 From:  Klaus Stock <ks at stock dash consulting dot com>
 To:  Joschka Blohm <admin at zpt dash muenster dot de>
 Cc:  "m0n0wall at lists dot m0n0 dot ch" <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Double firewall
 Date:  Sun, 23 Feb 2014 14:27:05 +0100
Hi Joschka,

the double firewall scenario is not uncommon. Usually people try to 
avoid it, as it adds more points of failure, but sometimes you have to 
go that way.

I am not aware if the UTM can act as a transparent bridge. If it can, 
I'd try to put it between the m0n0wall (then acting as the main 
router) and the LAN. If the UTM fails, you can then simply bridge it 

If the UTM always does NAT (and then probably has its own DHCP 
server), this is not quite that easy. If you use the m0n0wall as the 
main router (as above), you cannot simply throw out the UTM in case of 
a failure, because the LAN subnet will change (there will be a 
different subnet between m0n0wall and UTM than in the LAN). Obviously, 
if you can afford that in case of a failure all clients will have to 
get new DHCP leases, that's okay. But you probably don't want that. So 
in case of Double-NAT, I'd suggest that you use the UTM as the main 
router and put the m0n0wall between it and the LAN. In case of a 
failure, you will however not just need to swap a cable, but probably 
also need to reconfigure the WAN interface of the m0n0wall (unless the 
direct WAN connection is also done via DHCP). I'd suggest that, if you 
need two separate configurations for "via UTM" and "direct connection", 
you prepare them both (and test them) during a quiet weekend or so.

With Double-NAT, things can get tricky when you need to access your 
LAN from the Internet. Either you configure port forwarding always in 
both devices, or you supply a wide port forward range in one device and 
the more specific NAT rules in the other. I do not recommend the 
second approach, not only because of security reasons, but also 
because a wide port forward range can lead to issues. For example, the 
typical Speedport (the standard German Telekom Modem/Router) will 
experience intermittent DNS failures, because it will use a forwarded 
port for DNS requests.

Best regards, Klaus

> Hi dear list,

> I'm going to install a Sophos UTM. It has an integrated firewall, but I
> do not want to throw the m0n0wall out of the rack.
> The UTM's main purpose is scanning the traffic for viruses and trojans
> and managing the local installations of Sophos Endpoint Protection. I 
> don't really need its firewall capabilities.
> Is there a possibility to design the network with some sort of 
> redundancy? The m0n0wall box works without moving parts (Alix with CF 
> card) so I think the UTM box will die before the m0n0wall box in the 
> worst case. I hope both of them won't, but if it is the case that the UTM
> has some sort of error I'd like to pop over a cable from the m0n0wall 
> box to the switch to bridge the connection and can work with a system 
> which has a firewall at least.

> Does someone have a similar scenario and can share some insights?
> As always any help is appreciated. :)

> Regards

> Joschka


Best regards,
 Klaus                            mailto:ks at stock dash consulting dot com
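The two port-forwarding options Klaus describes (the same specific rules on both devices, versus one wide range on the outer device and specifics on the inner one) can be checked mechanically before anything is typed into a router. The script below is an added example written for this thread; it is not m0n0wall or Sophos code, and every address, port and rule in it is a constructed placeholder. It models two chained first-match DNAT tables and reports, for a list of services the admin intends to publish, which ports never reach their LAN host ("broken") and which ports the outer device hands to the inner router without any intended service behind them ("stray", the over-exposure a wide range creates).

```python
"""Double-NAT port-forward audit.

Added example for the thread above, not m0n0wall or Sophos code.
Models two chained DNAT devices (outer router on the Internet side, inner
router in front of the LAN) and checks what actually reaches the LAN.
All addresses, ports and rules below are constructed placeholders.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Forward:
    """One inbound DNAT rule on a device: ports lo..hi arriving on the
    device's WAN side are forwarded, port unchanged, to `target` behind it."""
    lo: int
    hi: int
    target: str

    def matches(self, port: int) -> bool:
        return self.lo <= port <= self.hi


def first_match(rules: list[Forward], port: int) -> Optional[Forward]:
    """First-match semantics, as on most routers and firewalls."""
    return next((r for r in rules if r.matches(port)), None)


def resolve(outer: list[Forward], inner: list[Forward],
            inner_wan_ip: str, port: int) -> Optional[str]:
    """LAN host an Internet connection to `port` finally reaches, or None if
    either device drops it. The outer rule must point at the inner router's
    WAN address for the chain to continue to the second table."""
    hop1 = first_match(outer, port)
    if hop1 is None or hop1.target != inner_wan_ip:
        return None
    hop2 = first_match(inner, port)
    return hop2.target if hop2 else None


def audit(outer: list[Forward], inner: list[Forward], inner_wan_ip: str,
          intended: dict[int, str]) -> dict[str, list[int]]:
    """Compare the effective chain against the services the admin means to publish.

    broken : intended ports that do not end up at the intended LAN host
             (a rule is missing or mismatched on one of the two devices)
    stray  : ports the outer device hands to the inner router although no
             intended service uses them; with a wide range these land on the
             inner router's own WAN interface, which is the exposure
    """
    broken = sorted(p for p, host in intended.items()
                    if resolve(outer, inner, inner_wan_ip, p) != host)
    stray: set[int] = set()
    for rule in outer:
        if rule.target == inner_wan_ip:
            stray.update(p for p in range(rule.lo, rule.hi + 1) if p not in intended)
    return {"broken": broken, "stray": sorted(stray)}


# Constructed topology:
#   Internet -> outer router (UTM) -> 192.168.100.0/24 -> inner router (m0n0wall) -> 10.0.0.0/24
INNER_WAN = "192.168.100.2"
INTENDED = {443: "10.0.0.10", 2222: "10.0.0.20"}   # HTTPS server, SSH jump host
INNER_RULES = [Forward(443, 443, "10.0.0.10"), Forward(2222, 2222, "10.0.0.20")]

# Option 1 from the post: the same specific rules on both devices.
SPECIFIC_OUTER = [Forward(443, 443, INNER_WAN), Forward(2222, 2222, INNER_WAN)]
# Option 2 from the post: one wide range on the outer device, specifics only inside.
WIDE_OUTER = [Forward(1024, 65535, INNER_WAN)]


def compare_options() -> dict[str, dict[str, int]]:
    """Summarise both designs: count of broken intended ports and of stray ports."""
    out = {}
    for name, outer in (("specific", SPECIFIC_OUTER), ("wide", WIDE_OUTER)):
        r = audit(outer, INNER_RULES, INNER_WAN, INTENDED)
        out[name] = {"broken": len(r["broken"]), "stray": len(r["stray"])}
    return out


if __name__ == "__main__":
    for name, summary in compare_options().items():
        print(f"{name:9s} broken={summary['broken']} stray={summary['stray']}")
```

With the constructed rules, the specific design reaches both services and exposes nothing else, while the wide 1024-65535 range silently loses port 443 (it sits below the range) and pushes tens of thousands of unused ports onto the inner router's WAN interface. Replacing the placeholder rule lists with the real ones from both devices turns this into a quick pre-change check for the "configure both devices" approach recommended in the post.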