The double firewall scenario is not uncommon. Usually people try to
avoid it, as it adds more points of failure, but sometimes you have to
go that way.

I am not aware whether the UTM can act as a transparent bridge. If it can,
I'd try to put it between the m0n0wall (then acting as the main
router) and the LAN. If the UTM fails, you can then simply bridge it.

If the UTM always does NAT (and then probably has its own DHCP
server), things are not quite that easy. If you use the m0n0wall as the
main router (as above), you cannot simply throw out the UTM in case of
a failure, because the LAN subnet will change (there will be a
different subnet between m0n0wall and UTM than in the LAN). Obviously,
if you can afford that in case of a failure all clients will have to
get new DHCP leases, that's okay. But you probably don't want that. So
in case of Double-NAT, I'd suggest that you use the UTM as the main
router and put the m0n0wall between it and the LAN. In case of a
failure, you will however not just need to swap a cable, but probably
also need to reconfigure the WAN interface of the m0n0wall (unless the
direct WAN connection is also done via DHCP). I'd suggest that, if you
need two separate configurations for "via UTM" and "direct connection",
you prepare them both (and test them) during a quiet weekend or so.

With Double-NAT, things can get tricky when you need to access your
LAN from the Internet. Either you always configure port forwarding in
both devices, or you supply a wide port forward range on one device and
the more specific NAT rules in the other. I do not recommend the
second approach, not only for security reasons, but also
because a wide port forward range can lead to issues. For example, the
typical Speedport (the standard German Telekom Modem/Router) will
experience intermittent DNS failures, because it will use a forwarded
port for its DNS requests.

Best regards, Klaus
> Hi dear list,
> I'm going to install a Sophos UTM. It has an integrated firewall, but I
> do not want to throw the m0n0wall out of the rack.
> The UTM's main purpose is scanning the traffic for viruses and trojans
> and managing the local installations of Sophos Endpoint Protection. I
> don't really need its firewall capabilities.
> Is there a possibility to design the network with some sort of
> redundancy? The m0n0wall box works without moving parts (Alix with CF
> card) so I think the UTM box will die before the m0n0wall box in the
> worst case. I hope both of them won't but if it is the case that the UTM
> has some sort of error I'd like to pop over a cable from the m0n0wall
> box to the switch to bridge the connection and can work with a system
> which has a firewall at least.
> Does someone have a similar scenario and can share some insights?
> As always any help is appreciated. :)
Klaus mailto:ks at stock dash consulting dot com
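Added example, not code from the thread or from either product: a small Python model of the two-hop port-forward chain the reply recommends for the Double-NAT layout (Internet -> UTM as outer NAT -> m0n0wall as inner NAT -> LAN). It traces an inbound connection through both NAT tables, shows how a forward that exists on only one device dead-ends, and flags a "wide range" forward that overlaps the outer router's own source ports (the failure mode behind the Speedport DNS problem). The addresses, ports and the ephemeral port range are constructed assumptions, not values from the page.

```python
"""Trace inbound port forwards through two chained NAT devices (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Forward:
    """One inbound port-forward (DNAT) rule on a router."""
    proto: str                          # "tcp" or "udp"
    first: int                          # first external port of the range
    last: int                           # last external port (== first for one port)
    target: str                         # inside address the traffic is sent to
    target_port: Optional[int] = None   # None: keep the external port unchanged

    def matches(self, proto: str, port: int) -> bool:
        return proto == self.proto and self.first <= port <= self.last

    def translate(self, port: int) -> int:
        # A range with an explicit target_port is mapped 1:1 from its start.
        if self.target_port is None:
            return port
        return self.target_port + (port - self.first)


Hop = Tuple[str, Optional[Tuple[str, int]]]


def apply_nat(rules: List[Forward], proto: str, port: int) -> Optional[Tuple[str, int]]:
    """First-match lookup, the way a NAT rule table is evaluated."""
    for rule in rules:
        if rule.matches(proto, port):
            return rule.target, rule.translate(port)
    return None


def trace(chain: List[Tuple[str, List[Forward]]], proto: str, port: int) -> List[Hop]:
    """Follow a connection arriving on the outer WAN port through each device.

    Each hop records (device, (next_host, next_port)); a device with no
    matching forward records None and the trace stops there (dead end).
    """
    hops: List[Hop] = []
    for name, rules in chain:
        hit = apply_nat(rules, proto, port)
        hops.append((name, hit))
        if hit is None:
            break
        _, port = hit   # the inner device sees the already-translated port
    return hops


def final_destination(chain, proto: str, port: int) -> Optional[Tuple[str, int]]:
    """(host, port) delivered into the LAN, or None if some device drops it."""
    return trace(chain, proto, port)[-1][1]


def overlapping_ephemeral(rules: List[Forward],
                          ephemeral: Tuple[int, int] = (49152, 65535)) -> List[Forward]:
    """Forwards whose external range overlaps the router's own source ports.

    Replies to the router's own outbound queries (e.g. DNS) arrive on such a
    port and get forwarded inward instead of answered. The ephemeral range is
    an assumed IANA default; the Speedport's real range is not on the page.
    """
    lo, hi = ephemeral
    return [r for r in rules if r.first <= hi and r.last >= lo]


# Constructed sample topology (all addresses assumed):
#   Internet -> UTM WAN | UTM LAN 192.168.1.1 -> m0n0wall WAN 192.168.1.2 | LAN 10.0.0.0/24
UTM_RULES = [
    Forward("tcp", 443, 443, "192.168.1.2"),                  # HTTPS to the m0n0wall WAN
    Forward("tcp", 2222, 2222, "192.168.1.2", target_port=22),  # SSH, remapped 2222 -> 22
]
MONOWALL_RULES = [
    Forward("tcp", 443, 443, "10.0.0.10"),                   # on to the LAN web server
    # no rule for tcp/22: the SSH forward was configured on the UTM only
]
CHAIN = [("utm", UTM_RULES), ("m0n0wall", MONOWALL_RULES)]

# The "wide range on one device, specific rules on the other" variant.
UTM_WIDE_RULES = [Forward("tcp", 1024, 65535, "192.168.1.2")]

if __name__ == "__main__":
    for port in (443, 2222):
        print(f"tcp/{port}:", trace(CHAIN, "tcp", port))
    print("wide-range overlap:", overlapping_ephemeral(UTM_WIDE_RULES))
```

The trace for tcp/443 reaches the LAN host because both devices carry the forward; tcp/2222 is translated by the UTM but dies on the m0n0wall, which is exactly the "configure it in both devices" point. The wide 1024-65535 range on the outer device is reported as overlapping the router's own source ports, while the two specific forwards are not.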