnytabpni
15 Comments
 

Expert Comment

by:Rob Williams
ID: 18821461
How about a different option: set the WatchGuard up as the primary router/firewall, and make the 3Com a wireless access point.
To make the wireless router an access point, rather than a gateway:
-no changes required to the wired router
-reset the wireless WAN connection to default, i.e. unconfigured
-assign the wireless LAN side an IP address in the same subnet as the wired router. Make sure it does not conflict with the wired router's DHCP range, or any statically assigned devices
-disable DHCP on the wireless
-wireless connections should be configured in the normal manner
-connect a cable from one of the LAN ports of the wired router to one of the LAN (not WAN) ports of the wireless. If the lights do not light up indicating a connection you may need a cross-over cable (usually only necessary on older units)
-now all devices should have Internet access and be able to easily connect to one another to share resources. Don't forget to refresh any DHCP addresses on the wireless clients

Author Comment

by:jonnytabpni
ID: 18822041
Hi there

That's a good solution, but the thing is that my wireless router has my DSL modem in it and the WatchGuard doesn't have a modem in it :( I could buy another modem for the WatchGuard; however, I have tried this in the past and I think there is something wrong with my WatchGuard as it keeps dropping the connection when connected to a modem.

Many Thanks

Expert Comment

by:Rob Williams
ID: 18822643
Ah, I see the problem.
However, in your original suggestion there are severe security risks. You want the wireless users to access the WatchGuard network via the external interface. Doing so would require opening a huge security hole that would also be more or less available to anyone on the Internet, i.e. they could have file and print sharing access via the DMZ.

How many wireless users do you have, and do you have the MUVPN (Mobile User VPN) option for your SOHO 6? It's a paid option, and allows 10 VPN connections. If you have that, you could allow the wireless users VPN access to the WatchGuard network.

Author Comment

by:jonnytabpni
ID: 18823007
Nope, sorry, I don't have the VPN option, just the bog-standard features. I always thought there was a way to have multiple subnets in a network where there is only one external IP address...

Many Thanks

Expert Comment

by:Rob Williams
ID: 18823030
You can have multiple subnets; configuring the routing is not the issue. The problem is you have a firewall blocking the traffic between the two. Opening those ports is very risky.

Author Comment

by:jonnytabpni
ID: 18824113
OK, I understand :)

If I wanted a setup like this, how would I go about it? Would I need a separate router?

Thanks

Accepted Solution

by:Rob Williams (earned 125 total points)
ID: 18824192
A couple of options:
-If the 3com can be put in bridge mode, do so and turn off the wireless (it probably will be by default). Then use the WatchGuard as your primary router and add a new wireless to the LAN side of it as described earlier.
-You can replace the 3com with a basic modem and again use the WatchGuard as the primary router and add a wireless. I don't know if the 3com can be used as a LAN side access point. I am doubtful.
-Or go for broke and get a basic modem and a new wireless router to use as the primary unit and do your forwarding.

Author Comment

by:jonnytabpni
ID: 18824218
Thank you for your response. I have in fact done the above today (the 1st point); I found another wireless access point. However, if I wanted to have multiple subnets, how would I go about setting this up? Many thanks

Expert Comment

by:Rob Williams
ID: 18824624
The primary difference is the cable would be connected to the LAN of the WatchGuard and the WAN of the wireless. This way you have 2 segments, both protected by the WatchGuard, and the wireless can route the packets between the two. Not all routers (the wireless) can be configured for routing, but assuming it can: you would leave the WatchGuard alone, with DHCP enabled if you need it (assume 192.168.100.0/24 subnet). Connect the two together LAN=>WAN. Assign the WAN side of the wireless an IP in the same subnet as the WatchGuard (that doesn't conflict with static or DHCP addresses; assume 192.168.100.254). Assign the LAN side of the wireless an IP in a different subnet, and enable DHCP on the wireless (assume 192.168.200.0/24).
Next, the routing. I don't know your model of WatchGuard; you may be able to set up the routing on it. If so, you want to tell it to route packets for the 192.168.200.0/24 subnet using 192.168.100.254. If you cannot configure this, on each machine you want to have access to the 192.168.200.0 network, you need to add the following route from a command line:
  route -p add 192.168.200.0 mask 255.255.255.0 192.168.100.254
To remove, if necessary:
  route delete 192.168.200.0
The wireless clients will be able to reach the WatchGuard 192.168.100.0/24 network as the wireless knows the route, which is the default gateway route for all packets destined for the non-wireless subnet. However, the firewall is still enabled; you need to disable the firewall on the wireless router, and this is not possible on all routers. Some also allow you to switch from gateway mode to router mode.
The above assumes you have 2 subnets and you want them to be able to "talk" to one another. Is this the case, or are you trying to isolate?
 
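An added example, not part of the thread, that models the two-subnet layout from the comment above with longest-prefix-match routing and checks the wireless WAN address the way the comment advises. The WatchGuard's LAN address (192.168.100.1) and the DHCP pool bounds are assumptions; the subnets and the 192.168.100.254 hop are the ones in the comment.

```python
# Added example (not from the thread): longest-prefix-match routing for the
# two-subnet layout above: WatchGuard LAN 192.168.100.0/24, wireless router
# WAN 192.168.100.254 on that LAN, wireless LAN 192.168.200.0/24.
# The WatchGuard LAN address (192.168.100.1) and DHCP pool are assumptions.
from ipaddress import ip_address, ip_network


def next_hop(routing_table, dst):
    """Return the gateway for dst using the most specific matching prefix.
    routing_table: list of (prefix, gateway); gateway None means on-link."""
    dst = ip_address(dst)
    best = None
    for prefix, gw in routing_table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    if best is None:
        return None
    return "on-link" if best[1] is None else best[1]


def wan_address_ok(wan_ip, lan_subnet, dhcp_first, dhcp_last):
    """The wireless WAN address must be inside the WatchGuard subnet but
    outside its DHCP pool, as the comment advises (pool bounds assumed)."""
    ip = ip_address(wan_ip)
    in_pool = ip_address(dhcp_first) <= ip <= ip_address(dhcp_last)
    return ip in ip_network(lan_subnet) and not in_pool


# Workstation on the WatchGuard LAN, before the static route is added.
WORKSTATION_BEFORE = [
    ("192.168.100.0/24", None),        # directly connected LAN
    ("0.0.0.0/0", "192.168.100.1"),    # default gateway = WatchGuard (assumed)
]

# After:  route -p add 192.168.200.0 mask 255.255.255.0 192.168.100.254
WORKSTATION_AFTER = WORKSTATION_BEFORE + [("192.168.200.0/24", "192.168.100.254")]


def route_summary(table, targets):
    """Map each destination to the next hop chosen from the given table."""
    return {t: next_hop(table, t) for t in targets}


if __name__ == "__main__":
    targets = ["192.168.100.10", "192.168.200.25", "203.0.113.7"]  # last: documentation address
    print("before:", route_summary(WORKSTATION_BEFORE, targets))
    print("after: ", route_summary(WORKSTATION_AFTER, targets))
    print("wireless WAN ok:", wan_address_ok("192.168.100.254", "192.168.100.0/24",
                                             "192.168.100.100", "192.168.100.200"))
```

Without the static route, traffic for 192.168.200.x follows the default route to the WatchGuard, which is why the comment has each workstation add the route itself when the WatchGuard cannot hold it.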

Author Comment

by:jonnytabpni
ID: 18831715
OK, how about this. I am thinking about doing all this rigmarole as I'm setting up an Asterisk server. With the setup that you advised me:

First router-----DMZ---->Watchguard----->Workstations and Servers and wireless gateway

I'm having NAT problems with Asterisk, so I'm thinking of doing it this way: currently I have 2 servers. One is for Asterisk and the other is for email/web. What if I run my Asterisk server off the DMZ of my first router, then run everything else off my Firebox and have my Firebox connected to the first router? That way if someone hacked into my Asterisk server (as it's on DMZ) they would not get access to the rest of my network as they are behind the Firebox? Would that be secure?

Many Thanks

Expert Comment

by:Rob Williams
ID: 18831819
Is "the first router" a combined modem and router? If so, can you put it in bridge mode, making it a basic modem? This simplifies "things" a lot, and eliminates one hop and one NAT device. You could still then use the WatchGuard's DMZ.
Is the Asterisk going to be for site-to-site, or general use? If site-to-site, it would usually be done in a VPN tunnel and no DMZ used.

Author Comment

by:jonnytabpni
ID: 18832101
The first router is a combined modem and router; however, it can't be put into bridge mode :( I have decided to fork out some cash and go for this buy: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&ih=010&sspagename=STRK%3AMEBI%3AIT&viewitem=&item=200093815722&rd=1&rd=1

It supports forwarding of ranges so I don't need to use a DMZ or the WatchGuard. I will use the 3com for the wireless gateway, turning off the DHCP etc...

That sounds like a better solution, doesn't it?
Many Thanks

Expert Comment

by:Rob Williams
ID: 18832188
Sounds good. Make sure you update the firmware, often you get additional features with the updates.

One note, however. I noticed the model # AG241. Are you in Europe, and if so, any chance your connection uses PPPoA? I know this is a different solution, but my bridge mode solution above won't work with the WatchGuard as I don't believe it supports PPPoA.

Good luck with it. Hope all goes well.
--Rob

Author Comment

by:jonnytabpni
ID: 18832237
Yes, I am in Europe - the UK in fact. And yes, we do use PPPoA :( I hate it; it really means less stuff is available for us DSL users over here (cable people have it easy over here!)

Expert Comment

by:Rob Williams
ID: 18832275
Thanks jonnytabpni.
Yes, PPPoA does limit your choices.
I'm in Canada, for the record. Cheers!
--Rob