Solved

best network configuration for lan and vpn,  1 static Ip + Router + Firewall

Posted on 2008-10-26
6
743 Views
Last Modified: 2012-05-05
Hello people, please help me with this network configuration...
I have to set up a small LAN with one kind of VPN connection.

Situation is:
1 static IP address from my ISP
1 router D-Link DI-624 (only to establish the connection)
1 firewall ZyXEL USG 100 (to manage VPN, web auth, backup line... and so on)
1 DHCP and DNS server (on an internal HP server, DC with Windows 2003 R2)

I cannot establish an L2TP connection from outside (on the ZyXEL), and I cannot use the D-Link web remote interface (on the D-Link).
Now the router has the ISP IP information 82.xxx.yyy.zzz on the WAN interface
and the 192.168.0.254 address on the LAN side.
On the DMZ I put 192.168.0.200.
So the firewall has address 192.168.0.200 on the WAN interface (this to obtain VPN and firewall administration remoting) and 192.168.1.200 on the LAN side (10 clients and 2 servers on this inner network).
But something is missing... maybe a static route or port forwarding between router and firewall.

These are the questions.
1) I suppose I can put the D-Link in bridge mode instead of using a DMZ, and in this condition the firewall has the ISP IP on the WAN side.
Is this better than using the D-Link with a DMZ, like above? Can you explain it that way?
2) Why can't I see the firewall from outside? Does the D-Link need a static route to route traffic to the firewall? Isn't the DMZ enough?
3) Remote HTTP management of the D-Link: it's enabled, with " * " in the IP field, on port 8080, but from outside it doesn't work. Because of the DMZ?

I would like information on configuring router + firewall in the best way, using some of the ZyXEL abilities (first of all, a reliable VPN. I was talking of L2TP because SSL has only 2 licenses).
Ask me for details, I have the router and firewall manuals available.
0
Question by:Mattia Minervini
6 Comments
 
LVL 4

Expert Comment

by:ltxda
L2TP typically uses port 1701. Try opening that port on the router and pointing it to the firewall's IP.

You can put the router to forward ALL traffic to your firewall as well.  That should do the trick.

If you're not planning on putting computers in the DMZ, then either bridge the router so your firewall has the public IP, or forward all traffic from the router to the firewall.

See if that works and let me know if I haven't answered all your questions.

Hope this helps!

LTxda
0
 

Author Comment

by:Mattia Minervini
Only to learn:
OK, but isn't the DMZ enough? All traffic should be directed to the firewall, isn't it?
So what layer is the DMZ? Why do I have to add a specific route as well?
Real case:
I think in a couple of days I could try to manage the D-Link.
Under "static route configuration", "virtual server" or "port redirection" (if it's there)?
In a few words, what are the differences between the DMZ and the last three?
Thanks a lot, ltxda
0
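The difference the comment above asks about (a DMZ host as a catch-all versus per-port "virtual server" rules) can be made concrete with a small model of the router's inbound forwarding decision. This is an added example, not code from the thread or from D-Link; the rule precedence it assumes (virtual server entries checked first, then the DMZ host, otherwise drop) is an assumption, since the DI-624 manual is not on the page.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed consumer-router semantics (not documented on the page): an unsolicited
# inbound packet is matched against per-port "virtual server" rules first, then
# handed to the single DMZ host as a catch-all, otherwise dropped.

@dataclass(frozen=True)
class VirtualServer:
    proto: str                  # "tcp" or "udp"
    public_port: int
    private_ip: str
    private_port: Optional[int] = None   # defaults to public_port

@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp", or "esp" (IP protocol 50: no ports)
    dst_port: Optional[int] = None

def forward_target(pkt: Packet, rules, dmz_host: Optional[str]) -> Optional[Tuple[str, Optional[int]]]:
    """Where the router delivers an unsolicited inbound packet, or None if dropped."""
    for r in rules:
        if r.proto == pkt.proto and r.public_port == pkt.dst_port:
            return (r.private_ip, r.private_port or r.public_port)
    if dmz_host is not None:            # DMZ forwards every protocol, ports or not
        return (dmz_host, pkt.dst_port)
    return None

# Flows an L2TP/IPsec responder behind the router must receive.
L2TP_IPSEC_FLOWS = {
    "IKE":   Packet("udp", 500),
    "NAT-T": Packet("udp", 4500),
    "L2TP":  Packet("udp", 1701),
    "ESP":   Packet("esp"),             # needed only when NAT-T is not negotiated
}

def check_vpn_reachability(rules, dmz_host: Optional[str], firewall_wan_ip: str) -> dict:
    """Map each VPN flow to True if it lands on the firewall's WAN address."""
    result = {}
    for name, pkt in L2TP_IPSEC_FLOWS.items():
        tgt = forward_target(pkt, rules, dmz_host)
        result[name] = tgt is not None and tgt[0] == firewall_wan_ip
    return result

if __name__ == "__main__":
    fw = "192.168.0.240"   # firewall WAN1 address used later in the thread
    print("DMZ only:", check_vpn_reachability([], fw, fw))
    port_rules = [VirtualServer("udp", p, fw) for p in (500, 4500, 1701)]
    print("virtual server only:", check_vpn_reachability(port_rules, None, fw))
```

The model shows why port-based rules alone cannot carry ESP (it has no port to match), while a DMZ host or NAT-T over UDP 4500 can; it does not explain the thread's unresolved failure, where the DMZ was configured and the flows still did not arrive.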
 

Author Comment

by:Mattia Minervini
Nothing to do...
The router has LAN IP 192.168.0.241.
It has the firewall's WAN1 IP, 192.168.0.240, in the DMZ.

I thought this was enough, but from an external PC I cannot reach the firewall.

So I added the virtual server feature on the router, passing port UDP/TCP 1701 + UDP 500 for IKE + UDP 4500 to IP 192.168.0.240.
Nothing...
0
 
LVL 4

Expert Comment

by:ltxda
- Need to make sure that the WAN/outside IP of your router (not the firewall) is something other than 192., 172. or 10. Let's make sure your ISP isn't NATing and firewalling you from the beginning.

- Can you ping 192.168.0.240 from within your router at 192.168.0.241?

- Can you pass ALL traffic from the router to the firewall to see if that works? If it does, we'll go from there.
0
 

Accepted Solution

by:
Mattia Minervini earned 0 total points
ROUTER
  WAN: 88.53.xxx.yyy
  LAN: 192.168.0.241 (and .240 in DMZ)
      |
FIREWALL
  WAN1: 192.168.0.240
  LAN1: 192.168.1.1

My router WAN IP is 88.53.xxx.yyy.
This is a PPPoA connection with my ISP, stable since 2004.

Only to test, I put a PC with 192.168.0.200 directly connected on the LAN side of the router (it has 4 ports).
Surfing the internet is OK, and I can open the web interface of the router (.241) and the web interface of the firewall (.240). I cannot try ping now, but it's OK for me.

I cannot pass ALL traffic from .241 (router LAN) to .240 (firewall WAN), because my D-Link router has only DMZ or VIRTUAL SERVER options. I can't find a STATIC ROUTE option.
So I tried with DMZ and VIRTUAL SERVER to .240 for UDP ports 1701/4500/500 and TCP port 1710.
Nothing.

Another strange thing.
The router has a WEB MANAGEMENT MODE to control the interface from outside.
This function is enabled, accepting all IPs on port 8080.
But from outside, typing http://88.53.xxx.yyy:8080 (in the browser of a PC using another internet connection), nothing to do, it doesn't go.

0
 

Author Comment

by:Mattia Minervini
I need to close this question!!!! I need to ask another thing... you cannot do this! Abandoned for 14 days, there's no solution, no one helps me. I changed hardware and technologies to solve my problem. In the alert box I can see this question should have been closed yesterday. Please help me...
0
