Allowing me to use a hardware firewall alongside my Netgear DG834GT

Soldato | Joined 1 Dec 2004 | Posts 22,669 | Location S.Wales
Hi,

I have acquired a hardware firewall (SonicWall TZ150) which I am configuring on my home network; however, I am having a few problems when working alongside my Netgear DG834GT router.

At the moment the layout is:

Workstations (192.169.0.0/24) > SonicWall TZ150 (LAN IP 192.168.0.100, WAN IP 192.168.0.100, default gateway is the Netgear IP 192.168.0.1) > Netgear DG834GT router and access point (LAN IP 192.168.0.1, WAN IP = xxx.xxx.xxx.xxx) > Internet

I want the router to be used as the router, obviously, the modem and the access point, as without this the laptops in my house cannot use wireless.

I have connected it up as per below (the wired connections using the switch on the TZ150; the wireless is outside of the protected zone). If I connect a PC up to the TZ150, I can ping the firewall, but cannot access the web or ping my router (192.168.0.1). How would I get this to work? Would I have to turn NAT, DHCP and the firewall off on my Netgear router, resulting in the gateway address of the TZ150 pointing to the Netgear and the TZ150 acting as the DHCP server for the rest of my LAN?

Any help appreciated :)

Thanks
 
Running a NAT'd router in front of a SonicWall makes life hard.

Normally, the WAN side is the Internet and there's nothing trusted on it.

Also, the WAN side will be in a different subnet to the LAN side. E.g. LAN is 192.168.0.x, but the WAN would be 78.x.x.x (or something from your ISP).

I have a TZ150 Wireless at home and my setup is:

LAN : 192.168.2.x (TZ150 is 192.168.2.1)
TZ150 WAN IP : 78.x.x.226
WAN Default Gateway : 78.x.x.225 (a Speedtouch 546 in No-NAT with firewall off)
 
> Running a NAT'd router in front of a SonicWall makes life hard.
>
> Normally, the WAN side is the Internet and there's nothing trusted on it.
>
> Also, the WAN side will be in a different subnet to the LAN side. E.g. LAN is 192.168.0.x, but the WAN would be 78.x.x.x (or something from your ISP).
>
> I have a TZ150 Wireless at home and my setup is:
>
> LAN : 192.168.2.x (TZ150 is 192.168.2.1)
> TZ150 WAN IP : 78.x.x.226
> WAN Default Gateway : 78.x.x.225 (a Speedtouch 546 in No-NAT with firewall off)

So to clarify:

Netgear - No NAT/No Firewall config, LAN IP 192.168.0.1, WAN IP: dynamic from ISP (although it will use a static IP each time). What about the access point on the router? Shall I just leave this as it is, meaning that any devices connected over wireless will not be in the protected zone? What about DHCP on this router? Assuming that wireless devices will still be connecting to it, should I leave it enabled?


TZ150 -
LAN IP 192.168.2.1
WAN IP 192.168.2.100 (as my Netgear is using the static IP address from the ISP?)
WAN Default Gateway 192.168.0.1??
 
I don't think the TZ150 supports transparent mode, so the LAN and WAN interface need to be in different subnets.

Are you really keen on using the TZ150? :D

IIRC my TZ150 does support transparent mode; it's listed in the WAN interface dropdown.

We sell and support SonicWall products in work to our customers for network security and site-to-site VPN solutions. I was given a TZ150 with enhanced firmware to play around with; I have also been given a Cisco router which I'm going to mess about on. I can configure them easily using a Zyxel modem or router in front of it, but I'm having a few problems with it alongside a Netgear with wireless.

It's more to learn, tbh. :)

How did you end up with yours?
 
You could try transparent mode. Or...

TZ150 LAN IP : 192.168.2.1 / 255.255.255.0
TZ150 WAN IP : 192.168.1.2 / 255.255.255.0

Then have your NetGear on 192.168.1.1, so that becomes the default gateway for your TZ150. If you left the NetGear running NAT/DHCP, WiFi clients can connect but there would be the TZ150 between them and the cabled PCs, which could be a problem.

Life is much easier if you could put everything on the LAN side of the TZ150, but then you'd need a separate WiFi (allowing you to use the NetGear as router, assuming it can do no-NAT).
 
Does this look correct? Only concern is not having the wireless in the protected zone. Is there any way to achieve this with the current set-up until I get a dedicated wireless access point?

Network.jpg
 
Well no, your WAN IP needs to be in the same subnet as the Netgear, so that diagram won't work.

If the Netgear is 192.168.0.x you need the WAN interface of the SonicWall to have an IP in the same subnet, i.e. 192.168.0.2 /24, with its gateway being the IP of the Netgear, i.e. 192.168.0.1.

I don't know why you don't just save yourself the trouble and get a proper ADSL ethernet modem, put the public IP on the WAN/untrust interface on the SonicWall and then you could use the Netgear as a WiFi AP behind the SonicWall (disable DHCP etc. and just plug one of its switch ports into the SonicWall).
 
> Well no, your WAN IP needs to be in the same subnet as the Netgear, so that diagram won't work.
>
> If the Netgear is 192.168.0.x you need the WAN interface of the SonicWall to have an IP in the same subnet, i.e. 192.168.0.2 /24, with its gateway being the IP of the Netgear, i.e. 192.168.0.1.
>
> I don't know why you don't just save yourself the trouble and get a proper ADSL ethernet modem, put the public IP on the WAN/untrust interface on the SonicWall and then you could use the Netgear as a WiFi AP behind the SonicWall (disable DHCP etc. and just plug one of its switch ports into the SonicWall).

I should be able to obtain an ADSL2+ modem, but I don't understand your concept about setting the WAN interface of the SonicWall the same as the ADSL modem. Surely, as I only have a single static IP from my ISP, this is going to be used on the ADSL modem as soon as I select the WAN interface to "obtain dynamically from ISP"???

Also, if I use my Netgear inside the protected zone, do I just turn off all features (DHCP, firewall etc.) and get it to act as a standard router?
 
Sounds like a bit of a pointless setup to me...

For it to work effectively you want your public IP on the Sonicwall but as you're on dynamic you're only going to have one IP
 
> Sounds like a bit of a pointless setup to me...
>
> For it to work effectively you want your public IP on the Sonicwall but as you're on dynamic you're only going to have one IP



Even if I register with a service such as Dynamic DNS?

OK, so if I do it the other way and have the public IP address on my SonicWall's WAN interface, what am I going to set the router's WAN interface as? A private address? 192.168.X.X
 
Then how would the netgear talk to the outside world?

You're only gaining the SPI type features of the sonicwall by doing it this way, and if you want to open any ports for P2P etc, you're going to need to open the ports on both boxes. A double-NAT setup is a bad idea - chuck the sonicwall on ebay and get an ADSL router with a better firewall if you're that concerned about security.

Remember, with a NAT setup the only traffic that can get in further than the router is traffic through ports you've specifically opened, so firewalls have a limited use in this sort of setup.
 
> Then how would the netgear talk to the outside world?
>
> You're only gaining the SPI type features of the sonicwall by doing it this way, and if you want to open any ports for P2P etc, you're going to need to open the ports on both boxes. A double-NAT setup is a bad idea - chuck the sonicwall on ebay and get an ADSL router with a better firewall if you're that concerned about security.
>
> Remember, with a NAT setup the only traffic that can get in further than the router is traffic through ports you've specifically opened, so firewalls have a limited use in this sort of setup.

How am I using a double NAT set-up? I'm not; the router has a NO-NAT configuration. Chucking the SonicWall on ebay is not an option as it is work equipment I have at home for learning purposes.

All I want to know is: if I set the SonicWall's WAN interface to use the public IP address from my ISP, what the hell am I supposed to set as my router's WAN interface, as usually this picks up the public IP from my ISP?
 
Unless you have 2 or more static IPs from your ISP (One for the netgear and one for the sonicwall) then double nat is the only way you can do it. The other option is transparent mode (or drop in mode as some call it) on the sonicwall.

Double NAT or transparent firewall, you're still not gaining any added security TBH
 
> Unless you have 2 or more static IPs from your ISP (One for the netgear and one for the sonicwall) then double nat is the only way you can do it. The other option is transparent mode (or drop in mode as some call it) on the sonicwall.
>
> Double NAT or transparent firewall, you're still not gaining any added security TBH

What about using Dynamic DNS as I suggested a few posts up? There must be a way of doing it.
 
DNS of any sort wont help you on the IP level ;)

There has to be a way of doing this; I'm sure there are many people out there with a single static IP on their connection and a hardware firewall behind a router.

If I use transparent mode or double NAT, what exactly am I going to be losing (as you said)?
 
> There has to be a way of doing this; I'm sure there are many people out there with a single static IP on their connection and a hardware firewall behind a router.

Trust me, I do this for a living ;)

You can configure it using double-NAT or transparency, but it's a relatively pointless setup. Transparency is really designed to be transparent in the middle of a network of public IPs. Double-NAT is a no-no.

If you just want to do it to learn the interface and things then it will work, but it's not going to reflect a real world configuration.

If you think it's going to give you anything in the way of security then it won't - unless you're hosting servers and have it properly configured with a public IP and using the UTM features, it's not going to do anything other than cause extra complication.
 
> Trust me, I do this for a living ;)
>
> You can configure it using double-NAT or transparency, but it's a relatively pointless setup. Transparency is really designed to be transparent in the middle of a network of public IPs. Double-NAT is a no-no.
>
> If you just want to do it to learn the interface and things then it will work, but it's not going to reflect a real world configuration.
>
> If you think it's going to give you anything in the way of security then it won't - unless you're hosting servers and have it properly configured with a public IP and using the UTM features, it's not going to do anything other than cause extra complication.

I work in this sector too, but I'm learning, unfortunately, as my background is more VoIP based. I've just had a word with my colleague in work and he has just said it is possible :\ That's why I'm so confused. ADSL modem - WAN interface public IP from the ISP, LAN IP 192.168.1.1, NO NAT, NO firewall.

SonicWall - WAN IP 192.168.1.2, WAN gateway 192.168.1.1, LAN IP 192.168.1.100.

Port forwarding can be set-up on the router to get to the management interface of the SonicWall?
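As an added example (not code from anyone in this thread): a small Python script, using only the standard ipaddress module, that checks a proposed firewall-behind-router addressing plan against the two rules raised repeatedly above: the SonicWall's LAN and WAN interfaces must sit in different subnets (the colleague's plan just above puts both in 192.168.1.0/24, as did the original layout in the first post), and its WAN default gateway must be the upstream router's LAN address inside the WAN subnet. The four plans it checks are lifted from the thread; the /24 masks on the first two plans are my assumption, and the function and code names are mine.

```python
import ipaddress

# Labels for the addressing mistakes this checker looks for.
PROBLEMS = {
    "lan-wan-same-subnet": "firewall LAN and WAN interfaces share a subnet "
                           "(a routed firewall needs them in different subnets)",
    "lan-wan-same-ip": "firewall LAN and WAN interfaces have the same address",
    "gw-outside-wan-subnet": "WAN default gateway is not inside the WAN subnet",
    "gw-not-upstream": "WAN default gateway is not the upstream router's LAN address",
    "wan-upstream-mask-mismatch": "WAN interface and upstream router disagree on the subnet mask",
}


def check_topology(fw_lan, fw_wan, wan_gateway, upstream_lan):
    """Check a firewall-behind-router layout and return a list of problem codes.

    fw_lan, fw_wan and upstream_lan are interface addresses in CIDR form
    ('192.168.2.1/24'); wan_gateway is a bare address. An empty list means
    the addressing is consistent; it says nothing about NAT, DHCP or
    firewall settings on either box.
    """
    lan = ipaddress.ip_interface(fw_lan)
    wan = ipaddress.ip_interface(fw_wan)
    gw = ipaddress.ip_address(wan_gateway)
    upstream = ipaddress.ip_interface(upstream_lan)

    found = []
    # Routed (non-transparent) mode: the two firewall interfaces need distinct subnets.
    if lan.network.overlaps(wan.network):
        found.append("lan-wan-same-subnet")
    if lan.ip == wan.ip:
        found.append("lan-wan-same-ip")
    # The firewall can only reach a default gateway that is on its WAN subnet.
    if gw not in wan.network:
        found.append("gw-outside-wan-subnet")
    # And that gateway should be the upstream router's LAN side, with the same mask.
    if gw != upstream.ip:
        found.append("gw-not-upstream")
    elif gw in wan.network and wan.network != upstream.network:
        found.append("wan-upstream-mask-mismatch")
    return found


# Plans from the thread (constructed from the posts above; /24 assumed where not stated):
# (firewall LAN, firewall WAN, WAN default gateway, upstream router LAN)
PROPOSALS = {
    "original post (both TZ150 interfaces 192.168.0.100)":
        ("192.168.0.100/24", "192.168.0.100/24", "192.168.0.1", "192.168.0.1/24"),
    "second attempt (LAN .2.1, WAN .2.100, gateway .0.1)":
        ("192.168.2.1/24", "192.168.2.100/24", "192.168.0.1", "192.168.0.1/24"),
    "suggested (LAN .2.1, WAN .1.2, Netgear .1.1)":
        ("192.168.2.1/24", "192.168.1.2/24", "192.168.1.1", "192.168.1.1/24"),
    "colleague's (LAN .1.100, WAN .1.2, modem .1.1)":
        ("192.168.1.100/24", "192.168.1.2/24", "192.168.1.1", "192.168.1.1/24"),
}

if __name__ == "__main__":
    for name, args in PROPOSALS.items():
        codes = check_topology(*args)
        print(f"{name}: {'OK' if not codes else ''}")
        for code in codes:
            print(f"  - {PROBLEMS[code]}")
```

Running it shows only the "suggested" plan passing; the first-post layout fails on both the shared subnet and the duplicated address, the second attempt fails because its gateway 192.168.0.1 is not reachable from a 192.168.2.0/24 WAN interface, and the colleague's plan fails on the shared subnet alone. Whether the SonicWall then adds any protection behind a no-NAT router is the separate question the thread debates; this script only catches the addressing errors that stop the box talking to its gateway at all.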
 