Setup the FSG behind a Router
Setting up the FSG behind a router is a very common configuration. This configuration would be useful to you if you have a router that already has computers hooked up to it or connected wirelessly.
Note: Setting up the FSG without the second lan cable prevents computers connected to the router from accessing printers on the FSG: USB Printer through the WAN
Contents |
Connection Diagram
____________
Router |
WAN port---|<-----> Outside Connection (DSL or Cable modem)
|
LAN ports--|<----> Computer 1 ______________
|-|<----> Computer 2 | FSG |
|-|<------------------------> |--WAN port | (this first cable is needed)
|-|<------------------------> |--LAN port | (this second cable is optional)
| | |
| | LAN ports--| <----> Computer 3
Wireless |< . . . > Laptop | LAN ports--| <----> Computer 4
------------ --------------
Connection with 1 or 2 cables
You can connect Router to FSG with 1 or 2 cables.
- The first cable (Router LAN port <---> FSG WAN port) is needed.
- The second cable (Router LAN port <---> FSG LAN port) is optional.
Depending on if you use this second cable or not, diferent computers will have access to diferent places. Here is the explanation.
Connection without second lan cable
Using this configuration gives two levels of control and three levels of access:
- access from "inside". For computer 3 none of the services need to be accessed through the WAN port.
- access through the WAN port (FSG option).
- access from the internet (Router option to open ports).
If you close access through the WAN port for a service, only computer 3 can access this service.
Opening access through the WAN port, but having no port on the router pointing to this service, gives the internal computers (computer 1, 2, and 3) access to this service, but not from the internet.
Opening access through the WAN port of the FSG, opening a port on the router and redirecting it to the FSG on the service's port makes the service available to any computer on the internet.
Note. I am not sure how this works in combination with a VPN. anyone?
Connection with second lan cable
- access from "inside" means now all computers connected directly to the router and fsg-lan have full access to services at the fsg-lan ports
- access from the internet (Router option to open ports: port forewarding) need enabled services at fsg-wan port.
Software Settings
Router
Make sure the DHCP range leaves some room for static IPs
- Example: Starting Address: 192.168.1.100 Max DHCP Users: 50
Open Router Firewall
Is ussual that the router has an internal firewall to block communication between external net (Internet) and the equipment connected to the router. Is a good idea to have this firewall 'on', but then you must do some sets to have the FSG running properly.
Option 1: DMZ
CAUTION : DON'T USE THIS DMZ SOLUTION.
- You can use this option to make a test only if you think you have a problem related to the firewall Router. But this solution leaves the FSG dangerously nude to the world.
If you want to use this option, get into Router configuration page, enable the DMZ, and add the address of the FSG to the DMZ list: i.e.:'
- Public IP address: your public IP Client PC IP address: 192.168.1.2
Option 2: Opening Ports at Router
The good solution is to open to the adress that FSG has, the necessary "doors" (and only the necessary "doors")in that firewall for the services that you want to be 'seen' from the outside. These "doors" are TCP and UDP ports. Here is a list of ports that are used typically for each service:
- CIFS (Samba)
- TCP 139 and TCP 445
- UDP 135, 137 and 138
- FTP --> TCP 21
- SSH --> TCP 22
- web
- (http) --> TCP 80
- (https) --> TCP 443
- FSG info page--> TCP 8080
- email
- (POP3) --> TCP 110
- (SMTP) --> TCP 25
- (IMAP4) --> TCP 143
- VPN server:
- PPTP --> TCP 1723
- L2TP --> UDP 1701
- L2TP and IPSec --> UDP 500
- SQL server --> TCP 3306
- Subversion --> 3690
- Torrent client of FSG --> TCP 2706.
REMEMBER: open only the ports you know you need to use. Hackers are all aroud..!
Example: open port 21
This is the configuration you need to change on a 3Com Router: Get into the Router configuration page. Then, in the option Firewall/Virtual Server add the next:
Lan IP Adress | Protocol Type | Lan Port | Public Port | Enable 192.168.1.2 | TCP | 21 | 21 | Enable
FSG
WAN Config
Set the following options on the Page
- Connection Type: "fixed ip address *"
- IP address: 192.168.1.2 (Something not in the DHCP range of the above router)
- Subnetwork Mask: 255.255.255.0
- Default Gateway: 192.168.1.1 (IP Adresss of the above router)
- DNS Servers: 192.168.1.1 (Same as the Default Gateway)
- Note: If your firmware version is less than 3.1.29 you will need to update it first, otherwise you will receive a message: 'Error: Cannot write configuration file'.
LAN Config
Set the following options on the Page
- IP Address: 192.168.2.1 (Something with at least one of the middle two numbers different than the above routers IP address)
- Subnet Mask: 255.255.255.0
Remark that all computers using one of the LAN ports of the FSG must have an IP address in the subnet of the LAN config. In the above example the IP address must start with 192.168.2. If the subnet mask was 255.255.0.0 it was sufficient to start with 192.168.
If the IP address is not part of the subnet as specified, some or all functions will not work.
DHCP Server
Set the following options on the Page
- Start DHCP Server: checked
- Gateway: 192.168.2.1 (Same as the IP Address on the LAN config page)
- DNS Server: 192.168.1.1 (Same as DNS Server on the WAN config page)
- Subnetwork Mask: 255.255.255.0
- IP Address Range: 192.168.2.100 - 192.168.2.200
Services
Check the "Open XX through the WAN" for each of the services you want to be able to access via any computer connected to the above Router. You'll probably want "Windows File Sharing (CIFS/SMB)" open on the WAN at the very least.
Note: If you want to access the Configuration pages via any of the computers connected to the router, you'll have to check "Access for configuration pages from the outside." on the HTTP service config page.
