Firewall in network


pthomass

I really don't understand it anymore. I tried to set it in NAT mode all over again and made sure that the internal and external interface were on the same subnet. The internal interface was set on 172.17.120.x and DHCP enabled. And I made some more changes like DNS servers and firewall policies.

All of a sudden I was able to see the Novell server and enter its shares. But the next day that didn't work anymore. No changes were made.

How do you control access to the LaCie drives and other resources in the network that's behind the firewall (your network) then?

As I'm testing it only on my computer, my computer is the only device behind the firewall.

So in general, the computers behind the firewall need to log on to the Novell server, and this is external. External computers that want to VPN into the internal network need to use a username and password to pass the firewall. These accounts are set in the firewall.


Pthomas,

In NAT mode, the inside and outside interface addresses should not be in the same subnet range. Please see page 19 of your user manual and note that the mask is 255.255.255.0 for both subnets, and the IPs assigned are 192.168.1.x and 192.168.100.x, making them different subnets.

I have no idea how it could possibly have worked with them being in the same subnet. That should only occur if you're using transparent mode.


I meant that the internal and external had 255.255.255.192 as netmask, but the external and internal IPs were different, e.g. 172.17.120.x and 193.xxx.xxx.xxx

Maybe it is best to follow the example and make the netmask the same but the IP 192.168.1.x and 192.168.100.x, but then with our IPs ???


The external IP has to be on the same subnet (the one we deleted for security reasons) as the School's network. It must be a valid IP on that subnet, and must not conflict with any other IP on that network. Unless you know for sure that you have a valid static IP to assign to it, use DHCP. The inside IP can be any private address range you choose.

10.0.0.0 - 10.255.255.255 (10/8 prefix) I recommend 255.255.255.0 mask

172.16.0.0 - 172.31.255.255 (172.16/12 prefix) I recommend 255.255.255.0

192.168.0.0 - 192.168.255.255 (192.168/16 prefix) 255.255.255.0

Back to the larger question at hand... How to best control access to your resources. Is it possible for you to keep everything on the School's network and control access using the Novell Servers? I see a bit of a conundrum in using a firewall and VPN for your situation. If you restrict access to your subnet using a firewall, how will you authenticate users on that subnet since there is no server?

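The subnet rule from this post and the earlier reply (NAT mode needs the inside and outside interfaces on distinct subnets, and the inside side should use one of the private ranges listed above) can be checked mechanically. This is an added example, not code from the thread or from the firewall vendor; the addresses in the usage block are constructed, with 198.51.100.7 standing in for the school's deleted public address.

```python
import ipaddress

# The three RFC 1918 private ranges listed in the post above.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_private(addr: str) -> bool:
    """True if addr falls inside one of the RFC 1918 ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def check_nat_layout(inside_ip: str, inside_mask: str,
                     outside_ip: str, outside_mask: str) -> list:
    """Return a list of findings for a NAT-mode inside/outside pair.

    Masks are given in dotted form (e.g. 255.255.255.192), as in the thread.
    An empty list means the layout satisfies the rules discussed above.
    """
    findings = []
    inside = ipaddress.ip_interface(f"{inside_ip}/{inside_mask}")
    outside = ipaddress.ip_interface(f"{outside_ip}/{outside_mask}")

    # NAT mode routes between two networks; they must not overlap.
    if inside.network.overlaps(outside.network):
        findings.append("inside and outside subnets overlap; "
                        "NAT mode needs distinct subnets")

    # The inside side should be private address space.
    if not is_private(inside_ip):
        findings.append("inside address is not in an RFC 1918 private range")

    # Neither interface may sit on its network or broadcast address.
    for name, iface in (("inside", inside), ("outside", outside)):
        net = iface.network
        if iface.ip in (net.network_address, net.broadcast_address):
            findings.append(f"{name} address is not a usable host address")
    return findings


if __name__ == "__main__":
    # Constructed cases: the manual's example, and both interfaces on one /26.
    print(check_nat_layout("192.168.1.1", "255.255.255.0",
                           "198.51.100.7", "255.255.255.0"))
    print(check_nat_layout("172.17.120.1", "255.255.255.192",
                           "172.17.120.10", "255.255.255.192"))
```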

It's like this. Our project leader is concerned that students can get on our network and access the LaCie drives. I said a thousand times that they can't because they need a password and username. But he still wants to use a firewall.

If you restrict access to your subnet using a firewall, how will you authenticate users on that subnet since there is no server?

When in transparent mode, the computers are able to log on to Novell even though it is externally located. So it must be able to do this in NAT. As I mentioned before, I was able to do this but the next day it didn't work anymore. Still trying to figure that out.

When this works, we can authenticate users.


When in transparent mode, the computers are able to log on to Novell even though it is externally located. So it must be able to do this in NAT.

That is not a true statement Peter. As I explained in my PM to you, using the firewall in transparent mode gives all interfaces the ability to be on the same subnet. The firewall is no longer routing, just filtering traffic. Unless you're an expert at setting up firewall rules (possibly even if you are), I feel that it would be a very ineffective way to control access.

Having all on the same subnet is what gave you the ability to get to the Novell servers. I don't know how it could possibly have worked in NAT mode, unless you allowed traffic which is required for Novell authentication through.

Despite your project lead's concerns, I feel that controlling access using Novell logins is your most effective protection for the data. If he wants you to get your own Novell Server, and to have you become a Novell/Network Administrator, and to have you work closely with the existing Network Administrator on the School Network to try to get this to work, then you can carry on with the firewall.

In order for authentication to occur through the firewall, it is my opinion that you'd be opening your firewall pretty wide and defeating its purpose. It will also be a lot of work! I'll do the best I can to help, if you choose to utilize the firewall option. I have only limited knowledge of Novell, and I don't know what protocols and ports you'd have to allow through the firewall though.

Ted
