firewall routing setup - Networking


  1. firewall routing setup

    Hi all,

    Thanks for the input. I have a difficult situation that needs all help.

    Currently the setup is a WAN router connected to a switch, and all
    workstations connect to the switch. The router and workstations are using
    the same subnet, like 168.1.X.X

    What I want is to set up a firewall server (2 NIC cards) between the router
    and the switch.

    How do I set up this firewall without changing the WAN router
    configuration? In other words, in this case the two NIC cards will have the
    same IP subnet, but how is routing going to work?

    Thanks.



  2. Re: firewall routing setup



    steeles wrote:
    > Hi all,
    >
    > Thanks for the input. I have a difficult situation that needs all help.
    >
    > currently setup is WAN router connect to a switch, then all workstations
    > connect to switch, router and workstation are using same subnet, like
    > 168.1.X.X
    >
    > What I want is to setup a firewall server (2 NIC cards) between Router and
    > switch.
    >
    > how do I setup this firewall without changing WAN router configuration?
    > Another word, if this case, two NIC cards will have same IP subnet, but how
    > is routing going to work?
    >
    > Thanks.
    >
    >

    You need a firewall in bridging mode.

  3. Re: firewall routing setup

    On 02/13/2007 09:06 PM, steeles wrote:
    > currently setup is WAN router connect to a switch, then all workstations
    > connect to switch, router and workstation are using same subnet, like
    > 168.1.X.X
    >
    > What I want is to setup a firewall server (2 NIC cards) between Router and
    > switch.
    >
    > how do I setup this firewall without changing WAN router configuration?
    > Another word, if this case, two NIC cards will have same IP subnet, but how
    > is routing going to work?


    You need to change the layout as follows:

                 Internet
                    |
                WAN Router
                    |
              Firewall (Your)
                    |
                  Switch
                    |
         +----+---+----+---+---+
         |    |   |    |   |   |   Workstations
         A    B   C    D   E   F ...

    If you don't have control over the router's config, use a router-assigned
    IP on the WAN side of your firewall and use a different IP and subnet on
    the LAN side. Run your own DHCP service on the firewall itself; your
    workstations should be using the firewall as their gateway. Add some
    appropriate SNAT/DNAT rules on the firewall.

    Hope that helps!
    --
    Dr Balwinder S "bsd" Dheeman Registered Linux User: #229709
    Anu's Linux@HOME Machines: #168573, 170593, 259192
    Chandigarh, UT, 160062, India Distros: Ubuntu, Fedora, Knoppix
    Home: http://cto.homelinux.net/~bsd/ Visit: http://counter.li.org/
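
The routed layout described in the post above, as an added example that is not part of the original thread: a shell function that emits an `iptables-restore` ruleset with SNAT for a separate LAN subnet and a default-drop FORWARD policy. The interface names and addresses (`eth0`, `eth1`, `192.0.2.10`, `10.10.0.0/24`) are constructed placeholders, and no DNAT rule is included.

```shell
#!/bin/sh
# Added example: ruleset for  router -- eth0 [firewall] eth1 -- switch.
# All names and addresses below are constructed placeholders.
WAN_IF=${WAN_IF:-eth0}            # faces the WAN router
LAN_IF=${LAN_IF:-eth1}            # faces the switch
WAN_IP=${WAN_IP:-192.0.2.10}      # address handed out by the router
LAN_NET=${LAN_NET:-10.10.0.0/24}  # new subnet used only behind the firewall

routed_fw_rules() {
cat <<EOF
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# SNAT: LAN hosts leave with the firewall's WAN address, so the router
# needs no route to the new LAN subnet and its config stays untouched.
-A POSTROUTING -s $LAN_NET -o $WAN_IF -j SNAT --to-source $WAN_IP
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# The firewall itself answers DHCP and SSH on the LAN side only.
-A INPUT -i $LAN_IF -p udp --dport 67 -j ACCEPT
-A INPUT -i $LAN_IF -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# Replies flow back; new connections may only start from the LAN.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Prints the ruleset. To load it (as root):
#   sysctl -w net.ipv4.ip_forward=1
#   routed_fw_rules | iptables-restore
routed_fw_rules
```

Piping the output through `iptables-restore --test` parses the ruleset without committing it.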

  4. Re: firewall routing setup

    On Tue, 13 Feb 2007 10:36:22 -0500, steeles wrote:

    > Hi all,
    >
    > Thanks for the input. I have a difficult situation that needs all help.
    >
    > currently setup is WAN router connect to a switch, then all workstations
    > connect to switch, router and workstation are using same subnet, like
    > 168.1.X.X
    >
    > What I want is to setup a firewall server (2 NIC cards) between Router and
    > switch.
    >
    > how do I setup this firewall without changing WAN router configuration?
    > Another word, if this case, two NIC cards will have same IP subnet, but how
    > is routing going to work?


    Simple. Example: use whatever IP addresses you have free in 168.x.x.x;
    they don't have to be at either end, it could be any.

    Set up a Linux box as your firewall.
    Set up eth0 as 168.x.x.1
    Set up eth1 as 168.x.x.2
    Turn on forwarding
    Connect switch to eth1
    Connect router to eth0
    Finished


    --

    Regards
    Robert

    Smile... it increases your face value!



  5. Re: firewall routing setup

    I thought about it. Since those two IPs are in the same subnet, will it mess
    up existing routing?

    How do I configure it in bridging mode? Any more detail?

    Thanks.

    "Robert" wrote in message
    newsan.2007.02.13.22.40.52.926606@noplace.nowhere...
    > On Tue, 13 Feb 2007 10:36:22 -0500, steeles wrote:
    >
    >> Hi all,
    >>
    >> Thanks for the input. I have a difficult situation that needs all help.
    >>
    >> currently setup is WAN router connect to a switch, then all workstations
    >> connect to switch, router and workstation are using same subnet, like
    >> 168.1.X.X
    >>
    >> What I want is to setup a firewall server (2 NIC cards) between Router
    >> and
    >> switch.
    >>
    >> how do I setup this firewall without changing WAN router configuration?
    >> Another word, if this case, two NIC cards will have same IP subnet, but
    >> how
    >> is routing going to work?

    >
    > Simple. Example. Use what ever ip addresses you have free in 168.x.x.x
    > they don't have to be at either end it could be any.
    >
    > Setup a linux box as your firewall.
    > Setup eth0 as 168.x.x.1
    > Setup eth1 as 168.x.x.2
    > Turn on forwarding
    > Connect switch to eth1
    > Connect router to eth0
    > Finished
    >
    >
    > --
    >
    > Regards
    > Robert
    >
    > Smile... it increases your face value!
    >
    >




  6. Re: firewall routing setup

    steeles wrote:
    > I thought about it. since those two IPs are in the same subnet, will it mess
    > up existing routing?
    >
    > how to config it in bridging mode? Any more detail?
    >


    You need the bridge components in your kernel configuration.

    Create a bridge (it will probably be br0),
    Add both Ethernets to the bridge,
    Set an IP address to the bridge interface
    (not the component interfaces).

    For bridge firewalling, use the ebtables package.

    --

    Tauno Voipio
    tauno voipio (at) iki fi

  7. Re: firewall routing setup

    Thanks.

    So if I set up a bridge, in my case, can two same subnet stay together in a
    bridge?


    "Tauno Voipio" wrote in message
    news:1JGAh.208$FP.37@read3.inet.fi...
    > steeles wrote:
    >> I thought about it. since those two IPs are in the same subnet, will it
    >> mess up existing routing?
    >>
    >> how to config it in bridging mode? Any more detail?
    >>

    >
    > You need the bridge components in your kernel configuration.
    >
    > Create a bridge (it will probably be br0),
    > Add both Ethernets to the bridge,
    > Set an IP address to the bridge interface
    > (not the component interfaces).
    >
    > For bridge firewalling, use the ebtables package.
    >
    > --
    >
    > Tauno Voipio
    > tauno voipio (at) iki fi




  8. Re: firewall routing setup

    > "Tauno Voipio" wrote in message
    > news:1JGAh.208$FP.37@read3.inet.fi...
    >
    >>steeles wrote:
    >>
    >>>I thought about it. since those two IPs are in the same subnet, will it
    >>>mess up existing routing?
    >>>
    >>>how to config it in bridging mode? Any more detail?
    >>>

    >>
    >>You need the bridge components in your kernel configuration.
    >>
    >>Create a bridge (it will probably be br0),
    >>Add both Ethernets to the bridge,
    >>Set an IP address to the bridge interface
    >> (not the component interfaces).
    >>
    >>For bridge firewalling, use the ebtables package.
    >>
    >>--
    >>
    >>Tauno Voipio
    >>tauno voipio (at) iki fi

    >

    (-- top-posting corrected, TV --)

    >

    steeles wrote:
    > Thanks.
    >
    > So if I setup a bridge, in my case, can two same subnet stay
    > together in a bridge?


    Yes - a bridge connects the link-level network segments,
    and they are set up in the same IP-level subnet.

    The bridging firewall functions are not as extensive as
    the corresponding routing firewall (iptables) functions.
    I'd still seriously consider using a routing configuration,
    and changing the subnets to match.

    --

    Tauno Voipio
    tauno voipio (at) iki fi

  9. Re: firewall routing setup



    Tauno Voipio wrote:
    > Yes - a bridge connects the link-level network segments,
    > and they are set up in the same IP-level subnet.
    >
    > The bridging firewall functions are not as extensive as
    > the corresponding routing firewall (iptables) functions.
    > I'd still seriously consider using a routing configuration,
    > and changing the subnets to match.
    >


    You could also use iptables on top of the bridge, on the FORWARD chain,
    but with no NAT.

    Netfilter on top of a bridge has been supported by the standard kernel
    for 3 or 4 years.

    http://www.spenneberg.com/talks/linu...bridgewall.pdf

    We have used this on devil-linux since January 2003.

    http://www.devil-linux.org/
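
The bridging setup described in the replies above (a bridge over both NICs, one IP on the bridge interface, iptables filtering in FORWARD with no NAT), as an added example that is not part of the original thread. It assumes a current system with iproute2 and the `br_netfilter` module rather than the tools of the thread's era; the interface names and the address `192.0.2.10/24` are constructed placeholders.

```shell
#!/bin/sh
# Added example: transparent (bridging) firewall, printed as a dry run.
# Interface names and the address are constructed placeholders.
WAN_IF=${WAN_IF:-eth0}             # cable to the WAN router
LAN_IF=${LAN_IF:-eth1}             # cable to the switch
BR_ADDR=${BR_ADDR:-192.0.2.10/24}  # one free address in the existing subnet

# Echo each command unless APPLY=1, in which case execute it (needs root).
run() { if [ "${APPLY:-0}" = 1 ]; then "$@"; else echo "$*"; fi; }

bridge_fw() {
    # 1. Build the bridge; the member NICs carry no IP address themselves.
    run ip link add name br0 type bridge
    for nic in "$WAN_IF" "$LAN_IF"; do
        run ip addr flush dev "$nic"
        run ip link set "$nic" master br0
        run ip link set "$nic" up
    done
    run ip addr add "$BR_ADDR" dev br0   # management address only
    run ip link set br0 up

    # 2. Pass bridged IPv4 frames through the iptables FORWARD chain.
    run modprobe br_netfilter
    run sysctl -w net.bridge.bridge-nf-call-iptables=1

    # 3. Filter in FORWARD only; no nat table, addresses pass unchanged,
    #    so the router and workstations keep their existing subnet.
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$LAN_IF" -m conntrack --ctstate NEW -j ACCEPT
    run iptables -A FORWARD -m physdev --physdev-in "$WAN_IF" -j LOG --log-prefix "br0-wan-drop: "
}

bridge_fw
```

Run as-is it only prints the commands; `APPLY=1` executes them, and ARP still crosses the bridge because it is not handled by iptables.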
