
RFC1918 FW hosts internet connectivity?

Dooling37

Senior member
Hi all,
(I've posted a few topics along these lines since I started building out my home network a few months ago... it's almost complete, but I'm stumped yet again)

Basically, I want to know if I can connect a firewall (PIX 506E) to a switch (which is uplinked to my home cable modem), manually assign its external interface an RFC1918 address, and have the host(s) behind it still connect outbound to the Internet. The reason I need to assign its external interface a private address is that I need to save my single external/public IP address, from my cable provider, for the wireless router, which serves the rest of my internal network (which is off another port on the switch).

Roughly:
ISP/Internet
|
Cable modem
|
Switch -- RFC1918-address Firewall -- protected host(s)
|
(external/public IP)
Wireless router
| | | |
Internal systems

Does this make sense?
Should I set the firewall's external interface default route to the ISP's gateway as identified by the cable modem? Or would it be possible to route its traffic through the wireless router (although this precludes the option of putting the FW & wireless router on separate VLANs, which was the original intention)?


Thanks much for your input...
 
From my understanding... you should put the external IP on the PIX and then you could plug your wireless router (with a private IP) into one of the ports on the PIX and a switch for your protected hosts on a different port on the PIX. This sound about right? Correct me if I'm thinking through this wrong.
 
From what I'm getting at the diagram - no. If the provider is giving you a single public address then that's all you have to work with. Best to let the 506e handle everything...it sounds like you're trying to do a very typical 3 arm firewall (one external interface/IP, one internal/IP, one DMZ) which is easy to do. I believe the 506 can do trunking to provide what you need.

But to the original question - no.
 
Thank you both for the responses. Unfortunately, the 506E only has two interfaces, so I can't put the protected hosts and normal internal network both behind it. (since I want to keep them separated) Ideally I would have thought of this situation before buying the FW & purchased a 3-homed system, but (for the time-being, at least), I'm stuck with this dual-interface solution.

Unfortunately it sounds like it's not going to work the way I'd hoped..
 
Regardless of the exact configuration you use, the device connected directly to the cable modem needs to be given the ISP's IP, DNS and Gateway information or it won't be able to communicate with the ISP's network, and therefore nothing attached to it will be able to access the Internet.

Leave everything physically wired according to your diagram, but give the 506E the ISP's external IP address and set it up as a DHCP server with a private IP address range. Connect the wireless router's WAN/Internet port to one port on the switch and let it serve as a DHCP server with a different address range than the 506E for our "internal" systems. Connect your "Internet" machines directly through the other ports on the switch and let them get IP addresses directly from the 506E. It's not quite the same as truly isolating them from each other the way Spidey mentioned but it will still keep the internal and Internet machines from interacting with each other.

 
Originally posted by: Fardringle
Leave everything physically wired according to your diagram, but give the 506E the ISP's external IP address and set it up as a DHCP server with a private IP address range. Connect the wireless router's WAN/Internet port to one port on the switch and let it serve as a DHCP server with a different address range than the 506E for our "internal" systems. Connect your "Internet" machines directly through the other ports on the switch and let them get IP addresses directly from the 506E.

I kind of follow your suggestion, except... will it be possible for both the hosts behind the firewall, and the hosts behind the wireless router to then access the Internet? i.e., can both the FW external interface and the wireless router external interface be assigned internal addresses, and as long as they are given the ISP's gateway/DNS information, all hosts behind them will be able to connect?

so, roughly:
ISP/Internet
|
Cable modem
|
external/public-addressed Switch -- RFC1918-addressed Firewall -- protected host(s)
|
RFC1918-addressed Wireless router
| | | |
Internal systems


Thank you very much..
 
Yes, Dooling. As long as the wireless router gets valid IP/DNS info from the 506E, any clients attached to it will be able to access the Internet as well.
 
I'm not sure I got it right, as I find your description a wee bit cryptic 🙂.. But wouldn't you have to split up the switch in different vlans for this to work? Otherwise you'd have 2 dhcp servers giving addresses in two different scopes on the same vlan.. Kinda messy..

The 506E.. Can't that run with subinterfaces with vlan tagging (old school PIX "trunk")
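An added example, not posted by anyone in this thread: a PIX 6.3-style configuration sketch of the layout Fardringle and rathsach describe (the ISP's public IP on the 506E, the wireless router's WAN side and the protected hosts in two private zones split by an 802.1Q logical VLAN interface on the single inside port, everything PAT'd behind the one public address). The interface names, the VLAN ID, the 203.0.113.x/192.168.x addresses and the DNS/gateway values are assumed placeholders; verify the exact syntax against the software version actually running on the 506E.

```cisco
! ethernet0 faces the cable modem; ethernet1 is a tagged trunk to the switch.
! Untagged traffic on ethernet1 is the wireless router's WAN side ("inside"),
! tagged VLAN 10 (assumed ID) carries the hosts the OP wants isolated.
interface ethernet0 auto
interface ethernet1 100full
interface ethernet1 vlan10 logical
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif vlan10 protected security50
! Placeholder public address from the ISP; the gateway is what the cable
! modem reports as the ISP's next hop.
ip address outside 203.0.113.10 255.255.255.0
ip address inside 192.168.10.1 255.255.255.0
ip address protected 192.168.20.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
! PAT both private zones behind the single public address.
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
nat (protected) 1 0.0.0.0 0.0.0.0 0 0
! security50 already stops the protected zone from initiating to inside;
! this ACL makes the isolation mutual by stopping inside -> protected too.
access-list inside_in deny ip any 192.168.20.0 255.255.255.0
access-list inside_in permit ip any any
access-group inside_in in interface inside
! The 506E hands out addresses only on the protected zone (placeholder DNS);
! the wireless router keeps a static WAN address (e.g. 192.168.10.2, gateway
! 192.168.10.1) and runs its own DHCP scope for the internal systems, so the
! two scopes never share a broadcast domain.
dhcpd address 192.168.20.10-192.168.20.50 protected
dhcpd dns 203.0.113.2
dhcpd lease 3600
dhcpd enable protected
```

The switch port toward ethernet1 must be configured as a trunk carrying VLAN 10 tagged, with the wireless router's WAN port and the protected hosts on separate access ports, or the two zones collapse back into one segment.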
 
Thank you all for the responses -- I'm trying to set this up this week.

rathsach -- yes, I think I will need to set up separate VLANs for the Pix & WAP. I don't think this should cause any problems for my plan..
 
I have something similar set up, I set up a "nested" network, with two (really three) routers.

My main Verizon-supplied Westell DSL modem and wireless router combo is connected to my ISP, and hands out IPs on the wireless and wired ports, DHCP server set to hand out 192.168.1.200-250 addresses, and then I have my Netgear wireless-N router's WAN port plugged into a switch port on the Westell. Netgear is configured with a static WAN IP of 192.168.1.2, LAN IP of 192.168.2.1, and hands out IPs on the wireless and wired ports in the range of 192.168.2.x. I have a gigabit switch plugged into the lan ports of the Netgear, and I have my wired PCs plugged into the gigabit switch.

I also have another Netgear N router, set up as a WDS node, with a static LAN IP of 192.168.2.2, and WAN disabled. All PCs can access the internet, but PCs connected to the wireless part of the Westell router CANNOT access the rest of my machines on the private 192.168.2.x LAN.
 