This document describes a way to integrate a LANCOM R&S® Unified Firewall into an existing network that uses a LANCOM router as the gateway.
Info
Please note that this scenario is not supported by the LANCOM Management Cloud. A Unified Firewall can only be integrated into the LMC in standalone mode or in series connection.
Note
When using an IPv4/IPv6 dual-stack Internet connection on the LANCOM router and propagating the public IPv6 prefix in the LAN, IPv6 communication is not routed via the Unified Firewall. Instead, network members communicate with the Internet directly via IPv6.
This document assumes a simple network scenario where a LANCOM router operates as a central gateway for the internal network services (e.g. DHCP) and also provides Internet access.
The Internet connection is implemented using the xDSL modem integrated in the LANCOM router or via the WAN interface (for devices without a modem).
The local network (IP address range 192.168.1.0/24) is connected via the Ethernet interface ETH-1 to a LANCOM switch, to which the local network components (PCs, notebooks, servers, etc.) are connected.
The other Ethernet interfaces of the LANCOM router (e.g. ETH-2 to ETH-4) are also set up for the local network (default setting).
This network scenario is to be extended with an additional component, a LANCOM R&S® Unified Firewall, with the least possible configuration effort.
Target situation:
This way of integrating the Unified Firewall is also referred to as a Layer-3 loop.
The firewall is connected to two Ethernet ports on the LANCOM router (in this case ETH-2 and ETH-4) and via an additional “transfer” network, which has to be configured on the LANCOM router.
We will use the default networks that are configured on the Unified Firewall in its factory default settings:
eth1: 192.168.1.0/24
eth0: 192.168.0.0/24
Since the existing local network provided by the LANCOM router already has the IP address range 192.168.1.0/24, connecting the firewall port eth1 to the LANCOM Ethernet port ETH-2 means that the Unified Firewall is available to the local network under the address https://192.168.1.254:3438.
Procedure:
1) Connect the Unified Firewall to the LANCOM router:
1.1) Connect the LANCOM router and the Unified Firewall using Ethernet cables as shown in the illustration under “Target situation”:
LANCOM port ETH-2 ↔ Unified Firewall port eth1
LANCOM port ETH-4 ↔ Unified Firewall port eth0
1.2) Power up the Unified Firewall and wait a moment.
1.3) Check that you can reach the Unified Firewall on the local network at the IP address 192.168.1.254 (e.g. via ping).
1.4) Open the configuration interface of the Unified Firewall in a browser with the URL https://192.168.1.254:3438.
1.5) Carry out the basic configuration of the Unified Firewall. The procedure is described in Chapter 2, “Getting Started”, of the Unified Firewall User Manual.
2) First configuration steps on the LANCOM router:
2.1) In LANconfig, open the configuration dialog for the LANCOM router and switch to the menu item IPv4 → General → IP networks.
2.2) Open the configuration of the existing network INTRANET by clicking Edit.
2.3) Change the interface tag from 0 to 1.
2.4) Add a new IP network and configure the following parameters:
Enter a descriptive name.
Set the IP address and netmask to 192.168.0.1 and 255.255.255.0, respectively.
This is the IP address of the LANCOM router in the transfer network, which is connected to the port eth0 on the Unified Firewall.
Set the logical interface assignment to LAN-2.
Set the Interface tag to the value 2.
2.5) Click OK to accept the values and then navigate to the menu Interfaces → LAN → Ethernet ports → ETH 4.
Since the LANCOM Ethernet port ETH-4 is connected to the Unified Firewall port eth0, which serves the local network 192.168.0.0/24, the LANCOM Ethernet port ETH-4 must also carry the same IP network.
You achieve this by setting the interface used for the logical network to LAN-2.
2.6) The configuration of the LAN interfaces in the LANCOM router should then appear as follows.
2.7) Write the configuration back to the LANCOM router.
Info
The Unified Firewall is not yet fully integrated into the network. All Internet traffic still bypasses the Unified Firewall without inspection.
This is changed in the final step 4 by modifying the routes in the LANCOM router.
3) Configuration steps on the Unified Firewall:
3.1) Basic network configuration:
3.1.1) Log in to the configuration interface of the Unified Firewall with administrator rights.
3.1.2) Navigate to the menu Network → Network connections and edit the default network for the Ethernet interface eth0.
Enter a descriptive name for this network. From the perspective of the Unified Firewall, this network is on the WAN side, so we’ve given it the name WAN_LANCOM.
Set the Default Gateway to the IP address of the LANCOM router in this network. In this example it is 192.168.0.1/24 (see step 2.4).
Save the changes.
3.1.3) Edit the default network for the Ethernet interface eth1.
Enter a descriptive name for this network. From the perspective of the Unified Firewall, this network is on the LAN side, so we’ve given it the name LAN_LANCOM.
Save the changes.
3.1.4) Because the other two default networks (eth2 and eth3) are not required, you can delete them from the configuration.
3.2) Configuring the packet filter in the Unified Firewall:
3.2.1) Setting up the packet filter configures the basic functionality of the Unified Firewall.
The first thing to do is to create an Internet object using the desktop objects toolbar:
Give the new Internet object a descriptive name.
To set the connection, use the “+” symbol in the blue circle and select the WAN_LANCOM connection created in step 3.1.2.
Then create the Internet object.
3.2.2) In the next step, add a network to the configuration by means of the desktop objects toolbar.
Give the new network object a descriptive name.
Since the LAN represents the local network 192.168.1.0/24 from the perspective of the firewall, select the Ethernet interface eth1 and enter the IP address range in the field Network IP.
Then create the network object.
3.2.3) On the desktop of the firewall configuration, click on the LAN network object and select the Link icon.
3.2.4) Click on the Internet object you created (a blue dashed line is drawn between the two objects).
3.2.5) In the Connection dialog, you can add one of the services from the selection list on the right-hand side by clicking on the “+” character in front of the service.
If you wish to add complete groups of services, click on the “+” character in front of the respective service group (e.g. “Internet”).
In this configuration example, the Unified Firewall should allow outgoing communication using the protocols ICMP, SSH, HTTP and HTTPS to the Internet.
3.2.6) When you are ready, create the new connection rule.
3.2.7) To put the configuration into effect, go to the menu bar and click the button Activate.
Although the Internet connection of the Unified Firewall is now set up, the status of the connection “WAN_LANCOM” in the menu Network → Connections → Network Connections will still be displayed as RED.
Running a traceroute to the IP address 8.8.8.8 (tracert 8.8.8.8) from a network PC shows that the data does not flow through the Unified Firewall; instead, the LANCOM router forwards the connection directly to the Internet. We will change this with the configuration steps in step 4.
4) Final configuration steps on the LANCOM router:
With these final configuration steps, the Unified Firewall is integrated into the network so that all Internet traffic flows through the firewall and is regulated by it.
4.1) In LANconfig, open the configuration dialog for the LANCOM router and switch to the menu item IP router → Routing → IPv4 routing table.
4.2) Open the configuration of the existing default route by clicking Edit.
4.3) Change the routing tag from 0 to 2.
4.4) Add a new route and configure the following parameters:
Assign the IP address 255.255.255.255 and the netmask 0.0.0.0.
Set the Interface tag to the value 1.
Enable the route.
In the Router field, enter the IP address of the Unified Firewall at which it can be reached from the local network 192.168.1.0/24. In this example it is the address 192.168.1.254 (see steps 1.3 and 1.4).
Switch IP masquerading off for this route.
4.5) The configuration of the two default routes should then look like this.
4.6) Write the configuration back to the LANCOM router. All Internet traffic now passes through the Unified Firewall.
You can test this from the command-line interface on a network PC, for example, by executing a trace route to the public IP address 8.8.8.8 (tracert 8.8.8.8).
In the configuration of the Unified Firewall, the network connection WAN_LANCOM will now be displayed as active (green).
Tip: If you need to remove the Unified Firewall from the communication path and direct all Internet traffic exclusively via the LANCOM router again, all you have to do in this scenario is to disable the default route to the Unified Firewall and reconfigure the original default route back to routing tag 0 (see the figure below).
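The tag-based route selection that steps 4.3 and 4.4 rely on, and that the tip above reverses, modelled as an added Python example (not part of the LANCOM article and not LANCOM code). It assumes simplified Advanced Routing and Forwarding semantics (a packet first uses routes whose routing tag equals its source network's interface tag, then tag-0 routes) and an assumed address of 192.168.0.254 for the firewall's eth0, which the article does not give.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Network:
    name: str
    prefix: ipaddress.IPv4Network
    tag: int                       # interface tag from IPv4 > General > IP networks

@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # 0.0.0.0/0 is LANconfig's 255.255.255.255 / 0.0.0.0
    tag: int                       # routing tag of the table entry
    next_hop: str                  # "INTERNET" stands for the router's own WAN/xDSL uplink
    masquerade: bool = True

FIREWALL_LAN_IP = "192.168.1.254"   # Unified Firewall eth1 (from the article)
FIREWALL_WAN_IP = "192.168.0.254"   # assumed eth0 address of the firewall (not in the article)
DEFAULT = ipaddress.ip_network("0.0.0.0/0")
NETWORKS = [
    Network("INTRANET", ipaddress.ip_network("192.168.1.0/24"), 1),  # step 2.3
    Network("TRANSFER", ipaddress.ip_network("192.168.0.0/24"), 2),  # step 2.4
]
# Routing table after step 2.7 (and again after applying the tip): one untagged default route
ROUTES_BEFORE_STEP4 = [Route(DEFAULT, 0, "INTERNET")]
# Routing table after step 4.5: uplink only for the transfer network, LAN sent to the firewall
ROUTES_AFTER_STEP4 = [
    Route(DEFAULT, 2, "INTERNET"),                          # step 4.3
    Route(DEFAULT, 1, FIREWALL_LAN_IP, masquerade=False),   # step 4.4
]

def lookup(routes, src_ip, dst_ip, networks=NETWORKS):
    """Select the route for a packet: routes with the source's tag first, then tag-0 routes (assumed ARF rule)."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    src_net = next((n for n in networks if src in n.prefix), None)
    if src_net is None:
        raise ValueError(f"{src_ip} is in no configured network")
    for tag in (src_net.tag, 0):
        hits = [r for r in routes if r.tag == tag and dst in r.prefix]
        if hits:
            return max(hits, key=lambda r: r.prefix.prefixlen)  # longest prefix wins
    return None

def internet_next_hop(routes, src_ip, dst_ip="8.8.8.8"):
    """Where the LANCOM router hands an Internet-bound packet: the firewall, its own uplink, or None."""
    route = lookup(routes, src_ip, dst_ip)
    return None if route is None else route.next_hop
```

With ROUTES_BEFORE_STEP4 a LAN PC's packet falls back to the tag-0 route and bypasses the firewall, which is what the traceroute after step 3.2.7 shows; with ROUTES_AFTER_STEP4 it is handed to 192.168.1.254, while the firewall's own traffic from the transfer network (tag 2) takes the uplink.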