Cable Forum


MicheleZ 06-07-2022 15:03

Installing a firewall behind the Hitron box
 
Hi All,

Apologies for the long-winded introduction...

I have a VMB account with one static IP address. I would like the Hitron to act as a modem and use an IPFire [1] as router.
Currently I have this setup with my DSL connection (openreach modem). I discovered that I cannot change the HITRON mode to modem and was told that this is because I need to upgrade to multi-IP in order to do so.
However, looking at this thread [2] I noticed that the recommendation is not to activate the modem mode.

So I wonder if I really need to upgrade to multi-IP or if instead it is possible to configure my network so that the Hitron just acts as a modem and then have the routing/firewall/DHCP/PortForwarding/VPN/... performed by my Raspberry Pi running IPFire.

Note (in case it is useful): the IPFire installation allows selecting "static" as the IP address setting for the interface to the internet (see image below) and requires specifying:
  • IP address: is this my static IP address?
  • Network Mask: is this /32 since I only have 1 IP address?
  • Gateway: should I ask VMB?

https://www.cableforum.uk/images/local/2022/07/1.png

Thanks in advance!

[1] https://www.ipfire.org/
[2] https://www.cableforum.uk/board/show...3707787&page=2

tweetiepooh 07-07-2022 12:14

Re: Installing a firewall behind the Hitron box
 
I have SH5 in router mode and a second router behind that with no issues. I can connect to the SH5 or to the router. I guess I don't do things that fail with 2 routers/firewalls. I may also think about putting the IoT type devices on the hub network, again isolating from internal network.

What I may do is turn off the guest on the router so it's only on the SH5 so guests will be unable to get to my private stuff inside the router.

ash45 08-07-2022 05:20

Re: Installing a firewall behind the Hitron box
 
I'm sure someone will correct me if I'm wrong, as it's been a good 2 years since I had a VMB account and could have changed (used to have residential + VMB and load balance them, but once gig1 became available I just kept residential).

The way static IPs work on VMB is with a GRE tunnel, and when you only have 1 static the Hitron needs to be kept in router mode, as the single IP is assigned to the Hitron and then the Hitron shares this as any normal router would, as with non-static.
But to go into modem mode you need the multiple static option, as one of these IPs is always assigned to the Hitron when in modem mode; then the others you can do with as you like. So if you go for the 5 IP option, 1 gets assigned to the Hitron and then the other 4 you can assign with a 3rd-party firewall / router.

ccarmock 09-07-2022 22:30

Re: Installing a firewall behind the Hitron box
 
That is correct: the static IP addressing used by VM Business uses a GRE tunnel and means the Hitron cannot be in modem mode.

If you need the public IP address on one of your devices as opposed to only the Hitron, then you need the multi-static IP address option. The first IP address of the fixed range is on the Hitron; you can put the second on your router. In this mode the Hitron does not perform any form of NAT.

This is exactly what I do. Works with the older servers as well as the newly launched VMB services. I have this config with the Hitron Chita with the Business Gig1 option.

Qtx 10-07-2022 12:53

Re: Installing a firewall behind the Hitron box
 
What are you actually trying to achieve? Do you run any servers on your network that need a direct connection from the internet to them, such as a webserver on your network?

IPfire can sit behind a router usually. A common setup is to disable DHCP on the router and enable it on the IPfire box (which has a static IP on a different subnet). Your IPfire red port gateway points to the ISP router.

From memory... an example setup would be:

IPfire red port
IP 172.31.213.2 (same subnet as the gateway below, ie .213.)
Gateway 172.31.213.1 (or whatever your ISP router is)

IPfire green port
IP 172.31.215.1
Gateway 172.31.213.2

Set up your DHCP on IPfire to give out whatever range of 172.31.215.* IPs you want and obviously set up DNS if you are using IPfire for that too and include that in the DHCP setup. You can assign static LAN IPs too for servers.

From that point you can filter and log all outgoing traffic and use whatever IPfire features you want.

It has been a long time since I had cable and never had a VM business connection so hopefully someone can confirm or correct this in case there is something of the VMB setup that stops this working.

Usually you can forward ports in from a router to the firewall and beyond but again, I'm not sure if something with VMB stops this.
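
A sanity check for the kind of RED/GREEN addressing plan described in the post above, as an added example that is not part of the original thread. The `/24` prefixes and the DHCP pool are assumptions (the post gives no netmasks or range), and `check_plan` and `behind_nat` are hypothetical helper names.

```python
import ipaddress

def check_plan(red_if, red_gw, green_if, dhcp_start, dhcp_end):
    """Return a list of problems with an IPFire RED/GREEN addressing plan."""
    problems = []
    red = ipaddress.ip_interface(red_if)      # e.g. "172.31.213.2/24"
    green = ipaddress.ip_interface(green_if)  # e.g. "172.31.215.1/24"
    gw = ipaddress.ip_address(red_gw)
    lo, hi = ipaddress.ip_address(dhcp_start), ipaddress.ip_address(dhcp_end)

    # RED must reach its gateway directly: the gateway has to be on-link.
    if gw == red.ip:
        problems.append("RED address and gateway are the same host")
    elif gw not in red.network:
        problems.append(f"gateway {gw} is not inside RED network {red.network}")
    # Overlapping subnets on RED and GREEN break routing between the two sides.
    if red.network.overlaps(green.network):
        problems.append(f"RED {red.network} overlaps GREEN {green.network}")
    # The DHCP pool must sit in GREEN and must not hand out IPFire's own address.
    if lo > hi or lo not in green.network or hi not in green.network:
        problems.append(f"DHCP range {lo}-{hi} is not a valid range in {green.network}")
    elif lo <= green.ip <= hi:
        problems.append(f"DHCP range includes the GREEN interface address {green.ip}")
    return problems

def behind_nat(red_if):
    """True when RED holds a private address, so the upstream router does the NAT."""
    return ipaddress.ip_interface(red_if).ip.is_private

if __name__ == "__main__":
    # Addresses from the post; the /24 masks and DHCP pool are assumed.
    plan = ("172.31.213.2/24", "172.31.213.1", "172.31.215.1/24",
            "172.31.215.100", "172.31.215.200")
    print(check_plan(*plan) or "plan is consistent")
    print("RED is behind NAT:", behind_nat(plan[0]))
    # Same plan with a /32 mask on RED: the gateway is no longer on-link.
    print(check_plan("172.31.213.2/32", *plan[1:]))
```
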

