Basic Adding-Firewall-to-Network Design Question (with Diagrams)

Tags:
  • Networking
  • Office
  • Business Computing
  • Design
  • Basic
  • Firewalls
August 21, 2014 3:25:16 PM

Hello folks,

I'm trying to insert a Firewall into my small office network between a Comcast Business Class Gateway (an SMC-D3G) and an Apple Airport Extreme device.

The Airport Extreme is in Bridge mode, so it is just passing through the DHCP responsibilities from the Comcast cable modem. The Airport is responsible for the office WIFI network.

The firewall is a Zyxel USG20W, which I have come to like very much (I have been using them on my 7 retail locations that I own).

I've attached a diagram of both the CURRENT and the PROPOSED network.

A couple of questions. Answer any that strike your fancy:

1. I assume I need to take the DHCP responsibility away from the Comcast modem and place it at the Zyxel firewall. Yes?

2. Should I use an IP subnet from the Comcast to the Zyxel Firewall like a 192.168.1.x? I plan to CONTINUE to use a 10.1.10.x subnet from the Firewall to the internal wired network.

3. I really like the Airport Extreme for the wireless network. I know it adds complexity to keep it there, but what do I lose/gain by doing so? I could use the Zyxel for wireless but it has not been consistent in all my retail locations, and the Apple has been solid.

4. I have a wired networkable printer (Brother 9970CDW) on the 10.1.10.x wired subnet. I can print to it from my wireless laptop (which is also on a 10.1.10.x WIRELESS subnet). I know that is somehow not right, and I assume I can allow the new firewall to allow access from the WLAN to the LAN segments, and should do that rather than have the wired and wireless subnets be the same IP subnets with different devices handing out DHCP addresses (currently the Comcast modem handing out for wired and the Apple Airport for wireless). (What idiot set up this network? ;-) Bottom-line question here is: how should the two subnets be set up so I can see the printer (or NAS drives) from the wireless segment, and is my current repeating of subnet addresses inherently wrong?

Other suggestions/criticism welcome.

Vae Victus

August 21, 2014 4:13:04 PM

You can do it the way you have drawn, but the firewall does not do much other than protect traffic from the internet to the LAN. You cannot restrict the traffic between the LAN devices.

I would connect the switch to the firewall and the Apple to the switch. That way all the traffic is not going through the Apple unless it really has to. A switch generally is a simpler device and can handle more traffic with no delays.

To restrict wireless and wired traffic you are going to have to use a different design. First step, unless you want to get real fancy with VLAN tags, is to connect the Apple to a different port on the firewall than the switch. Now if you want to keep the IP addresses the same you can run the firewall in layer 2 mode... I think you can on most. You would put both ports on the same VLAN in the firewall and then you can define rules between them. This tends to be a little strange to configure. The other option is to define a completely different subnet for the wireless, say 10.100.100.x/24, and assign the gateway and DHCP server to the firewall for that VLAN. The traffic would then route between the 2 networks via the firewall. You could then put in whatever rules you need. This tends to be the more common firewall configuration, but there is some software that does not work if it is dependent on being in the same subnet. I have seen security cameras that require the camera and controller PC be on the same subnet.

Be aware if you are running VoIP soft clients on the wireless PC and want them to open calls with your VoIP phone system you will need some very special rules. The firewall must dynamically open ports between the end client machines since the ports are random as each call is set up. The firewall will need a feature that is called ALG. Generally it works best on an IP phone system that uses SIP.
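
The two designs discussed in this thread, as an added worked example (not part of any post and not Zyxel configuration): the current layout with 10.1.10.0/24 on both the wired and the wireless side, and the proposed layout with the Airport on its own firewall port and 10.100.100.0/24. The overlap check shows why the firewall cannot apply rules between two interfaces that carry the same prefix, and the policy evaluator shows what an allow-printer-and-NAS, deny-the-rest rule set between WLAN and LAN looks like. The ports, hosts and rules are assumptions for illustration.

```python
from ipaddress import ip_network, ip_address

# Constructed model of the two designs from the thread (not a Zyxel config).
# Current: wired LAN (Comcast DHCP) and Airport Wi-Fi both use 10.1.10.0/24.
CURRENT_SEGMENTS = {"LAN": "10.1.10.0/24", "WLAN": "10.1.10.0/24"}
# Proposed: Wi-Fi on its own firewall port with 10.100.100.0/24.
PROPOSED_SEGMENTS = {"LAN": "10.1.10.0/24", "WLAN": "10.100.100.0/24"}

def overlapping_segments(segments):
    """Return pairs of firewall interfaces whose subnets overlap.
    A firewall routes between interfaces by prefix, so two interfaces with
    the same prefix cannot have inter-segment rules applied between them."""
    nets = {name: ip_network(cidr) for name, cidr in segments.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

# Inter-zone policy, evaluated top to bottom, first match wins.
# (zone_from, zone_to, dst_port or None for any port, action) - assumed rules.
PROPOSED_POLICY = [
    ("WLAN", "LAN", 9100, "allow"),  # raw printing to the Brother printer
    ("WLAN", "LAN", 631, "allow"),   # IPP printing
    ("WLAN", "LAN", 445, "allow"),   # SMB to the NAS drives
    ("WLAN", "LAN", None, "deny"),   # nothing else from Wi-Fi into the wired LAN
    ("LAN", "WLAN", None, "deny"),   # wired hosts do not initiate to Wi-Fi clients
    ("LAN", "WAN", None, "allow"),
    ("WLAN", "WAN", None, "allow"),
]

def zone_of(ip, segments):
    """Map an address to the firewall zone whose subnet contains it."""
    addr = ip_address(ip)
    for name, cidr in segments.items():
        if addr in ip_network(cidr):
            return name
    return "WAN"  # anything outside the local segments is the internet side

def evaluate(src_ip, dst_ip, dst_port, segments=PROPOSED_SEGMENTS,
             policy=PROPOSED_POLICY):
    """Decide a flow: 'switched' if both ends sit in the same segment (the
    firewall never sees it), otherwise the first matching policy action."""
    src, dst = zone_of(src_ip, segments), zone_of(dst_ip, segments)
    if src == dst:
        return "switched"
    for zone_from, zone_to, port, action in policy:
        if zone_from == src and zone_to == dst and port in (None, dst_port):
            return action
    return "deny"  # default deny between zones
```

With the current segments a wireless laptop at 10.1.10.50 printing to 10.1.10.20 is simply switched, which is bill001g's point that the firewall cannot restrict LAN-to-LAN traffic; with the proposed segments the same print job from 10.100.100.50 crosses the firewall and is allowed by rule, while SSH to the same host is denied.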

August 22, 2014 6:15:14 AM

bill001g said:
You can do it the way you have drawn, but the firewall does not do much other than protect traffic from the internet to the LAN. You cannot restrict the traffic between the LAN devices.

I would connect the switch to the firewall and the Apple to the switch. That way all the traffic is not going through the Apple unless it really has to. A switch generally is a simpler device and can handle more traffic with no delays.

The other option is to define a completely different subnet for the wireless, say 10.100.100.x/24, and assign the gateway and DHCP server to the firewall for that VLAN. The traffic would then route between the 2 networks via the firewall. You could then put in whatever rules you need. This tends to be the more common firewall configuration, but there is some software that does not work if it is dependent on being in the same subnet. I have seen security cameras that require the camera and controller PC be on the same subnet.

Great response: thank you for taking the time.

I updated the diagram of the Future solution here.

Re: Separating Wireless and Wired networks: So the Zyxel firewall, as shown in the diagram, has a distinct LAN segment on Port 3 that I can put the Airport Extreme wifi on, with a different subnet address. I can then allow traffic between the two segments in the Zyxel firewall rules. This seems to be the simplest solution since the wireless clients are in and out of the office and there is nothing on the wifi network today that would need to be reconfigured.

As soon as I can get the login credentials from Comcast for the cable modem (which they did not give me when they installed it), I can try this out. I'll report back.