 From:  Joschka Blohm <admin at zpt dash muenster dot de>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Double firewall
 Date:  Sun, 23 Feb 2014 22:39:23 +0100
Hi Klaus,

thank you for pointing me to the transparent mode. That was what I was 
looking for.
The documentation on this feature is a bit, uhmm, scarce... I might have 
to tinker around with this.

Last but not least I do not have to kill the m0n0wall box. That's very 
important for me.



P.S.: I have no highly critical environment despite stating that I'd like 
to have some redundancy. I just do not want to be dependent on one 
single device.

On 23.02.2014 14:27, Klaus Stock wrote:
> Hi Joschka,
> the double firewall scenario is not uncommon. Usually people try to
> avoid it, as it adds more points of failure, but sometimes you have to
> go that way.
> I am not aware if the UTM can act as a transparent bridge. If it can,
> I'd try to put it between the m0n0wall (then acting as the main
> router) and the LAN. If the UTM fails, you can then simply bridge it
> manually.
> If the UTM always does NAT (and then probably has its own DHCP
> server), things are not quite that easy. If you use the m0n0wall as the
> main router (as above), you cannot simply throw out the UTM in case of
> a failure, because the LAN subnet will change (there will be a
> different subnet between m0n0wall and UTM than in the LAN). Obviously,
> if you can afford that in case of a failure all clients will have to
> get new DHCP leases, that's okay. But you probably don't want that. So
> in case of Double-NAT, I'd suggest that you use the UTM as the main
> router and put the m0n0wall between it and the LAN. In case of a
> failure, you will however not just need to swap a cable, but probably
> also need to reconfigure the WAN interface of the m0n0wall (unless the
> direct WAN connection is also done via DHCP). I'd suggest that, if you
> need two separate configurations for "via UTM" and "direct connection",
> you prepare them both (and test them) during a quiet weekend or so.
> With Double-NAT, things can get tricky when you need to access your
> LAN from the Internet. Either you configure port forwarding always in
> both devices, or you supply a wide port forward range on one device and
> the more specific NAT rules in the other. I do not recommend the
> second approach, not only because of security reasons, but also
> because a wide port forward range can lead to issues. For example, the
> typical Speedport (the standard German Telekom Modem/Router) will
> experience intermittent DNS failures, because it will use forwarded
> ports for DNS requests.
> Best regards, Klaus
>> Hi dear list,
>> I'm going to install a Sophos UTM. It has an integrated firewall, but I
>> do not want to throw the m0n0wall out of the rack.
>> The UTM's main purpose is scanning the traffic for viruses and trojans
>> and managing the local installations of Sophos Endpoint Protection. I
>> don't really need its firewall capabilities.
>> Is there a possibility to design the network with some sort of
>> redundancy? The m0n0wall box works without moving parts (Alix with CF
>> card) so I think the UTM box will die before the m0n0wall box in the
>> worst case. I hope both of them won't but if it is the case that the UTM
>> has some sort of error I'd like to pop over a cable from the m0n0wall
>> box to the switch to bridge the connection and can work with a system
>> which has a firewall at least.
>> Does someone have a similar scenario and can share some insights?
>> As always any help is appreciated. :)
>> Regards
>> Joschka

This e-mail and any attachments may contain confidential and/or 
privileged information. If you are not the intended recipient (or have 
received this e-mail in error) please notify the sender immediately and 
destroy this e-mail. Any unauthorized copying, disclosure or 
distribution of the material in this e-mail is strictly forbidden.
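Klaus's double-NAT advice above (forward each service on both devices, and avoid a wide catch-all range on one of them) can be checked mechanically. The script below is an added example, not code from the thread or from m0n0wall or Sophos: it models an outer router (the UTM) in front of an inner one (the m0n0wall), traces inbound connections through both NAT tables, and flags services that never reach their LAN host as well as forwards that are wide or overlap the ephemeral port range a router uses for its own outbound queries. All device names, addresses, ports, the "wide" threshold and the topology are constructed assumptions for illustration.

```python
"""Double-NAT port-forward consistency check (added example, constructed data).

Models an outer router in front of an inner router and traces inbound
connections through both NAT tables, so you can see whether a service reaches
its LAN host and whether any hop uses a risky wide range.
All addresses, ports and device names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple

# IANA dynamic/private port range (49152-65535). A router draws source ports
# for its own outbound traffic (DNS lookups, updates) from such a range, so an
# inbound forward that overlaps it can swallow the replies to those queries.
EPHEMERAL = (49152, 65535)
# Assumption for this example: any forward spanning more ports than this is "wide".
WIDE_RANGE_THRESHOLD = 100


@dataclass(frozen=True)
class Forward:
    """One port-forward rule: external ext_lo..ext_hi -> target_ip:target_lo.. (1:1)."""
    proto: str
    ext_lo: int
    ext_hi: int
    target_ip: str
    target_lo: int

    def apply(self, proto: str, port: int) -> Optional[Tuple[str, int]]:
        if proto != self.proto or not (self.ext_lo <= port <= self.ext_hi):
            return None
        return self.target_ip, self.target_lo + (port - self.ext_lo)


@dataclass(frozen=True)
class Hop:
    name: str
    wan_ip: str                    # address on which this hop receives forwarded traffic
    forwards: Tuple[Forward, ...]


def resolve(chain: Sequence[Hop], proto: str, port: int) -> Tuple[str, str, int]:
    """Trace a connection arriving at chain[0].wan_ip:port through the NAT hops.

    Returns ("delivered", ip, port) for the final destination, or
    ("dropped", hop_name, port) if a hop has no matching forward.
    """
    dst_ip, dst_port = chain[0].wan_ip, port
    for hop in chain:
        if dst_ip != hop.wan_ip:
            break                  # an earlier hop already forwarded to an end host
        nxt = None
        for rule in hop.forwards:  # first matching rule wins, like a real NAT table
            nxt = rule.apply(proto, dst_port)
            if nxt:
                break
        if nxt is None:
            return ("dropped", hop.name, dst_port)
        dst_ip, dst_port = nxt
    return ("delivered", dst_ip, dst_port)


def audit(chain: Sequence[Hop], expected: Sequence[Tuple[str, int, str, int]]) -> List[str]:
    """Report services that do not reach their intended host, plus wide/overlapping ranges."""
    problems = []
    for proto, port, want_ip, want_port in expected:
        got = resolve(chain, proto, port)
        if got != ("delivered", want_ip, want_port):
            problems.append(f"{proto}/{port}: expected {want_ip}:{want_port}, got {got}")
    for hop in chain:
        for r in hop.forwards:
            span = r.ext_hi - r.ext_lo + 1
            if span > WIDE_RANGE_THRESHOLD:
                problems.append(f"{hop.name}: wide {r.proto} forward {r.ext_lo}-{r.ext_hi} ({span} ports)")
            if r.ext_lo <= EPHEMERAL[1] and r.ext_hi >= EPHEMERAL[0]:
                problems.append(f"{hop.name}: {r.proto} forward {r.ext_lo}-{r.ext_hi} overlaps the ephemeral range")
    return problems


# Constructed topology: Internet -> utm (203.0.113.10) -> m0n0wall (192.168.1.2) -> LAN 10.0.0.0/24
INNER_WAN = "192.168.1.2"
EXPECTED = [
    ("tcp", 443, "10.0.0.10", 443),    # web server
    ("tcp", 8443, "10.0.0.10", 443),   # same server, port remapped on the outer hop
    ("tcp", 22, "10.0.0.20", 22),      # ssh jump host
    ("udp", 1194, "10.0.0.30", 1194),  # vpn
]


def specific_chain() -> List[Hop]:
    """Approach 1: every service is forwarded explicitly on both devices."""
    return [
        Hop("utm", "203.0.113.10", (
            Forward("tcp", 443, 443, INNER_WAN, 443),
            Forward("tcp", 8443, 8443, INNER_WAN, 443),
            Forward("tcp", 22, 22, INNER_WAN, 22),
            Forward("udp", 1194, 1194, INNER_WAN, 1194),
        )),
        Hop("m0n0wall", INNER_WAN, (
            Forward("tcp", 443, 443, "10.0.0.10", 443),
            Forward("tcp", 22, 22, "10.0.0.20", 22),
            Forward("udp", 1194, 1194, "10.0.0.30", 1194),
        )),
    ]


def wide_chain() -> List[Hop]:
    """Approach 2: outer hop forwards everything, inner hop holds the specific rules (ssh forgotten)."""
    return [
        Hop("utm", "203.0.113.10", (
            Forward("tcp", 1, 65535, INNER_WAN, 1),
            Forward("udp", 1, 65535, INNER_WAN, 1),
        )),
        Hop("m0n0wall", INNER_WAN, (
            Forward("tcp", 443, 443, "10.0.0.10", 443),
            Forward("udp", 1194, 1194, "10.0.0.30", 1194),
        )),
    ]


if __name__ == "__main__":
    for label, chain in (("specific", specific_chain()), ("wide", wide_chain())):
        print(label, audit(chain, EXPECTED) or "OK")
```

Running it shows the specific chain passing cleanly, while the wide chain reports the remapped 8443 and the forgotten ssh forward as dropped on the inner hop (the outer catch-all forwards them, but nothing on the m0n0wall picks them up) and flags both catch-all forwards as wide and as overlapping the ephemeral range.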