help eliminate this double NAT

[bwana]

currently using verizon fios with the router they supply-a rebranded actiontec- MI424-WR. i run one of its lan ports to a 24 port HP gigabit switch that serves the facility. two access points are also connected to the switch. Everything is fine and all my ports on the actiontec are closed and it does the usual nat. But i need to open a port to the outside world so i can access one of the servers on the lan. Because i am paranoid about this, i want to put the server connected to the actiontec and put another firewall between the actiontec and the big HP switch that serves the LAN. This way I can access the server from the lan and the outside world and not worry if the server gets compromised. Another benefit is that i could add a public wifi network to the actiontec by plugging another access point into it. This would not expose the lan either.

The only problem i foresee is that the lan will be 'double natted' - I was going to use an old net gear router as the 'firewall' in between the actiontec and the HPswitch. Topology is thus:
Actiontec------>Firewall------>HP switch->LAN
.....\.......\
......\.......\
.......\.......V
........V......Public Access Point
.......Server


An alternative to the net gear 318 I have is the sonic wall TZ 105 for the firewall but do not really want to pay an annual subscription fee for security. Would the appliance be sufficient?
Is there a different device for this topology that would be better considered?

 

[azazel1024]

Put the actiontec in bridge mode and run your own router behind it that supports DMZ for the server. Or a router that supports VLANs and have the server on its own VLAN.

Multiple ways to do this, but if you don't want double NAT'd then eliminate the actiontec as a router. It can be placed in bridge mode with your own router behind it (off a LAN port) or you can get your own MoCA bridge to replace the Actiontec completely.

 

[bwana]

thank you for the suggestion. I have an older juniper net screen 25 but it's running v 4.0 of the firmware. Anyway, putting a server on a dmz is not something i would ever do. So if i do set the actiontec to bridged mode, then i need a router that can make a few vlans. i guess i have to spend some money for a new router/firewall.

 

[stevech]

thank you for the suggestion. I have an older juniper net screen 25 but it's running v 4.0 of the firmware. Anyway, putting a server on a dmz is not something i would ever do. So if i do set the actiontec to bridged mode, then i need a router that can make a few vlans. i guess i have to spend some money for a new router/firewall.

Cheaper/better? VLANs from a $50 gige lightly managed switch.
I have a Netgear GS108

 

[Dreamslacker]

What is your intended purpose of having the firewall?

Block LAN to Server access except certain clients?
Restrict access to the server from the internet (already achieved by selectively port-forwarding)?

Or do you intend to actually place public access wireless access points on the Actiontec LAN and you want to restrict access to the server?

If the latter is your intention, then it's rather easy to get the job done even with your existing equipment.

First of all, set a separate subnet for your LAN (alternatively, change the Actiontec LAN subnet).
Assuming the following:
The LAN is 192.168.1.x/24 and the Actiontec LAN interface is 192.168.2.254/24.
Your server is holding the IP 192.168.1.10.

Now put the firewall (you don't need subscription if A/V, IDS/IPS, Application filtering etc is not required unless the firewall will not function without an active subscription) between the Actiontec LAN and the HP switch.

Assign a static IP on the firewall interface connected to the Actiontec LAN, e.g. 192.168.2.253 and also on the interface connected to the HP switch for your LAN e.g. 192.168.1.254.

Now, make sure the firewall appliance is not NAT-ing. i.e. In strict routing mode. Set the firewall gateway to 192.168.2.254 (Actiontec IP) to establish the next hop.
Set an allow rule to strictly only allow traffic from 192.168.2.254 to the LAN subnet - 192.168.1.0/24.
Set a deny rule to strictly block traffic from 192.168.2.1 to 192.168.2.252 to the LAN subnet - 192.168.1.0/24.
Now, on the Actiontec, set a static route with destination as 192.168.1.0 and next hop gateway as 192.168.2.253 on LAN (this is the IP of your firewall).

If you need to port-forward any services to the server, simply add to the Actiontec but set the local host IP to the actual server IP.
E.g. If you need to forward 443 (HTTPS) to the server, then on the Actiontec, add a port forward with 443 on WAN forwarded to local port 443 on local host IP 192.168.1.10 (server IP).

 

[bwana]

Thank you dream slacker. Clearly explained and No VLANs!

One thing I am fuzzy on though

Assuming the following:
The LAN is 192.168.1.x/24 and the Actiontec LAN interface is 192.168.2.254/24.
Your server is holding the IP 192.168.1.10.

why should i set the actiontec LAN IP to 192.168.2.254 and not 192.168.1.254?
It will be the gateway for all the pc's and the server so they will need to see it. And they are ALL on 192.168.1.x and their subnet masks will be 255.255.255.0.

I understand that in your explanation you had set the outward facing IP of the firewall to 192.168.2.253 so it had to be on the same subnet as the actiontec. As you said here,

Assign a static IP on the firewall interface connected to the Actiontec LAN, e.g. 192.168.2.253 and also on the interface connected to the HP switch for your LAN e.g. 192.168.1.254.

Now, make sure the firewall appliance is not NAT-ing. i.e. In strict routing mode. Set the firewall gateway to 192.168.2.254 (Actiontec IP) to establish the next hop.

But if the actiontec is 192.168.2.253 and the server(NAS) connected to it is 192.168.1.10, then the server will not be able to find the actiontec. and it won't be on the network. i guess i should just try it and maybe set the subnet mask of the server to 255.255.0.0?
You did say this:

Now, on the Actiontec, set a static route with destination as 192.168.1.0 and next hop gateway as 192.168.2.253 on LAN (this is the IP of your firewall).

I found where to do this but the concept is confusing. In the actiontec there is an advanced tab which opens a page with several icons, one of which has two entries, routing and IP configuration. Clicking on new route allows me to enter destination, subnet mask, gateway and metric. If I am setting the gateway as 192.168.2.253 and the destination as 192.168.1.0, I am making a route from the LAN side of the HP switch to the outward facing IP of the firewall, this is where I am flummoxed. The packets will leave the LAN with a 192.168.1.x address in their header. They will flow through the netscreen firewall unmolested because of the rule i made. They will hit the actiontec and the static route will send them back to the netscreen?

 

[Dreamslacker]

Thank you dream slacker. Clearly explained and No VLANs!

One thing I am fuzzy on though

why should i set the actiontec LAN IP to 192.168.2.254 and not 192.168.1.254?
It will be the gateway for all the pc's and the server so they will need to see it. And they are ALL on 192.168.1.x and their subnet masks will be 255.255.255.0.

The reason for that is the firewall will be the gateway for the servers/ clients. i.e. They simply need to know that they send their traffic to the firewall and it will handle the rest. That's why the firewall on LAN (facing the clients and server) holds the old gateway IP.
By changing the Actiontec subnet instead, you do not need to manually change the IP settings for your server/ clients. This means less downtime on the server and less work.

I understand that in your explanation you had set the outward facing IP of the firewall to 192.168.2.253 so it had to be on the same subnet as the actiontec. As you said here,

But if the actiontec is 192.168.2.253 and the server(NAS) connected to it is 192.168.1.10, then the server will not be able to find the actiontec. and it won't be on the network. i guess i should just try it and maybe set the subnet mask of the server to 255.255.0.0?

As mentioned before, the server/ clients only need to know how to reach the firewall. The firewall will handle the routing - it simply needs to send all outbound traffic to the Actiontec. Do not set the subnet mask to 255.255.0.0 as this will create overlapping networks and cause problems.

You did say this:


I found where to do this but the concept is confusing. In the actiontec there is an advanced tab which opens a page with several icons, one of which has two entries, routing and IP configuration. Clicking on new route allows me to enter destination, subnet mask, gateway and metric. If I am setting the gateway as 192.168.2.253 and the destination as 192.168.1.0, I am making a route from the LAN side of the HP switch to the outward facing IP of the firewall, this is where I am flummoxed. The packets will leave the LAN with a 192.168.1.x address in their header. They will flow through the netscreen firewall unmolested because of the rule i made. They will hit the actiontec and the static route will send them back to the netscreen?

The static route rule on the Actiontec basically tells it that if it has any traffic bound for the 192.168.1.x IPs, send it to the Netscreen which it can contact at 192.168.2.253. Let the Netscreen handle the traffic from there.


Above all these, you MUST make sure that NAT is turned off on the firewall (Netscreen). Otherwise, this will not work. Also, ensure that the Netscreen is set to route all non-local traffic to 192.168.2.254 (Actiontec LAN).

You might have to manually specify the route as:
Destination: 0.0.0.0 (Subnet containing all known IP addresses), Next hop gateway: 192.168.2.254 subnet mask: 255.255.255.0 metric: 15 (in theory, any number from 1 onwards will do since you only have 1 gateway)

To give you an idea of how this works (a bit of a Wall-of-text here):

Let's say your server is holding the IP: 192.168.1.10.
If it needs to access an internet based server e.g. 8.8.8.8 (Google DNS), it sends the packet out to the gateway it knows and can reach - "LAN" on the Netscreen (192.168.1.254).

The Netscreen looks at it and says "I can't reach 8.8.8.8 on my local interface subnets so I shall forward it to the next-hop gateway @ 192.168.2.254 (Actiontec LAN IP)". The default route is to send all traffic to the next-hop gateway @ 192.168.2.254.

The Actiontec receives this and does an NAT translation to it's WAN IP and sends it out to the WAN gateway (ISP). To the rest of the internet outside your network, it just sees that a request has come out of your WAN IP and bound for 8.8.8.8 through the routing tables out there.

In effect, this is how NAT works and why it is also sometimes called a Masquerade - because the NAT router makes it looks like the traffic comes out of it instead of the clients behind it.

Now, when the requested data comes back to the Actiontec, it knows that the data needs to go to 192.168.1.10. It looks up it's routing table and sees that it can and should reach that IP by forwarding the traffic to 192.168.2.253 (Netscreen "WAN") and does so.

The Netscreen sees that the traffic is bound for a client (the server) on it's "LAN" subnet and accordingly sends that traffic out the interface.

Now, the firewall rule does not trigger because the Actiontec LAN IP is not denied in the rule that blocks 192.168.2.1 - 192.168.2.252 (basically all other clients directly under the Actiontec subnet).

 

[sinshiva]

i think where communication is being lost here is that OP wants the server on the lan closest to the wan, so in keeping with dreamslacker's suggestion, should have an IP in the 2.0/24 subnet.

dreamslacker, you like using weird IPs

also, you should check the routing table after setting the interface addresses on the second router; it may be such that the static routes are automatically generated when IPs are set on the interfaces and only the default route from the second lan and firewall rules restricting access need to be created on the router between the lans.

 

[Dreamslacker]

i think where communication is being lost here is that OP wants the server on the lan closest to the wan, so in keeping with dreamslacker's suggestion, should have an IP in the 2.0/24 subnet.

dreamslacker, you like using weird IPs

That's a weird combination. You usually want to protect the server from public access and placing it on the same subnet as the public wifi access APs defeats the purpose.

If the purpose of doing so is to prevent infected LAN clients from affecting the server, allowing access to the server through the firewall already defeats the purpose.
A server should always have its own endpoint protection (anti-malware and firewall) and that will, coupled with access policies, provide as much protection from LAN clients as possible.

At any going rate, it is certainly possible to place the server directly behind the Actiontec. It's just a matter of setting the correct server IP for that subnet and adding the appropriate firewall (Netscreen) rules to allow LAN to server IP access (and vice versa). The rest of the routing still applies.

As for IP addressing, it's just a simple example and as far as I can do without knowing what exactly he's using at the moment and what he really needs/ wants to do.

 

[htismaqe]

azazel1024 had the right suggestion several days ago.

Whether it's a router or a firewall, the server should be in a DMZ. Then it CAN be accessible from both the LAN and Internet but it's not freely accessible from either.

 

[LoneWolf]

To best answer this question, I need to understand how the server is utilized from the inside/outside.

Do you need access from the WAN to the server just to remote desktop in to it? Is it a web server that the world needs access to? Can you describe the desired function?