Chip Levinson

Can I put a Managed Switch in Front of my Firewall?

I am having problems getting my network set up with my new SonicWall TZ270 firewall.  I set up multiple zones, including one I have called Wifi for an Orbi Router plus 1 satellite.  No matter what I try the Orbi router is unable to reach the internet.  I think it is a case of having two layers of NAT - the firewall uses NAT and the Orbi router uses NAT.  I tried putting the Orbi router in Access Point mode (turn off router function) and still had problems.  The Orbi AP kept wanting to default to its 192.168.1.1 address which conflicts with one of my private networks.  Even if I got the Orbi AP to work, I am pretty sure my Orbi Satellite would no longer link with it and create a mesh.  I need the satellite to work or wifi is horrible in the house.

I just purchased a Netgear 5-Port Managed Gigabit Ethernet Plus Switch (GS105Ev2) that will be delivered this evening.  I was wondering if I could place this in between my NetGear C1100 cable modem and my SonicWall TZ270 firewall?  I would configure one of the switch ports to be a fixed IP, say 10.10.99.99 and have the Orbi Router connect to it.  The other switch port would be plugged into the firewall's internet port and could be fixed IP on a different network, say 192.168.12.12 or be set to DHCP. Would this work?  I am fine having the Orbi wifi outside my firewall, btw.

I need to resolve this today if at all possible.  Let me know if you need any other info.  THANK YOU!!!

8/22/2022 - Mon
David Johnson, CD

For each network you set up, you have to configure the firewall for each network.
Are the zones networks with or without VLAN?
Chip Levinson

ASKER
Hi David, for now there is no VLAN setup. To be honest, I am not quite sure how or why to set that up.  Why would the firewall need to be configured for the Orbi network if it is in front of the firewall?  If I set up a rule that blocked all traffic from 10.10.99.xxx to the Trusted Zones, would that isolate the Orbi network from anything inside or behind the firewall?

PS Thanks for your help.  I will try to respond quicker.
David Johnson, CD

If the Orbi router is connected to the ISP device it should just work. Use another port on the ISP device to the firewall -> switch -> managed devices (not wireless devices).
CompProbSolv

I think you need to hit the problem head on rather than work around it.

To start with, unless you get multiple IP addresses from your ISP (very unlikely unless you request them and pay for them), a switch after your modem won't help.

Double-NAT shouldn't be a problem with Orbi, though I'd try to avoid it.  I'd set it up as an Access Point.

"The Orbi AP kept wanting to default to its 192.168.1.1 ": you should be able to log into the Orbi and change that address.  I think this is your main problem.

"my Orbi Satellite would no longer link with it and create a mesh": I have only set up one Orbi system, but I set up the main unit as an AP (with an IP on the same subnet as the main router) and had no problems with the satellites finding it.

The real issue here is the conflict of the IP address of your Orbi with your main router.  That's what you need to resolve.

As an aside, I try to avoid common subnets (192.168.0.x, 192.168.1.x, 10.0.x.x, 10.1.x.x, etc.) when configuring a network.  They'll get you in trouble later if you want to do VPNs from elsewhere.  May not be a problem in your case, but it can be good to plan for future changes.


Chip Levinson

ASKER
Thank you both for your comments.  FYI Amazon just delivered the managed switch.

David - my CM1100 modem has two gigabit ethernet ports.  The links support link aggregation... and I thought that that was the only use for the second port.  If I can configure the two ports with different IP addresses, that could eliminate the need for the switch as you suggest.  I am going to log into the user interface and see if that is possible.  I wonder if they have different IP addresses automatically?

CompProbSolv - you bring up some very good points.  Yes, I think you are right about conflicts in IP addresses causing problems.  Plus my firewall is set so 192.168.1.xxx is in a zone that is isolated from all the other zones, including the interface configured for the Orbi.  I would like to get my office LAN off of 192.168.1.1.  What is the best way to do it?  I have a Windows 2012 file server, a W10 desktop, a printer, and a NAS.  What subnets would you suggest I use?  Would I simply log into the NAS web UI, change the IP address, then do the same for the server and printer and my desktop, then change the firewall settings so that the zone uses the new static IP rather than the old?

I am curious about your Orbi experience. The Orbi will be providing wifi for the family and internet for streaming smart tvs.  I do not want it to be part of any other zone.  Is this where a VLAN would come in?
Chip Levinson

ASKER
Oh, for now I am looking for the easiest solution to get the Orbi wifi working with the satellite.  I am pressed for time, leaving on a three day trip in the morning and have much to do to get ready.  Unless it was very easy and would solve the problem, I hesitate changing my work LAN off of 192.168.1.xxx
David Johnson, CD

Set the manage port IP address to something other than 192.168.x.x; use the 10.x.x.x range. Same for the Orbi; just set the gateway to the address of the cable modem.
I know squat about Orbi as I use a UniFi stack here, and I know pfSense and UniFi switches work well with VLANs, i.e. iotcrap, guest, office, kids.
CompProbSolv

" If I can configure the two ports with different IP addresses ": only if you have two (or more) static IPs from your ISP.

As far as the easiest solution goes, I would do the following:
1. Configure one LAN port on your firewall
2. Connect a switch to that port
3. Connect the Orbi to the switch
4. Configure the Orbi as an AP
5. Change the IP address on the Orbi to 192.168.1.2 (or something else that doesn't conflict)
6. Connect to the Orbi (both through WiFi and through its web interface) and confirm that it works properly
7. Do the proper configuration (reset?) of the satellites so that they find the base unit

Stop if you don't have it working at this point.
Given your specific time constraints, I'd leave it at that for now.  Once you get back, then look into changing the subnet.  There is no need to do that at this point.

CompProbSolv

"Is this where a VLAN would come in? "
That is one approach.  I'd not even consider VLANs (or any other segregation) until you can get the Orbi to work as an AP on your network.
Chip Levinson

ASKER
Hi, sorry for the delay.  I was out of town for a few days and am just getting back into this, now that I am not so pressed for time.  The first thing I think I want to do is get my main work network off of the "common" subnet of 192.168.1.xxx per CompProbSolv's suggestion. Would either of you two please suggest a good subnet to use?  Which ones are not considered common?  Would 192.168.101.xxx be good?  Or should I move to one of the 172 subnets like 172.17.17.xxx?

Once I pick a subnet, what is the best way to go about moving everything from the 192.168.1 to the new subnet?  Should I first change my Work Zone in my firewall then go into each device (desktop, server, NAS, printer) directly and assign them fixed IPs on the same subnet?  Are there any implications for the domain controller function on the server or will it automatically update?  I want to make sure I don't break the whole thing so I would appreciate a step-by-step if possible.
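One way to vet candidate subnets such as the two asked about above, as an added example that is not part of the original thread. The "common" list is the one given earlier in the thread (reading x.x as a /16 and x as a /24); the /24 masks on the in-use networks are assumptions.

```python
import ipaddress

# Ranges called "common" earlier in the thread (x.x read as /16, x as /24).
COMMON = [ipaddress.ip_network(n) for n in
          ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/16", "10.1.0.0/16")]

# Networks mentioned in the thread as in use or proposed (/24 is an assumption).
IN_USE = {
    "office LAN": ipaddress.ip_network("192.168.1.0/24"),
    "Orbi (proposed)": ipaddress.ip_network("10.10.99.0/24"),
    "firewall WAN side (proposed)": ipaddress.ip_network("192.168.12.0/24"),
}

# RFC 1918 private address blocks.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_candidate(cidr):
    """Return a list of problems with using `cidr` as a new LAN subnet."""
    try:
        # strict=True rejects input with host bits set, e.g. 192.168.1.5/24
        net = ipaddress.ip_network(cidr, strict=True)
    except ValueError as exc:
        return [f"not a valid network: {exc}"]
    if net.version != 4:
        return ["not an IPv4 network"]

    problems = []
    if not any(net.subnet_of(block) for block in RFC1918):
        problems.append("not inside RFC 1918 private space")
    for common in COMMON:
        if net.overlaps(common):
            problems.append(f"overlaps common default {common}")
    for name, used in IN_USE.items():
        if net.overlaps(used):
            problems.append(f"overlaps {name} ({used})")
    return problems


if __name__ == "__main__":
    for candidate in ("192.168.101.0/24", "172.17.17.0/24", "192.168.1.0/24"):
        issues = check_candidate(candidate)
        print(candidate, "->", "OK" if not issues else "; ".join(issues))
```

An empty result only means the candidate avoids the ranges listed here; add the subnets of any remote sites you expect to VPN to before relying on it.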
ASKER CERTIFIED SOLUTION
CompProbSolv

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
Chip Levinson

ASKER
CompProbSolv,

Thanks for all of the advice.  I will pick something in the 192.168.x.y subnet.

I am a bit rusty on all of this, I knew it much better when I initially set up the network in the 2007-2012 timeframe.  After that, nothing much changed.  For example, I am not clear on the relationship between DHCP and AD.  In the beginning I had 4 physical rackmount servers - a file server, a web server, an AD server and a backup domain server.  When I started to outsource my web application and host it elsewhere my network became much simpler with just a file server.  It serves no other function.  I am using gmail for email.  The NAS is used to back up the work files nearline and as the primary storage for multimedia files.

Active Directory is running on my file server.  My Orbi wifi router is acting as the DHCP server for all my wifi devices.  All other devices use static IP which is configured in the firewall.

Here is a pic of the error message I just got when I tried to access my server via remote desktop.
[Image: Server-Credentials-Rejected.jpg]
Once I manually typed in the password I was able to log in.  So I am using the name for the server.  The NAS is also using a name, not an IP address for drive mapping.  When I tried to map one of the NAS volumes I received the following credentials error.
[Image: NAS-Credentials-Rejected.jpg]
When I changed the username to my account and entered the password, I was able to map the NAS volume.  If I need to access the GUI of the NAS for whatever reason, I do use a browser on my desktop and navigate to its fixed IP address.

Based on this, will changing my server's IP address create any issues?  Is there some way to check that in advance?  Any other suggestions, especially with how to get the drive mapping to be sticky and stay in effect even after I reboot my desktop PC.
CompProbSolv

"My Orbi wifi router is acting as the DHCP server for all my wifi devices. "
If Active Directory is running on your file server, I would strongly recommend setting it up as a DNS server and, less strongly but still strongly, as your DHCP server.  Your Orbi device should be configured as a WAP.

"Active Directory is running on my file server. ": are you stating that it is a Domain Controller?

"All other devices use static IP which is configured in the firewall.": That is unclear to me.  If devices have static IP addresses, there is nothing configured in the firewall about their addresses.  If there are reservations based on their MAC addresses that give them IP addresses, that's what I was referring to as "quasi-static" IP addresses.  I would much prefer to do that in the Windows Server, but it can still be workable there.

"Based on this, will changing my server's IP address create any issues?  Is there some way to check that in advance? "  Possibly... and yes.  Change the IP address and see what happens.  Otherwise, you could go to every device and see how it connects to the server.  If it is by IP, then it will create issues.  If by name then it should not.
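The by-IP versus by-name check described above can be run over a written-down inventory before anything is renumbered. This is an added example, not part of the original thread; the host names, addresses and inventory entries are constructed, and only the 192.168.1.x office subnet comes from the thread.

```python
import ipaddress
from urllib.parse import urlsplit

OLD_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # office LAN being retired

# Constructed inventory: where each reference lives, and what it points at.
REFERENCES = [
    ("desktop drive Z:", r"\\NAS01\media"),
    ("desktop drive Y:", r"\\192.168.1.20\backup"),
    ("NAS web UI bookmark", "http://192.168.1.20:5000/"),
    ("printer port", "192.168.1.30:9100"),
    ("RDP shortcut", "FILESRV01"),
]


def host_of(target):
    """Extract the host from a UNC path, a URL, or a bare host[:port]."""
    if target.startswith("\\\\"):                  # \\host\share
        return target[2:].split("\\", 1)[0]
    if "://" in target:                            # scheme://host[:port]/path
        return urlsplit(target).hostname or ""
    if target.count(":") == 1:                     # host:port
        return target.rsplit(":", 1)[0]
    return target


def classify(target):
    """'breaks' = literal IP in the old subnet, 'other-ip' = literal IP
    elsewhere, 'by-name' = resolved through DNS and survives renumbering."""
    try:
        addr = ipaddress.ip_address(host_of(target))
    except ValueError:
        return "by-name"
    return "breaks" if addr in OLD_SUBNET else "other-ip"


def audit(references):
    """Return the (location, target) pairs that must be edited by hand."""
    return [(where, t) for where, t in references if classify(t) == "breaks"]


if __name__ == "__main__":
    for where, target in audit(REFERENCES):
        print(f"{where}: {target} uses an address in {OLD_SUBNET}")
```

References classified as by-name still depend on the DNS record for that name being updated to the new address.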



Chip Levinson

ASKER
Quick Update - I resolved my network drive mapping problem.  All my mapped drives now show up when I start my PC.  I am now focusing my attention on this question and plan to have an update tomorrow.  Thanks