jonnytabpni

Separate Subnets/Network for servers?

Hi everyone.

I am running an Asterisk server and wish to use external extensions. I need to forward a range of ports. I have a 3Com wireless router which does not allow me to forward ranges (it only allows me to forward specific ports). The only way I can get my server to work is by making it DMZ, which is very insecure.

Somewhere collecting dust, I have a WatchGuard Firebox SOHO 6. I would like to connect this to my 3Com router (making the WatchGuard DMZ in the 3Com settings), then connect just my servers to the WatchGuard, which can handle the port forwarding (i.e. my WatchGuard is being used as a firewall). In the WatchGuard's settings I can set the 3Com to be used as the default gateway so the server can access the internet. My question is how do I set up IP routing and what IP addresses do I use on the network if I want my LAN which my workstations are on (i.e. connected directly to the 3Com) to be able to access the servers?

I am new to IP routing so any help would be appreciated.

Many Thanks
Rob Williams

How about a different option: set the WatchGuard up as the primary router/firewall, and make the 3Com a wireless access point.
To make the wireless router an access point, rather than a gateway:
-no changes required to the wired router
-reset the wireless WAN connection to default, i.e un-configured
-assign the wireless LAN side an IP address in the same subnet as the wired router. Make sure it does not conflict with the wired router's DHCP range, or any statically assigned devices
-disable DHCP on the wireless
-wireless connections should be configured in the normal manner
-connect a cable from one of the LAN ports of the wired router to one of the LAN (not WAN) ports of the wireless. If the lights do not light up indicating a connection you may need a cross-over cable (usually only necessary on older units)
-now all devices should have Internet access and be able to easily connect to one another to share resources. Don't forget to refresh any DHCP addresses on the wireless clients
jonnytabpni

ASKER

Hi there,

That's a good solution, but the thing is that my wireless router has my DSL modem in it and the WatchGuard doesn't have a modem in it :( I could buy another modem for the WatchGuard; however, I have tried this in the past and I think there is something wrong with my WatchGuard as it keeps dropping the connection when connected to a modem.

Many Thanks
Ah, I see the problem.
However, in your original suggestion, there are severe security risks. You want the wireless users to access the WatchGuard network via the external Interface. Doing so would require opening a huge security hole that would also be more or less available to anyone on the Internet, i.e. they could have file and print sharing access via the DMZ.

How many wireless users do you have, and do you have the MUVPN (Mobile User VPN) option for your SOHO 6? It's a paid option, and allows 10 VPN connections. If you have that, you could allow the wireless users VPN access to the WatchGuard network.
Nope, sorry, I don't have the VPN option, just the bog-standard features. I always thought there was a way to have multiple subnets in a network where there is only one external IP address...

Many Thanks
You can have multiple subnets, configuring the routing is not the issue. The problem is you have a firewall blocking the traffic between the two. Opening those ports is very risky.
OK, I understand :)

If I wanted a setup like this, how would I go about it? Would I need a separate router?

Thanks
ASKER CERTIFIED SOLUTION
Rob Williams

Thank you for your response. I have in fact done the above today (the 1st point) - I found another wireless access point. However, if I wanted to have multiple subnets, how would I go about setting this up? Many thanks
The primary difference is the cable would be connected to the LAN of the WatchGuard and the WAN of the wireless. This way you have 2 segments, both protected by the WatchGuard, and the wireless can route the packets between the two. Not all routers (the wireless) can be configured for routing, but assuming it can: you would leave the WatchGuard alone, with DHCP enabled if you need it (assume 192.168.100.0/24 subnet). Connect the two together LAN=>WAN. Assign the WAN side of the wireless an IP in the same subnet as the WatchGuard (that doesn't conflict with static or DHCP addresses - assume 192.168.100.254). Assign the LAN side of the wireless an IP in a different subnet, and enable DHCP on the wireless (assume 192.168.200.0/24).
Next the routing. I don't know your model of the WatchGuard; you may be able to set up the routing on it. If so, you want to tell it to route packets for the 192.168.200.0/24 subnet using 192.168.100.254. If you cannot configure this, on each machine you want to have access to the 192.168.200.0 network, you need to add the following route from a command line:
  route -p add 192.168.200.0 mask 255.255.255.0 192.168.100.254
To remove, if necessary:
  route delete 192.168.200.0
The wireless clients will be able to reach the WatchGuard 192.168.100.0/24 network as the wireless knows the route, which is the default gateway route for all packets destined for the non-wireless subnet. However, the firewall is still enabled; you need to disable the firewall on the wireless router, and this is not possible on all routers. Some also allow you to switch from gateway mode to router mode.
The above assumes you have 2 subnets and you want them to be able to "talk" to one another. Is this the case, or are you trying to isolate?
 
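The two-segment plan above (WatchGuard LAN 192.168.100.0/24, wireless WAN at 192.168.100.254, wireless LAN 192.168.200.0/24) is easy to get subtly wrong: the wireless WAN address must sit inside the firewall's subnet but outside its DHCP pool, the two subnets must not overlap, and a wired host without the static route will hand 192.168.200.x traffic to its default gateway instead of to the wireless router. The following script is an added example, not code from the thread or from either vendor; it uses Python's standard `ipaddress` module to check those conditions, generate the `route -p add` / `route delete` lines in the form Rob gives, and do a longest-prefix-match lookup to show which next hop a wired host picks with and without the route. The DHCP pool (192.168.100.10-100) and the WatchGuard's LAN address (192.168.100.1) are assumptions, since the thread does not state them.

```python
import ipaddress

# Constructed values following the thread's assumed addressing.
FIREWALL_LAN = "192.168.100.0/24"                      # WatchGuard LAN segment
FIREWALL_LAN_IP = "192.168.100.1"                      # assumed WatchGuard LAN address
FIREWALL_DHCP = ("192.168.100.10", "192.168.100.100")  # assumed DHCP pool on the WatchGuard
WIRELESS_WAN_IP = "192.168.100.254"                    # wireless router's WAN side
WIRELESS_LAN = "192.168.200.0/24"                      # wireless router's LAN side


def check_plan(fw_lan_cidr, fw_dhcp_range, wifi_wan_ip, wifi_lan_cidr, static_hosts=()):
    """Return a list of problems with the addressing plan; an empty list means it is sound."""
    fw_lan = ipaddress.ip_network(fw_lan_cidr, strict=True)
    wifi_lan = ipaddress.ip_network(wifi_lan_cidr, strict=True)
    wan_ip = ipaddress.ip_address(wifi_wan_ip)
    lo, hi = (ipaddress.ip_address(a) for a in fw_dhcp_range)
    problems = []
    # The wireless WAN address must be routable on the firewall's own LAN.
    if wan_ip not in fw_lan:
        problems.append(f"{wan_ip} is not inside the firewall LAN {fw_lan}")
    # Two segments need two distinct subnets, otherwise hosts will not route at all.
    if fw_lan.overlaps(wifi_lan):
        problems.append(f"{fw_lan} and {wifi_lan} overlap; the segments must use distinct subnets")
    # The WAN address must not be handed out by DHCP or already taken by a static host.
    if lo <= wan_ip <= hi:
        problems.append(f"{wan_ip} lies inside the firewall DHCP pool {lo}-{hi}")
    if any(ipaddress.ip_address(h) == wan_ip for h in static_hosts):
        problems.append(f"{wan_ip} collides with a statically assigned host")
    return problems


def windows_route_commands(wifi_lan_cidr, wifi_wan_ip):
    """Persistent add/delete commands for a wired Windows host, in the form used in the thread."""
    net = ipaddress.ip_network(wifi_lan_cidr, strict=True)
    add = f"route -p add {net.network_address} mask {net.netmask} {wifi_wan_ip}"
    delete = f"route delete {net.network_address}"
    return add, delete


def next_hop(dest_ip, routes, default_gw):
    """Longest-prefix-match lookup over {cidr: gateway}; falls back to the default gateway."""
    dest = ipaddress.ip_address(dest_ip)
    best = None
    for cidr, gw in routes.items():
        net = ipaddress.ip_network(cidr, strict=True)
        if dest in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gw)
    return best[1] if best else default_gw


if __name__ == "__main__":
    issues = check_plan(FIREWALL_LAN, FIREWALL_DHCP, WIRELESS_WAN_IP, WIRELESS_LAN)
    print("plan OK" if not issues else "\n".join(issues))
    add, delete = windows_route_commands(WIRELESS_LAN, WIRELESS_WAN_IP)
    print(add)
    print(delete)
    # A wired host with only its connected route sends 192.168.200.x to the WatchGuard ...
    connected = {FIREWALL_LAN: "on-link"}
    print("without route:", next_hop("192.168.200.7", connected, FIREWALL_LAN_IP))
    # ... and with the static route it sends the same packet to the wireless router's WAN side.
    with_route = dict(connected, **{WIRELESS_LAN: WIRELESS_WAN_IP})
    print("with route:   ", next_hop("192.168.200.7", with_route, FIREWALL_LAN_IP))
```

Running the script with the thread's values reports a sound plan and prints the two `route` lines; changing `WIRELESS_WAN_IP` to an address inside the DHCP pool, or `WIRELESS_LAN` to a range inside 192.168.100.0/24, makes `check_plan` name the conflict before any cable is plugged in.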
OK, how about this. I am thinking about doing all this rigmarole as I'm setting up an Asterisk server. With the setup that you advised me:

First router-----DMZ---->Watchguard----->Workstations and Servers and wireless gateway

I'm having NAT problems with Asterisk so I'm thinking of doing it this way: currently I have 2 servers. One is for Asterisk and the other is for email/web. What if I run my Asterisk server off the DMZ of my first router, then run everything else off my Firebox and have my Firebox connected to the first router? That way if someone hacked into my Asterisk server (as it's on DMZ) they would not get access to the rest of my network as they are behind the Firebox? Would that be secure?

Many Thanks
Is "the first router" a combined modem and router? If so, can you put it in bridge mode, making it a basic modem? This simplifies "things" a lot, and eliminates one hop and one NAT device. You could still then use the WatchGuard's DMZ.
Is the Asterisk going to be for site-to-site, or general use? If site-to-site, it would usually be done in a VPN tunnel and no DMZ used.
The first router is a combined modem and router; however, it can't be put into bridge mode :( I have decided to fork out some cash and go for this buy: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&ih=010&sspagename=STRK%3AMEBI%3AIT&viewitem=&item=200093815722&rd=1&rd=1

It supports forwarding of ranges so I don't need to use a DMZ or the WatchGuard. I will use the 3Com for the wireless gateway, turning off the DHCP etc...

That sounds like a better solution, doesn't it?
Many Thanks
Sounds good. Make sure you update the firmware; often you get additional features with the updates.

One note, however. I noticed the model # AG241. Are you in Europe, and if so, any chance your connection uses PPPoA? I know this is a different solution, but my bridge mode solution above won't work with the WatchGuard as I don't believe it supports PPPoA.

Good luck with it. Hope all goes well.
--Rob
Yes, I am in Europe - the UK in fact. And yes, we do use PPPoA :( I hate it really, it means less stuff is available for us DSL users over here (cable people have it easy over here!)
Thanks jonnytabpni.
Yes PPPoA does limit your choices.
I'm in Canada for the record. Cheers !
--Rob