
Firewall in network


pthomass

Hi,

We have a little network here and we would like to separate it from the main network with a firewall. Let me first explain what the idea is.

We work at a school. From the school we get an IP-range to use for our business.

The range is from [edit]removed for security reasons until [edit]removed for security reasons (first and last included) and the subnet mask is 255.255.255.192.

I have a D-Link firewall, the DFL-500. I have put it in transparent mode but have a problem.

I'm testing it on my computer and at this moment it is connected between my computer and my network-cable. As you can see, I can get onto the internet (otherwise I couldn't type this).

In our network there are LaCie drives. These are Ethernet drives and are used for network storage and backup. With the firewall in place I can no longer get into the drives. I can ping the drives and via Internet Explorer I can log into the drives, but I cannot seem to find them via Windows Explorer.

Another problem that is related to the previous one is that all our computers first need to log on to a Novell server with a username and password. And as the previous problem explains, I cannot log on to the server.

I think that these 2 problems are different because the LaCie drives need to be found through Windows Explorer but the Novell server needs to be found before Windows is fully loaded.

I hope someone can help me,

Best regards

Peter Thomassen


What operating systems? Windows 98 requires WINS Server access, and Windows 2000 and newer require DNS Server access. Those are both broadcast based protocols which will not traverse a router unless you specifically configure the router to do so. I can provide more info later in the day.


Hi homecomputeraid,

Thank you for your reply, and I think that you may have given the answer already. I went and took a closer look at my firewall and discovered that there was a primary and secondary DNS in the firewall but it didn't resemble my DNS servers. So I put in the correct DNS servers and I'm able to get onto my LaCies and log on with the Novell server.

Problem with the whole thing is that I've been working here for about 4 weeks and have to solve their problems with their network. The firewall they gave me has firmware version 2.36 and the manual they gave me is for 2.26. The interface has changed with the firmware change and I have to solve things myself. And so it seems I've overlooked the DNS servers.

So thank you for your reply

Best regards

Peter Thomassen


I searched their entire network, did find the device, but the manual is out of date. It is still for the 2.26 version.

I got the whole thing working now; the only thing I still have to find out is how to get through the firewall from the outside with a password and username.

Best regards


As I mentioned before, we are located at a school. In our business network, there are 2 LaCie drives. When giving classes to students, we are outside the network but sometimes need to have data that is located on the LaCie's. I first said that one could use a USB stick to get the data needed for the classes, but they really want to do it over the network.

My firewall provides VPN, but I haven't really tried this. Is there no other way to do this?


Let me explain the firewall.

It has 2 modes: transparent and NAT/route mode.

When in transparent mode, it is just a simple firewall that lets traffic go out but not in, unless requested from the internal network.

When in NAT/route mode there are several options including VPN.

Until now I'm only able to set the transparent mode. For the NAT/route mode I need to set more settings than I can handle :blink:

When my PC is connected to the network these are my settings:

DHCP enabled

IP: [edit]Removed for security reasons

Netmask: 255.255.255.192

Gateway: [edit]removed for security reasons

When setting the firewall between my pc and the network I need to set an internal interface and an external interface?

The external interface can be set to DHCP enabled.

I can also let the firewall act as a DHCP server for its internal network. But the settings for this???

If I set the DHCP server of the firewall, can I do it like this?

Starting IP: 192.168.1.1

Ending IP: 192.168.1.254

Netmask: 255.255.255.0

DNS: same as before: Removed

Gateway: 192.168.1.99

The internal interface is then set to 192.168.1.99 being the gateway and the netmask is 255.255.255.0.

I do not know if these settings are correct in any way:

Is it possible to set a different netmask?

Do I have to use the same DNS servers for the DHCP as the external DHCP?

Is the gateway the same IP as the internal IP of the firewall?

Can I take the IP range I mentioned or do I need to use the IP range that my school provided me? If so, I guess that I also need to use their netmask being 255.255.255.192.

I hope that you can still follow me in my explanation. :blush:

Best regards

Peter

Removed DNS IP's - scuzzman


Peter,

Is there data on the Lacie drives that needs to be protected? Is that why they're on a separate network behind a firewall?

If not, could you move them to the network the students have access to?

If so, you'll want to control access as strictly as you can.

Does the subnet the Lacie drives are on have its own domain controllers, DNS servers and/or WINS servers?

I recommend using the default values for the "inside" network on your firewall, including the default subnet mask. You may want to get a static IP assigned for the "outside" IP of the firewall.

The address you put for when your computer is connected to the network looks like a valid Internet IP. I'm going to edit it out. Be careful about putting such information on public web pages.

It sounds to me like the TCP/IP stuff is relatively new to you, but you have some responsibility for it? Have you read my Networking Fundamentals tutorials at the top of this forum? They may help you gain some understanding of TCP/IP for your work. They're relatively short.


I've played some more with the firewall and came up with the following:

I've set it in NAT/route mode. The firewall's internal interface is DHCP enabled and does this with subnet 255.255.255.0, and the external is 255.255.255.192.

I can surf on the internet. BUT, only if my EXTERNAL interface gets its IP and such from the external DHCP server. When I fill in the IP and stuff manually, I can no longer surf on the internet. Another strange thing that happened is that at first I was able to connect to my LaCie drives and to my Novell server, but all of a sudden it wasn't able to do this anymore. Don't understand why I could do it at first but now I can't.

Second, I made a VPN (PPTP) connection with a Win2000 computer. First I made sure that a certain user with password could connect through VPN, then set up the Win2000 computer to make a PPTP connection. I was able to connect and log in from the Win2000 computer to the external interface of the firewall. But until now I don't know how I can get on a computer that is located on the internal interface of the firewall. Still figuring that out.

Could some of these little problems have anything to do with the difference in subnets?


I can surf on the internet. BUT, only if my EXTERNAL interface gets its IP and such from the external DHCP server. When I fill in the IP and stuff manually, I can no longer surf on the internet.

You should not randomly choose an IP on a static network and assign it to the outside Interface of the router. You should obtain a static IP with all the required information (subnet mask, DNS Server(s), WINS Server(s) (if applicable) from your network administrator).

But until now I don't know how I can get on a computer that is located on the internal interface of the firewall.

Please define what you mean by "get on a computer." Do you mean browsing to it through Network Neighborhood? Reaching a shared resource? Taking control with Remote Desktop or Terminal Services?

Could some of these little problems have anything to do with the difference in subnets?

No. The problems are a result of adding a firewall to your network. Firewalls are supposed to, by their very nature, restrict traffic. I'm not sure it's the right solution for your situation, but I'd almost need a visio drawing of your network to help you determine that.

[edit]If you are able to post some kind of drawing, please do not post your real IP addresses. You could PM them to me.


You should not randomly choose an IP on a static network and assign it to the outside Interface of the router. You should obtain a static IP with all the required information (subnet mask, DNS Server(s), WINS Server(s) (if applicable) from your network administrator).

I'm going to set our DHCP so that we will have about 15 to 20 IP addresses that can be used statically.

Please define what you mean by "get on a computer." Do you mean browsing to it through Network Neighborhood? Reaching a shared resource? Taking control with Remote Desktop or Terminal Services?

With Network Neighborhood and to reach a share. I've shared some folders on my PC, but I can't seem to find them when using the PPTP.

No. The problems are a result of adding a firewall to your network. Firewalls are supposed to, by their very nature, restrict traffic. I'm not sure it's the right solution for your situation, but I'd almost need a visio drawing of your network to help you determine that.

[edit]If you are able to post some kind of drawing, please do not post your real IP addresses. You could PM them to me.

I'll send you a drawing that I made. Check your PMs.

Best regards

Peter


I don't know how to edit my previous message; I don't see an edit button. So I'll just put in a new reply.

I just managed to set up a PPTP connection from an external computer through the firewall. I can ping a computer on the internal side of the firewall. But how can I see the computer and/or its shared documents? I shared a folder to see if it works. But I cannot see it.


Thanks for the drawing.

I think you're heading in the right direction with VPN. Once the VPN Connection is made, can you ping the devices you're trying to get to?

Name resolution will not work on the protected subnet unless you get a DNS Server running on it. If you don't intend to do that, you can communicate via IP Addresses.

For example, if your Lacie Drive is 192.168.1.51, you would go to Start, Run, and type \\192.168.1.51 in the Open dialogue. Then hit Enter. Do this on the PC that you want to use to connect, after it's VPN'ed into the protected network. This should bring up a window containing all visible shared resources on that device.


When the VPN connection is made, it says:

TCP/IP CP is connected

IPX/SPX or compatible CP reported error 733. This computer and the external computer didn't make an agreement about PPP driver protocols.

Click ACCEPT to make the connection as it is at this moment.

(I just translated this from Dutch to English.)

Then when I ping a computer on the internal interface of the firewall I get a good ping of around 6 ms per packet.

C:\>ping 192.168.1.5 (this is the computer behind the firewall)

But when I go to Start - RUN - \\192.168.1.5 then I get a message

\\192.168.1.5

Cannot find network name

When I ping another IP address (192.168.1.4 or 192.168.1.6) it says Time out and then it says that the firewall said that the host could not be found. And that is correct; at this moment there is only one computer on the internal network of the firewall.

So I can ping, but still cannot get onto the computer.


Sorry for the new message, but I cannot EDIT my previous message.

I just configured the DFL's VPN connection. Maybe I should explain how that goes too?!!

VPN -> PPTP: here I must set a Starting IP and an Ending IP and define a user group that may have access through the VPN.

In the user manual it says that the starting and ending IP are addresses that the DFL will give to the remote client that wants to access the VPN. I've set this to 192.168.1.200 - 192.168.1.209. Next I had to set these addresses in the firewall as external IPs and make a policy that these external addresses may access all internal IPs or some specific internal IPs.

Next I tried again to connect through the VPN from the external computer. Only thing that changed is that when I do Start-Run and \\192.168.1.5 I get a message:

\\192.168.1.5 :

Login error: the user does not have permission to use the requested login type for this computer.

Before it said that it couldn't find the network name. So now I guess I'm closer, or am I imagining it :unsure:

In the meantime I'll see what I can find about the error.

One more thing: the computer that is located "behind" the firewall is a Windows XP computer and its firewall is enabled. I'll try what happens when I shut it down. If this should solve the problem, what can I do to enable it and still make the whole thing work?
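The DHCP pool proposed earlier in the thread (192.168.1.1-192.168.1.254, gateway 192.168.1.99, mask 255.255.255.0) and the PPTP client pool just described (192.168.1.200-192.168.1.209) can be checked against each other before they are typed into the firewall. The script below is an added example, not code from the original posts or from D-Link; it uses only Python's standard library, the addresses quoted in the thread, and a constructed 10.0.0.0 network as a stand-in for the redacted school range with its 255.255.255.192 mask.

```python
"""Subnet and address-pool sanity checks for the NAT/route plan in this thread.
Added example, not part of the original posts; standard library only.
Addresses are the ones quoted in the thread; 10.0.0.0 is a constructed
stand-in for the (redacted) school range."""
import ipaddress


def describe(address_with_mask):
    """Network, broadcast and usable host count for 'addr/prefix' or 'addr/mask'."""
    net = ipaddress.ip_network(address_with_mask, strict=False)
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "prefix": net.prefixlen,
        "usable_hosts": net.num_addresses - 2,
    }


def pool_fits(start, end, network):
    """True if every address from start to end lies inside the network."""
    net = ipaddress.ip_network(network, strict=False)
    first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if first > last:
        raise ValueError("pool start is after pool end")
    # A contiguous range is inside a network iff both endpoints are.
    return first in net and last in net


def pools_overlap(a_start, a_end, b_start, b_end):
    """True if the two address ranges share at least one address."""
    a = (int(ipaddress.ip_address(a_start)), int(ipaddress.ip_address(a_end)))
    b = (int(ipaddress.ip_address(b_start)), int(ipaddress.ip_address(b_end)))
    return a[0] <= b[1] and b[0] <= a[1]


def check_plan(plan):
    """Check gateway, DHCP pool and VPN client pool against the internal subnet.
    Returns a list of findings; an empty list means nothing was flagged."""
    findings = []
    net = ipaddress.ip_network(f"{plan['gateway']}/{plan['netmask']}", strict=False)
    for name in ("dhcp", "vpn"):
        start, end = plan[name]
        if not pool_fits(start, end, str(net)):
            findings.append(f"{name} pool {start}-{end} is not inside {net}")
    gw = ipaddress.ip_address(plan["gateway"])
    if ipaddress.ip_address(plan["dhcp"][0]) <= gw <= ipaddress.ip_address(plan["dhcp"][1]):
        findings.append(f"gateway {gw} lies inside the DHCP pool; reserve it so it is never leased")
    if pools_overlap(*plan["dhcp"], *plan["vpn"]):
        findings.append("VPN client pool overlaps the DHCP pool; two hosts could end up with one address")
    return findings


# Values as posted in the thread for the firewall's internal side.
THREAD_PLAN = {
    "gateway": "192.168.1.99",
    "netmask": "255.255.255.0",
    "dhcp": ("192.168.1.1", "192.168.1.254"),
    "vpn": ("192.168.1.200", "192.168.1.209"),
}

if __name__ == "__main__":
    print(describe("10.0.0.0/255.255.255.192"))  # a /26 like the school's: 62 usable hosts
    for finding in check_plan(THREAD_PLAN):
        print("-", finding)
```

Run against the thread's values it flags two things: the gateway address sits inside the DHCP pool, and the PPTP client pool overlaps the DHCP pool, so clients dialling in could collide with leased addresses unless the firewall excludes that range.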


If you're using IPX/SPX (Novell) to control access to resources, this could be problematic when you VPN.

If it's just the Windows Firewall (if it works when the firewall is off), you can turn the firewall back on and create an exception for file and print sharing. Be aware that that allows a LOT of access through the firewall though.


I'm not a Novell guru, but I've worked with it a little. I'm pretty sure that you have to stay in contact with a Novell Server to access shares controlled by those Servers. Are you able to get a Novell Server that interacts with the School's Servers on your network behind the firewall somehow? This is pretty kludgy. A better solution should be engineered. Wanna fly me to Europe to help?


I would if I could :lol:

I'm out of ideas at the moment to get the connection from behind the firewall to the Novell and from outside the firewall to the inside. Why can I ping the inside, but can't get to the shared folders? Why does it work to get to the Novell when I'm in transparent mode, but not in NAT/ROUTE??

I hope you can get any further with all the data I sent you (PM) yesterday.

Best regards

Peter


Peter,

It sounds like the problem isn't with getting to an IP Address, it's with accessing a shared resource. If you have a resource protected by limiting access on a Novell network, the user accessing the protected resource must be authenticated to the server and his or her permission to access the resource has to be confirmed. That's the purpose of having a Network Operating System like Novell or Windows.

Let me try to explain. If you have a folder called UrgentStuff on a computer named StuffStorage which has an IP address of 192.168.1.51, your computer (the one you're using to try to access the share over the network) first tries to resolve the address and get to it over the network. Assuming that goes ok, StuffStorage will figure out whether the resource you're trying to access is shared or not. Once StuffStorage figures out that UrgentStuff is shared, it will make sure you have access to it by checking your credentials against a network login. These credentials are stored on a server. If you're VPN'ed in, depending on how your VPN is set up, this last step may fail. So, while you may be able to ping 192.168.1.51, that doesn't mean you'll be able to access shared resources on it.


I think I understand. The Novell server is not aware of the computer that is behind the firewall, so it cannot allow a connection between the two.

What if I try to solve it another way. I know that the firewall, in transparent mode, is able to block incoming traffic and still lets the computer log on to Novell and see the LaCie drives.

At first I made the firewall act like a DHCP server on its internal interface. What if I make the firewall, in NAT/ROUTE mode, behave like it was transparent? Internal computers can log on to Novell, etc... So this means that the subnets are the same.

If they are the same, and the computers are able to log on to Novell, the server will be aware of their existence. So maybe then I can VPN through the firewall.

I hope you understand my explanation and I hope it works; on Monday I will give it another go. If that doesn't work, I'll stick to the transparent mode, and then when we have to teach students, we'll make sure we have a USB data stick with us :lol:

If you might have another idea, your thoughts are welcome. I'll let you know how it went on Monday.

Peter


Here is the link to all documentation on the firewall.

http://www.dlink.com.au/tech/drivers/files...wall/dfl500.htm

And this is the link to the manual

http://www.dlink.com.au/products/routers/d...FL-500_0628.zip

I'd like to remind you that I have a higher firmware than the manual describes. But to know what the transparent mode is, this is not so important.

Peter


Peter,

I was asking how transparent mode is defined for my edification, not yours. :)

It looks like a pretty capable device. I do recommend NAT mode.

I'm going to bring some of what you sent in your PM into this thread as it seems relevant:

The network behind the firewall doesn't have its own Novell server

How do you control access to the LaCie drives and other resources in the network that's behind the firewall (your network) then?

I had to set up user accounts for VPN on the firewall.

That means the only authentication going on for incoming users is from the firewall itself.

I read something about a RADIUS server but I don't really understand what that means. Do I have to use my Novell as RADIUS server for the firewall?

RADIUS can run on many different platforms, but you'll want your RADIUS Server to have access to domain account information so you're not duplicating the work of administering users, or giving access to someone who should no longer have it. If you're still running IPX/SPX, I suspect you're running an old version of Novell (4.11 or earlier?). Here's a link for setting RADIUS up on a newer version from Novell's web site: http://www.novell.com/coolsolutions/tip/8019.html. Please do not attempt to do this yourself. If you decide to have a Novell and/or RADIUS Server on your subnet, it must be carefully coordinated with the school's network administrator.

VPN seems like a possible solution, but you have to work on how tunneled (VPN'ed) traffic will be given access to shared resources.
