Setting up 4 firewalls behind a switch and router

[hillmanjohn2]

Hi all,

This is my first time doing this setup although I am not a newbie to networking. I am wondering because for my job I will need to remote into the management console of FortiGate, SonicWALL, Palo Alto, and WatchGuard firewalls to show customers I talk to and go through demos. So basically I want this setup and am not sure if I need to get a static IP from my ISP or if I can use the router and switch setup to assign static IPs on the backend in my network.

Setup

Internet (Comcast residential) - ZyXEL BRG‑35503 - WRT54G (this is what I have right now but may upgrade to business class) - HP Procurve 1700 8 port managed switch - each firewall.

Any suggestions would be great and please let me know if you need more info.

Thanks!

John

 

[sdifox]

I am confused. How are you going to show your customers the web interfaces of the firewalls?

 

[hillmanjohn2]

I am confused. How are you going to show your customers the web interfaces of the firewalls?

By remoting in. So for the FortiGate I have it setup as a ddns web login. For the SonicWall I can setup a web login also. Basically I want to have all 4 on my network and to be able to have them access the internet.

Not sure if I am going about this the correct way...

Let me know if that makes sense.

Thanks!

 

[sdifox]

Why are you hosting work stuff at home?

are you saying the cust9mer is going to look over your shoulder while you open a remote control session to your machine at home?

 

[hillmanjohn2]

Why are you hosting work stuff at home?

It's not company owned devices. I sell network security and want to be able to go through the setup and mgmt console with customer when I am on webexs with them. Its purely my choice and the vendors give me the products to use at home.

 

[hillmanjohn2]

Why are you hosting work stuff at home?

are you saying the cust9mer is going to look over your shoulder while you open a remote control session to your machine at home?

Sort of. I will have them on a webex and be sharing my screen so that they can see what I see when I log in.

 

[sdifox]

Stack virtual ips on the switch's uplink so your firewalls are on different subnet.
then just use your pc as remote host and manage each of the firewalls from there. Remote into pc, done.

 

[hillmanjohn2]

Stack virtual ips on the switch's uplink so your firewalls are on different subnet.
then just use your pc as remote host and manage each of the firewalls from there. Remote into pc, done.

Sweet! Thanks! So I dont actually need to get a static ip from my ISP and setup VLANS then? Sorry if I sound dumb... I am used to managing firewalls but not switches and routers... Right now I use my FortiGate as a router/firewall.

 

[sdifox]

Sweet! Thanks! So I dont actually need to get a static ip from my ISP and setup VLANS then? Sorry if I sound dumb... I am used to managing firewalls but not switches and routers... Right now I use my FortiGate as a router/firewall.

I guess you can setup the virtual ips in FortiGate and have it route properly. All setup is internal so no you dont really need static ip as long as you can remote to your pc.

 

[hillmanjohn2]

I guess you can setup the virtual ips in FortiGate and have it route properly. All setup is internal so no you dont really need static ip as long as you can remote to your pc.

Awesome! Thank you for the advice!!!

 

[sdifox]

I would have preferred to setup virtual ip stacki g on the router but I dont think your router does that. Which means you are going to have to run three firewallsbehind the main one. Not ideal.

 

[hillmanjohn2]

I would have preferred to setup virtual ip stacki g on the router but I dont think your router does that. Which means you are going to have to run three firewallsbehind the main one. Not ideal.

I have no problem getting a different router. Do you have one you could recommend? I am looking on ebay for less costly business class routers and they arent overly expensive.

 

[sdifox]

I have no problem getting a different router. Do you have one you could recommend? I am looking on ebay for less costly business class routers and they arent overly expensive.

Pfsense vm :awe:

 

[dave_the_nerd]

Use a VPN server on your router w/ DDNS, then you're "at home" and can hit the web-admin pages for the firewalls. There are custom firmwares like ddwrt or Tomato that can do this, or you can use pfsense, or you can just use a router that supports it out of the box like some of the higher-end enthusiast-class routers.

Install each firewall as a separate node on your network - not in between anything and anything else. If they have a separate LAN port for management, use that port.

If you need to generate load/traffic across each firewall, there are plenty of 4-port NICs and VMware whitebox articles/blog posts out there. You know what to do from there.

 

[hillmanjohn2]

Use a VPN server on your router w/ DDNS, then you're "at home" and can hit the web-admin pages for the firewalls. There are custom firmwares like ddwrt or Tomato that can do this, or you can use pfsense, or you can just use a router that supports it out of the box like some of the higher-end enthusiast-class routers.

Install each firewall as a separate node on your network - not in between anything and anything else. If they have a separate LAN port for management, use that port.

If you need to generate load/traffic across each firewall, there are plenty of 4-port NICs and VMware whitebox articles/blog posts out there. You know what to do from there.

Ok so this is the setup so far.

Cable Modem - WRT54G with Tomato FW - HP Procurve 1700-8 - FortiGate 30D on port 2 and SonicWALL TZ300 on port 3.

So how do I setup so that the FG and TZ can both have internet access? I haven't configured anything on the HP Procurve yet. Right now I am getting internet access from the TZ but not the FG.


Thanks!!

 

[sdifox]

Does tomatoe support vlan and virtual ip? And are the firewalls all connected to the router directly?

 

[hillmanjohn2]

No the router does it support either and I don't have anything connected at the moment. The HP Procurve 1700-8 supports both though so I was going to try hooking the switch into the router and then the firewalls into the switch.

Thanks for the help!

 

[sdifox]

No the router does it support either and I don't have anything connected at the moment. The HP Procurve 1700-8 supports both though so I was going to try hooking the switch into the router and then the firewalls into the switch.

Thanks for the help!

Then you just need to vlan and route properly. Remote into your pc through teamviewer or something then connect to the different firewalls that way.