
    Use a Common Firewall for two Different Subnets


    by johnf


    I want to implement a security scheme in a new network configuration. The client has two buildings:

    1. Office Building 1 (OB1) with address /,
    Gateway ( Router1 Zyxel ). The domain controller ( ) is also
    installed in OB1, and the users of OB1 have already joined it.

    2. Office Building 2 (OB2) with address /,
    Gateway ( installed as the internal (lan) address of a
    Firewall ). The Firewall's wan1 interface has address and uses as the Router2 (Zyxel) address.

    Router1 provides internet access for the users of OB1 and Router2 provides internet access for the users of OB2. In OB2 the Firewall is configured for protection and web filtering for the network. The two buildings are connected through a VPN implemented between Router1 and Router2.

    I would like to know:

    1. how to set up firewall protection for OB1 ( network ) using the Firewall device in OB2 ( perhaps with some network re-configuration )
    2. how to set up users in OB2 ( network ) to join the domain implemented on the Domain Controller that is part of the network in OB1

    Thank you for your quick reply!


All Comments


      firewall configuration

      by john.schupp

      In reply to Use a Common Firewall for two Different Subnets

      First of all, as long as there is a route to the domain controllers and the DNS servers serving OB2 have the correct SRV records, I don't see a problem with just joining the computers in OB2 to the domain in OB1. Make sure the VPN tunnel is up before you join them; you can do this by pinging the domain controller before you attempt to join it to the domain. It is unlikely that the tunnel being down would keep the machines from being able to join the domain, but it doesn't hurt to have the tunnel established first. Remember that a VPN tunnel, even a site-to-site one, will eventually time out and will only come back up when "interesting traffic" is seen attempting to traverse it.

      If you want to use the same firewall in both locations, the easiest way is to set the router in OB1 to use the firewall as the gateway of last resort. This should force the router to send internet-bound traffic to the firewall for a route decision. You will then have to set an interface on the firewall to be in the same external network as the router in OB1 so that you can configure the router to deliver inbound traffic to the firewall for routing inside your network.

      That's how it could be done; however, I would not do it this way. There are several reasons. First of all, the fact that you have two separate internet connections will make this tricky and needlessly complex. The second thing is that communications between the two buildings will be slow. I don't know how big your organization is or what kind of equipment you are working with, but given the information in your question I'm guessing you don't have a lot of money. That being said, I would carefully consider buying another firewall for the first location. It will save you a headache not only in network speed and efficiency, but troubleshooting will be quicker and easier than if you go with the model you describe.

      Let me know if this helps.

      – J.Schupp
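
      The following is an added example, not part of J.Schupp's reply or the original thread. It turns the first half of the answer (check the tunnel is up by pinging the DC, check that OB2's DNS returns the DC locator SRV records, then join) into a pre-flight script to run on an OB2 workstation. The domain name `corp.example`, the DC hostname `dc1.corp.example` and the OU path are placeholder assumptions; the thread gives none of them. It also checks the TCP ports a join actually needs across the VPN, because an ICMP reply alone does not prove the OB2 firewall passes Kerberos, LDAP and SMB.

```powershell
# Added example (not from the original post): pre-flight checks before joining an OB2
# workstation to the domain whose DC sits in OB1, reached over the site-to-site VPN.
# Assumptions (placeholders, not from the thread): domain 'corp.example',
# DC 'dc1.corp.example', optional target OU. Run in an elevated PowerShell session.

param(
    [string]$Domain = 'corp.example',       # assumed domain name
    [string]$DcHost = 'dc1.corp.example',   # assumed DC hostname in OB1
    [string]$Ou     = ''                    # optional, e.g. 'OU=OB2,DC=corp,DC=example'
)

$ErrorActionPreference = 'Stop'

# 1. Is the tunnel up? The reply's advice is to ping the DC first. A site-to-site tunnel that
#    has idled out is only re-established by "interesting traffic", so the first ping may be
#    lost while the tunnel renegotiates; retry a few times before declaring it down.
$up = $false
for ($i = 1; $i -le 5 -and -not $up; $i++) {
    $up = Test-Connection -ComputerName $DcHost -Count 1 -Quiet
    if (-not $up) { Start-Sleep -Seconds 3 }
}
if (-not $up) { throw "No ICMP reply from $DcHost after 5 tries; the VPN tunnel is probably down." }

# 2. Do the DNS servers configured on this OB2 client return the DC locator SRV records?
#    Without _ldap._tcp.dc._msdcs.<domain> the join fails with "the domain could not be
#    contacted" even when the DC is pingable (typical fix: a conditional forwarder for
#    the domain on the OB2 DNS server pointing at the DC in OB1).
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV |
       Where-Object { $_.Type -eq 'SRV' }
if (-not $srv) { throw "No _ldap._tcp.dc._msdcs.$Domain SRV records; check OB2 DNS forwarding." }
$srv | Select-Object NameTarget, Port, Priority, Weight | Format-Table -AutoSize

# 3. The ports a join actually uses across the tunnel: Kerberos 88, LDAP 389, SMB 445,
#    RPC endpoint mapper 135. If the OB2 firewall or the VPN policy filters by port,
#    ICMP succeeds but the join still fails, so test each one explicitly.
foreach ($port in 88, 389, 445, 135) {
    $r = Test-NetConnection -ComputerName $DcHost -Port $port -WarningAction SilentlyContinue
    if (-not $r.TcpTestSucceeded) {
        throw "TCP $port to $DcHost is blocked; allow it through the OB2 firewall / VPN policy."
    }
}

# 4. Everything reachable: join. Use an account delegated only the right to create computer
#    objects in the target OU rather than a Domain Admin, so the credential typed on a
#    workstation in the remote building is of limited value if it is captured.
$cred = Get-Credential -Message "Account permitted to join computers to $Domain"
$joinArgs = @{ DomainName = $Domain; Credential = $cred; Restart = $true }
if ($Ou) { $joinArgs.OUPath = $Ou }
Add-Computer @joinArgs
```

      Running the script with `-Ou 'OU=OB2,DC=corp,DC=example'` places the new computer object in a dedicated OU for the second building, which keeps GPO scoping for OB2 separate from OB1 without touching the firewall design question in the second half of the reply.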
