Firewall help? Anyone

SirGeeO

Member
Dec 22, 2009
51
0
0
Astaro Security Gateway is the firewall (a linux based firewall that transforms a PC into a hardware/software firewall) - I know, I know....I inquired about linux "here"?...yep!, AT has a better forum support IMO.

Down to what I need help with...
I'm trying to install this firewall between my "MAIN" router and my modem.
Modem > Firewall > Router, etc. However, 'sometimes' the DHCP of the router fails to connect to the firewall. And when it does it shows a gateway address of the modem. I don't have the firewall bridging no connections. I have it set to DHCP on the WAN for the firewall. When I config the LAN to either be DHCP or Static, is what's getting me confused. Like I say, the router sometimes fails to connect to the firewall, and then when it does, I get no internet, but it does show me connected to the network (through Vista's Network & Sharing). I know I'm getting internet still through the modem, even through the firewall, the problem is when it's getting to the router, that nothing happens.

I wonder if I'm doing something wrong with the IP Ad's / Subnets. DHCP Discover shows in the 'routers' log that it keeps failing to connect. Can anyone by chance, help me with this small problem....I'm fairly familiar with PC's, but when it comes down to TCP/IP configging, sometimes I get lost. If you need to know more info, just ask, I check this site several times a day.

Modem:
-WAN- PPPoE to ISP, Dynamic Connection
-LAN- 192.168.1.1 (255.255.255.0), DHCP Server**, DHCP Start-End [192.168.1.5 - "".1.10] (same subnet mask)
-DNS addresses are entered
-NAT is active

Firewall:
-WAN (eth1)- DHCP from modem
-LAN (eth0)- 192.168.1.2 [<--Firewall's LAN Address], /24 subnet mask, DHCP Server** Start-End [192.168.1.50 - "".1.99] (same subnet mask, /24)
-DNS config'd
-NAT is active
-I even added static entries for the router

Router:
-WAN- DHCP (shows modem's gateway address)
-LAN- 192.168.1.10 [<--address], /24 subnet mask, DHCP Server** Start-End [192.168.1.200 - "".1.254] (same subnet)
-DNS numbers entered

** - I'm starting to realize, 2 of these should not be a server, or maybe they should?

I let windows try to run a diagnostic, and it only mentions the DNS Server (numbers), weren't resolved. And it's something that it says have to be manually fixed. So I'm kind of speculating it's the router with the wrong IP address/subnet mask, and it should NOT be doing DHCP server duties, or maybe I'm wrong again.?

Anyone's help is greatly appreciated, thanx in advance.
 

kt

Diamond Member
Apr 1, 2000
6,031
1,346
136
You have *3* DHCP servers running on the same LAN? That's not the only issue. Is there a reason you have the router in there?
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
Ya, setup static IP's for the firewall/router the only DHCP should be the LAN ports on your router. And why double NAT? unless there's a reason to NAT to the modem, don't.
 

SirGeeO

Member
Dec 22, 2009
51
0
0
To KT: The router is a wireless one, so it provides the PC's with wi-fi connection that aren't hardwired. As to DHCP servers, it's like, each device is giving DHCP to the next device for its "WAN" connection. Sorta like Modem(Wan-PPPoE, LAN 192.168.1.1) gives DHCP to Firewall (firewall's WAN is 192.168.1.5 - LAN is 192.168.1.2) which gives it to the router's (WAN is 192.168.1.9 - LAN is 192.168.1.10) ....I thought it looked kind of messy and a lot of tutorials I've read didn't explicitly state that this could NOT be done. IDK, guess I shouldn't then huh?

To Legz: Setting them up statically seemed to give me more of a headache actually. Maybe they need to be different IP's (ex. modem - 192.168.1.1, firewall - 192.168.2.1, router - 192.168.2.10)???? or is that wrong again?..lol...it's frustrating me with the numbers, and I've never been a good student, so to say, in math. So learning this is just another curve for me, I know somewhere I'm going wrong, it's just where?...

Any other ideas?
 

kstornado

Member
Jan 15, 2004
42
0
0
Change the settings on your wireless router so that it acts only as an access point. Turn off DHCP on it as well.

On the firewall, change the LAN segment to something like 192.168.2.0/24.
 

SirGeeO

Member
Dec 22, 2009
51
0
0
^I thought something like that, but then wouldn't the router need to be changed from 192.168.1.10 (on its LAN) ?....or should that stay the same as well

Anyway, I'm going to try all your suggestions in a few minutes, and I'll get back with a report of what happens.

Edit: I also see that I'm running some cat 5's, and I have a cat 5 patch cable. (from the firewall to the modem) The one from the firewall's 2nd NIC to the router is a Cat 5e. Could this be a problem that went very much underseen for me?...
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
The modem to the firewall both sides need to be on the same network. The firewall to the router need to be on the same network, but not the same network as the other. The LAN needs to be something other than those 2 for the DHCP pool.

The easiest example I could think of would be Router->firewall 192.168.1.1 and 1.2. Firewall -> Router 192.168.2.1 and 2.2. And the LAN could have a DHCP pool of 192.168.3.1-254
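
An added example, not part of any post in this thread: a small Python check that walks a modem > firewall > router chain and flags the two problems discussed above, a routing device with the same subnet on its WAN and LAN sides and more than one DHCP server answering for the same subnet. The two sample chains are constructed from the addresses posted in the thread; the /24 mask on every WAN interface is an assumption.

```python
import ipaddress
from itertools import combinations

# Constructed sample: the layout first posted (everything in 192.168.1.0/24).
BROKEN = [
    {"name": "modem", "wan": None, "lan": "192.168.1.1/24", "dhcp": True},
    {"name": "firewall", "wan": "192.168.1.5/24", "lan": "192.168.1.2/24", "dhcp": True},
    {"name": "router", "wan": "192.168.1.9/24", "lan": "192.168.1.10/24", "dhcp": True},
]

# Constructed sample: the layout reported as working later in the thread.
WORKING = [
    {"name": "modem", "wan": None, "lan": "192.168.8.1/24", "dhcp": False},
    {"name": "firewall", "wan": "192.168.8.10/24", "lan": "192.168.1.1/24", "dhcp": True},
    {"name": "router", "wan": "192.168.1.2/24", "lan": "192.168.2.1/24", "dhcp": True},
]


def net(cidr):
    """Return the network an interface address such as 192.168.1.2/24 lives in."""
    return ipaddress.ip_interface(cidr).network


def audit(chain):
    """chain is ordered upstream -> downstream; returns a list of findings."""
    findings = []
    # A device that routes/NATs needs different subnets on each side.
    for dev in chain:
        if dev["wan"] and net(dev["wan"]).overlaps(net(dev["lan"])):
            findings.append(f"{dev['name']}: WAN and LAN share {net(dev['lan'])}")
    # Each device's WAN address must sit inside the upstream device's LAN.
    for up, down in zip(chain, chain[1:]):
        if ipaddress.ip_interface(down["wan"]).ip not in net(up["lan"]):
            findings.append(f"{down['name']}: WAN address is outside {up['name']}'s LAN")
    # Two DHCP servers handing out leases for the same subnet will conflict.
    servers = [d for d in chain if d["dhcp"]]
    for a, b in combinations(servers, 2):
        if net(a["lan"]).overlaps(net(b["lan"])):
            findings.append(f"{a['name']} and {b['name']}: both serve DHCP for {net(a['lan'])}")
    return findings


if __name__ == "__main__":
    for label, chain in (("first layout", BROKEN), ("working layout", WORKING)):
        print(label)
        for line in audit(chain) or ["no findings"]:
            print("  " + line)
```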
 

SirGeeO

Member
Dec 22, 2009
51
0
0
Hey!!!! got it working....much to the knowledge of the guys above. Simply put
Modem - (WAN: PPPoE) [LAN: 192.168.8.1/24] - No DHCP Server
Firewall - (Static WAN: 192.168.8.10) [LAN: 192.168.1.1/24] - DHCP for 192.168.1.2 - 1.254
Router - (DHCP WAN: 192.168.1.2) [LAN: 192.168.2.1/24] - DHCP for 192.168.2.50 - 2.100

It all worked out (that above explanation was only for those who come around like me searching for resolved answers to the most minute, yet head-hitting problems)

Alright, now the only problem I'm seeming to have (yet, I haven't done firewall tests and etc.), is the PING from the modem through the firewall through to the router and the PC's connected behind that. The PING is awful, 255 ms on speakeasy, 200+ on speedtest.

http://www.speedtest.net/result/709564383.png
* QUICK NOTE: ^that's friggin' crazy, earthlink "says" I get 6.0 Mbps, and 750 (or something like that) Kbps uplink ... how in the world am I getting above 10,000 in down????? :smh:

I'm thinking, maybe packet filters need to be made to adjust? Or is this more a QoS problem? BTW, all interface cards ARE 10/100, with the Cat5e's running from all WAN ports on all devices (PC's hard-wired have regular cat-5).



Edit: Back with results from ping test...this is interesting

http://www.pingtest.net/result/9917916.png

packet loss, because maybe the firewall is dropping them or rejecting them?...
 

Pantlegz

Diamond Member
Jun 6, 2007
4,627
4
81
Most good firewalls will block ICMP by default. Actually, a good firewall would lock everything down and you have to open up specific ports.
 

imagoon

Diamond Member
Feb 19, 2003
5,199
0
0
You missed a step, the router should be running as an access point with DHCP disabled. No reason to double NAT.
 