Quelle anzeigen

Description:

This document describes how a LANCOM R&S®Unified Firewall is integrated into an existing network where a LANCOM router operates as the gateway.

This scenario applies to the management of exactly one productive network. If you need to manage more than one network, LANCOM Systems recommends using one of the other scenarios to integrate a Unified Firewall (series connection or stand-alone operation).

When using an IPv4/IPv6 dualstack Internet connection in the LANCOM router and propagating the public IPv6 prefix in the LAN, IPv6 communication is not routed via the Unified Firewall. Instead network members can communicate with the Internet directly via IPv6.

Therefore IPv6 must not be used in this scenario!

Requirements:

LCOS as of version 10.20 ( download latest version )
LANtools as of version 10.20 ( download latest version )
LANCOM R&S®Unified Firewall with LCOS FX as of version 10.3
Configured and functional network including Internet access on the LANCOM router
Web browser for configuring the Unified Firewall.

The following browsers are supported:
- Google Chrome
- Chromium
- Mozilla Firefox

Important:
LANCOM router that supports a maximum of two ARF contexts, such as

LANCOM 883 VoIP
LANCOM 884 VoIP
LANCOM 730VA
LANCOM 730-4G(+)
LANCOM 1631E
LANCOM 1640E

cannot be used to implement the scenario described here, because these devices do not support a sufficient number of ARF contexts.

Scenario:

Current situation:

This document assumes a simple network scenario where a LANCOM router operates as a central gateway for the internal network services (e.g. DHCP) and also provides Internet access.
The Internet connection is implemented using the xDSL modem integrated in the LANCOM router or via the WAN interface (for devices without a modem).
The local network (IP address range 192.168.1.0/24) is connected via the Ethernet interface ETH-1 to a LANCOM switch, which the local network components (PC, notebook, server, etc.) are connected to. The other Ethernet interfaces of the LANCOM router (e.g. ETH-2 to ETH-4) are also set up for the local network (default setting).

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > Ist-Zustand.png

Target situation:

This way of integrating the Unified Firewall is also referred to as layer-3 loop.

The Unified Firewall is connected by its port eth0 to the port ETH-4 of the LANCOM router. The port eth1 of the Unified Firewall is connected to port ETH-3 of the LANCOM router.
The Unified Firewall operates as a DHCP client on port eth0 and thus obtains its IP parameters from the DHCP server of the LANCOM router.
On the LANCOM router and on the Unified Firewall, two intermediate networks are set up (UF-TRANSFER: 192. 168.11.0/24 and UF-CONNECT: 192.168.12.0/24).

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > Soll-Zustand2.png

Procedure:

The Unified Firewall must not yet be connected to the LANCOM router or to the network via a LAN cable!

1) Basic configuration steps on the LANCOM router:

1.1) Open the configuration for the router in LANconfig and switch to the menu item IPv4 → General → IP networks.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 1.png

1.2) Create that first intermediate network with a click on Add. This ensures that packets are sent from the productive network (here the INTRANET) to the Unified Firewall.

Save the following parameters:

Network name : Give the intermediate network a descriptive name.
IP address : Give it an IP address from the IP address range 192.168.11.0/24.
- Important: The following IP address ranges may not be used, since they are already used by the Unified Firewall by default:
  - 168.1.0/24
  - 168.2.0/24
  - 168.3.0/24
- Netmask : Set the subnet mask 255.255.255.0.
- Interface assignment : From the drop-down menu, select the logical interface LAN-3.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 2.png

1.3) Create that second intermediate network with a click on Add. This is used to receive packets from the Unified Firewall.

Save the following parameters:

Network name : Enter a descriptive name for the second intermediate network.
IP address : Give it an IP address from the IP address range 192.168.12.0/24.
- Important: The following IP address ranges may not be used, since they are already used by the Unified Firewall by default:
  - 168.1.0/24
  - 168.2.0/24
  - 168.3.0/24
- Netmask : Set the subnet mask 255.255.255.0.
- Interface assignment : From the drop-down menu, select the logical interface LAN-4.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 3.png

1.4) Switch to the menu IPv4 → DHCPv4 → DHCP networks.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 4.png

1.5) Create a new DHCP network and modify the following parameters:

From the drop-down menu for the Network name, select the second intermediate network.
Activate the DHCP server under DHCP server enabled by setting the drop-down menu to Yes.
For the first address and last address set an IP address from the second intermediate network (192.168.12.0/24). The same IP address must be set in both fields to ensure that the Unified Firewall always obtains this IP address.

Info:
It makes sense to assign a “fixed” IP address to the Unified Firewall so that port forwarding can be set up, if required.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 5.png

1.6) Navigate to the menu Interfaces → LAN → Ethernet ports.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 6.png

1.7) Assign the port ETH-3 to the interface LAN-3 and the port ETH-4 to the interface LAN-4.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 7.png

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 8.png

1.8) Navigate to the menu Interfaces → LAN → Port table.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 9.png

1.9) Make sure that no bridge groups are set for the logical interfaces LAN-3 and LAN-4 (Bridge group: none).

Info:
With WLAN routers, all interfaces are assigned to the bridge group 1 (BRG-1) by default.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 10.png

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 11.png

1.10) This concludes the configuration steps on the LANCOM router. Write the configuration back to the router.

2) Configuration steps on the Unified Firewall:

Connect port eth0 if the Unified Firewall to the port ETH-4 of the LANCOM router.

Important:
Do not connect port eth1 of the Unified Firewall to port ETH-3 of the LANCOM router yet!

2.1) Enter the IP address 192.168.12.253 followed by the port 3438 in the browser to access the web interface of the Unified Firewall (192.168.12.253:3438).

2.2) When the warning message regarding the certificate is displayed, first click on Advanced and then on Proceed to 192.168.12.253 (unsafe).

Info:
The warning about the insecure certificate can be removed by creating a web-server certificate on the Unified Firewall and then importing the certificate into the operating system.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF1.png

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF2.png

2.3) The Unified Firewall is still unconfigured, so the default access credentials can be entered.

User: admin
Password: admin

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF3.png

2.4) Set a new admin password for access to the web interface as well as a new support password for access to the command line and then click on Accept & Login.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF4.png

2.5) The setup wizard opens automatically. Click on Start setup in English.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF5.png

2.6) Since the Unified Firewall is to be configured manually, you now have to click on Cancel Wizard.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF6.png

2.7) Change to the menu Network → Connections → Network Connections and click on the “edit” icon for eth1 to modify the network.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF7.png

2.8) Edit the IP address and enter an IP address from the first intermediate network 192.168.11.0/24.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF8.png

2.9) Click the icon on the desktop to create a new network.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF9.png

2.10) Save the following parameters:

Name: Enter a descriptive name.
Interface: From the drop-down menu, set the interface to eth1.
Network IP: Enter the productive network 192.168.1.0/24 which is already available on the LANCOM router in CIDR notation (Classless Inter Domain Routing).

Info:
The productive network of the LANCOM router must be created as a desktop object on the Unified Firewall in order to permit communication via the firewall.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF10.png

2.11) Confirm the warning message by clicking on Save Anyway.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF11.png

2.12) On the desktop, click the network object created in step 2.10) and select the Connection Tool. Link the network object to the Internet object.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF12.png

2.13) Use the “+” icon to add the necessary protocols for the outgoing communications.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF13.png

2.14) Click on the Activate button to accept and enable the changes.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF14.png

2.15) Change to the menu Network → Routing → Routing Tables and click on the “edit” icon to modify the Table 254.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF15.png

2.16) Click on the “+” icon to create a new routing entry.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF16.png

2.17) Enter the following parameters and then click on OK.

Interface: Select eth1 from the drop-down menu.
Destination: Enter the productive network already available on the LANCOM router in CIDR
Gateway: Enter the IP address of the LANCOM router in the first intermediate network (see step 1.2).

Info:
This return route allows the productive network of the LANCOM router (192.168.1.0/24) to access the IP address of the Unified Firewall in the first intermediate network (192.168.11.0/24).

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF17.png

2.18) Save your changes to the Table 254.

Important:
After setting this route, the Unified Firewall can only be accessed using the IP address of the Unified Firewall in the first intermediate network (192.168.11.253). The current connection to the web interface is interrupted immediately after saving!

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > UF18.png

2.19) This concludes the configuration steps on the Unified Firewall.

Now connect port eth1 of the Unified Firewall to the port ETH-3 of the LANCOM router.

3) Subsequent configuration steps on the LANCOM router:

3.1) Open the configuration for the router in LANconfig and switch to the menu item IPv4 → General → IP networks.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 1.png

3.2) Mark the existing productive network (in this example the network INTRANET) and click on Edit.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 21.png

3.3) Set the Interface tag 1.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 22.png

3.4) Edit the first intermediate network (here UF-TRANSFER) and set the Interface tag 1.

Info:
The networks INTRANET and UF-TRANSFER must have the same interface tag in order to communicate with one another.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 23.png

3.5) Edit the second intermediate network (here UF-CONNECT) and set the Interface tag 2.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 24.png

3.6) Navigate to the menu IP Router → Routing → IPv4 routing table.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 25.png

3.7) Mark the existing default route for the Internet connection and click Edit.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 26.png

3.8) Change the routing tag to the value 2.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 27.png

3.9) Create an additional routing entry and enter the following parameters:

IP address : Enter the address 255.255.255.255.
Netmask : Enter the netmask 0.0.0.0.
Routing tag: Enter the routing tag 1.
Router: Enter the IP address of the Unified Firewall in the first intermediate network 192.168.11.0/24.
IP masquerading : Set the radio button to IP Masquerading switched off.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 28.png

3.10) Navigate to the menu IPv4 → DNS → Forwarding.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 29.png

3.11) Create an entry and enter the following parameters:

Domain: Enter the wildcard *, so that all DNS requests are forwarded.
Routing tag: Enter tag 1 to forward all requests from the INTRANET.
Remote site : Enter the IP address of the Unified Firewall in the first intermediate network (see step 2.8), so that all DNS queries from the productive network of the LANCOM router (in this example, the INTRANET) are forwarded to the Unified Firewall.

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 30.png

3.12) Create an additional entry and enter the following parameters:

Domain: Enter the wildcard *, so that all DNS requests are forwarded.
Routing tag: Enter the tag 2, so that DNS requests from the Unified Firewall from the second intermediate network can be answered.
Remote site : Enter any DNS server (in this example the Google DNS server 8.8.8.8).

LANCOM Support Knowledge Base EN > Manual setup of a Layer-3 loop between a LANCOM router and a LANCOM R&S®Unified Firewall (version 2) > 31.png

3.13) This concludes the configuration steps on the LANCOM router. Write the configuration back to the router.

4) Further steps: Configuring the UTM features:

The configuration of the UTM functions is described in the following articles: