Solved

Separate Subnets/Network for servers?

Posted on 2007-03-29
15
338 Views
Last Modified: 2013-11-16
Hi everyone.

I am running an Asterisk server and wish to use external extensions. I need to forward a range of ports. I have a 3com wireless router which does not allow me to forward ranges (it only allows me to forward specific ports). The only way I can get my server to work is by making it DMZ, which is very insecure.

Somewhere collecting dust, I have a WatchGuard Firebox SOHO 6. I would like to connect this to my 3com router (making the WatchGuard the DMZ in the 3com settings), then connect just my servers to the WatchGuard, which can handle the port forwarding (i.e. my WatchGuard is being used as a firewall). In the WatchGuard's settings I can set the 3com to be used as the default gateway so the server can access the internet. My question is: how do I set up IP routing, and what IP addresses do I use on the network, if I want my LAN which my workstations are on (i.e. connected directly to the 3com) to be able to access the servers?

I am new to IP routing so any help would be appreciated.

Many Thanks
0
Question by:jonnytabpni
15 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18821461
How about a different option: set the WatchGuard up as the primary router/firewall, and make the 3Com a wireless access point.
To make the wireless router an access point, rather than a gateway:
-no changes required to the wired router
-reset the wireless WAN connection to default, i.e. un-configured
-assign the wireless LAN side an IP address in the same subnet as the wired router. Make sure it does not conflict with the wired router's DHCP range, or any statically assigned devices
-disable DHCP on the wireless
-wireless connections should be configured in the normal manner
-connect a cable from one of the LAN ports of the wired router to one of the LAN (not WAN) ports of the wireless. If the lights do not light up indicating a connection you may need a cross-over cable (usually only necessary on older units)
-now all devices should have Internet access and be able to easily connect to one another to share resources. Don't forget to refresh any DHCP addresses on the wireless clients
0
 

Author Comment

by:jonnytabpni
ID: 18822041
hi there

That's a good solution, but the thing is that my wireless router has my DSL modem in it and the WatchGuard doesn't have a modem in it :( I could buy another modem for the WatchGuard; however, I have tried this in the past and I think there is something wrong with my WatchGuard as it keeps dropping the connection when connected to a modem.

Many Thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18822643
Ah, I see the problem.
However, in your original suggestion, there are severe security risks. You want the wireless users to access the WatchGuard network via the external Interface. Doing so would require opening a huge security hole that would also be more or less available to anyone on the Internet, i.e. they could have file and print sharing access via the DMZ.

How many wireless users do you have, and do you have the MUVPN (Mobile User VPN) option for your SOHO 6? It's a paid option, and allows 10 VPN connections. If you have that, you could allow the wireless users VPN access to the WatchGuard network.
0
 

Author Comment

by:jonnytabpni
ID: 18823007
Nope, sorry, I don't have the VPN option, just the bog-standard features. I always thought there was a way to have multiple subnets in a network where there is only one external IP address...

Many Thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18823030
You can have multiple subnets, configuring the routing is not the issue. The problem is you have a firewall blocking the traffic between the two. Opening those ports is very risky.
0
 

Author Comment

by:jonnytabpni
ID: 18824113
OK, I understand :)

If I wanted a setup like this, how would I go about it? Would I need a separate router?

Thanks
0
 
LVL 77

Accepted Solution

by:
Rob Williams earned 125 total points
ID: 18824192
A couple of options:
-If the 3com can be put in bridge mode, do so and turn off the wireless (it probably will by default). Then use the WatchGuard as your primary router and add a new wireless to the LAN side of it as described earlier.
-You can replace the 3com with a basic modem and again use the WatchGuard as the primary router and add a wireless. I don't know if the 3com can be used as a LAN-side access point. I am doubtful.
-or go for broke and get a basic modem and a new wireless router to use as the primary unit and do your forwarding.
0
 

Author Comment

by:jonnytabpni
ID: 18824218
Thank you for your response. I have in fact done the above today (the 1st point) - I found another wireless access point. However, if I wanted to have multiple subnets, how would I go about setting this up? Many thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18824624
The primary difference is the cable would be connected to the LAN of the WatchGuard and the WAN of the wireless. This way you have 2 segments, both protected by the WatchGuard, and the wireless can route the packets between the two. Not all routers (the wireless) can be configured for routing, but assuming it can: you would leave the WatchGuard alone, with DHCP enabled if you need it (assume 192.168.100.0/24 subnet). Connect the two together LAN=>WAN. Assign the WAN side of the wireless an IP in the same subnet as the WatchGuard (that doesn't conflict with static or DHCP addresses - assume 192.168.100.254). Assign the LAN side of the wireless an IP in a different subnet, and enable DHCP on the wireless (assume 192.168.200.0/24).
Next the routing. I don't know your model of the WatchGuard; you may be able to set up the routing on it. If so, you want to tell it to route packets for the 192.168.200.0/24 subnet using 192.168.100.254. If you cannot configure this, on each machine you want to have access to the 192.168.200.0 network, you need to add the following route from a command line:
  route -p add 192.168.200.0 mask 255.255.255.0 192.168.100.254
To remove, if necessary:
  route delete 192.168.200.0
The wireless clients will be able to reach the WatchGuard 192.168.100.0/24 network as the wireless knows the route, which is the default gateway route for all packets destined for the non-wireless subnet. However, the firewall is still enabled; you need to disable the firewall on the wireless router, and this is not possible on all routers. Some also allow you to switch from gateway mode to router mode.
The above assumes you have 2 subnets and you want them to be able to "talk" to one another. Is this the case, or are you trying to isolate?
 
0
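To make the routing in the accepted answer concrete, here is an added example (not code from the thread or from WatchGuard) that models the two-segment layout: the WatchGuard LAN 192.168.100.0/24, the wireless router's WAN address 192.168.100.254, and the wireless LAN 192.168.200.0/24. The WatchGuard's own address, its DHCP range and the host addresses are constructed assumptions. It checks the plan for address conflicts (the point about not colliding with static or DHCP addresses), then simulates longest-prefix-match routing on a workstation before and after the `route -p add` command to show why that route is needed, and on the wireless router to show why the return path needs no extra route.

```python
# Added example, not from the original thread. Models Rob's two-subnet plan
# and the static route a workstation needs. DHCP range, WatchGuard address
# and host addresses are constructed assumptions.
from ipaddress import ip_address, ip_network

WATCHGUARD_LAN = ip_network("192.168.100.0/24")          # from the answer
WATCHGUARD_IP = ip_address("192.168.100.1")              # assumed
WATCHGUARD_DHCP = (ip_address("192.168.100.100"),        # assumed range
                   ip_address("192.168.100.200"))
WIRELESS_WAN_IP = ip_address("192.168.100.254")          # from the answer
WIRELESS_LAN = ip_network("192.168.200.0/24")            # from the answer


def check_plan():
    """Return a list of address-plan problems; empty means the plan is consistent."""
    problems = []
    if WATCHGUARD_LAN.overlaps(WIRELESS_LAN):
        problems.append("the two subnets overlap; routing between them is ambiguous")
    if WIRELESS_WAN_IP not in WATCHGUARD_LAN:
        problems.append("wireless WAN IP is not inside the WatchGuard subnet")
    if WIRELESS_WAN_IP == WATCHGUARD_IP:
        problems.append("wireless WAN IP duplicates the WatchGuard's own address")
    lo, hi = WATCHGUARD_DHCP
    if lo <= WIRELESS_WAN_IP <= hi:
        problems.append("wireless WAN IP lies inside the WatchGuard DHCP range")
    return problems


def lookup(table, dst):
    """Longest-prefix match over (network, next_hop) pairs; None if no route."""
    dst = ip_address(dst)
    best = None
    for net, via in table:
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, via)
    return best[1] if best else None


# A workstation on the WatchGuard LAN before the static route is added:
# only its directly connected subnet and a default gateway.
WORKSTATION_BEFORE = [
    (WATCHGUARD_LAN, "direct"),
    (ip_network("0.0.0.0/0"), WATCHGUARD_IP),
]

# After: route -p add 192.168.200.0 mask 255.255.255.0 192.168.100.254
WORKSTATION_AFTER = WORKSTATION_BEFORE + [(WIRELESS_LAN, WIRELESS_WAN_IP)]

# The wireless router itself has both subnets directly connected (WAN and
# LAN sides), so replies to 192.168.100.x need no extra configuration.
WIRELESS_ROUTER = [
    (WATCHGUARD_LAN, "direct-wan"),
    (WIRELESS_LAN, "direct-lan"),
    (ip_network("0.0.0.0/0"), WATCHGUARD_IP),
]


def next_hop_before(dst):
    """Where a workstation sends a packet without the static route."""
    return lookup(WORKSTATION_BEFORE, dst)


def next_hop_after(dst):
    """Where a workstation sends a packet with the static route in place."""
    return lookup(WORKSTATION_AFTER, dst)


def next_hop_wireless(dst):
    """Where the wireless router forwards a packet."""
    return lookup(WIRELESS_ROUTER, dst)


def route_commands():
    """Equivalent persistent static-route commands: the Windows form from the
    answer, and the Linux 'ip route' form for a Linux workstation."""
    return {
        "windows": f"route -p add {WIRELESS_LAN.network_address} "
                   f"mask {WIRELESS_LAN.netmask} {WIRELESS_WAN_IP}",
        "linux": f"ip route add {WIRELESS_LAN} via {WIRELESS_WAN_IP}",
    }


if __name__ == "__main__":
    print("plan problems:", check_plan() or "none")
    print("to 192.168.200.5 before route:", next_hop_before("192.168.200.5"))
    print("to 192.168.200.5 after route: ", next_hop_after("192.168.200.5"))
    print("wireless router to 192.168.100.50:", next_hop_wireless("192.168.100.50"))
    for os_name, cmd in route_commands().items():
        print(f"{os_name}: {cmd}")
```

Without the static route the workstation hands traffic for 192.168.200.x to the WatchGuard (its default gateway), which has no reason to send it back to the wireless router; with the route, the workstation sends it straight to 192.168.100.254. Running the plan check first is the cheap way to catch the "conflicts with static or DHCP addresses" mistake before cabling anything.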
 

Author Comment

by:jonnytabpni
ID: 18831715
OK, how about this. I am thinking about doing all this rigmarole as I'm setting up an Asterisk server. With the setup that you advised me:

First router-----DMZ---->Watchguard----->Workstations and Servers and wireless gateway

I'm having NAT problems with Asterisk, so I'm thinking of doing it this way: currently I have 2 servers. One is for Asterisk and the other is for email/web. What if I run my Asterisk server off the DMZ of my first router, then run everything else off my Firebox and have my Firebox connected to the first router? That way, if someone hacked into my Asterisk server (as it's on the DMZ), they would not get access to the rest of my network as they are behind the Firebox? Would that be secure?

Many Thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18831819
Is "the first router" a combined modem and router? If so, can you put it in bridge mode, making it a basic modem? This simplifies "things" a lot, and eliminates one hop and one NAT device. You could still then use the WatchGuard's DMZ.
Is the Asterisk going to be for site-to-site, or general use? If site-to-site, it would usually be done in a VPN tunnel and no DMZ used.
0
 

Author Comment

by:jonnytabpni
ID: 18832101
The first router is a combined modem and router; however, it can't be put into bridge mode :( I have decided to fork out some cash and go for this buy: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&ih=010&sspagename=STRK%3AMEBI%3AIT&viewitem=&item=200093815722&rd=1&rd=1

It supports forwarding of ranges, so I don't need to use a DMZ or the WatchGuard. I will use the 3com for the wireless gateway, turning off the DHCP etc...

That sounds like a better solution, doesn't it?
Many Thanks
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18832188
Sounds good. Make sure you update the firmware, often you get additional features with the updates.

One note however. Noticed the model # AG241. Are you in Europe, and if so any chance your connection uses PPPoA? I know this is a different solution, but my bridge mode solution above won't work with the WatchGuard as I don't believe it supports PPPoA.

Good luck with it. Hope all goes well.
--Rob
0
 

Author Comment

by:jonnytabpni
ID: 18832237
Yes, I am in Europe - the UK in fact. And yes, we do use PPPoA :( I hate it; it really means less stuff is available for us DSL users over here (cable people have it easy over here!)
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18832275
Thanks jonnytabpni.
Yes PPPoA does limit your choices.
I'm in Canada for the record. Cheers !
--Rob
0
