[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now


Configure Software and Hardware Firewall - HELP PLEASE!

Posted on 2007-10-11
Medium Priority
Last Modified: 2008-01-09
Hello Experts!

I have a software firewall which is a Kerio Winroute Firewall. It runs all my traffic rules for protection to the LAN (the Lan IP is 192.168.0.xxx) - It also runs content filtering. The firewall runs on WIndows Server 2003 SP2 and has 2 NICs.

I now need to host IPSec VPN Tunnels to branch offices and also need to beef up my security at the HQ end.

I have a Netgear firewall - its a FVS338 Prosafe firewall.

I want to configure the Netgear firewall to terminate the VPN Tunnels (as the Kerio Firewall cant do this) which will be initiated from remote offices (single users) using Draytek routers. BUT I want to keep my rules on the software firewall.

If i connect it all up i guess this is how it would be:

Netgear firewall connects to Broadband modem - ip address is = xxx.xxx.xxx.xxx (The netgear firewall runds DHCP and is then the gateway for the interface connecting to it - i.e the NIC from the software firewall)

My software firewall then connects to the netgear firewall - IP address is, subnet is (provided by DHCP).

As the server runnning the software firewall has 2 Network cards the second network card connects to the LAN - ip address - subnet (gateway IP is blank).

The questions i now have are:

1. Will this setup work?
2. Will the VPN clients be able to access my LAN? (this is v. important)
3. I am basically using the hardware firewall to beef up security and forward all traffic to ip address (which is the internet NIC for the software firewall).

Please help as im stuck and confused.

If you need any more info please do not hesitate to ask.

Many thanks for your help in advance.
Question by:BAFP
  • 3
  • 2

Expert Comment

by:Neadom Tucker
ID: 20061738
If your going to use 2 Firewalls then you should use a 2nd IP from your ISP to it.  Block ALL Traffic but VPN.  Point your VPN Clients to the 2nd IP and you should be fine.

Make sure that your outside VPN Clients are on a different subnet  (192.168.10.XXX).  The conflict will hose your network.

Author Comment

ID: 20061796
Does the IP Address for the VPN Client's NIC need to be on a different subnet or does the VPN IP Address need to be on a different subnet?

If i use a second IP for VPN Only traffic - and if i block all the other traffic on the hardware firewall then it will block all traffic to the Software firewall - wont it? So all i will then have is VPNs but nothing else i.e. no Incomming HTTP or Terminal Services connections?

Expert Comment

by:Neadom Tucker
ID: 20062361
Ok lets say your ISP gave you 5 IPs -

You would assign your Software Firewall
You would assign your Hardware Firewall
Your Internal IP Address would be 192.168.0.XXX

Remote Office 1 would have an External IP Address of (Different Location so Different IPs)
Remote Office 1 would have an Internal IP Address of 192.168.11.XXX

Remote Office 2 would have an External IP Address of
Remote Office 2 would have an Internal IP Address of 192.168.12.XXX

And so on.  Your External IPs will all be different.

You will setup your VPN from your remote offices to connect to (Your Hardware Firewall)

You would then route all other traffic to your software firewall.
 The Evil-ution of Network Security Threats

What are the hacks that forever changed the security industry? To answer that question, we created an exciting new eBook that takes you on a trip through hacking history. It explores the top hacks from the 80s to 2010s, why they mattered, and how the security industry responded.


Author Comment

ID: 20064021
Oh i see what you are saying - but is there a way to have it all setup under one IP Address at all?

Accepted Solution

richy92 earned 1500 total points
ID: 20064289
I think what you want is possible - what you explained above should work no problem.
I would first disable DHCP on the netgear and set the IP on the software firewall as static - just good practice.
then make sure your not running any NAT on the windows firewall and have all incomming ports open
Then configure the netgear to protect you from incomming internet traffic (not the windows box).
Then finally - the only thing I saw missing from above - is to add a route on the netgear firewall that tells it network is available via - without that the vpn clients wont no how to reach the internal net
you may also need to change the default gateway on the windows box - should be no DFG on lan and dfg thats the netgear internal ip) on the lan

Author Comment

ID: 20237342
Hi All

Thanks for your input - in the end i didnt get this working. But your help was much appreciated.

Thanks again

Featured Post

A Cyber Security RX to Protect Your Organization

Join us on December 13th for a webinar to learn how medical providers can defend against malware with a cyber security "Rx" that supports a healthy technology adoption plan for every healthcare organization.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Imagine you have a shopping list of items you need to get at the grocery store. You have two options: A. Take one trip to the grocery store and get everything you need for the week, or B. Take multiple trips, buying an item at a time, to achieve t…
Creating an OSPF network that automatically (dynamically) reroutes network traffic over other connections to prevent network downtime.
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…
After creating this article (http://www.experts-exchange.com/articles/23699/Setup-Mikrotik-routers-with-OSPF.html), I decided to make a video (no audio) to show you how to configure the routers and run some trace routes and pings between the 7 sites…

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question