Separate Subnets/Network for servers?

Hi everyone.

I am running an Asterisk server and wish to use external extensions. I need to forward a range of ports. I have a 3Com wireless router which does not allow me to forward ranges (it only allows me to forward specific ports). The only way I can get my server to work is by making it the DMZ host, which is very insecure.

Somewhere, collecting dust, I have a WatchGuard Firebox SOHO 6. I would like to connect this to my 3Com router (making the WatchGuard the DMZ host in the 3Com's settings), then connect just my servers to the WatchGuard, which can handle the port forwarding (i.e. my WatchGuard is being used as a firewall). In the WatchGuard's settings I can set the 3Com as the default gateway so the servers can access the internet. My question is: how do I set up IP routing, and what IP addresses do I use on the network, so that my LAN, which my workstations are on (i.e. connected directly to the 3Com), is able to access the servers?

I am new to IP routing so any help would be appreciated.

Many Thanks
jonnytabpni asked:

Rob Williams commented:
How about a different option: set the WatchGuard up as the primary router/firewall, and make the 3Com a wireless access point.
To make the wireless router an access point, rather than a gateway:
-no changes required to the wired router
-reset the wireless WAN connection to default, i.e. unconfigured
-assign the wireless LAN side an IP address in the same subnet as the wired router. Make sure it does not conflict with the wired router's DHCP range, or any statically assigned devices
-disable DHCP on the wireless
-wireless connections should be configured in the normal manner
-connect a cable from one of the LAN ports of the wired router to one of the LAN (not WAN) ports of the wireless. If the lights do not light up indicating a connection you may need a cross-over cable (usually only necessary on older units)
-now all devices should have Internet access and be able to easily connect to one another to share resources. Don't forget to refresh the DHCP addresses on the wireless clients
0
jonnytabpni (author) commented:
Hi there,

That's a good solution, but the thing is that my wireless router has my DSL modem in it and the WatchGuard doesn't have a modem in it :( I could buy another modem for the WatchGuard; however, I have tried this in the past and I think there is something wrong with my WatchGuard as it keeps dropping the connection when connected to a modem.

Many Thanks
0
Rob Williams commented:
Ah, I see the problem.
However, in your original suggestion, there are severe security risks. You want the wireless users to access the WatchGuard network via the external interface. Doing so would require opening a huge security hole that would also be more or less available to anyone on the Internet, i.e. they could have file and print sharing access via the DMZ.

How many wireless users do you have, and do you have the MUVPN (Mobile User VPN) option for your SOHO 6? It's a paid option, and allows 10 VPN connections. If you have that, you could allow the wireless users VPN access to the WatchGuard network.
0

jonnytabpni (author) commented:
Nope, sorry, I don't have the VPN option, just the bog-standard features. I always thought there was a way to have multiple subnets in a network where there is only one external IP address...

Many Thanks
0
Rob Williams commented:
You can have multiple subnets; configuring the routing is not the issue. The problem is you have a firewall blocking the traffic between the two. Opening those ports is very risky.
0
jonnytabpni (author) commented:
OK, I understand :)

If I wanted a setup like this, how would I go about it? Would I need a separate router?

Thanks
0
Rob Williams commented:
A couple of options:
-If the 3Com can be put in bridge mode, do so and turn off the wireless (it probably will be off by default in that mode). Then use the WatchGuard as your primary router and add a new wireless unit to the LAN side of it as described earlier.
-You can replace the 3Com with a basic modem and again use the WatchGuard as the primary router and add a wireless unit. I don't know if the 3Com can be used as a LAN-side access point. I am doubtful.
-Or go for broke and get a basic modem and a new wireless router to use as the primary unit and do your forwarding there.
0

jonnytabpni (author) commented:
Thank you for your response. I have in fact done the above today (the 1st point) - I found another wireless access point. However, if I wanted to have multiple subnets, how would I go about setting this up? Many thanks
0
Rob Williams commented:
The primary difference is the cable would be connected to the LAN of the WatchGuard and the WAN of the wireless. This way you have 2 segments, both protected by the WatchGuard, and the wireless can route the packets between the two. Not all routers (the wireless) can be configured for routing, but assuming it can: you would leave the WatchGuard alone, with DHCP enabled if you need it (assume 192.168.100.0/24 subnet). Connect the two together LAN=>WAN. Assign the WAN side of the wireless an IP in the same subnet as the WatchGuard (that doesn't conflict with static or DHCP addresses - assume 192.168.100.254). Assign the LAN side of the wireless an IP in a different subnet, and enable DHCP on the wireless (assume 192.168.200.0/24).
Next the routing. I don't know your model of the WatchGuard; you may be able to set up the routing on it. If so, you want to tell it to route packets for the 192.168.200.0/24 subnet using 192.168.100.254. If you cannot configure this, on each machine you want to have access to the 192.168.200.0 network, you need to add the following route from a command line (the -p switch makes the route persistent across reboots):
  route -p add 192.168.200.0 mask 255.255.255.0 192.168.100.254
To remove, if necessary:
  route delete 192.168.200.0
The wireless clients will be able to reach the WatchGuard 192.168.100.0/24 network, as the wireless knows the route, which is the default gateway route for all packets destined for the non-wireless subnet. However, the firewall is still enabled; you need to disable the firewall on the wireless router, and this is not possible on all routers. Some also allow you to switch from gateway mode to router mode.
The above assumes you have 2 subnets and you want them to be able to "talk" to one another. Is this the case, or are you trying to isolate?
 
0
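The two-subnet layout Rob describes above is easier to reason about when you can see the routing decision each device makes. The following is an added example, not code from the thread or from either participant: a small longest-prefix-match routing model using the thread's own addresses (WatchGuard LAN 192.168.100.0/24, wireless router WAN 192.168.100.254, wireless LAN 192.168.200.0/24). It traces a packet from a wired workstation to a wireless client with and without the `route -p add` static route, and with the alternative of putting the route on the WatchGuard instead. Assumed, not stated in the thread: the WatchGuard LAN address 192.168.100.1, the wireless router LAN address 192.168.200.1, the 3Com at 192.168.1.1 on the WatchGuard's external side, and the host addresses used as destinations.

```python
"""
Added example (not from the thread): a longest-prefix-match routing model
of the two-subnet layout described in the post above.
Assumed addresses (not given in the thread): WatchGuard LAN 192.168.100.1,
wireless router LAN 192.168.200.1, 3Com 192.168.1.1, hosts .50 and .10.
"""
from ipaddress import ip_address, ip_network


class RoutingTable:
    """Per-device routing table with longest-prefix-match lookup."""

    def __init__(self):
        # (network, next hop address, or None when directly connected)
        self.routes = []

    def add(self, prefix, via=None):
        self.routes.append((ip_network(prefix), ip_address(via) if via else None))

    def lookup(self, dst):
        """Return the next hop for dst: an address string, 'direct', or None (no route)."""
        dst = ip_address(dst)
        best = None
        for net, via in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, via)
        if best is None:
            return None
        return "direct" if best[1] is None else str(best[1])


def build_devices(static_route, watchguard_route=False):
    """Tables keyed by device name, or by the address other devices forward to."""
    workstation = RoutingTable()            # wired host on the WatchGuard LAN
    workstation.add("192.168.100.0/24")
    workstation.add("0.0.0.0/0", via="192.168.100.1")
    if static_route:                        # route -p add 192.168.200.0 mask 255.255.255.0 192.168.100.254
        workstation.add("192.168.200.0/24", via="192.168.100.254")

    wireless = RoutingTable()               # wireless router: WAN .100.254, LAN .200.1 (assumed)
    wireless.add("192.168.100.0/24")
    wireless.add("192.168.200.0/24")
    wireless.add("0.0.0.0/0", via="192.168.100.1")

    client = RoutingTable()                 # wireless client on 192.168.200.0/24
    client.add("192.168.200.0/24")
    client.add("0.0.0.0/0", via="192.168.200.1")

    watchguard = RoutingTable()             # Firebox: LAN .100.1, default route to the 3Com (assumed 192.168.1.1)
    watchguard.add("192.168.100.0/24")
    watchguard.add("192.168.1.0/24")
    watchguard.add("0.0.0.0/0", via="192.168.1.1")
    if watchguard_route:                    # the alternative in the post: route configured on the WatchGuard
        watchguard.add("192.168.200.0/24", via="192.168.100.254")

    return {
        "workstation": workstation,
        "client": client,
        "192.168.100.254": wireless, "192.168.200.1": wireless,
        "192.168.100.1": watchguard,
    }


def trace(src, devices, dst, max_hops=8):
    """Follow next hops from src until the packet is delivered directly,
    leaves the modelled network, or runs out of routes. Returns (device, next hop) pairs."""
    hops = []
    current = src
    for _ in range(max_hops):
        nh = devices[current].lookup(dst)
        if nh is None:
            hops.append((current, "no route"))
            return hops
        hops.append((current, nh))
        if nh == "direct":
            return hops
        if nh not in devices:
            hops.append((nh, "not modelled"))   # handed to the 3Com, i.e. towards the Internet
            return hops
        current = nh
    return hops


if __name__ == "__main__":
    scenarios = [("with static route", dict(static_route=True)),
                 ("no static route", dict(static_route=False)),
                 ("route on WatchGuard", dict(static_route=False, watchguard_route=True))]
    for label, kwargs in scenarios:
        print(label, "->", trace("workstation", build_devices(**kwargs), "192.168.200.50"))
    print("wireless client ->", trace("client", build_devices(static_route=False), "192.168.100.10"))
```

The "no static route" trace is the case to watch: the workstation hands the packet to the WatchGuard, which has no entry for 192.168.200.0/24 and sends it out its default route towards the 3Com, so traffic for a private subnet behind your own firewall leaves through the external interface and is lost. Either the per-host route or the route on the WatchGuard fixes that, and the wireless client's return path already works because its default gateway is the wireless router. The model deliberately ignores the wireless router's WAN firewall and NAT; as the post notes, that filtering is what must be disabled (or the unit switched to router mode) for the wired side to reach the wireless side at all.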
jonnytabpni (author) commented:
OK, how about this. I am thinking about doing all this rigmarole as I'm setting up an Asterisk server. With the setup that you advised me:

First router-----DMZ---->WatchGuard----->Workstations and Servers and wireless gateway

I'm having NAT problems with Asterisk, so I'm thinking of doing it this way: currently I have 2 servers. One is for Asterisk and the other is for email/web. What if I run my Asterisk server off the DMZ of my first router, then run everything else off my Firebox and have my Firebox connected to the first router? That way, if someone hacked into my Asterisk server (as it's on the DMZ) they would not get access to the rest of my network as they are behind the Firebox? Would that be secure?

Many Thanks
0
Rob Williams commented:
Is "the first router" a combined modem and router? If so, can you put it in bridge mode, making it a basic modem? This simplifies "things" a lot, and eliminates one hop and one NAT device. You could still then use the WatchGuard's DMZ.
Is the Asterisk server going to be for site-to-site, or general use? If site-to-site, it would usually be done in a VPN tunnel and no DMZ used.
0
jonnytabpni (author) commented:
The first router is a combined modem and router; however, it can't be put into bridge mode :( I have decided to fork out some cash and go for this buy: http://cgi.ebay.co.uk/ws/eBayISAPI.dll?ViewItem&ih=010&sspagename=STRK%3AMEBI%3AIT&viewitem=&item=200093815722&rd=1&rd=1

It supports forwarding of ranges, so I don't need to use a DMZ or the WatchGuard. I will use the 3Com for the wireless gateway, turning off the DHCP etc...

That sounds like a better solution, doesn't it?
Many Thanks
0
Rob Williams commented:
Sounds good. Make sure you update the firmware; often you get additional features with the updates.

One note, however. I noticed the model # AG241. Are you in Europe, and if so, any chance your connection uses PPPoA? I know this is a different solution, but my bridge mode solution above won't work with the WatchGuard, as I don't believe it supports PPPoA.

Good luck with it. Hope all goes well.
--Rob
0
jonnytabpni (author) commented:
Yes, I am in Europe - the UK in fact. And yes, we do use PPPoA :( I hate it really; it means less stuff is available for us DSL users over here (cable people have it easy over here!)
0
Rob Williams commented:
Thanks jonnytabpni.
Yes PPPoA does limit your choices.
I'm in Canada for the record. Cheers !
--Rob
0