Firebox II Basic Setup

I need help; I can't get any machine out to the internet through my Firebox II.

I got the Firebox II for a donation of $15. I am new to it, but I have set up several PIX 501s and 506s on my T1 without a problem. I reset the Firebox II to factory defaults using the crossover cable.

Here is how I set it up: under Setup > Network Configuration > Interface tab I set up the machine with the External Interface as my T1's external IP and the Default Gateway as my T1's router (just as I do on my 501).

Under Setup > Network Configuration > WINS/DNS I put in the T1's DNS server, just as in the PIX 501. One thing I noticed while reading the help is that it says for the DNS servers: "These servers must be accessible from the Firebox Trusted interface".

Of course my DNS servers are external.

On Outgoing I have Allowed Internal Host Any and External Any.

Still I cannot get to any external IP by name or by IP... somehow I think I need to set up a route, or I am having a DNS problem.

Ed,

Reply to
gencode

First, you have to do a couple of things:

Are you using the DHCP service on the Firebox?

Are you using 192.168.x.y/24 for your internal network?

Did you select Routed or Drop-in mode?

If you can access the System Manager, select the POLICY MANAGER:

Select Network, Setup in menu

External Interface: Static, assign a public IP - make sure that you enter the proper subnet (/24, /28, etc...), then enter the Default Gateway Public IP address.

Trusted Interface: Enter the IP of the LAN segment (such as 192.168.10.1/24); the .1 is the LAN IP of the Firebox.

Optional Interface: Leave blank for now.

Select WINS/DNS tab: Enter your PUBLIC DNS Server IP addresses.

Select OK

Select the SKULL Icon, Blocked Sites, make sure that your LAN subnet is not listed or part of the blocked Sites ranges.

Select Setup, NAT Setup, make sure that you have the following:

Trusted-External (others are OK, just make sure that you have at least T~E)

Add a DNS rule:

Incoming: Disabled

Outgoing: Enabled and Allowed From Trusted to ANY, From Optional to ANY

Add a FILTERED_HTTP rule: Incoming: Disabled

Outgoing: Enabled and Allowed From Trusted to External

Both rules should have "Choose Dynamic NAT Setup" as Use Default Simple NAT.

Do the same for HTTPS, FTP, PING, POP-3 (if needed), and others.

Let me know if you need more help - you can email me via the address in my sig.

Reply to
Leythos

Yes

Routed

Yes, that's set up and working fine.

enter the proper subnet

Yes, I am sure, that is fine

192.168.10.1/24)

That was done, it is fine

You mean the one that was given to us by the T1 provider? Like 4.2.2.2. We do not have an internal DNS server, just access to the outside world... very basic, like a SOHO config.

not listed or part of the blocked Sites ranges.

Nothing is listed

This I don't have, only one for FTP that was set up by default.

Really I want "All outbound open"; is that not the default?

If not how do I do this?

Thanks for the feedback,

Ed,

Reply to
gencode

I found the filter for "All Outgoing TCP". I figured the green arrow that says Outgoing was the same, but now I don't think it is; I still need to add in the web.

Right now in my policy I have these icons in this order from left to right: FTP icon, Outgoing icon, Ping icon, WatchGuard icon.

Ed,

Reply to
gencode

If you do the ALL you will not be secure.

You really need to use the Services as they were intended, this means you need to have proper rules:

HTTP, HTTPS, FTP, PING, DNS, TRACEROUTE

The watchguard rules are hidden - don't mess with those until you know what you are doing.

You don't want to allow ALL OUTBOUND; that would be a very bad thing.

Reply to
Leythos

Leythos, thanks again for the response, it is much appreciated... the problem is this is going to be used on our rural area neighborhood hotspot with about 20 houses, and some people have games and other apps that will be going out odd ports, so I need to allow all outbound traffic. Of course all inbound that was not initiated by the application should be blocked. This is the way the PIX 501 is set up; the problem with the PIX 501 is that it only has a 10 user license, so I wanted to do the same thing with the Firebox II as I do with the PIX.

Thanks again,

Ed,

Reply to
gencode

Leythos... I got it. I saw what you said on the "Any" filter... when I clicked on it the warning was there... instead I used the Outgoing TCP and UDP; that's what I wanted... thanks for your help.

One other thing... is there a way to see which IP is using the most bandwidth, or to do QoS by IP on the Firebox II?

Ed,

Reply to
gencode

There is no means to see what "IP" is using any bandwidth on that unit, and there is no QoS on the FB-II that I know of.

I think your approach is wrong with 20 houses:

I would setup a firewall as the border, then connect individual NAT appliances for each house - this will keep each home from being able to get INTO each other home (we do this in small offices with up to 30 different companies in the buildings).

Then, once you have a single fixed IP on the WAN side of the NAT units (inside the LAN of the FB-II) you can control what fixed IP has what access. What I mean is that if House 1 has a fixed WAN IP of 10.10.0.1 and House 2 has a fixed WAN IP of 10.10.0.2, etc., then you can create 20 ANY rules that specifically allow 10.10.0.1 in/out, then 10.10.0.2, .... This means that each house has its own ANY rule, which you can enable/disable without impacting the others. This permits you to test for abuse, and it means that each home is at a fixed network location while their home LAN can do anything.

One thing: you want to make sure that each home's LAN subnet is different from the other homes', so set up each home starting at 192.168.100.0/24, then 192.168.101.0/24... until each home has its own subnet.

By doing this from the start you will make your life easier when you find that you have to map inbound or VPN traffic to the home.

Reply to
Leythos
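To make the two policies in this thread concrete, here is a small model written for this page (not WatchGuard code or anything from the original posts): the per-service outbound rules from the first reply, and the per-house fixed-WAN-IP ANY rules with unique LAN subnets from the reply just above. The 192.168.10.0/24 trusted LAN, 10.10.0.N house WAN addresses and 192.168.100+N LAN subnets are taken from the thread; the port numbers for each service and the "disable one house" flow are assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed from the thread: Firebox trusted LAN from the first reply.
TRUSTED = ipaddress.ip_network("192.168.10.0/24")

@dataclass
class Rule:
    name: str
    src: ipaddress.IPv4Network
    ports: Optional[set] = None   # {(proto, port), ...}; None = ANY service
    enabled: bool = True

def first_match(rules, src_ip, proto, dport):
    """Name of the first enabled rule matching an outbound flow, else None.
    Unmatched outbound traffic is treated as denied (default deny)."""
    src = ipaddress.ip_address(src_ip)
    for r in rules:
        if r.enabled and src in r.src and (r.ports is None or (proto, dport) in r.ports):
            return r.name
    return None

def service_rules():
    """Per-service outbound policy from Trusted, as recommended in the first
    reply. Port numbers are the standard ones, assumed here."""
    return [
        Rule("DNS", TRUSTED, {("udp", 53), ("tcp", 53)}),
        Rule("FILTERED_HTTP", TRUSTED, {("tcp", 80)}),
        Rule("HTTPS", TRUSTED, {("tcp", 443)}),
        Rule("FTP", TRUSTED, {("tcp", 21)}),
    ]

def house_plan(n):
    """Fixed WAN IP (10.10.0.N) and a unique LAN subnet (192.168.100+N-1.0/24)
    per house; refuses to return a plan with overlapping LAN subnets."""
    plan = {i: {"wan": ipaddress.ip_address(f"10.10.0.{i}"),
                "lan": ipaddress.ip_network(f"192.168.{100 + i - 1}.0/24")}
            for i in range(1, n + 1)}
    lans = [h["lan"] for h in plan.values()]
    if any(a.overlaps(b) for a in lans for b in lans if a is not b):
        raise ValueError("overlapping home LAN subnets")
    return plan

def per_house_rules(n, disabled=()):
    """One ANY rule per house WAN /32, switchable without touching the others."""
    return [Rule(f"ANY-house{i}", ipaddress.ip_network(f"{h['wan']}/32"),
                 None, enabled=i not in disabled)
            for i, h in house_plan(n).items()]
```

With the service rules, a game on an odd UDP port from the trusted LAN gets no match (the behaviour the original poster ran into); with the per-house rules, disabling house 2 cuts only house 2 off.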

Super idea... but actually our houses are protected from each other... here is what we have:

The Firebox has its external WAN port connected to the T1. The internal LAN side of the firewall is on a 192.x.x.x network and is the gateway for all the houses. The LAN port is "only" connected to our main wireless bridge (DLink 2100 AP) that sends the signal out the main antenna; each house has its own antenna connected to a 2100AP wireless bridge. Inside each house there is also a Linksys SOHO router; the WAN side of the Linksys SOHO router is on a fixed IP on the 192.x.x.x address range, and the LAN side of each house is on its own internal 10.x.x.x network.

So there is a firewall between each house, and it gives control over to the home user just as a cable modem > SOHO config would do.

At this time not much more control is needed, and I would prefer to give the control to the individual home user as a cable modem would do... but if the need arises I will follow up more on your config.

Thanks for the help... the filter page is what I was missing. Ed,

Reply to
gencode

...also most of the houses have 2 or more computers, and when they file transfer from internal PC to PC or print on network printers I did not want the packets traveling 1/2 mile to the main DLink 2100AP bridge at our house and back to their 2100AP... so, including the firewall protection, this is another reason why we put in the Linksys WRT54G at each house. It puts everyone on their own 10.x.x.x network; they can transfer or do whatever they want on their own LAN at their house and not really affect the performance of the main wireless bridge on the 192.x.x.x network unless they are trying to get out to the internet.

Once again, thanks. It has been running for 8 hrs and working well... and no more 10 user limit :)

Ed,

Reply to
gencode
