firewall in internal network

You want a transparent firewall. I know the NetScreens do this (like the NS5GT) - operate on Layer 2 but can write firewall policies. This way no network changes are needed so everything works like before. You can use the 5GT for a DHCP server too if you prefer. There are probably other brands that work in L2 mode.

alan

Reply to
Alan Strassberg

Are you saying that you want something like this:

COMPANY INTERNAL NETWORK 10.0.0.0/8 | SIMPLE NAT ROUTER / FIREWALL | Secondary localized network 192.168.0.0/24

If this is the case, you can use a cheap NAT device like a Linksys, D-Link, Netgear, etc... a simple NAT router.

We have a number of training groups, each room sits behind a simple NAT router and then to the DMZ where we have a couple of servers that each room can access. Each room has a single server that provides DHCP, DNS, etc... Each room can hit the DMZ and their own network, but they can't reach the other rooms' networks.

We do something like this for the Accounting department too - we use a firewall appliance with NAT and set the accounting department with its own servers and workstations inside a protected network - they can access outbound to all company servers, but the company network resources can't get INTO their accounting network except as defined by the rules in the accounting firewall.

Reply to
Leythos

Hi all,

I have a question about firewalls/routers. I want to add extra protection to a group of computers which are already part of a bigger network. I also want to make them independent, so I want to put them in their own domain with their own DHCP server.

If I put them behind a router, then they are protected, but the problem is that the computers in the bigger network which they are part of also use internal IP addresses, so the computers in the extra protected network won't be able to connect to the computers in the bigger network of which it is part (the other way is forbidden of course, computers in the bigger network are not allowed to connect to shares of computers inside the extra protected network). This is because internal IPs aren't routed over routers.

Does anyone have an idea?

Reply to
router9

Good point, as most every firewall has a drop-in mode that allows the PUBLIC and PRIVATE IP ranges to be the same - you just create rules that pass through or not and you don't have to change anything in the network, just pass through what you want to where you want.

Reply to
Leythos

Talk to the "corporate" IT people. They should be the ones handling the internal routing tables (they will have to know about your new setup so that packets can even get back to you), and in our case are the ones who hand out subnets. We don't use DHCP for security reasons, but this sub-assignment of numbers is needed to prevent random (and possibly duplicate) assignment of addresses.

If you are saying that the company uses the same netmask (such as 255.255.0.0) all over the company LAN, then yes you have a bridging problem. A firewall running on the bridge can allow traffic in both directions, but can control it based on source or destination IP address AS WELL AS source or destination port numbers. It's a bit messy, but not all that hard. The normal situation is to be allocated a chunk or chunks of address space by "corporate" and to firewall on that.

That's a windoze problem - easily handled by port blocking at the local router.

If you mean RFC1918 addresses or RFC3927, only the latter (169.254.0.0/16) must be dropped by any router (though if you are using that address anywhere, you have MUCH bigger security problems). RFC1918 addresses are required to not cross the _external_ perimeter, but can be routed internally as needed.

Old guy

Reply to
Moe Trin
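A concrete form of the bridging firewall Moe Trin describes, as an added example that is not from this thread: a Linux bridge in front of the protected group, with an nftables ruleset in the bridge family that filters on IP address and port while both sides keep the same corporate addressing. It also keeps the corporate DHCP server out so the group can run its own, as router9 wanted. The interface names, the 10.0.5.0/24 range and the 10.0.5.10 server are constructed placeholders.

```shell
#!/bin/sh
# Transparent (bridge) firewall for a protected group inside a flat corporate LAN.
# Constructed example. Assumed layout:
#   eth0 = corporate side, eth1 = protected side, both enslaved to bridge br0 (br0 needs no IP).
#   Protected hosts keep corporate addressing (10.0.5.0/24, a constructed subnet);
#   10.0.5.10 is the group's own DNS/DHCP server.
# Requires nftables with bridge conntrack (nf_conntrack_bridge, Linux 5.3 or newer).

CORP_IF=${CORP_IF:-eth0}
PROT_IF=${PROT_IF:-eth1}
PROT_NET=${PROT_NET:-10.0.5.0/24}
PROT_SRV=${PROT_SRV:-10.0.5.10}

# Emit the nftables ruleset on stdout so it can be reviewed before it is loaded.
gen_ruleset() {
cat <<EOF
table bridge protected {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # ARP must cross the bridge or hosts on either side cannot resolve each other.
    ether type arp accept

    # Keep the corporate DHCP server out: the group runs its own on $PROT_SRV.
    iifname "$CORP_IF" udp sport 67 udp dport 68 drop

    # Return traffic for flows the rules below already allowed.
    ct state established,related accept

    # Protected hosts may initiate anything towards the rest of the company.
    iifname "$PROT_IF" oifname "$CORP_IF" ip saddr $PROT_NET accept

    # The corporate side may only reach the group's server for DNS; file shares
    # (tcp 139/445) and everything else fall through to the drop policy.
    iifname "$CORP_IF" oifname "$PROT_IF" ip daddr $PROT_SRV udp dport 53 accept
    iifname "$CORP_IF" oifname "$PROT_IF" ip daddr $PROT_SRV tcp dport 53 accept

    # Log what is dropped so the block is visible when debugging.
    iifname "$CORP_IF" oifname "$PROT_IF" log prefix "bridge-drop " drop
  }
}
EOF
}

# Build the bridge and load the ruleset; only when explicitly asked (needs root).
apply_ruleset() {
  ip link add name br0 type bridge
  ip link set "$CORP_IF" master br0
  ip link set "$PROT_IF" master br0
  ip link set br0 up
  gen_ruleset | nft -f -
}

if [ "${1:-}" = "--apply" ]; then apply_ruleset; fi
```

Run it without arguments to print the ruleset for review, and with `--apply` on the bridge host to build br0 and load it.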

Um, this does not make a lot of sense. For starters, routers DO forward internal IP addresses. INTERNET routers do not, but if no routers did that at all, private internets would be kinda hard to build.

Perhaps your company has a policy where the routers do not forward internal IPs. In that case you may want to look into using a firewall that can be configured to work as a bridge rather than as a router.

Reply to
I am a Sock Puppet

Those simple devices are not always firewalls, they are simple NAT devices in almost every case - and they forward anything and everything.

Passing private addresses is up to the router vendor and the person that programs the router.

Reply to
Leythos

Yes! This is what I meant! I always thought the firewalls in those simple NAT routers blocked all internal IP traffic on the WAN side.

Reply to
router9

SIMPLE nat routers, for some this is true. Dunno which models/brands or how common that is. Many WILL handle it no problem. And any GOOD nat routers can handle this no problem.

For instance Sonicwalls (what I use) can do this no problem. I would assume PIX, WatchGuard, etc. do as well.

Reply to
I am a Sock Puppet

What type of vpn? PPTP? l2tp? ipsec?

would the users be vpn'ing from behind nat boxes on their home internet connections (It makes a difference!)

Reply to
I am a Sock Puppet

Many small firewall appliances allow users to connect to them as an ipsec end-point, few of them do PPTP as an end-point.

It sounds like you need a firewall, not a router. If you were to purchase any quality vendor's firewall appliance, almost all of them act as PPTP end-points and also do ipsec end-point mapping.

The only thing you need to do is make sure that your subnet is not the same as the home users - which is a good reason to not use 192.168.0.x and 192.168.1.x for your network.

A typical appliance like a WatchGuard X700 runs about $1900 US. You can also get other vendors products in the same price range.

If you want a limited SOHO Firewall device, something that supports a limited number of connections and does ipsec without acting as a PPTP end-point, then you can get any VPN Router/Firewall combination from a bunch of different vendors. You can get these types of devices for less than $500 US in most locations.

If you have your remote users also use VPN Routers, you can set up their network (through the router) to connect router-to-router via ipsec tunnel and they will always be connected to your office. In this case, you want to make sure that everyone is on a different subnet, so you can route back to their networks.

Reply to
Leythos

Does anyone know a good router that passes private addresses and has a VPN server so users can log in to the network from home (only a few connections needed)? A built-in 8 or 16 port gbit switch is also welcome, but I could put a separate switch on it if necessary. And how many euros does this router cost?

Reply to
router9

That is possible, what's the difference? That their nat router needs to support vpn passthrough? Or something else?

Reply to
router9

Well for starters, in many cases l2tp won't work at all if you are behind a nat box, even if you have vpn passthrough.

There is vpn passthrough that works for IPSEC, but even that is hit or miss (depends on if the NAT box at the client end does the passthrough the same way the firewall expects it to - the problem is the original IP address is part of the payload - the nat box changes the IP, and it no longer matches the one in the payload...), and it (for most firewalls) requires you to load the IPSEC client on the user's box. I have seen more than a few boxes get hosed from VPN client installs.

PPTP is the simplest, but is the least secure. Can use it from basically any OS (windoze 95 on up) without needing any extra software. But believe it or not, some of the more secure boxes don't support it at all. (Sonicwall comes to mind)

Reply to
I am a Sock Puppet

Ok, so l2tp won't work since some users have NAT routers. PPTP is insecure, you say. So only IPSEC seems usable. Are there free or open-source IPSEC clients/servers available for Windows?

I thought you always needed to load an IPSEC VPN client? How do you connect if your router itself has no VPN client built in, or you are connected without a router?

Reply to
router9
