Routing and Switching

Hello Experts,

I would like to do the following: set up back-to-back firewalls for all outbound and inbound traffic. Let's just focus on the outbound for now, though.

I have the following hardware: 1) cable modem with 5 static IPs, 2) Netgear FVX538, 3) Netgear FVS336. Both Netgears are "somewhat enterprise firewalls"; both support NAT and classical routing.

Here is what I tried to do (and no, it didn't work):

1) I tried setting the static WAN IPs on the Netgear FVS336, setting the LAN IP to 172.16.1.1 and disabling NAT. That worked; I could ping 4.2.2.1.

2) I then set the WAN IP of the Netgear FVX538 to 172.16.1.5 and the gateway to 172.16.1.1, and connected a cable from the WAN of the FVX538 to the LAN of the FVS336.

3) I then set the LAN IP of the Netgear FVX538 to 192.168.1.1.

4) Then I set a client PC to 192.168.1.5, gateway 192.168.1.1.

5) If I enable NAT on both devices it works like a charm, but that is double NATting and isn't the best solution.

So if I disable NAT on the first Netgear (FVX538) and enable classical routing, I can ping from the Netgear's internal diagnostics to any address, no problem.

However, and here is the problem: any PC that is on the 192.168.1.x network (the LAN side of the FVX538) cannot ping any address outside of its own network. It also can't access the internet.

At this point I just want to know if this should work. Shouldn't I be able to take traffic from the 192.168.1.x network and route it to the 172.16.1.x network without enabling NAT?

Any ideas would be great; if I have misunderstood this, then hopefully someone can tell me.

Thanks,

Robert
Asked by castellansolutions

1 Solution
Fred Marshall (Principal) commented:
Let me play this back just to make sure:
Netgear FVS336 is configured with a public IP on the WAN
Netgear FVS336 is configured with private 172.16.1.1 on the LAN
this LAN is connected to:
Netgear FVX538 WAN set to 172.16.1.5 and gateway set at 172.16.1.1
Netgear FVX538 is configured with private 192.168.1.1 on the LAN
Client computers are on this latter LAN.

Netgear FVX538 is configured with NAT.
Netgear FVS336 is configured in Classical Routing mode.

According to the User Manual:

- If you only have a single public Internet IP address, you MUST use NAT. (the default setting).

- If your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.

Classical Routing
In classical routing mode, the VPN firewall performs routing, but without NAT. To gain Internet access, each PC on your LAN must have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to each PC, you can choose classical routing. Or, you can use classical routing for routing private IP addresses within a campus environment.

I would translate the manual words a bit:

- If you only have a single public Internet IP address, you MUST use NAT. (the default setting). [Of course, this is not your case ... or need not be your case].

- Since your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your Netgear FVX538.

Classical Routing (as applied to the Netgear FVS336):
In classical routing mode, the VPN firewall performs routing, but without NAT. To gain Internet access, Netgear FVX538 must have a valid static Internet IP address.
If your ISP has allocated a number of static IP addresses to you, and you have assigned one of these addresses to the Netgear FVX538, you can choose classical routing.

Or, you can use classical routing for routing private IP addresses within a campus environment??

***************

I don't know; this all seems a bit convoluted language. Here's what I might suggest:

1) Is the Netgear FVS336 intended to be the internet gateway with *all* the public IP addresses available on its LAN side? Or not? I take it from what you've said: "not".

2) You have multiple IP addresses and they must be accessible (as in "usable") at some point in the architecture. I presume that's where the Netgear FVS336 WAN is connected.
I would plug in a switch at this point (even if conceptually) and I would plug the Netgear FVS336 and the ISP access node into this switch. At least now you can conceptually plug in other devices which will have public IP addresses assigned that are in your assigned range.

3) Of course, all of those public-addressed devices won't have the benefit of a firewall of any sort unless it's built into them. So, I can imagine that you might want some degree of firewall capability for them (such as in the case where they are internet servers). And I sort of take it that this is what you want to use the Netgear FVS336 to do?

4) If this is the case then the Netgear FVS336 needs to have public addresses on both sides, WAN and LAN. I've only dealt with this where the WAN and LAN were on separate (public) subnets. But the manual seems to suggest they could be on the same subnet. One has to ponder the routing table.
Let's assume the public range assigned to you is 1.2.3.0 / 24
Let's assume that the ISP is using 1.2.3.1 on their end as your gateway.
Let's assign 1.2.3.2 to the Netgear FVS336 WAN with 1.2.3.1 as the gateway.
Let's assign 1.2.3.3 to the Netgear FVS336 LAN.
Now you can assign 1.2.3.4 to 1.2.3.254 to any other devices with 1.2.3.3 as their gateway.
Of course, one of those would be the Netgear FVX538 WAN.

OK.. now how about routing in the Netgear FVS336?
I can imagine:
0.0.0.0 to 1.2.3.1 via 1.2.3.2
1.2.3.0 to 1.2.3.1 to 1.2.3.2, and this is a problem I believe because you need packets destined for 1.2.3.4, etc. to go to 1.2.3.3 (LAN) and not 1.2.3.2 (WAN).

So, I think you need to have the Netgear FVS336 on two public subnets: the ISP's and yours. I don't know that for sure but it's the only arrangement that I've seen.
Perhaps the manual's words:
you can use one address as the primary shared address for Internet access by your PCs, and you can map incoming traffic on the other public IP addresses to specific PCs on your LAN. This one-to-one inbound mapping is configured using an inbound firewall rule.
Might this suggest that you can do what you want as follows:
1) Assign a public address to the WAN.
2) Assign public addresses to devices on other ports.
3) set a one-to-one rule for each of those other ports. ??

Page 4-14 of the manual says:
LAN WAN Inbound Rule: Setting Up One-to-One NAT Mapping
If you arrange with your ISP to have more than one public IP address for your use, you can use the additional public IP addresses to map to servers on your LAN. One of these public IP addresses will be used as the primary IP address of the VPN firewall. This address will be used to provide Internet access to your LAN PCs through NAT. The other addresses are available to map to your servers.
In the example shown in Figure 4-7, we have configured multi-NAT to support multiple public IP addresses on one WAN interface. The inbound rule instructs the VPN firewall to host an additional public IP address (10.1.0.5) and to associate this address with the Web server on the LAN (at 192.168.0.2). We also instruct the VPN firewall to translate the incoming HTTP port number (port 80) to a different port number (port 8080).

The following addressing scheme is used in this example:
• VPN firewall FVS336G
– WAN1 primary public IP address: 10.1.0.1
– WAN1 additional public IP address: 10.1.0.5
– LAN IP address 192.168.1.1

Getting back to your current configuration, maybe the issue is that the device will not route packets that have private addresses to a public address.  That's not allowed.  So, the packets are dropped by design because the "interim" subnet you chose is a private subnet.
castellansolutions (Author) commented:
Almost...

Let me play this back just to make sure:
Netgear FVS336 is configured with a public IP on the WAN
Netgear FVS336 is configured with private 172.16.1.1 on the LAN
this LAN is connected to:
Netgear FVX538 WAN set to 172.16.1.5 and gateway set at 172.16.1.1
Netgear FVX538 is configured with private 192.168.1.1 on the LAN
Client computers are on this latter LAN.

Netgear FVX538 is configured with NAT.
Netgear FVS336 is configured in Classical Routing mode.

Netgear FVS336 is in NAT mode to the internet (traffic is NATted by this device from the 172.16.1.x network to the public IPs); Netgear FVX538 is in classical routing mode.

If I remove the FVX538 and just use 172.16.1.x and set a client PC to that same network on the FVS336, everything works fine.
castellansolutions (Author) commented:
Getting back to your current configuration, maybe the issue is that the device will not route packets that have private addresses to a public address.  That's not allowed.  So, the packets are dropped by design because the "interim" subnet you chose is a private subnet.

You think that could be it? I didn't think of that. So if I made the middle network 100.100.1.x and then set the client PCs on the FVX538's LAN side to 192.168.1.x it might work... like this:

Internet << (static IPs) on FVS336 >> LAN side of FVS336 100.100.1.1/24 >> WAN side of FVX538 100.100.1.5/24, gateway 100.100.1.1 >> LAN side of FVX538 192.168.1.1 ?

thanks...
castellansolutions (Author) commented:
- Since your ISP has provided you with multiple public IP addresses, you can use one address as the primary shared address for Internet access by your Netgear FVX538.

I tried this first:

1) set the IP of xxx.xxx.221.130 / gateway xxx.xxx.221.129, mask 27, on the WAN interface
2) set the remainder of the IPs (so 4 more) 131, 132, 138, 139 on the LAN interface
3) Everything worked!!
4) Everything failed after 4 hours; this occurred 3 times.

I basically had a single subnet stretched across 2 separate interfaces. I was quite surprised it all worked, and then naturally it failed.

The above is exactly what I wanted, though, because it would allow me to do protocol-only blocking on a separate device.

Like I said, it only worked for 4 hours, then just stopped routing packets altogether.
Fred Marshall (Principal) commented:
OK - so the "outer" device is in NAT mode between public and private subnets.

And the "inner" device is in router mode between two different private subnets.

In that case I can't see why it wouldn't work.
AND I don't see why the inner device is needed at all.

AND I don't see how you might use the additional public addresses.

Might you illuminate on this a bit?
castellansolutions (Author) commented:
OK - so the "outer" device is in NAT mode between public and private subnets.

Yes, Outer = FVS336

And the "inner" device is in router mode between two different private subnets.

Yes, Inner = FVX538

In that case I can't see why it wouldn't work.

Nor do i.

AND I don't see why the inner device is needed at all.

I am trying to enhance security by adding a second firewall

AND I don't see how you might use the additional public addresses.

1:1 NAT was my solution there. I was allowing everything through the first firewall based on port.

Might you illuminate on this a bit?

Just trying to set up a more secure network.
Fred Marshall (Principal) commented:
OK, thanks. Well, learning about how things work and how to do things is a good idea. So, I hope this helps.

The one thing I can now imagine is that the inner router needs to have firewall rules to allow the two subnets to communicate. That would be over and above simply connecting them and setting up IP addresses. Some devices require "policies", etc.

I'm not sure that a second firewall enhances security that much unless you do have interim devices like web servers which reside in a DMZ and the interim subnet is your DMZ.  Otherwise you should be able to block whatever traffic as necessary with one firewall.
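Added example, not part of the thread and not configuration from either Netgear manual: a small Python model of the longest-prefix-match decision both devices make, run over the layout the thread settles on (outer FVS336 doing NAT between a public WAN and 172.16.1.0/24, inner FVX538 routing without NAT between 172.16.1.0/24 and 192.168.1.0/24). The routing tables are constructed for illustration; the public addresses use the documentation range 203.0.113.0/24, and the static route `192.168.1.0/24 via 172.16.1.5` on the outer device is an assumption about what the layout needs, not a setting the thread confirms. It also checks the single-public-/24-on-both-interfaces table that Fred asks the reader to ponder (the `STRETCHED` table), flagging the prefix that appears on two interfaces.

```python
"""Routing-table walk for the back-to-back firewall layout discussed above.

Added example. The tables below are constructed for illustration, not copied
from the thread or from any Netgear manual. The static route on the outer
device is an assumed fix, not something the thread confirms.
"""
from ipaddress import ip_address, ip_network


# A route is (prefix, next_hop, interface); next_hop None means directly connected.
def lookup(table, dst):
    """Longest-prefix match: the per-packet decision every router makes."""
    dst = ip_address(dst)
    best = None
    for prefix, next_hop, iface in table:
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop, iface)
    return best


def duplicate_prefixes(table):
    """Prefixes present on more than one interface: lookup() silently picks
    the first match, so such a table has no deterministic forwarding."""
    seen = {}
    for prefix, _, iface in table:
        seen.setdefault(ip_network(prefix), set()).add(iface)
    return sorted(str(p) for p, ifaces in seen.items() if len(ifaces) > 1)


# Outer device (FVS336): NAT between its public WAN and the 172.16.1.0/24 LAN.
OUTER_NO_STATIC = [
    ("0.0.0.0/0",      "203.0.113.1", "wan"),   # default to the ISP gateway (assumed address)
    ("203.0.113.0/29", None,          "wan"),   # connected: the block of static IPs
    ("172.16.1.0/24",  None,          "lan"),   # connected: the interim subnet
]
# Same device plus the route the inner LAN needs (assumed fix).
OUTER_STATIC = OUTER_NO_STATIC + [
    ("192.168.1.0/24", "172.16.1.5", "lan"),    # via the FVX538 WAN address
]
# Inner device (FVX538): classical routing, no NAT.
INNER = [
    ("0.0.0.0/0",      "172.16.1.1", "wan"),    # default to the FVS336 LAN address
    ("172.16.1.0/24",  None,         "wan"),
    ("192.168.1.0/24", None,         "lan"),
]
# Fred's single-public-/24-on-both-sides idea, written as one routing table.
STRETCHED = [
    ("0.0.0.0/0", "1.2.3.1", "wan"),
    ("1.2.3.0/24", None,     "wan"),
    ("1.2.3.0/24", None,     "lan"),
]

CLIENT = "192.168.1.5"       # the PC behind the inner device
OUTER_PUBLIC = "203.0.113.2" # outer device's primary public address (assumed)


def trace(outer_table, dst="4.2.2.1"):
    """Walk one client packet out and its reply back.
    Returns (outbound_hops, reply_hops); reply_hops[-1] is 'delivered' or 'dropped: ...'."""
    out = []
    r = lookup(INNER, dst)
    out.append(f"inner: {CLIENT}->{dst} matches {r[0]}, next hop {r[1]} on {r[2]}")
    r = lookup(outer_table, dst)
    out.append(f"outer: matches {r[0]}, NAT src {CLIENT}->{OUTER_PUBLIC}, next hop {r[1]} on {r[2]}")

    # The reply arrives addressed to OUTER_PUBLIC; NAT rewrites the destination
    # back to CLIENT, and the outer device must then find a route for it.
    back = [f"outer: reply dst {OUTER_PUBLIC} de-NATted to {CLIENT}"]
    r = lookup(outer_table, CLIENT)
    back.append(f"outer: {CLIENT} matches {r[0]}, next hop {r[1]} on {r[2]}")
    if r[2] != "lan":
        # Only the default route matched: an RFC 1918 destination is handed back
        # toward the ISP and never delivered. This is the symptom in the question.
        back.append(f"dropped: outer device has no route to {CLIENT} via the inner device")
        return out, back
    r = lookup(INNER, CLIENT)
    back.append(f"inner: {CLIENT} matches {r[0]} on {r[2]}")
    back.append("delivered" if r[1] is None and r[2] == "lan" else "dropped: inner misrouted")
    return out, back


if __name__ == "__main__":
    for label, table in (("without static route", OUTER_NO_STATIC),
                         ("with static route", OUTER_STATIC)):
        out, back = trace(table)
        print(f"== outer device {label} ==")
        for line in out + back:
            print("  " + line)
    print("ambiguous prefixes in STRETCHED:", duplicate_prefixes(STRETCHED))
```

The outbound half succeeds in both cases, which matches the thread: the inner device's own diagnostics can reach the internet because the outer device NATs whatever arrives on its LAN port. The difference is on the way back, where the de-NATted reply to 192.168.1.5 matches only the default route unless the outer device has a route to 192.168.1.0/24 pointing at 172.16.1.5. Two caveats for anyone trying this on real gear: some SMB firewalls only source-NAT their directly connected LAN subnet, so a source like 192.168.1.5 may also need an explicit NAT or LAN-to-WAN rule (the thread does not confirm either requirement for these models), and a prefix that appears on two interfaces, as in `STRETCHED`, gives the router no deterministic answer, which is the concern Fred raises about the single-/24 layout.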