internal subnet/firewall

[Guest]

[X_Ch4n]

Hi all,
i've to create a subnet for some external consultant. My lan is 192.168.0.0/24 (lan A), gateway 192.168.0.1. This works great.

Now i would like to create a new lan 192.168.200.0/24 with gw 192.168.200.1 (Lan B).

I setup endian with this 2 interfaces: green - 192.168.200.1, red 192.168.0.10. 192.168.0.254 is the default gateway for the red interface.

I want to setup in this way:
Lan B hosts can:
reach the internet
Lan B hosts cannot: ping, tracert or contact (in any way) Lan A hosts

Lan A hosts can: ping, tracert, reach in any way Lan B hosts

I setted up some firewall rules:
outgoing traffic:

• source: 192.168.200.0/24 - dest: 192.168.0.0/24 - services: any - DENY

Inter-zone traffic:

• source: 192.168.0.0/24 - dest: 192.168.200.0/24 - services: any - ALLOW
• source: 192.168.200.0/24 - dest: 192.168.0.254 - services: any - ALLOW
• source: 192.168.200.0/24 - dest: 192.168.0.2 - services: TCP+UDP/53 - ALLOW (my internal DNS)
• source: 192.168.200.0/24 - dest: 192.168.0.0/24 - services: any - DENY

Actually an host on lan B can ping or tracert a lan A Host.
What am i wrong? What is missing?

Please help.

Thank you

[juddyjacob]

im not sure exactly how you configured the red zone cause if im reading it correctly, you shouldnt have any internet access at all. The red zone is for your public address, dynamic or static. I think what you have done is NAT to the red with your green. That or you duel ip'd the green.

What you really want to do requires 3 interfaces. Green, Red, and blue or orange.  If you have a static ip, and or dynamic this would be the red. Green should be your network, and either blue or orange for your client.  note that all subnets need to be different.  If your circuit is dynamic, you really want to put the modem in bridged mode. This will allow your firewall to obtain the public ip directly.  You will have to request this through your isp provider.  You can NAT your red, but essentially you would be NAT to a NAT.

should be something like this
red 75.58.75.58 hypothetical public address
green 192.168.0/24
blue 192.168.200/24

now you can apply the interzone firewall rules. Keep in mind by default system access rules you will allways be able to ping all ips assigned to the firewall.  So if green is 192.168.0.1, no matter what blue will be able to ping just that address.  Im not really sure if that can be changed but it is not a risk as long as there are no system access rules provided for that zone, in this case blue. 

hope this helps...JJ

[juddyjacob]

I think I know what you did, you probally skipped the nat for green all together. All zones can talk to red, this is normal, and needed if they want internet access. Is your modem ip 192.168.0.254?

if your dynamic and dont want to go into bridged mode do this


modem----red (DHCP *dynamic)----green 192.168.101/24
                                                                \__blue 192.168.200/24
                                      
                                                       

[X_Ch4n]

Hi, thank you all for your answers.

What i've to do is to create a new network(192.168.200.0/24) inside my lan (192.168.0.0/24).
Actually i have a static IP assigned to a firewall that i can't manage, so i would like to create another firewall for external consultants. This firewall would have a red interface connected to my lan (ip: 192.168.0.10/24), and the green one to serve the clients (192.168.200.1/24).

All clients behind that fw can only go to the internet through this hops: fw green (192.168.200.1) -> red int (192.168.0.10) -> gateway of my lan (192.168.0.254) -> internet. They cannot connect to any host on my 192.168.0.0/24 lan except for the 192.168.0.254.

All the clients on my lan (192.168.0.0/24) CAN reach 192.168.200.0/24 hosts.

Is this possible?

Thanks in advance

[juddyjacob]

not in any reasonable matter in this circumstance. You really need the firewall on the edge. You can try to create a system access rule (not firewall rules) that denies all traffic to the other 253 addreses but that just seems like a lot of work for something that is not setup correctly.  The key in this is the currrent edge firewall that you cant manage.  This is the device that needs to be configured for the correct networks.  otherwise your just using NAT, and by defination you will have access to all address from red, not just the gateway IP.  you would have to treat the NAT as a public IP. Not to mention I dont see how you would be able to access the client network from your real lan, less a bunch of port forwarding rules and route statements on the real gateway.  Only other option I can think of is to have both firewalls on the edge, providing there are available public addresses.  then you would just need a single route statement on the main gateway to forward traffic to the client.  Still would need 3 interfaces.

source via 192.168.0/24   destination 192.168.200/24. via 192.168.0.10

both the default routes for the networks would be the new public address, but there wouldn't be any nodes passing traffic behind the new firewall green address unless you change the default gateways if the workstations.