Allowing me to use a hardware firewall alongside my Netgear DG834GT

Hi,

I have acquired a hardware firewall (SonicWall TZ150) which I am configuring on my home network, however I am having a few problems when working alongside my Netgear DG834GT router.

At the moment the layout is:


Workstations (192.169.0.0/24) > SonicWall TZ150 (LANIP 192.168.0.100, WAN IP 192.168.0.100, Default gateway is the netgear IP 192.168.0.1) > Netgear DG834GT Router and access point (LANIP 192.168.0.1, WANIP = xxx.xxx.xxx.xxx) > Internet

I want the router to be used as the router obviously, the modem and the access point as without this, the laptops in my house can not use wireless.

I have connected it up as per below (the wired connections using the switch on the TZ150, the wireless is outside of the protected zone). If I connect a PC up to the TZ150, I can ping the firewall, but cannot access the web or ping my router (192.168.0.1). How would I get this to work? Would I have to turn off NAT, DHCP and the firewall on my Netgear router, resulting in the gateway address of the TZ150 pointing to the Netgear and the TZ150 acting as the DHCP server for the rest of my LAN?

Any help appreciated :)

Thanks
 
Running a NAT'd router in front of a SonicWall makes life hard.

Normally, the WAN side is the Internet and there's nothing trusted on it.

Also, the WAN side will be in a different subnet to the WAN side. Eg LAN is 192.168.0.x, but the WAN would be 78.x.x.x (or something from your ISP).

I have a TZ150 Wireless at home and my setup is:

LAN : 192.168.2.x (TZ150 is 192.168.2.1)
TZ150 WAN IP : 78.x.x.226
WAN Default Gateway : 78.x.x.225 (a Speedtouch 546 in No-NAT with firewall off)

So to clarify:

Netgear - No NAT/No Firewall config, LAN IP 192.168.0.1, WAN IP: Dynamic from ISP (although it will use a static IP each time). What about the access point on the router? Shall I just leave this as it is, meaning that any devices connected over wireless will not be in the protected zone? What about DHCP on this router? Assuming that wireless devices will still be connecting to it, should I leave it enabled?


TZ150 -
LAN IP 192.168.2.1
WAN IP 192.168.2.100 (As my netgear is using the static IP address from ISP?)
WAN Default Gateway 192.168.0.1??
 
I don't think the TZ150 supports transparent mode, so the LAN and WAN interface need to be in different subnets.

Are you really keen on using the TZ150? :D

IIRC my TZ150 does support transparent mode, it's listed in the WAN interface dropdown.

We sell and support SonicWall products at work to our customers for network security and site-to-site VPN solutions. I was given a TZ150 with enhanced firmware to play around with, I have also been given a Cisco router which I'm going to mess about on. I can configure them easily using a Zyxel modem or router in front of it, but I'm having a few problems with it alongside a Netgear with wireless.

It's more to learn tbh. :)

How did you end up with yours?
 
Does this look correct? Only concern is not having the wireless in the protected zone. Is there any way to achieve this with the current set-up until I get a dedicated wireless access point?

Network.jpg
 
Well no, your WAN IP needs to be in the same subnet as the Netgear, so that diagram won't work.

If the Netgear is 192.168.0.x you need the WAN interface of the sonicwall to have an ip in the same subnet, i.e. 192.168.0.2 /24 with its gateway being the IP of the Netgear i.e. 192.168.0.1

I don't know why you don't just save yourself the trouble and get a proper ADSL ethernet modem, put the public IP on the WAN/untrust interface on the SonicWall and then you could use the Netgear as a WiFi AP behind the SonicWall (disable DHCP etc. and just plug one of its switch ports into the SonicWall).
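The addressing rules the replies keep coming back to (the firewall's WAN IP must share a subnet with its gateway, and a routed firewall needs distinct LAN and WAN subnets) can be checked mechanically. The script below is an added example, not from any post in the thread; the function name, the CIDR inputs and the sample plans are constructed from the addresses given above.

```python
"""Sanity-check a firewall-behind-router addressing plan (constructed
example). Rules taken from the thread:
  * the firewall's WAN IP must be in the same subnet as its default
    gateway (the Netgear's LAN IP), and
  * the firewall's LAN and WAN interfaces must be in different subnets
    (assumes the TZ150 is routing, not in transparent mode).
"""
import ipaddress


def check_plan(fw_lan_cidr, fw_wan_cidr, upstream_gw):
    """Return a list of problems; an empty list means the plan is consistent.

    fw_lan_cidr - firewall LAN interface, e.g. "192.168.2.1/24"
    fw_wan_cidr - firewall WAN interface, e.g. "192.168.0.2/24"
    upstream_gw - router LAN IP used as the firewall's WAN default gateway
    """
    problems = []
    lan = ipaddress.ip_interface(fw_lan_cidr)
    wan = ipaddress.ip_interface(fw_wan_cidr)
    gw = ipaddress.ip_address(upstream_gw)

    # The gateway must be directly reachable on the WAN link.
    if gw not in wan.network:
        problems.append(f"gateway {gw} is not in WAN subnet {wan.network}")
    # A routed firewall cannot have overlapping LAN and WAN subnets.
    if lan.network.overlaps(wan.network):
        problems.append(f"LAN {lan.network} overlaps WAN {wan.network}")
    # Interface addresses must not collide with each other or the gateway.
    if lan.ip == wan.ip:
        problems.append("LAN and WAN interfaces share the same IP")
    if wan.ip == gw:
        problems.append("WAN IP is the same as its gateway")
    return problems


if __name__ == "__main__":
    # The first post's layout: both firewall interfaces on 192.168.0.100.
    print(check_plan("192.168.0.100/24", "192.168.0.100/24", "192.168.0.1"))
    # The layout suggested in the reply above: passes with no problems.
    print(check_plan("192.168.2.1/24", "192.168.0.2/24", "192.168.0.1"))
```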

I should be able to obtain an ADSL2+ modem but I don't understand your concept about setting the WAN interface of the SonicWall the same as the ADSL modem. Surely as I only have a single static IP from my ISP, this is going to be used on the ADSL modem as soon as I select the WAN interface to "obtain dynamically from ISP"???

Also, if I use my Netgear inside the protected zone, do I just turn off all features (DHCP, firewall etc.) and get it to act as a standard router?
 
Sounds like a bit of a pointless setup to me...

For it to work effectively you want your public IP on the Sonicwall but as you're on dynamic you're only going to have one IP



Even if I register with a service such as Dynamic DNS?

OK, so if I do it the other way and have the public IP address on my SonicWall's WAN interface, what am I going to set the router's WAN interface as? A private address? 192.168.X.X
 
Then how would the netgear talk to the outside world?

You're only gaining the SPI type features of the SonicWall by doing it this way, and if you want to open any ports for P2P etc., you're going to need to open the ports on both boxes. A double-NAT setup is a bad idea - chuck the SonicWall on eBay and get an ADSL router with a better firewall if you're that concerned about security.

Remember, with a NAT setup the only traffic that can get in further than the router is traffic through ports you've specifically opened, so firewalls have a limited use in this sort of setup.

How am I using a double NAT set-up? I'm not, the router has a No-NAT configuration. Chucking the SonicWall on eBay is not an option as it is work's equipment I have at home for learning purposes.

All I want to know is that if I set the SonicWall's WAN interface to use the public IP address from my ISP, what the hell am I supposed to set as my router's WAN interface, as usually this picks up the public IP from my ISP?
 
Unless you have 2 or more static IPs from your ISP (one for the Netgear and one for the SonicWall) then double NAT is the only way you can do it. The other option is transparent mode (or drop-in mode as some call it) on the SonicWall.

Double NAT or transparent firewall, you're still not gaining any added security TBH

What about using Dynamic DNS as I suggested a few posts up? There must be a way of doing it.
 
DNS of any sort won't help you on the IP level ;)

There has to be a way of doing this, I'm sure there are many people out there with a single static IP on their connection and a hardware firewall behind a router.

If I use transparent mode or double NAT, what exactly am I going to be losing (as you said)?
 
Trust me, I do this for a living ;)

You can configure it using double-NAT or transparency but it's a relatively pointless setup. Transparency is really designed to be transparent in the middle of a network of public IPs. Double-NAT is a no-no.

If you just want to do it to learn the interface and things then it will work, but it's not going to reflect a real world configuration.

If you think it's going to give you anything in the way of security then it won't - unless you're hosting servers and have it properly configured with a public IP and using the UTM features, it's not going to do anything other than cause extra complication.

I work in this sector too, but I'm learning unfortunately as my background is more VoIP based. I've just had a word with my colleague at work and he has just said it is possible :\ that's why I'm so confused. ADSL Modem - WAN interface public IP from the ISP, LAN IP 192.168.1.1, NO NAT, NO Firewall.

SonicWall - WANIP 192.168.1.2, WAN Gateway 192.168.1.1, LANIP 192.168.1.100.

Port forwarding can be set-up on the router to get to the management interface of the SonicWall?
 
Erm - with a public IP on the WAN of the Netgear and a private IP on the inside, that is NAT.

That's effectively transparency you've described, which as I said above will work but is pretty pointless in terms of functionality/security. Port forwarding is not necessary for management as you'll be on the same subnet.

What features EXACTLY are going to be rendered pointless? You have not specified. Also, the Netgear is going to be used as an access point only, and will be located on the inside of the LAN. There will be a dedicated Zyxel modem at the top end, connecting to my ISP, then the SonicWall connected to the Zyxel.
 
I misunderstood - I thought you were going to use the Netgear as an ADSL modem. Do you just want to use it as a wireless access point?

So it's going to be a proper ADSL modem connected to the firewall? That should allow you to use a public IP on the WAN of the firewall. Slight overkill at home but at least it will work!

As for using the Netgear as a WAP, just connect the firewall to the internal connection on the Netgear, you don't need to use the WAN at all.

lol! No worries, I was going to use the Netgear as my router/modem but thought it would be a lot easier just to use a single port Zyxel router at the top end. Then stick the Netgear in a basic AP mode and stick it in the protected zone inside the LAN with DHCP off or DHCP pass-through and connect it straight to the SonicWall's switch, that way laptops can connect via wireless to the access point.

So I'm still going to have to set the SonicWall's WAN IP as the public IP from my ISP? What about the WAN interface of the Zyxel? Private? Also, will the LAN IP of the Zyxel be in the same subnet as the LAN IP of the SonicWall?

What if I need to connect to my router remotely? If it doesn't have a public IP address how am I going to connect to it?

I'm sorry if I'm confused, but I've got a bunch of people telling me to do it one way, then other people telling me to do it another way.
 
So it's going to be a proper ADSL modem connected to the firewall? That should allow you to use a public IP on the WAN of the firewall. Slight overkill at home but at least it will work!

Just to clarify this above statement, if I'm setting the SonicWall's WAN interface as the public IP address (provided by my ISP), what's going to happen to the IP that my ADSL modem is going to pick up, as it would normally pick up the public IP address for itself from my IP address? Also, I'm assuming this ADSL modem will still be in No-NAT/No Firewall mode for this to work.
 
It basically works as a PPPoA to PPPoE bridging device.

There is no routing, NAT, firewall etc.

It syncs the line and provides a PPPoE server for the SonicWall to login through.

Ahh I see, fair enough, so just use the SonicWall with NAT with PPPoE on the WAN interface, and give that interface the public IP.

Bearing in mind that I am on a BE connection, and the way BE works is that I don't have to enter any usernames/passwords at the authentication level on my current Netgear.

I will have a look later.
 
Cool, thanks for everyone's help on this. As I mentioned, the way we usually configure it is different as customers have multiple public IPs rather than a single static IP.
 
Hmm, think I have found a flaw with these Zyxels in routing mode, it won't let me configure the WAN unless I enter a username and password :( I can put it into bridge mode.
 
Bridge mode on PPPoA still requires a username/password, there is also an RFC 1483 bridge mode which doesn't require authentication. Going to look into this.

EDIT: Going to ditch the Zyxel modem I have as it doesn't support Annex M, which will cause problems. Going to have to look for an alternative modem, there is a Draytek Vigor 120, anything else? What about the Linksys AM200?
 