
Use a Common Firewall for two Different Subnets

0 Votes
Locked

johnf
Hello,

I want to implement a security scheme in a new network configuration. There are two buildings for the client:

1. Office Building 1 (OB1) with address 10.0.0.0 / 255.255.255.0,
Gateway 10.0.0.1 (Router1, Zyxel). The domain controller (10.0.0.250)
is also installed in OB1, and the users of OB1 have already
joined it.

2. Office Building 2 (OB2) with address 10.0.1.0 / 255.255.255.0,
Gateway 10.0.1.167 (installed as the internal (lan) address of a
Firewall). The Firewall's wan1 interface has address 192.168.5.199 and uses
192.168.5.2 as the Router2 (Zyxel) address.

Router1 provides internet access for users of OB1 and Router2 provides internet access for users of OB2. In OB2, the Firewall is configured for protection and web filtering for the 10.0.1.0 network. Both buildings are connected through a VPN implemented between Router1 and Router2.

I would like to know:

1. how to set up firewall protection of OB1 (network 10.0.0.0) using the Firewall device in OB2 (perhaps with some network re-configuration)
2. how to set up users in OB2 (network 10.0.1.0) to join the domain implemented on the Domain Controller, which is part of network 10.0.0.0 in OB1

Thank you for your quick reply!

John.
  • 1 Votes
    John.Schupp

    First of all, as long as there is a route to the domain controllers and the DNS servers serving OB2 have the correct SRV records, I don't see a problem with just joining the computers in OB2 to the domain in OB1. Make sure before you join them that the VPN tunnel is up; you can do this by pinging the domain controller before you attempt to join it to the domain. It is unlikely that the tunnel being down would keep the machines from being able to join the domain, but it doesn't hurt to have the tunnel established first. Remember, a VPN tunnel will eventually time out even if it's site to site, and will only come back up when "interesting traffic" is seen attempting to traverse it. If you want to use the same firewall in both locations, the easiest way is to set the router in OB1 to use the firewall as the gateway of last resort. This should force the router to send internet-bound traffic to the firewall for a route decision. You will then have to set an interface on the firewall to be in the same external network as the router in OB1, so that you can configure the router to deliver inbound traffic to the firewall for routing inside your network.

    That's how it could be done; however, I would not do it this way. There are several reasons. First of all, the fact that you have two separate internet connections will make this tricky and needlessly complex. The second thing is that communications between the two buildings will be slow. I don't know how big your organization is or what kind of equipment you are working with, but given the information in your question I'm guessing you don't have a lot of money. That being said, I would carefully consider buying another firewall for the first location; it will save you a headache not only in network speed and efficiency, but troubleshooting will be quicker and easier than if you go with the model you describe.

    Let me know if this helps.

    - J.Schupp
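The readiness checks the answer above describes (a route to the DC, the DC locator SRV records resolvable from OB2, the tunnel up before the join), written out as a PowerShell script an OB2 workstation could run. This is an added example, not code from the original post or from either participant. The DC address 10.0.0.250 comes from the question; the AD DNS domain name `corp.example` and the join account name are assumptions, since the post never gives them.

```powershell
# Added example (not from the original post). Pre-join readiness check for an OB2
# workstation (10.0.1.0/24) before joining the domain whose DC sits in OB1 at 10.0.0.250.
# ASSUMPTION: the AD DNS domain name is "corp.example"; the post does not give it.
$Domain = 'corp.example'
$DcIp   = '10.0.0.250'
# Ports a domain join must reach on the DC: Kerberos, LDAP, SMB, RPC endpoint mapper.
$Ports  = @(88, 389, 445, 135)

# 1. The client must resolve the DC locator SRV records. If the OB2 clients point at
#    a public resolver or at the Zyxel router instead of a DNS server that carries the
#    AD zone, this is the step that fails, and the join fails with "domain not found".
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop
$srv | Where-Object { $_.Type -eq 'SRV' } |
    Select-Object Name, NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 2. Traffic to 10.0.0.0/24 must leave via the OB2 gateway (the firewall's LAN side),
#    which hands it to Router2 for the site-to-site tunnel. Confirm the chosen route.
Find-NetRoute -RemoteIPAddress $DcIp | Format-List

# 3. Probe each required port. This is also the "interesting traffic" the answer above
#    mentions, so a tunnel that has timed out is re-established before the join attempt.
$results = foreach ($p in $Ports) {
    $t = Test-NetConnection -ComputerName $DcIp -Port $p -WarningAction SilentlyContinue
    [pscustomobject]@{ Port = $p; Open = $t.TcpTestSucceeded }
}
$results | Format-Table -AutoSize
if ($results.Open -contains $false) {
    throw "Not all required ports on $DcIp are reachable; check the VPN and firewall rules before joining."
}

# 4. Let the DC locator pick a DC exactly the way the join will.
nltest /dsgetdc:$Domain

# 5. Join and reboot. ASSUMPTION: an account permitted to join computers to the domain;
#    "Administrator" is a placeholder, use a dedicated join account in practice.
Add-Computer -DomainName $Domain -Credential (Get-Credential "$Domain\Administrator") -Restart

# After the reboot, verify the machine account's secure channel to a DC:
#   Test-ComputerSecureChannel -Verbose
```

Run it from an elevated PowerShell session on the OB2 client. Steps 1 through 3 are the ones worth keeping as a standing troubleshooting script: a failure in step 1 is a DNS problem in OB2, a wrong gateway in step 2 is a routing problem on the client or firewall, and closed ports in step 3 point at the VPN or at the firewall's LAN-to-VPN policy rather than at the domain controller.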
