
configuring home network with firewall and wireless router

Discussion in 'Networking' started by sevichay, Sep 1, 2016.

  1. sevichay

    sevichay Thread Starter

    Joined:
    Sep 1, 2016
    Messages:
    5
    Although this post isn't strictly related to an issue on my computer, perhaps it can still be addressed as it deals with the general security of a network. The physical setup of the network (which does provide for fully functional internet access) is as follows in terms of wire connectivity:

    The wireless router is connected via an ethernet cable on its WAN port to a LAN port on a wired firewall. This wired firewall is connected to the modem via ethernet from WAN to WAN.

    This configuration as previously stated provides for internet access. My question however, is if the external IP address on the wireless router is protected by the built-in security features of the wired firewall (once having enabled them in the firewall's web-based utility), or if the firewall is simply acting as a switch, in that it successfully relays the connection from the modem to the router without implementing its security features in the process.

    If it is the latter, then I ask how to configure this setup so that the wireless router utilizes the firewall's security features properly.
     
  2. sevichay

    sevichay Thread Starter

    Joined:
    Sep 1, 2016
    Messages:
    5
    One note I might add is that the two routers are in bridge mode together as opposed to double NAT.
     
  3. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,218
    As I understand it, your network is like this:

    modem -> wired router -> wireless router

    Then the firewall on the wired router is active and the firewall on the wireless router is active. (You actually did not say whether you turned on the firewall on the wireless.) Having 2 firewalls active is not commonly done in a home setting, but is useful in a situation where you want to run a public web server. A web server PC is then plugged into your wired router and port forwarding configured. And all the PCs directly plugged into the wired router are considered part of a DMZ (demilitarized zone). And all PCs connected to the wireless router are considered a private LAN. An attacker would have to penetrate another firewall to get to the PCs in your private LAN, having first compromised your web server and installed attack tools. The DMZ therefore houses untrusted PCs. Just remember that a public web server is online 24x7x365, and anything can happen when the public can reach it.

    The reason why 2 routers with active firewalls are not commonly used is because when both firewalls can have firewall rules specified, it might get confusing configuring them. If you are using home consumer routers, most don't offer a configurable firewall rules feature.
     
    Last edited: Sep 2, 2016
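The two-firewall layout lunarlander describes (web server in a DMZ behind the wired firewall, private LAN behind a second firewall), as an added Python simulation that is not code from this thread. It models each router as a zone-based stateful filter and pushes a few constructed packets through the path. All addresses are assumed: 203.0.113.10 for the wired firewall's public IP, 10.0.0.0/24 for the DMZ with the web server at 10.0.0.10, and 192.168.1.0/24 for the private LAN; the wireless router is modelled as a routing firewall without NAT so the outer firewall sees real LAN addresses. The `inner_has_firewall=False` case stands in for a wireless router with no firewall at all.

```python
"""Two-firewall DMZ, constructed simulation (not the thread's own code).
Assumed: 203.0.113.10 public IP, 10.0.0.0/24 DMZ (web 10.0.0.10),
192.168.1.0/24 private LAN; inner router routes without NAT."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

PUBLIC_IP = "203.0.113.10"
WEB_SERVER = "10.0.0.10"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = True   # True = first packet of a new TCP connection


class StatefulFirewall:
    """Rules decide new connections; a connection table admits the rest."""

    def __init__(self, name, zones, default_zone, rules, dnat=None):
        self.name = name
        self.zones = [(ip_network(net), zone) for net, zone in zones]
        self.default_zone = default_zone
        self.rules = rules        # (from_zone, to_zone, dport|None, "ACCEPT"|"DROP")
        self.dnat = dnat or {}    # (dst_ip, dport) -> (inside_ip, inside_port)
        self.conntrack = set()

    def zone_of(self, ip):
        addr = ip_address(ip)
        return next((z for net, z in self.zones if addr in net), self.default_zone)

    def filter(self, pkt):
        """Return (verdict, packet as forwarded after any port forward)."""
        if (pkt.dst, pkt.dport) in self.dnat:              # port forward first
            in_ip, in_port = self.dnat[(pkt.dst, pkt.dport)]
            pkt = Packet(pkt.src, pkt.sport, in_ip, in_port, pkt.syn)
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack or reverse in self.conntrack:
            return "ACCEPT", pkt                            # established flow
        if not pkt.syn:
            return "DROP", pkt                              # stray non-SYN packet
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        for from_z, to_z, dport, action in self.rules:
            if (from_z, to_z) == (src_zone, dst_zone) and dport in (None, pkt.dport):
                if action == "ACCEPT":
                    self.conntrack.add(key)
                return action, pkt
        return "DROP", pkt                                  # default deny


def traverse(path, pkt):
    """Push a packet through firewalls in order; return the name of the one
    that dropped it, or None if it was delivered."""
    for fw in path:
        verdict, pkt = fw.filter(pkt)
        if verdict == "DROP":
            return fw.name
    return None


def build_network(inner_has_firewall=True):
    zones = [("10.0.0.0/24", "dmz"), ("192.168.1.0/24", "lan")]
    outer = StatefulFirewall("wired-firewall", zones, "wan",
        rules=[("dmz", "wan", None, "ACCEPT"), ("lan", "wan", None, "ACCEPT"),
               ("wan", "dmz", 80, "ACCEPT")],              # only the forwarded port
        dnat={(PUBLIC_IP, 80): (WEB_SERVER, 80)})
    if inner_has_firewall:
        inner_rules = [("lan", "dmz", None, "ACCEPT"), ("lan", "wan", None, "ACCEPT"),
                       ("dmz", "lan", None, "DROP"),        # why the second firewall exists
                       ("wan", "lan", None, "DROP")]
    else:  # a wireless router with no firewall: everything passes
        names = ("wan", "dmz", "lan")
        inner_rules = [(a, b, None, "ACCEPT") for a in names for b in names]
    return outer, StatefulFirewall("wireless-router", zones, "wan", inner_rules)


def scenario(inner_has_firewall=True):
    outer, inner = build_network(inner_has_firewall)
    client, cport = "198.51.100.5", 51000                   # constructed Internet host
    return {
        "visitor_to_web": traverse([outer], Packet(client, cport, PUBLIC_IP, 80)),
        "web_reply": traverse([outer], Packet(WEB_SERVER, 80, client, cport, syn=False)),
        # attacker on the compromised web server pivots toward a LAN file share
        "dmz_to_lan_smb": traverse([inner], Packet(WEB_SERVER, 44000, "192.168.1.50", 445)),
        "lan_to_web": traverse([inner], Packet("192.168.1.50", 50000, WEB_SERVER, 80)),
        "internet_to_lan": traverse([outer, inner], Packet(client, 51001, "192.168.1.50", 445)),
    }


if __name__ == "__main__":
    for label, hit in scenario().items():
        print(f"{label:16s} -> {'delivered' if hit is None else 'dropped by ' + hit}")
    print("dmz_to_lan_smb, no inner firewall ->", scenario(False)["dmz_to_lan_smb"])
```

The point to take from the run: the outer firewall admits exactly the forwarded port and the replies to it, but it does nothing to stop a host that is already inside the DMZ from reaching the LAN; only the inner firewall's `dmz -> lan DROP` rule does that, and with `inner_has_firewall=False` the same pivot is delivered.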
  4. sevichay

    sevichay Thread Starter

    Joined:
    Sep 1, 2016
    Messages:
    5
    Thank you for the reply and explanation. One further point I might add is that the wireless router offers no security whatsoever, which is the reason the firewall was added. There are no settings on the wireless router to add a firewall, however, which leaves the network vulnerable to DoS attacks among many other things. My question now is if the wired firewall would in theory filter out these attacks before they reached the modem after having hit the wireless router's external IP address.
     
  5. sevichay

    sevichay Thread Starter

    Joined:
    Sep 1, 2016
    Messages:
    5
    There are no devices connected to the wired firewall, only the wireless router.
     
  6. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,218
    I don't understand what you mean when you say the wired firewall would filter out attacks before they reach the modem.

    The attacks reach the modem first. Then the wired router gets the traffic. And the wired router's firewall filters it out.
     
  7. sevichay

    sevichay Thread Starter

    Joined:
    Sep 1, 2016
    Messages:
    5
    Thanks again for the clarification. I failed to understand that the packets reach the modem first. Does it matter whether the wireless router is in bridge mode with the wired firewall or if it operates in a double NAT configuration in order for the firewall's security features to work? I ask this because the wired firewall's web-based utility becomes inaccessible when the routers are in bridge mode.
     
  8. lunarlander

    lunarlander

    Joined:
    Sep 21, 2007
    Messages:
    9,218
    Don't worry about bridge vs double NAT. Functionally there is no difference. Except that you will get the wireless router's DHCP that hands out IP addresses.
     
  9. zx10guy

    zx10guy Trusted Advisor Spam Fighter

    Joined:
    Mar 30, 2008
    Messages:
    5,942
    Posting up of the specific makes and models of the devices you're talking about will help immensely in figuring out what you're trying to do.

    But to clarify the confusion of what bridging is, it is important to know what bridging does, as it's not the same as NAT. Bridging operates in layer 2 of the OSI model. It's a device which is a step up from a hub but not quite a switch. A hub is a layer 1 device and can be analogous to a splitter or tap on a wire. Data that goes in one port of a hub gets transmitted to all ports on the hub regardless of whether the data is meant to go to a specific device/port. A switch adds intelligence to moving data by directing data destined to a specific device to a specific port where the device is connected. A switch makes a network more efficient and therefore perform better. A bridge is a device somewhere between a hub and a switch. A bridge connects two LAN segments together but only forwards data to a destination it knows is on the other side of the bridge.

    Things get confusing when you look at a bridge and say well isn't that also what a modem does? Well no. A modem is a device which translates two different physical connection types so they can be connected together. An example of this is a cable Internet modem. This device takes a coax connection and translates it to an Ethernet connection. Since we're talking about physical connections this is a layer 1 discussion so modems are a layer 1 device. When you have combo devices like a cable or DSL modem which has a built in router which operates in layer 3 mode, you have to place the device into bridge mode if you want to turn off the router/firewall functionality of the device. The way these devices work is once the device is in bridged mode, you can no longer access the management functions of the device and to regain management functions of the device you have to do a hard reset of the device to its factory default operation.

    When I had DSL service, the supplied Westell DSL modem was also a router. I placed the modem into bridged mode as I had no use for the layer 3 and above functionality of the Westell. This simplified the network configuration of placing my own firewall behind the Westell.

    One of the other reasons why using SOHO routers/firewalls is not recommended, as stated by lunarlander, is the NAT functionality of these devices. I personally haven't seen the option to turn off NAT on SOHO devices I've laid eyes on. Why is this important? The NAT used on SOHO devices does what's called a NAT overload. The device takes a pool of addresses/subnet and translates it to a single IP address. This is no problem when you have network traffic which originates from the pool/subnet going out. It is a problem when you want to communicate to a device in the pool/subnet from the side with the single IP. Port forwarding was created to deal with this problem. But port forwarding only works on a per network communication port basis. This means if you have a device on the pool/subnet side you want to reach, say, a web server, you have to create a port forward rule on port 80. But you also want to administer the server remotely via Windows RDP. Well now you have to create another forward rule using port 3389. So that's two port forward rules. Depending on the complexity of your router/firewall, you may have to create two firewall access control list rules to allow that traffic through. But many if not most SOHO router/firewalls will dynamically generate those rules for you. But wait. I have another server or workstation in that same subnet I want to administer via Windows RDP. I have to create another port forward rule on 3389. But I can't because I already used up that port for the web server port forward rule. What do I do now? Well, I have to change the operating port of the workstation RDP service to operate on something like 43389. So this requires me to do a configuration change on the workstation and then more added rules on the router/firewall. If the NAT functionality could have been turned off, much of the complexity I mentioned above would be eliminated.

    In my home network, I have a mixture of NAT overload operations and just straight IP routing without NAT complications. The firewalls I use allow the ability to do multiple functions at the same time: classical straight IP routing, NAT overload, pool of addresses to pool of addresses NAT, and one to one static NATs. This is one of the reasons why business/enterprise class devices cost more.
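The NAT overload and port-forward collision zx10guy walks through, as an added Python simulation that is not code from this thread. It keeps a translation table for outbound connections (one public port per inside connection), a static forward table, and shows that a second forward for public port 3389 is refused while 43389 succeeds. Addresses are assumed: 203.0.113.10 is the router's single public IP, 192.168.1.10 is the web server, 192.168.1.20 the workstation whose RDP is moved to 43389, 192.168.1.30 an ordinary client, and the 198.51.100.x hosts are constructed remote endpoints.

```python
"""NAT overload (PAT) with static port forwards, constructed example
(not the thread's own code). Assumed: 203.0.113.10 public IP,
192.168.1.10 web server, 192.168.1.20 workstation, 198.51.100.x remotes."""
from dataclasses import dataclass, field

PUBLIC_IP = "203.0.113.10"


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class SohoNat:
    public_ip: str
    next_port: int = 40000                          # start of the ephemeral pool
    outbound: dict = field(default_factory=dict)    # inside 4-tuple -> public port
    inbound: dict = field(default_factory=dict)     # public port -> inside 4-tuple
    forwards: dict = field(default_factory=dict)    # public port -> (inside_ip, inside_port)

    def add_port_forward(self, public_port, inside_ip, inside_port):
        """Static DNAT: one public port maps to exactly one inside host:port.
        A second host asking for the same public port is refused."""
        if public_port in self.forwards or public_port in self.inbound:
            return False
        self.forwards[public_port] = (inside_ip, inside_port)
        return True

    def translate_outbound(self, f):
        """Inside -> Internet: source becomes the public IP plus a per-connection
        port; the mapping is kept so the reply can be delivered."""
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        pub_port = self.outbound.get(key)
        if pub_port is None:
            pub_port = self._allocate_port()
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return Flow(self.public_ip, pub_port, f.dst_ip, f.dst_port)

    def translate_inbound(self, f):
        """Internet -> inside: the delivered flow, or None if dropped."""
        if f.dst_ip != self.public_ip:
            return None
        entry = self.inbound.get(f.dst_port)
        # 1. reply to a connection the inside opened (remote endpoint must match)
        if entry and entry[2:] == (f.src_ip, f.src_port):
            return Flow(f.src_ip, f.src_port, entry[0], entry[1])
        # 2. unsolicited: only an explicit forward admits it
        fwd = self.forwards.get(f.dst_port)
        if fwd:
            return Flow(f.src_ip, f.src_port, fwd[0], fwd[1])
        return None

    def _allocate_port(self):
        while self.next_port in self.inbound or self.next_port in self.forwards:
            self.next_port += 1
        port, self.next_port = self.next_port, self.next_port + 1
        return port


def demo():
    nat = SohoNat(PUBLIC_IP)
    remote = "198.51.100.5"                         # constructed Internet host
    results = {
        "forward_web_80": nat.add_port_forward(80, "192.168.1.10", 80),
        "forward_web_rdp": nat.add_port_forward(3389, "192.168.1.10", 3389),
        # second host wants public 3389 too: already taken
        "forward_ws_rdp_collides": nat.add_port_forward(3389, "192.168.1.20", 3389),
        # so the workstation's RDP service is moved to 43389 and forwarded there
        "forward_ws_rdp_43389": nat.add_port_forward(43389, "192.168.1.20", 43389),
    }
    results["unsolicited_80"] = nat.translate_inbound(Flow(remote, 51000, PUBLIC_IP, 80))
    results["unsolicited_22"] = nat.translate_inbound(Flow(remote, 51001, PUBLIC_IP, 22))
    out = nat.translate_outbound(Flow("192.168.1.30", 55000, "198.51.100.9", 443))
    results["outbound"] = out
    results["reply"] = nat.translate_inbound(Flow("198.51.100.9", 443, PUBLIC_IP, out.src_port))
    # a different remote host probing the same public port gets nothing
    results["spoofed_reply"] = nat.translate_inbound(
        Flow("198.51.100.99", 443, PUBLIC_IP, out.src_port))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:24s} {value}")
```

Two things worth noticing in the run. Unsolicited traffic to a public port with no forward (`unsolicited_22`) is dropped, which is the implicit inbound filtering a NAT overload gives even on a router with no configurable firewall. And many routers let a forward translate the port as well (public 43389 to inside 3389), which avoids reconfiguring the workstation; the simulation follows zx10guy's approach of moving the RDP service itself.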
     
Short URL to this thread: https://techguy.org/1177316