Routing and Switching
Hello Experts,
I would like to do the following: Setup back-to-back firewalls for all outbound and inbound traffic, lets just focus on the outbound for now though.
I have the following hardware: 1) Cable modem with 5 static IPs, 2) Netgear FVX538, 3) Netgear FVS336 - both are "somewhat enterprise firewalls". Both support NAT, and Classical Routing.
Here is what i tried to do: and yeah no it didnt work.
1) I tired setting the static WAN ips on the netgear fvs336, setting the LAN ips to 172.16.1.1 and disabling NAT. That worked i could ping 4.2.2.1
2) I then set the WAN ip of the netgear FVX538 to 172.16.1.5 and the gateway to 172.16.1.1, connected a cable from the wan of the FVX538 to the LAN of the FVS336
3) I then set the LAN ip of the netgear fvx538 to 192.168.1.1
4) Then i set a client PC to 192.168.1.5 gateway 192.16.1.1
5) If i enable NAT on both devices it works like a charm, but that is double natting and isnt the best solution.
SO if i disable NAT on the first netgear (fvx538) and enable classical routing. I can ping from the netgears internal diagnostics to any address no problem.
However and here is the problem: Any pc that is on the 192.168.1.x network (the lan side of the fvx 538) cannot ping any address outside of its own network. it also can't access the internet.
At this point i just want to know if this should work? Shouldnt i be able to take traffic from the "192.168.1.x network" and route it to the 172.16.1.x network without enabling NAT?
Any ideas would be great, if i have this misunderstood then well at least hopefully someone can tell me.
Thanks,
Robert
I would like to do the following: Setup back-to-back firewalls for all outbound and inbound traffic, lets just focus on the outbound for now though.
I have the following hardware: 1) Cable modem with 5 static IPs, 2) Netgear FVX538, 3) Netgear FVS336 - both are "somewhat enterprise firewalls". Both support NAT, and Classical Routing.
Here is what i tried to do: and yeah no it didnt work.
1) I tired setting the static WAN ips on the netgear fvs336, setting the LAN ips to 172.16.1.1 and disabling NAT. That worked i could ping 4.2.2.1
2) I then set the WAN ip of the netgear FVX538 to 172.16.1.5 and the gateway to 172.16.1.1, connected a cable from the wan of the FVX538 to the LAN of the FVS336
3) I then set the LAN ip of the netgear fvx538 to 192.168.1.1
4) Then i set a client PC to 192.168.1.5 gateway 192.16.1.1
5) If i enable NAT on both devices it works like a charm, but that is double natting and isnt the best solution.
SO if i disable NAT on the first netgear (fvx538) and enable classical routing. I can ping from the netgears internal diagnostics to any address no problem.
However and here is the problem: Any pc that is on the 192.168.1.x network (the lan side of the fvx 538) cannot ping any address outside of its own network. it also can't access the internet.
At this point i just want to know if this should work? Shouldnt i be able to take traffic from the "192.168.1.x network" and route it to the 172.16.1.x network without enabling NAT?
Any ideas would be great, if i have this misunderstood then well at least hopefully someone can tell me.
Thanks,
Robert
ASKER
Almost...
Let me play this back just to make sure:
Netgear FVS336 is configured with a public IP on the WAN
Netgear FVS336 is configured with private 172.16.1.1. on the LAN
this LAN is connected to:
Netgear FVX538 WAN set to 172.16.1.5 and gateway set at 172.16.1.1
Netgear FVX538 to 172.16.1.5 and the gateway to 172.16.1.1
Netgear FVX538 is configured with private 192.168.1.1 on the LAN
Client computers are on this latter LAN.
Netgear FVX538 is configured with NAT.
Netgear FVS336 is configured in Classical Routing mode.
Netgear is FVS336 is in NAT mode to the internet (Traffic is NATTED by this device from the 172.16.1.x network to the public IPs) , Netgear 538 is in classical routing mode.
If i remove the FVX538 and just use 172.16.1.x and set a client PC to that same network on the fvs336 everything works fine.
Let me play this back just to make sure:
Netgear FVS336 is configured with a public IP on the WAN
Netgear FVS336 is configured with private 172.16.1.1. on the LAN
this LAN is connected to:
Netgear FVX538 WAN set to 172.16.1.5 and gateway set at 172.16.1.1
Netgear FVX538 to 172.16.1.5 and the gateway to 172.16.1.1
Netgear FVX538 is configured with private 192.168.1.1 on the LAN
Client computers are on this latter LAN.
Netgear FVX538 is configured with NAT.
Netgear FVS336 is configured in Classical Routing mode.
Netgear is FVS336 is in NAT mode to the internet (Traffic is NATTED by this device from the 172.16.1.x network to the public IPs) , Netgear 538 is in classical routing mode.
If i remove the FVX538 and just use 172.16.1.x and set a client PC to that same network on the fvs336 everything works fine.
ASKER
Getting back to your current configuration, maybe the issue is that the device will not route packets that have private addresses to a public address. That's not allowed. So, the packets are dropped by design because the "interim" subnet you chose is a private subnet.
You think that could be it? I didnt think of that. so if i made the (middle network) 100.100.1.x and then set the client pcs on the fvx538's lan side to 192.168.1.x it might work... like this..
Internet << (Static IPs) on FVS336 >> LAN side of FVS336 100.100.1.1 / 24 >> WAN side of FVX538 100.100.1.5/24 Gateway 100.100.1.1 >> LAN side of FVX538 192.168.1.1 ?
thanks...
You think that could be it? I didnt think of that. so if i made the (middle network) 100.100.1.x and then set the client pcs on the fvx538's lan side to 192.168.1.x it might work... like this..
Internet << (Static IPs) on FVS336 >> LAN side of FVS336 100.100.1.1 / 24 >> WAN side of FVX538 100.100.1.5/24 Gateway 100.100.1.1 >> LAN side of FVX538 192.168.1.1 ?
thanks...
ASKER
- Since your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your Netgear FVX538.
I tired this first:
1) set the ip of xxx.xxx.221.130 / gateway xxx.xxx.221.129 mask 27 on the WAN interface
2) set the remainder of the IPs (so 4 more) 131,132,138,139 on the LAN interface
3) Everything worked!!
4) Everything failed after 4hours, this occurred 3 times.
I basically had a singl subnet stretched across 2 separate interface's. I was quite surprised it all worked and then naturally it failed.
The above is exactly what i wanted though beucase it would allow me to do protocol only blocking on a separate device.
LIke i said it only worked for 4 hours. then jsut stopped routing packets alltogether
I tired this first:
1) set the ip of xxx.xxx.221.130 / gateway xxx.xxx.221.129 mask 27 on the WAN interface
2) set the remainder of the IPs (so 4 more) 131,132,138,139 on the LAN interface
3) Everything worked!!
4) Everything failed after 4hours, this occurred 3 times.
I basically had a singl subnet stretched across 2 separate interface's. I was quite surprised it all worked and then naturally it failed.
The above is exactly what i wanted though beucase it would allow me to do protocol only blocking on a separate device.
LIke i said it only worked for 4 hours. then jsut stopped routing packets alltogether
OK - so the "outer" device is in NAT mode between public and private subnets.
And the "inner" device is in router mode between two different private subnets.
In that case I can't see why it wouldn't work.
AND I don't see why the inner device is needed at all.
AND I don't see how you might use the additional public addresses.
Might you illuminate on this a bit?
And the "inner" device is in router mode between two different private subnets.
In that case I can't see why it wouldn't work.
AND I don't see why the inner device is needed at all.
AND I don't see how you might use the additional public addresses.
Might you illuminate on this a bit?
ASKER
OK - so the "outer" device is in NAT mode between public and private subnets.
Yes, Outer = FVS336
And the "inner" device is in router mode between two different private subnets.
Yes, Inner = FVX538
In that case I can't see why it wouldn't work.
Nor do i.
AND I don't see why the inner device is needed at all.
I am trying to enhance security by adding a second firewall
AND I don't see how you might use the additional public addresses.
1x1 NAT was my solution there. I was allowing everything through the first firewall based on port
Might you illuminate on this a bit?
Just trying to setup a more secure network
Yes, Outer = FVS336
And the "inner" device is in router mode between two different private subnets.
Yes, Inner = FVX538
In that case I can't see why it wouldn't work.
Nor do i.
AND I don't see why the inner device is needed at all.
I am trying to enhance security by adding a second firewall
AND I don't see how you might use the additional public addresses.
1x1 NAT was my solution there. I was allowing everything through the first firewall based on port
Might you illuminate on this a bit?
Just trying to setup a more secure network
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
Netgear FVS336 is configured with a public IP on the WAN
Netgear FVS336 is configured with private 172.16.1.1. on the LAN
this LAN is connected to:
Netgear FVX538 WAN set to 172.16.1.5 and gateway set at 172.16.1.1
Netgear FVX538 to 172.16.1.5 and the gateway to 172.16.1.1
Netgear FVX538 is configured with private 192.168.1.1 on the LAN
Client computers are on this latter LAN.
Netgear FVX538 is configured with NAT.
Netgear FVS336 is configured in Classical Routing mode.
According to the User Manual:
I would translate the manual words a bit:
- If you only have a single public Internet IP address, you MUST use NAT. (the default setting). [Of course, this is not your case ... or need not be your case].
- Since your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your Netgear FVX538.
Classical Routing (as applied to the Netgear FVS336):
In classical routing mode, the VPN firewall performs routing, but without NAT. To gain Internet access, Netgear FVX538 must have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to the Netgear FVX538, you can choose classical routing.
Or, you can use classical routing for routing private IP addresses within a campus environment??
***************
I don't know; this all seems a bit convolved language. Here's what I might suggest:
1) Is the Netgear FVS336 intended to be the internet gateway with *all* the public IP addresses available on it's LAN side? Or, not? I take it from what you've said .. "not".
2) you have multiple IP addresses and they must be accessible (as in "usable") at some point in the architecture. I presume that's where the Netgear FVS336 WAN is connected.
I would plug in a switch at this point (even if conceptually) and I would plug in the Netgear FVS336 and the ISP access node into this switch. At least now you can conceptually plug in other devices which will have public IP addresses assigned that are in your assigned range.
3) Of course, all of those public-addressed devices won't have the benefit of a firewall of any sort unless it's built into them. So, I can imagine that you might want some degree of firewall capability for them (such as in the case if they are internet servers). And, I sort of take it that this is what you want to use the Netgear FVS336 to do?
4) If this is the case then the Netgear FVS336 needs to have public addresses on both sides, WAN and LAN. I've only dealt with this where the WAN and LAN were on separate (public) subnets. But the manual seems to suggest they could be on the same subnet. One has to ponder the routing table.
Let's assume the public range assigned to you is 1.2.3.0 / 24
Let's assume that the ISP is using 1.2.3.1 on their end as your gateway.
Let's assign 1.2.3.2 to the Netgear FVS336 WAN with 1.2.3.1 as the gateway.
Let's assign 1.2.3.3 to the Netgear FVS336 LAN.
Now you can assign 1.2.3.4 to 1.2.3.254 to any other devices with 1.2.3.3 as their gateway.
Of course, one of those would be the Netgear FVX538 WAN.
OK.. now how about routing in the Netgear FVS336?
I can imagine:
0.0.0.0 to 1.2.3.1 via 1.2.3.2
1.2.3.0 to 1.2.3.1 to 1.2.3.2 and this is a problem I believe because you need packets destined for 1.2.3.4, etc. to go to 1.2.3.3 (LAN) and not 1.2.3.2 (WAN).
So, I think you need to have the Netgear FVS336 on two public subnets: the ISPs and yours. I don't know that for sure but it's the only arrangement that I've seen.
Perhaps the manual's words:
Might this suggest that you can do what you want as follows:
1) Assign a public address to the WAN.
2) Assign public addresses to devices on other ports.
3) set a one-to-one rule for each of those other ports. ??
Page 4-14 of the manual says:
Getting back to your current configuration, maybe the issue is that the device will not route packets that have private addresses to a public address. That's not allowed. So, the packets are dropped by design because the "interim" subnet you chose is a private subnet.