Computer Forums

#1, 03-28-2005 06:25 PM, Dsrt (Newb Techie; Join Date: Jun 2004; Posts: 22)

Hardware Firewall Installation Help

Just purchased a Watchguard Firebox x500 hardware firewall. I am having major issues getting it set up on my network. Here's my network layout as it stands now.

I have a Netopia R5300 router. T1 comes from the wall to the Line1 port (I'm assuming via crossover cable). From there I have a cat5 (another assumption here that it's a straight through) cable going from the ethernet port on the back of the router to a patch panel, which then has a straight through cable going to my switch. That is obviously where the rest of my network ties in.

Where I'm confused is here. Do I need to run from the patch panel where the router comes in, to the external port on the firewall via a crossover cable, then from eth1 on the firewall to where the router used to hook in via a straight through cable?

I've never dealt with setting up a firewall before, so I'm pretty lost at this point. Feel free to ask me questions and I'll answer them the best that I can.

Thank you for your time and understanding.

David
#2, 03-29-2005 05:00 AM, m3trj (Monster Techie; Join Date: Apr 2004; Posts: 1,574)

Don't use crossover, use standard straight through stuff. Also I'd say put the firewall between the T1 line and the router for maximum security.
__________________
'There is only one basic human right, and that is to do as you **** well please.
And with it comes the only basic human duty, to take the consequences.'
#3, 03-29-2005 11:08 AM, Dsrt (Newb Techie; Join Date: Jun 2004; Posts: 22)

I was actually starting to think along those lines, but I was thinking about replacing the router altogether.

Problem is, the router is controlled by our ISP, so I don't have access to get in and change the setup. If I leave the router in the mix, then we have the problem of the router IP needing to be reconfigured.

I know with the firebox x series, I can set it up to run DHCP and port forwarding...that's pretty much what our current router is doing now.

If I put it on our side of the router, one of the main things I'm getting confused with is this: the cable coming from the router to the patch panel is a straight through cable...I know I need to plug the router into the firebox, but do I use a straight through? In either case, if I use a straight through or crossover, does it go into the external port or the trusted port?
#4, 03-29-2005 11:10 AM, m3trj (Monster Techie; Join Date: Apr 2004; Posts: 1,574)

I don't know about ports, but just use straight through cable for everything in that set-up.
#5, 03-29-2005 11:23 AM, Dsrt (Newb Techie; Join Date: Jun 2004; Posts: 22)

I'll give it a shot. Thanks for the feedback.
#6, 03-29-2005 01:40 PM, Dsrt (Newb Techie; Join Date: Jun 2004; Posts: 22)

Ok, got the cabling and ports figured out...ran on the firewall with DHCP enabled for about a half hour. The firewall is now assigning IPs, which is good; I still haven't got the configuration down to allow incoming traffic to hit our web and email servers, but I'll get that going in time.

One question I do have is about a deny message in the logs that has me confused. The documentation says that by default, all outgoing is allowed and all incoming is blocked. But I keep seeing the message below with regularity:

03/29/05 10:14:07 Deny Eth1 UDP "Internal IP" "Gateway IP" 68 67 (wg_dhcp_server)

It's showing it as outgoing.

Anyone have any ideas on why this is popping up if all outgoing is allowed?

Thanks for the help.
#7, 03-29-2005 02:02 PM, m3trj (Monster Techie; Join Date: Apr 2004; Posts: 1,574)

I'm not sure what the error message is.

As for your webserver, you'll want to set up port forwarding in the firewall.

As for the firewall assigning IPs, is it the router assigning the IPs through the firewall, or is the firewall a router as well?
#8, 03-29-2005 02:08 PM, Dsrt (Newb Techie; Join Date: Jun 2004; Posts: 22)

I've set up the firewall in "drop in" mode and configured DHCP on the firewall itself. Seeing how the computers will use the first DHCP server they find on a network for their IP, it works well...everyone hits the firewall first, so it gets assigned an IP.

When it comes to the webserver, our ISP has set up the port forwarding in the router...I just have to figure out how to allow the traffic through the firewall on port 80 and port 443 because we're running SSL.

I have already NATed the external IP of our exchange server to its internal IP addy (that was never done by the ISP for some reason).

I think now it's just a lot of trial and error and picking the brains of those who know more about this than I do. lol
#9, 03-29-2005 02:55 PM, Dsrt (Newb Techie; Join Date: Jun 2004; Posts: 22)

Ok, I think I've figured out the error message.

It has to do with the ARP Cache on each local machine. It appears that because of the cache, it's trying to poll the router for the DHCP request, but it encounters the firewall/DHCP first. It tries this a couple of times, then I no longer get the error from that IP addy.

I'm assuming that once all the machines have finally resolved their IP address through the firewall and updated the ARP on each computer, that these errors should go away.

I hope. haha
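The deny line quoted in post #6 and the explanation in post #9 describe a pattern worth being able to pick out of a firewall log: clients still unicasting their DHCP renewals (UDP 68 to 67) at the old DHCP server after the Firebox took over the role. The following is an added example, not code from the thread or from WatchGuard. It parses lines laid out like the one posted (date, time, action, interface, protocol, source, destination, source port, destination port, policy in parentheses; that field layout is inferred from the single line in the thread and is an assumption about the log format), counts stale-server DHCP denies per client, and flags hosts that keep retrying beyond a small threshold. The poster saw each host give up after a couple of attempts, so a host that never stops is the one to look at (stale static DHCP configuration, a device that never renewed, or something else holding on to the old gateway). The sample log, the RFC 5737 addresses standing in for the router and the Firebox, and the `persistent_after` threshold are all constructed; only the `wg_dhcp_server` policy name comes from the thread.

```python
import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, Iterable, List, Optional

# Field layout inferred from the single deny line quoted in the thread:
#   date time action interface proto src dst srcport dstport (policy)
# This is an assumption about the Firebox log format, not a documented spec.
# Source/destination may be bare tokens or double-quoted (the thread redacted
# its addresses as "Internal IP" and "Gateway IP").
TOKEN = r'"[^"]*"|\S+'
LOG_RE = re.compile(
    r'^(?P<date>\d{2}/\d{2}/\d{2}) (?P<time>\d{2}:\d{2}:\d{2}) '
    r'(?P<action>Allow|Deny) (?P<iface>\S+) (?P<proto>TCP|UDP|ICMP) '
    r'(?P<src>' + TOKEN + r') (?P<dst>' + TOKEN + r') (?P<sport>\d+) (?P<dport>\d+)'
    r'(?: \((?P<policy>[^)]*)\))?\s*$'
)

DHCP_CLIENT_PORT = 68
DHCP_SERVER_PORT = 67
BROADCAST = "255.255.255.255"


@dataclass
class LogEvent:
    ts: datetime
    action: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: int
    dport: int
    policy: Optional[str]


def parse_line(line: str) -> Optional[LogEvent]:
    """Parse one log line; return None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%y %H:%M:%S")
    return LogEvent(ts, m['action'], m['iface'], m['proto'],
                    m['src'].strip('"'), m['dst'].strip('"'),
                    int(m['sport']), int(m['dport']), m['policy'])


def is_stale_dhcp_renew(ev: LogEvent, dhcp_server: str) -> bool:
    """Denied DHCP client->server traffic unicast to a server other than the
    one the firewall now runs: the pattern behind the deny line in the thread.
    Broadcast DHCP is excluded; it is not aimed at a stale server."""
    return (ev.action == 'Deny' and ev.proto == 'UDP'
            and ev.sport == DHCP_CLIENT_PORT and ev.dport == DHCP_SERVER_PORT
            and ev.dst not in (dhcp_server, BROADCAST))


def stale_dhcp_report(lines: Iterable[str], dhcp_server: str,
                      persistent_after: int = 3) -> Dict[str, dict]:
    """Count stale-server DHCP denies per client and flag hosts that keep
    retrying beyond `persistent_after` attempts (an assumed threshold: a few
    retries right after the DHCP server moved are expected)."""
    counts: Counter = Counter()
    first_last: Dict[str, List[datetime]] = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_stale_dhcp_renew(ev, dhcp_server):
            continue
        counts[ev.src] += 1
        span = first_last.setdefault(ev.src, [ev.ts, ev.ts])
        span[1] = ev.ts
    return {
        src: {"denies": n,
              "first": first_last[src][0],
              "last": first_last[src][1],
              "persistent": n > persistent_after}
        for src, n in counts.items()
    }


# Constructed sample log modelled on the one line quoted in the thread.
# 192.0.2.1 stands in for the ISP router (old DHCP server), 192.0.2.254 for
# the Firebox in drop-in mode (new DHCP server); RFC 5737 documentation ranges.
OLD_GATEWAY = "192.0.2.1"
FIREBOX = "192.0.2.254"
SAMPLE_LOG = """\
03/29/05 10:14:07 Deny Eth1 UDP 192.0.2.10 192.0.2.1 68 67 (wg_dhcp_server)
03/29/05 10:14:11 Deny Eth1 UDP 192.0.2.10 192.0.2.1 68 67 (wg_dhcp_server)
03/29/05 10:14:20 Allow Eth1 UDP 192.0.2.10 192.0.2.254 68 67 (wg_dhcp_server)
03/29/05 10:15:02 Deny Eth1 UDP 192.0.2.20 192.0.2.1 68 67 (wg_dhcp_server)
03/29/05 10:15:06 Deny Eth1 UDP 192.0.2.20 192.0.2.1 68 67 (wg_dhcp_server)
03/29/05 10:15:14 Deny Eth1 UDP 192.0.2.20 192.0.2.1 68 67 (wg_dhcp_server)
03/29/05 10:15:30 Deny Eth1 UDP 192.0.2.20 192.0.2.1 68 67 (wg_dhcp_server)
03/29/05 10:15:45 Allow Eth1 UDP 192.0.2.30 255.255.255.255 68 67 (wg_dhcp_server)
03/29/05 10:16:00 Deny Eth0 TCP 198.51.100.7 192.0.2.254 51234 23 (constructed_inbound_deny)
not a log line
""".splitlines()

if __name__ == "__main__":
    for host, info in stale_dhcp_report(SAMPLE_LOG, FIREBOX).items():
        flag = "PERSISTENT" if info["persistent"] else "transient"
        print(f"{host}: {info['denies']} stale DHCP denies, "
              f"{info['first']:%H:%M:%S}..{info['last']:%H:%M:%S} [{flag}]")
```

On the constructed sample, 192.0.2.10 tries the old router twice and then gets its lease from the Firebox (the transient case the poster describes), while 192.0.2.20 keeps going and is flagged. The parser also accepts the thread's exact line with its quoted placeholders, so it can be pointed at a redacted log excerpt as well as a live one.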
 