Configure Software and Hardware Firewall - HELP PLEASE!

Posted on 2007-10-11
Last Modified: 2008-01-09
Hello Experts!

I have a software firewall which is a Kerio Winroute Firewall. It runs all my traffic rules for protection to the LAN (the LAN IP is - It also runs content filtering. The firewall runs on Windows Server 2003 SP2 and has 2 NICs.

I now need to host IPSec VPN Tunnels to branch offices and also need to beef up my security at the HQ end.

I have a Netgear firewall - its a FVS338 Prosafe firewall.

I want to configure the Netgear firewall to terminate the VPN tunnels (as the Kerio firewall can't do this) which will be initiated from remote offices (single users) using Draytek routers. BUT I want to keep my rules on the software firewall.

If I connect it all up I guess this is how it would be:

Netgear firewall connects to Broadband modem - ip address is = (The Netgear firewall runs DHCP and is then the gateway for the interface connecting to it - i.e. the NIC from the software firewall)

My software firewall then connects to the netgear firewall - IP address is, subnet is (provided by DHCP).

As the server running the software firewall has 2 network cards, the second network card connects to the LAN - ip address - subnet (gateway IP is blank).

The questions I now have are:

1. Will this setup work?
2. Will the VPN clients be able to access my LAN? (this is v. important)
3. I am basically using the hardware firewall to beef up security and forward all traffic to ip address (which is the internet NIC for the software firewall).

Please help as I'm stuck and confused.

If you need any more info please do not hesitate to ask.

Many thanks for your help in advance.
Question by: BAFP
    LVL 6

    Expert Comment

    by: Neadom Tucker
    If you're going to use 2 firewalls then you should use a 2nd IP from your ISP for it.  Block ALL traffic but VPN.  Point your VPN clients to the 2nd IP and you should be fine.

    Make sure that your outside VPN Clients are on a different subnet  (192.168.10.XXX).  The conflict will hose your network.
    LVL 1

    Author Comment

    Does the IP Address for the VPN Client's NIC need to be on a different subnet or does the VPN IP Address need to be on a different subnet?

    If I use a second IP for VPN-only traffic - and if I block all the other traffic on the hardware firewall then it will block all traffic to the software firewall - won't it? So all I will then have is VPNs but nothing else, i.e. no incoming HTTP or Terminal Services connections?
    LVL 6

    Expert Comment

    by: Neadom Tucker
    OK, let's say your ISP gave you 5 IPs -

    You would assign your Software Firewall
    You would assign your Hardware Firewall
    Your Internal IP Address would be 192.168.0.XXX

    Remote Office 1 would have an External IP Address of (Different Location so Different IPs)
    Remote Office 1 would have an Internal IP Address of 192.168.11.XXX

    Remote Office 2 would have an External IP Address of
    Remote Office 2 would have an Internal IP Address of 192.168.12.XXX

    And so on.  Your External IPs will all be different.

    You will setup your VPN from your remote offices to connect to (Your Hardware Firewall)

    You would then route all other traffic to your software firewall.
    LVL 1

    Author Comment

    Oh I see what you are saying - but is there a way to have it all set up under one IP address at all?
    LVL 5

    Accepted Solution

    I think what you want is possible - what you explained above should work no problem.
    I would first disable DHCP on the Netgear and set the IP on the software firewall as static - just good practice.
    Then make sure you're not running any NAT on the Windows firewall and have all incoming ports open.
    Then configure the Netgear to protect you from incoming internet traffic (not the Windows box).
    Then finally - the only thing I saw missing from above - is to add a route on the Netgear firewall that tells it network is available via - without that the VPN clients won't know how to reach the internal net.
    You may also need to change the default gateway on the Windows box - should be no DFG on LAN and DFG (that's the Netgear internal IP) on the LAN.
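Added example (not code from the thread or from either vendor): a small longest-prefix-match routing model that traces a VPN client's packet to a LAN host and the reply back, showing why the accepted answer's static route on the Netgear matters. All addresses are constructed placeholders, since the thread's real IPs were not preserved; the model only covers routing, not the Kerio traffic rules.

```python
# Added example: tiny routing-table model of the two-firewall topology.
# Addresses below are constructed placeholders, not the thread's real IPs.
import ipaddress

LAN = ipaddress.ip_network("192.168.0.0/24")        # behind the Kerio box
TRANSIT = ipaddress.ip_network("192.168.10.0/24")   # Netgear <-> Kerio link
VPN_POOL = ipaddress.ip_network("192.168.11.0/24")  # remote office side
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
NETGEAR_INSIDE = ipaddress.ip_address("192.168.10.1")
KERIO_OUTSIDE = ipaddress.ip_address("192.168.10.2")

def next_hop(table, dst):
    """Longest-prefix match over [(network, gateway)]; None means no route."""
    dst = ipaddress.ip_address(dst)
    matches = [(net, gw) for net, gw in table if dst in net]
    if not matches:
        return None
    return max(matches, key=lambda r: r[0].prefixlen)[1]

def build_tables(netgear_has_lan_route):
    """Routing tables for the Netgear (VPN terminator) and the Kerio host."""
    netgear = [(TRANSIT, "direct"), (VPN_POOL, "vpn-tunnel"), (DEFAULT, "isp")]
    if netgear_has_lan_route:
        netgear.append((LAN, KERIO_OUTSIDE))   # the route the accepted answer adds
    # Kerio: LAN and transit directly attached, default gateway only on the
    # transit NIC (no DFG on the LAN NIC), as the answer recommends.
    kerio = [(LAN, "direct"), (TRANSIT, "direct"), (DEFAULT, NETGEAR_INSIDE)]
    return netgear, kerio

def trace(netgear_has_lan_route, client="192.168.11.20", host="192.168.0.50"):
    """Return (forward_ok, reply_ok) for client->host and host->client."""
    netgear, kerio = build_tables(netgear_has_lan_route)
    # Decrypted VPN packet leaves the Netgear; it must be sent to the Kerio box,
    # which then delivers it onto the directly attached LAN.
    forward_ok = (next_hop(netgear, host) == KERIO_OUTSIDE
                  and next_hop(kerio, host) == "direct")
    # The LAN host's reply goes via the Kerio default gateway to the Netgear,
    # which must hand it into the VPN tunnel.
    reply_ok = (next_hop(kerio, client) == NETGEAR_INSIDE
                and next_hop(netgear, client) == "vpn-tunnel")
    return forward_ok, reply_ok

if __name__ == "__main__":
    print("without static route:", trace(False))   # (False, True)
    print("with static route:", trace(True))       # (True, True)
```

Without the static route the Netgear sends LAN-bound VPN traffic to its ISP default route, so the forward path fails even though the reply path would have worked.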
    LVL 1

    Author Comment

    Hi All

    Thanks for your input - in the end I didn't get this working. But your help was much appreciated.

    Thanks again
