Solved

firewall inside of network

Posted on 2016-09-04
9
89 Views
Last Modified: 2016-09-20
One of the computers is a temporary web server.  I had to put it outside of the firewall (DMZ) to make everything work because somehow the uverse router blocks everything even if I open all the ports.  

Since it is now in the DMZ, I want to add some layer of hardware firewall in front of the server.  I am only allowed 1 IP address in the DMZ; it's the same as my external address.  So the firewall, router, or whatever I use could not be on the same network as the computer in the DMZ.  It would have to scan packets at the port level regardless of what network it's on.  

I already have the Windows 10 firewall on of course.  I guess if I can't make the hardware firewall idea work I would like to add extra security against DoS and other threats on the makeshift server.  

Any ideas?
0
Question by:icecom4
9 Comments
 
LVL 37

Expert Comment

by:bbao
ID: 41783935
> somehow the uverse router blocks everything even if I open all the ports.  

Technically a firewall behind a firewall will be workable, but for your scenario it is not optimal, especially if there is only a single host behind the inside firewall.

What's the particular reason for blocking everything even if all ports are opened (where?)?

Additionally, the Windows built-in firewall on the computer in the DMZ can be enabled for general protection but not against some serious attacks such as DoS.
0
 

Author Comment

by:icecom4
ID: 41783976
I don't really know how uverse is able to stop traffic, but they do.  I opened up all the TCP and UDP ports I need and then later it always stops working, makes me put it in DMZ.  This has happened to me with a web, ftp, and game server.  I don't know what technology is behind it; perhaps they do this for liability reasons to protect my home network and their equipment, DVR...etc.  

I have a small firewall appliance, but it wants me to assign it an IP address and be on the same network.  In my case, I can't do this.  I was hoping to find something that protects at the physical layer, like maybe a switch that can block ftp and other open ports regardless of the network configuration.
0
 
LVL 37

Expert Comment

by:bbao
ID: 41784018
> I opened up all the TCP and UDP ports I need and then later it always stops working,

Better post a screenshot showing how you "opened up all the TCP and UDP ports"?
0
 

Author Comment

by:icecom4
ID: 41784205
0
 
LVL 9

Expert Comment

by:Christopher Jay Wolff
ID: 41784231
If the Uverse RG is forcing you into DMZ, it sounds like the Uverse RG had in the past been set up in bridge mode for someone using router behind router, where all ports get forwarded from the Uverse RG to the personal router you bought somewhere that sits behind the Uverse RG.  Are you using two routers?

The 22-minute video shows an example of setting up a bridge and getting forced into DMZ.  Please jump to the 10:30 mark in the video to verify if this is the screen you're referring to.
https://www.youtube.com/watch?v=LZy1C5qHxKc
0
 
LVL 5

Accepted Solution

by: Gareth Tomlinson CISSP (earned 500 total points)
ID: 41784311
To get back to the original question, it is possible to deploy a hardware firewall in 2 ways:
  • traditional routed mode, where the web server has a different address and the firewall will NAT the IP address appropriately
  • transparent mode, where the web server can keep its address, and the firewall sits between it and the router and has no active IP address (apart from management).
You can still enforce traffic control and even application scanning on the transparent firewall.
0
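The transparent-mode deployment described in the accepted solution, written out as a Linux nftables ruleset. This is an added example, not configuration from the thread or from any poster; it assumes a small Linux box with two NICs (eth0 facing the U-verse gateway, eth1 facing the web server) bridged together as br0 with no IP address, a placeholder server address of 192.0.2.10, and a kernel new enough to track connections on a bridge (Linux 5.3 or later with nf_conntrack_bridge). Only HTTP is allowed in, new connections are rate-limited to blunt a simple flood, and the server's outbound traffic is restricted to what a web host needs. The routed-mode alternative is sketched in a comment at the end.

```nftables
#!/usr/sbin/nft -f
# Transparent (bridge-mode) firewall in front of a single DMZ web server.
# Added example; the topology below is constructed for illustration:
#   eth0 = port facing the U-verse gateway
#   eth1 = port facing the web server
# Both ports are enslaved to bridge br0, which carries NO IP address, so the
# server keeps the public DMZ address it already has. 192.0.2.10 is a
# placeholder for that address.
# Requires nftables with bridge-family conntrack (Linux 5.3+, nf_conntrack_bridge).

flush ruleset

define WAN_IF = "eth0"
define SRV_IF = "eth1"
define WEB_SERVER = 192.0.2.10

table bridge dmz_shield {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # L2 housekeeping: gateway and server must still ARP for each other,
        # and the server may obtain its DMZ address from the gateway via DHCP.
        ether type arp accept
        udp sport 67 udp dport 68 accept
        udp sport 68 udp dport 67 accept

        # Packets belonging to flows already admitted by the rules below.
        ct state established,related accept
        ct state invalid drop

        # Inbound from the gateway: HTTP only. New connections are throttled so
        # a simple SYN flood is cut down before it reaches the host firewall.
        iifname $WAN_IF oifname $SRV_IF ip daddr $WEB_SERVER tcp dport 80 \
            ct state new limit rate 30/second burst 60 packets accept
        iifname $WAN_IF oifname $SRV_IF ip daddr $WEB_SERVER tcp dport 80 \
            ct state new counter drop comment "http flood overflow"

        # Everything else inbound (FTP, RDP, SMB, game ports, ICMP) is logged
        # by the counter and dropped; IPv6 falls through to the chain policy.
        iifname $WAN_IF oifname $SRV_IF counter drop comment "unsolicited inbound"

        # Outbound from the server: updates over HTTP/HTTPS, DNS and NTP only.
        iifname $SRV_IF oifname $WAN_IF ip saddr $WEB_SERVER tcp dport { 80, 443 } accept
        iifname $SRV_IF oifname $WAN_IF ip saddr $WEB_SERVER udp dport { 53, 123 } accept
        iifname $SRV_IF oifname $WAN_IF counter drop comment "unexpected outbound"
    }
}

# Routed-mode alternative (the first option in the answer): the firewall box
# owns the DMZ address itself and the server moves to a private subnet behind
# it (placeholder 10.0.0.10 on eth1). Use this INSTEAD of the bridge table
# above, never both at once; the same forward-chain filtering then lives in an
# "inet" table on the routed path.
#
# table ip dmz_nat {
#     chain prerouting {
#         type nat hook prerouting priority dstnat; policy accept;
#         iifname "eth0" tcp dport 80 dnat to 10.0.0.10
#     }
#     chain postrouting {
#         type nat hook postrouting priority srcnat; policy accept;
#         oifname "eth0" masquerade
#     }
# }
```

The bridge is created before the ruleset is loaded (`ip link add br0 type bridge`, then `ip link set eth0 master br0` and the same for eth1), and the file is applied as root with `nft -f`. Because br0 deliberately has no address, the box is managed over a third NIC on the home LAN, which is exactly the "no active IP address (apart from management)" arrangement the answer describes. The counters on the two catch-all drop rules (`nft list ruleset` shows them) give a quick read on how much unsolicited traffic the DMZ host is attracting.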
 
LVL 37

Expert Comment

by:bbao
ID: 41784609
Do you mean the open ports do not work if you input a large range for ports instead of pointing to a DMZ host?
0
 

Author Comment

by:icecom4
ID: 41784770
@Bing, yes, even if I open up a wide range of ports including port 80 it still does not work; however it did initially, and even when I changed nothing, somehow uverse blocked it... shrug.  Unless there is a port I am unaware of that needs to be open.  It's a Windows server running Apache web server and OSQA.  

@ Gareth
Which routers have transparent mode?  That might be a solution.  

@Chris
It's not being forced into DMZ; I placed it there to allow the web server to be accessible from outside.  I actually have that Nighthawk router but I am using it as a wireless AP.  I need both the wifi from uverse and the wifi from the Nighthawk because I have a wireless camera system that refuses to work with the Nighthawk, so I use uverse wifi only for cameras and everything else on my Nighthawk.  However, it is tempting to completely move to the Nighthawk.
0
 

Author Closing Comment

by:icecom4
ID: 41806695
Thank you!
0
