Cable Forum > Computers & IT > Networking

Networking #101
Old 18-05-2008, 11:45   #1
LSainsbury
Guest
 
Location: Near Hungerford, West Berkshire
Services: TV: Sky HD, Landline: BT, Mobile: Orange, Internet: Quite Slow!
Posts: n/a
Networking #101

Hello,

Right - need a little help please! My networking is a bit poor. I know the basics IP, DHCP, DNS and all that.

My scenario is:

Current:

Linksys Router connecting to a 1Gb switch which provides connectivity to the wired LAN. Linksys is acting as the DHCP server on 192.168.1.x.

I now want to put in a hardware firewall (Watchguard).

It has a WAN (external) interface and Trusted (LAN) interface.

In the config of the external interface I've set to DHCP because my router is the DHCP server.

I tried setting up the trusted also as a 192.168.1.x but it complained because they were the same - obviously you can't have two of the same network ranges.

So I could set up the trusted as 192.168.10.x but the router is acting as the DHCP so do client PCs get their IP address as I've just said the trusted is 192.168.10.x?

Old 18-05-2008, 11:56   #2
JohnHorb
Guest
 
Location: Sale, Cheshire
Services: 10MB Broadband, DTV, Telephone
Posts: n/a
Re: Networking #101

Is the firewall between the router and the modem, or between the router and the switch? If the latter, does the firewall have DHCP server capability?
Old 18-05-2008, 12:03   #3
LSainsbury
Guest
 
Location: Near Hungerford, West Berkshire
Services: TV: Sky HD, Landline: BT, Mobile: Orange, Internet: Quite Slow!
Posts: n/a
Re: Networking #101

Quote:
Originally Posted by JohnHorb View Post
Is the firewall between the router and the modem, or between the router and the switch? If the latter, does the firewall have DHCP server capability?

Ahh - ok - to clarify - it's a Linksys WAG325N ADSL Modem / Router.

So it currently goes:
  • ISP IP 62.x.x.x to internet connection on WAG325N
  • WAG325N is the DHCP Server for client PCs.
  • WAG325N connects to 1Gb switch where other PCs are connected.
So my theory was to place it as so:

<Internet> <WAG325N> <Firewall> <Switch>

Yes the firewall has DHCP capability for trusted LAN.
Old 18-05-2008, 12:09   #4
JohnHorb
Guest
 
Location: Sale, Cheshire
Services: 10MB Broadband, DTV, Telephone
Posts: n/a
Re: Networking #101

In that case, just set the trusted interface to (say) 192.168.10.1 and make it the DHCP server for the LAN. You can either leave the router as DHCP server JUST for the firewall external interface, or give the firewall external interface a static IP of (say) 192.168.1.2 (if the router is 192.168.1.1).

Your client PCs will then all get 192.168.10.x addresses.

Alternatively, if you have any static IPs on the LAN, switch everything round so the LAN remains on 192.168.1.x and give the router and firewall external interfaces 192.168.10.x addresses.

(All this assumes you are using a subnet mask of 255.255.255.0)
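
Added example, not part of the original thread: a small Python check of the router -> firewall -> switch address plans discussed in posts #1 and #4, using the standard `ipaddress` module. The static host addresses and the firewall's `.254` address are constructed sample values, a /24 mask is assumed as in post #4, and no DHCP relay is assumed.

```python
import ipaddress as ip

def check_plan(router_lan, fw_external, fw_trusted, dhcp_server, static_hosts):
    """Return a list of problems in a router -> firewall -> switch address plan."""
    router = ip.ip_interface(router_lan)
    ext = ip.ip_interface(fw_external)
    trusted = ip.ip_interface(fw_trusted)
    problems = []

    # A routing firewall needs a different network on each interface.
    if ext.network.overlaps(trusted.network):
        problems.append(f"external {ext.network} overlaps trusted {trusted.network}")

    # The external interface talks to the router, so it must share its subnet.
    if ext.network != router.network or ext.ip == router.ip:
        problems.append(f"external {ext} cannot reach router {router}")

    # DHCP discovery is a broadcast and stops at the routed hop (no relay assumed),
    # so the server handing out client leases has to sit on the trusted side.
    if ip.ip_address(dhcp_server) not in trusted.network:
        problems.append(f"DHCP server {dhcp_server} is outside trusted {trusted.network}")

    # Statically addressed hosts behind the firewall must match the trusted subnet.
    for name, addr in static_hosts.items():
        if ip.ip_address(addr) not in trusted.network:
            problems.append(f"static host {name} ({addr}) must be renumbered")
    return problems

# Constructed sample addresses; the thread gives only the 192.168.1.x / 192.168.10.x ranges.
STATICS = {"pc": "192.168.1.50", "nas": "192.168.1.60"}

# Each plan: router LAN address, firewall external, firewall trusted, DHCP server.
PLANS = {
    "same range both sides": ("192.168.1.1/24", "192.168.1.2/24", "192.168.1.254/24", "192.168.1.1"),
    "router still DHCP": ("192.168.1.1/24", "192.168.1.2/24", "192.168.10.1/24", "192.168.1.1"),
    "LAN moves to .10": ("192.168.1.1/24", "192.168.1.2/24", "192.168.10.1/24", "192.168.10.1"),
    "LAN stays on .1": ("192.168.10.1/24", "192.168.10.2/24", "192.168.1.1/24", "192.168.1.1"),
}

def run_all():
    """Check every plan against the same set of static hosts."""
    return {name: check_plan(*args, STATICS) for name, args in PLANS.items()}

if __name__ == "__main__":
    for name, problems in run_all().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Only the last plan, where the LAN keeps 192.168.1.x and the router side moves to 192.168.10.x, passes without renumbering the static hosts.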
Old 18-05-2008, 12:13   #5
LSainsbury
Guest
 
Location: Near Hungerford, West Berkshire
Services: TV: Sky HD, Landline: BT, Mobile: Orange, Internet: Quite Slow!
Posts: n/a
Re: Networking #101

Right - all becomes a bit clearer now. Yes I do have some static addresses - my PC because I can RDP to it from elsewhere on the LAN and also a static on the NAS device.

Also - the firewall has a DHCP relay feature so I can still use the Linksys as the DHCP server if required - I assume I tick the box to enable and provide 192.168.1.1 which is the IP of the Linksys.
Old 18-05-2008, 12:18   #6
JohnHorb
Guest
 
Location: Sale, Cheshire
Services: 10MB Broadband, DTV, Telephone
Posts: n/a
Re: Networking #101

Quote:
Originally Posted by LSainsbury View Post
Also - the firewall has a DHCP relay feature so I can still use the Linksys as the DHCP server if required - I assume I tick the box to enable and provide 192.168.1.1 which is the IP of the Linksys.

Not sure about that, TBH, as I've never used DHCP relay. Would you not have to configure the router so that it dishes out 192.168.1.x addresses for the clients, but set its own address to 192.168.10.x to allow it to talk to the firewall's external interface?
Old 18-05-2008, 12:47   #7
Jon T
cf.mega poster
 
Join Date: Jun 2003
Location: Mansfield, Notts
Age: 45
Services: Virgin Media Telephone and 100Mb broadband, Sky Q
Posts: 1,994
Re: Networking #101

I agree with JohnHorb (post #4)

I'd forget the DHCP relay, I think this could cause more trouble than it's worth.

Are you putting the Watchguard in for your own training, or to beef up your network security? Can you turn off the router part of your ADSL router/modem? I ask this because otherwise you're going to have lots of fun with double NATing.

Edit: This explains double NATing better: http://support.iprimus.com.au/index....517&Itemid=214
Old 18-05-2008, 13:15   #8
LSainsbury
Guest
 
Location: Near Hungerford, West Berkshire
Services: TV: Sky HD, Landline: BT, Mobile: Orange, Internet: Quite Slow!
Posts: n/a
Re: Networking #101

Quote:
Originally Posted by Jon T View Post
I agree with JohnHorb (post #4)

I'd forget the DHCP relay, I think this could cause more trouble than it's worth.

Are you putting the Watchguard in for your own training, or to beef up your network security? Can you turn off the router part of your ADSL router/modem? I ask this because otherwise you're going to have lots of fun with double NATing.

Edit: This explains double NATing better: http://support.iprimus.com.au/index....517&Itemid=214

Relay - ok no worries. Looks like a bit of re-jigging of IP addresses then!

Training / Security - Err - a bit of both to be honest. We use these on customer sites so just trying to gain a bit more knowledge but fell at the first hurdle!

Not sure how to disable the router part of the Linksys.

The other issue is that it's a wireless router and I want to keep the wireless part enabled - I know it won't be protected by the Watchguard...
Old 18-05-2008, 13:24   #9
Jon T
cf.mega poster
 
Join Date: Jun 2003
Location: Mansfield, Notts
Age: 45
Services: Virgin Media Telephone and 100Mb broadband, Sky Q
Posts: 1,994
Re: Networking #101

If you want to retain the wireless connectivity of the Linksys then you're going to have to keep the router part of the Linksys turned on.

In the end, you're going to have two subnets, one for the wired PCs, and the other for the wireless. Also be aware that your wired PCs won't show up in network neighbourhood on your wireless PCs and vice versa.

Did you read the link in my last post about double NAT, particularly the bit about sending email?
Old 18-05-2008, 13:33   #10
LSainsbury
Guest
 
Location: Near Hungerford, West Berkshire
Services: TV: Sky HD, Landline: BT, Mobile: Orange, Internet: Quite Slow!
Posts: n/a
Re: Networking #101

Quote:
Originally Posted by Jon T View Post
If you want to retain the wireless connectivity of the Linksys then you're going to have to keep the router part of the Linksys turned on.

In the end, you're going to have two subnets, one for the wired PCs, and the other for the wireless. Also be aware that your wired PCs won't show up in network neighbourhood on your wireless PCs and vice versa.

Did you read the link in my last post about double NAT, particularly the bit about sending email?

Yeah - that's true...ok - might have to invest in an el'cheapo router and turn the Linksys into a pure access point only.

NAT - yeah - I understood what you meant.

Thanks for the advice all!
Old 18-05-2008, 16:10   #11
RDDearing
Inactive
 
Join Date: Apr 2005
Age: 46
Posts: 125
Re: Networking #101

Not to throw a stone into the pond but wouldn't the following make more sense:

switch <- (subnet1) -> router <- (subnet2) -> watchguard <- -> modem

This way all wired and wireless clients are on the same subnet. I always thought a firewall should go at the edge...
Old 18-05-2008, 16:13   #12
LSainsbury
Guest
 
Location: Near Hungerford, West Berkshire
Services: TV: Sky HD, Landline: BT, Mobile: Orange, Internet: Quite Slow!
Posts: n/a
Re: Networking #101

Quote:
Originally Posted by RDDearing View Post
Not to throw a stone into the pond but wouldn't the following make more sense:

switch (subnet1) -> router -> watchguard -> modem

^
Because my router and modem are currently in one combined unit.
Old 18-05-2008, 16:15   #13
RDDearing
Inactive
 
Join Date: Apr 2005
Age: 46
Posts: 125
Re: Networking #101

Ahh, sorry...
Old 18-05-2008, 16:33   #14
LSainsbury
Guest
 
Location: Near Hungerford, West Berkshire
Services: TV: Sky HD, Landline: BT, Mobile: Orange, Internet: Quite Slow!
Posts: n/a
Re: Networking #101

Quote:
Originally Posted by RDDearing View Post
Ahh, sorry...

Don't be....all donations gratefully received!

I always thought it went:

ISP >> ADSL Router >> Firewall >> Switches >> Internal LAN Devices
Old 18-05-2008, 18:51   #15
Jon T
cf.mega poster
 
Join Date: Jun 2003
Location: Mansfield, Notts
Age: 45
Services: Virgin Media Telephone and 100Mb broadband, Sky Q
Posts: 1,994
Re: Networking #101

Quote:
Originally Posted by LSainsbury View Post
Don't be....all donations gratefully received!

I always thought it went:

ISP >> ADSL Router >> Firewall >> Switches >> Internal LAN Devices

The problem then lies in the fact that your ADSL router is a NAT firewall by default.

RDDearing is spot on with what he's said. That's what I was getting at when I asked if you could turn the NAT/Firewall off on the Linksys and use it just as a modem/bridge.

TBH, if you're wanting to tinker with things for self education you may be better at some point getting a plain ADSL modem with ethernet output. You've then got more configuration flexibility.