Description:

This article describes how routing via an intermediate network is set up between the networks of a LANCOM R&S®Unified Firewall and a LANCOM router.


Requirements:


Scenario:

  • The Unified Firewall is configured with the network 192.168.1.0/24.
  • A router is configured with the network 192.168.20.0/24.
  • The Unified Firewall and the router should be configured with the intermediate network 192.168.99.0/24, and routing should be set up between the networks of the Unified Firewall and the router.

The LANCOM router must not be located in the same local network as the Unified Firewall. Otherwise the router would send its response packets directly to the devices in this network instead of to the Unified Firewall, and the Unified Firewall would then discard any further packets that belong to the same session.

The same applies in the other direction: the Unified Firewall must not be located in the network of the LANCOM router.
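The return-path problem described above can be checked against the routing tables that the procedure below produces. The following is an added example, not part of the original article or of any LANCOM tooling: it does a longest-prefix match over the router's table to see whether replies are handed to the Unified Firewall, and checks that every static route's gateway is on a directly connected network. The client address 192.168.1.10 and all function and variable names are assumptions made for illustration.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match. Returns (network, gateway); gateway None = directly connected."""
    addr = ipaddress.ip_address(dst)
    hits = [(ipaddress.ip_network(n), gw) for n, gw in routes]
    hits = [h for h in hits if addr in h[0]]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def reply_traverses_firewall(router_routes, client_ip, firewall_ip):
    """True if the router forwards replies for client_ip to the firewall
    rather than delivering them straight onto a shared LAN."""
    hit = lookup(router_routes, client_ip)
    return hit is not None and hit[1] == firewall_ip

def gateways_on_link(routes):
    """Every static route's gateway must lie in a directly connected network."""
    connected = [ipaddress.ip_network(n) for n, gw in routes if gw is None]
    return all(any(ipaddress.ip_address(gw) in c for c in connected)
               for _, gw in routes if gw is not None)

FIREWALL_TRANSFER_IP = "192.168.99.254"  # Unified Firewall, step 1.3
ROUTER_TRANSFER_IP = "192.168.99.253"    # router, steps 1.6 and 2.8
CLIENT = "192.168.1.10"                  # constructed host behind the firewall

# Router table as configured in steps 2.8 and 2.11
ROUTER_OK = [("192.168.20.0/24", None),
             ("192.168.99.0/24", None),
             ("192.168.1.0/24", FIREWALL_TRANSFER_IP)]
# Misplaced design: router has its own interface in the firewall's LAN
ROUTER_IN_LAN = [("192.168.20.0/24", None),
                 ("192.168.1.0/24", None)]
# Unified Firewall routing table after step 1.6
FIREWALL = [("192.168.1.0/24", None),
            ("192.168.99.0/24", None),
            ("192.168.20.0/24", ROUTER_TRANSFER_IP)]

if __name__ == "__main__":
    for name, table in (("intermediate network", ROUTER_OK),
                        ("router in firewall LAN", ROUTER_IN_LAN)):
        ok = reply_traverses_firewall(table, CLIENT, FIREWALL_TRANSFER_IP)
        print(f"{name}: replies pass the firewall = {ok}")
    print("firewall gateways on-link:", gateways_on_link(FIREWALL))
```
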

Diagram displaying the configuration settings for Unified Firewall and LANCOM router, including IP addresses for local and remote networks.



Procedure:

1) Configuration steps on the Unified Firewall:

1.1) Connect to the Unified Firewall, go to the menu Network → Connections → Network Connections and click the “pencil” icon to edit the settings for a previously unused interface (in this example eth3).

If the IP address currently assigned to the selected interface (the default setting for eth3 is 192.168.3.254) is to be used for the intermediate network, you can skip steps 1.1 – 1.3.


1.2) Click the “pencil” icon to adjust the stored IP address.


1.3) Enter an IP address in CIDR notation (Classless Inter-Domain Routing) from a previously unused network, which is to operate as the intermediate network between the Unified Firewall and the separate router (in this example 192.168.99.254). Then click Save.


1.4) Change to the menu Network → Routing → Routing Tables and click the “pencil” icon to edit Table 254.


1.5) Click the “+” icon to create a new routing entry.


1.6) Modify the following parameters and then click OK:

  • Interface: Select the interface chosen in step 1.1, which is in the intermediate network (in this example eth3).
  • Destination: Enter the network address of the target network to be reached via the router, in CIDR notation (in this example 192.168.20.0/24).
  • Gateway: Enter an available IP address from the intermediate network to be used by the router (in this example 192.168.99.253).


1.7) Click Save.


1.8) Click the button to create a network.


1.9) Modify the following parameters and then click Create:

  • Name: Enter a descriptive name (in this example Network-behind-Gateway).
  • Interface: From the drop-down menu, select the interface connected to the intermediate network (in this example eth3).
  • Network IP: Enter the network address of the target network to be reached via the router, in CIDR notation (in this example 192.168.20.0/24).


1.10) Click the local network object on the desktop (in this example INTRANET), select the connection tool, and click the network object for the remote network created in step 1.9.

1.11) Select the protocols required for communication and add them using the “+” icon. Then click Create.

The Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication.


1.12) Finally, implement the changes by clicking Activate.




2) Configuration steps on the LANCOM router:

If you are using a router from another manufacturer, consult the manual or contact the manufacturer for information about the appropriate procedure.

2.1) Using LANconfig, connect to the router, switch to the menu Interfaces → LAN → Ethernet ports and choose a previously unused Ethernet port (in this example ETH 4).


2.2) From the drop-down menu for Interface usage, select a previously unused logical interface (in this example LAN-2).


2.3) Navigate to the menu Interfaces → LAN → LAN bridge.


2.4) Go to the Port table menu.


2.5) Make sure that the logical interface assigned in step 2.2 (in this example LAN-2) is not assigned to a bridge group.


2.6) Switch to the menu IPv4 → General → IP networks.


2.7) Click Add to create a new network.


2.8) Change the following parameters:

  • Network name: Enter a descriptive name (in this example INTER-NETWORK).
  • IP address: Enter the gateway IP address from the intermediate network set in step 1.6 (in this example 192.168.99.253).
  • Netmask: Enter the corresponding subnet mask.
  • Interface assignment: From the drop-down menu, select the logical interface that was set in step 2.2 (in this example LAN-2).


2.9) Navigate to the menu IP Router → Routing → IPv4 routing table.


2.10) Click Add to create a new routing entry.


2.11) Change the following parameters:

  • IP address: Enter the network address of the network with the Unified Firewall (in this example 192.168.1.0).
  • Netmask: Enter the corresponding subnet mask.
  • Router: Enter the IP address of the Unified Firewall in the intermediate network assigned in steps 1.2 - 1.3 (in this example 192.168.99.254).
  • IP masquerading: Select the option IP masquerading switched off.


2.12) This concludes the configuration steps on the LANCOM router. You can now write the configuration back to the device.

The firewall in LANCOM routers uses an implicit allow-all strategy. Communication is therefore permitted until it is prevented.