Setup the FSG behind a Router
From OpenFSG
Setting up the FSG behind a router is a very common configuration. This configuration would be useful to you if you have a router that already has computers hooked up to it or connected wirelessly.
Note: Setting up the FSG in this manner prevents computers connected to the router from accessing printers on the FSG (see: USB Printer through the WAN).
Connection Diagram
                ____________
               |  Router    |
               |  WAN port--|<-----> Outside Connection (DSL or Cable modem)
               |            |
               |  LAN ports-|<----> Computer 1          ______________
               |           -|<----> Computer 2         |  FSG         |
               |           -|<--------------------->   |--WAN port    |
               |            |                          |              |
               |  Wireless  |< . . . > Laptop          |  LAN ports-- |<----> Computer 3
                ------------                            --------------
Using this configuration gives two levels of control (the FSG's own "Open XX through the WAN" switch for each service, and the router's port forwarding) and three levels of access:
- access from "inside" (computer 3, on the FSG's LAN ports). Every service is reachable here; none of them needs to be opened through the WAN port.
- access through the FSG's WAN port (FSG option). This is what computers 1 and 2 and the laptop use.
- access from the internet (router option to forward ports).
If you close access through the WAN port for a service, only computer 3 can reach that service.
If you open access through the WAN port but forward no port on the router to this service, the internal computers (computers 1, 2 and 3, and the laptop) can reach the service, but nobody on the internet can.
If you open access through the WAN port of the FSG and also forward a port on the router to the FSG's address on the service's port, the service is reachable from any computer on the internet.
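The three access levels above can be checked mechanically before any port is opened. The following script is an added example (not OpenFSG code): it models the FSG's "open through the WAN" switches, the router's virtual-server (port forward) entries and the router DMZ, reports which of the three vantage points (FSG LAN, router LAN, internet) can reach each service, and flags two mistakes this page warns about: a DMZ entry pointing at the FSG, and a forward to a port the FSG does not actually open on its WAN side (a dead forward that should simply be removed). The service/port table is taken from the port list on this page; the FSG address 192.168.1.2 and the sample forwards are constructed for the example.

```python
"""Who can reach which FSG service, given the FSG's "open through the WAN"
switches and the router's port forwards. Added example, not OpenFSG code."""
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Typical ports per service (subset of the port list on this page).
SERVICE_PORTS = {
    "cifs": {("tcp", 139), ("tcp", 445)},
    "ftp": {("tcp", 21)},
    "ssh": {("tcp", 22)},
    "http": {("tcp", 80)},
    "https": {("tcp", 443)},
}


@dataclass
class Forward:
    """One router 'virtual server' entry: LAN IP, protocol, LAN port, public port."""
    lan_ip: str
    proto: str
    lan_port: int
    public_port: int
    enabled: bool = True


@dataclass
class Setup:
    fsg_wan_ip: str                       # FSG WAN address as seen by the router
    open_through_wan: Set[str]            # services with "Open XX through the WAN" checked
    forwards: List[Forward] = field(default_factory=list)
    dmz_host: Optional[str] = None        # router DMZ target, if the DMZ is enabled


def reachable_from(setup: Setup, service: str) -> Set[str]:
    """Vantage points that can reach `service`: fsg-lan, router-lan, internet."""
    who = {"fsg-lan"}                     # computer 3 always reaches every service
    if service not in setup.open_through_wan:
        return who                        # closed on the WAN port: only the FSG LAN
    who.add("router-lan")                 # computers 1, 2 and the laptop
    if setup.dmz_host == setup.fsg_wan_ip:
        who.add("internet")               # DMZ passes every port to the FSG
        return who
    for f in setup.forwards:
        if (f.enabled and f.lan_ip == setup.fsg_wan_ip
                and (f.proto, f.lan_port) in SERVICE_PORTS[service]):
            who.add("internet")
            break
    return who


def review(setup: Setup) -> List[str]:
    """Warnings for a DMZ entry on the FSG and for forwards that lead nowhere."""
    warnings = []
    if setup.dmz_host == setup.fsg_wan_ip:
        warnings.append("DMZ points at the FSG: every service opened through the WAN "
                        "is exposed to the internet")
    open_ports = set().union(*(SERVICE_PORTS[s] for s in setup.open_through_wan))
    for f in setup.forwards:
        if (f.enabled and f.lan_ip == setup.fsg_wan_ip
                and (f.proto, f.lan_port) not in open_ports):
            warnings.append(f"forward {f.proto}/{f.public_port} -> {f.lan_port} hits a port "
                            "the FSG does not open on its WAN side; remove it or open the service")
    return warnings


# Constructed sample: CIFS and FTP opened through the WAN, FTP and SSH forwarded.
EXAMPLE = Setup(
    fsg_wan_ip="192.168.1.2",
    open_through_wan={"cifs", "ftp"},
    forwards=[Forward("192.168.1.2", "tcp", 21, 21),
              Forward("192.168.1.2", "tcp", 22, 22)],
)

if __name__ == "__main__":
    for svc in SERVICE_PORTS:
        print(f"{svc:6} reachable from {sorted(reachable_from(EXAMPLE, svc))}")
    for w in review(EXAMPLE):
        print("WARNING:", w)
```

In the sample, CIFS ends up reachable from the FSG LAN and the router LAN only, FTP from the internet as well, and the SSH forward is reported as dead because SSH is not opened through the WAN on the FSG.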
Note: I am not sure how this works in combination with a VPN. Anyone?
Software Settings
Router
Make sure the DHCP range leaves some room for static IPs, so that the FSG can get a fixed address that the router will never hand out to another machine.
- Example: Starting Address: 192.168.1.100, Max DHCP Users: 50 (the router then hands out 192.168.1.100 to 192.168.1.149, and the addresses below .100 stay free for static hosts such as the FSG)
Open Router Firewall
It is usual for the router to have an internal firewall that blocks communication between the external network (Internet) and the equipment connected to the router. It is a good idea to keep this firewall on, but then you must make some settings for the FSG to work properly.
Option 1: DMZ
CAUTION: DON'T USE THIS DMZ SOLUTION.
- Use this option only as a test, if you think you have a problem related to the router firewall. The DMZ passes every incoming connection on every port to the FSG, which leaves it dangerously exposed to the whole internet.
If you want to use this option, go to the router configuration page, enable the DMZ, and add the address of the FSG to the DMZ list, e.g.:
- Public IP address: your public IP; Client PC IP address: 192.168.1.2
Option 2: Opening Ports at Router
The good solution is to open in that firewall, for the address the FSG has, only the necessary "doors" (and only the necessary ones) for the services that you want to be 'seen' from the outside. These "doors" are TCP and UDP ports. Here is a list of ports typically used by each service:
- CIFS (Samba) --> TCP 139 and TCP 445
- FTP --> TCP 21 (the control connection; file transfers use a second connection, so the router must also handle FTP, e.g. with an FTP ALG or by forwarding the server's passive port range)
- SSH --> TCP 22
- web (http) --> TCP 80
- web (https) --> TCP 443
- FSG info page --> TCP 8080
- email (POP3) --> TCP 110
- email (SMTP) --> TCP 25
- email (IMAP4) --> TCP 143
- VPN server, PPTP --> TCP 1723 (plus GRE, IP protocol 47, which is not a port; the router needs PPTP passthrough)
- VPN server, L2TP --> UDP 1701
- VPN server, L2TP and IPSec --> UDP 500 (IKE; behind NAT also UDP 4500 for NAT traversal, and ESP, IP protocol 50, which needs IPsec passthrough on the router)
- SQL server (MySQL) --> TCP 3306
- Subversion (svnserve) --> TCP 3690
REMEMBER: open only the ports you know you need to use. Hackers are all around!
Example: open port 21
This is the configuration you need to change on a 3Com router: go to the router configuration page, then under Firewall/Virtual Server add the following entry:
LAN IP Address | Protocol Type | LAN Port | Public Port | Enable
192.168.1.2    | TCP           | 21       | 21          | Enable
FSG
WAN Config
Set the following options on the Page
- Connection Type: "fixed ip address *"
- IP address: 192.168.1.2 (Something not in the DHCP range of the above router)
- Subnetwork Mask: 255.255.255.0
- Default Gateway: 192.168.1.1 (IP address of the above router)
- DNS Servers: 192.168.1.1 (Same as the Default Gateway)
- Note: If your firmware version is less than 3.1.29 you will need to update it first, otherwise you will receive a message: 'Error: Cannot write configuration file'.
LAN Config
Set the following options on the Page
- IP Address: 192.168.2.1 (a different subnet from the router's: with a 255.255.255.0 mask, the third number must differ from the router's 192.168.1.x; with a wider mask, at least one of the middle two numbers must differ)
- Subnet Mask: 255.255.255.0
Note that all computers using one of the LAN ports of the FSG must have an IP address in the subnet given by the LAN config. In the above example the IP address must start with 192.168.2. If the subnet mask were 255.255.0.0, starting with 192.168 would be sufficient, but then the FSG LAN (192.168.0.0/16) would also contain the router's 192.168.1.0 subnet on the WAN side, and the FSG could no longer tell the two sides apart; keep the two subnets disjoint.
If the IP address is not part of the subnet as specified, some or all functions will not work.
DHCP Server
Set the following options on the Page
- Start DHCP Server: checked
- Gateway: 192.168.2.1 (Same as the IP Address on the LAN config page)
- DNS Server: 192.168.1.1 (Same as DNS Server on the WAN config page)
- Subnetwork Mask: 255.255.255.0
- IP Address Range: 192.168.2.100 - 192.168.2.200
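The WAN, LAN and DHCP pages above have to agree with each other and with the router's DHCP setting: the FSG's WAN address must be inside the router's subnet but outside the router's DHCP pool, the FSG's LAN subnet must not overlap the router's subnet, and the FSG's DHCP pool and gateway must lie inside the FSG's LAN subnet without including the FSG's own address. The following script is an added example (not OpenFSG code) that checks exactly those constraints with Python's ipaddress module; the values in PAGE_PLAN are the ones used on this page, and the router pool is derived from the "Starting Address"/"Max DHCP Users" form of the router section (an assumption about how that router counts its pool).

```python
"""Address-plan consistency checks for an FSG behind a router.
Added example, not OpenFSG code."""
import ipaddress

# Values from this page's Router, WAN Config, LAN Config and DHCP Server sections.
PAGE_PLAN = {
    "router_ip": "192.168.1.1",
    "router_mask": "255.255.255.0",
    "router_dhcp_start": "192.168.1.100",   # router's "Starting Address"
    "router_dhcp_users": 50,                # router's "Max DHCP Users"
    "fsg_wan_ip": "192.168.1.2",
    "fsg_wan_mask": "255.255.255.0",
    "fsg_wan_gateway": "192.168.1.1",
    "fsg_wan_dns": "192.168.1.1",
    "fsg_lan_ip": "192.168.2.1",
    "fsg_lan_mask": "255.255.255.0",
    "fsg_dhcp_gateway": "192.168.2.1",
    "fsg_dhcp_dns": "192.168.1.1",
    "fsg_dhcp_range": ("192.168.2.100", "192.168.2.200"),
}


def router_pool(start, max_users):
    """Addresses the router hands out: `max_users` consecutive addresses from `start`
    (assumed interpretation of the Starting Address / Max DHCP Users form)."""
    first = ipaddress.ip_address(start)
    return {first + i for i in range(max_users)}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    router_net = ipaddress.ip_network(f"{plan['router_ip']}/{plan['router_mask']}", strict=False)
    fsg_wan_net = ipaddress.ip_network(f"{plan['fsg_wan_ip']}/{plan['fsg_wan_mask']}", strict=False)
    fsg_lan_net = ipaddress.ip_network(f"{plan['fsg_lan_ip']}/{plan['fsg_lan_mask']}", strict=False)
    fsg_wan = ipaddress.ip_address(plan["fsg_wan_ip"])
    fsg_lan = ipaddress.ip_address(plan["fsg_lan_ip"])

    # WAN side: a static address in the router's subnet, outside the router's DHCP pool
    if fsg_wan_net != router_net:
        problems.append("FSG WAN address/mask is not in the router's subnet")
    if fsg_wan in router_pool(plan["router_dhcp_start"], plan["router_dhcp_users"]):
        problems.append("FSG WAN address lies inside the router's DHCP pool (duplicate address risk)")
    if ipaddress.ip_address(plan["fsg_wan_gateway"]) != ipaddress.ip_address(plan["router_ip"]):
        problems.append("FSG default gateway must be the router's LAN address")

    # LAN side: a disjoint subnet, with DHCP pool and gateway inside it
    if fsg_lan_net.overlaps(router_net):
        problems.append("FSG LAN subnet overlaps the router's subnet; keep the two disjoint")
    if ipaddress.ip_address(plan["fsg_dhcp_gateway"]) != fsg_lan:
        problems.append("FSG DHCP gateway must be the FSG's LAN address")
    if plan["fsg_dhcp_dns"] != plan["fsg_wan_dns"]:
        problems.append("FSG DHCP DNS server should match the DNS server on the WAN page")
    lo, hi = (ipaddress.ip_address(a) for a in plan["fsg_dhcp_range"])
    if lo > hi or lo not in fsg_lan_net or hi not in fsg_lan_net:
        problems.append("FSG DHCP range must lie inside the FSG LAN subnet")
    elif lo <= fsg_lan <= hi:
        problems.append("FSG DHCP range includes the FSG's own LAN address")
    return problems


if __name__ == "__main__":
    for p in check_plan(PAGE_PLAN) or ["plan is consistent"]:
        print(p)
```

Run it against a modified plan (for instance the LAN mask 255.255.0.0 discussed under LAN Config, or a WAN address such as 192.168.1.120 that falls inside the router's pool) to see the corresponding problem reported.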
Services
Check "Open XX through the WAN" for each service you want to be able to reach from any computer connected to the above router. You'll probably want "Windows File Sharing (CIFS/SMB)" open on the WAN at the very least.
Note: If you want to reach the configuration pages from any of the computers connected to the router, you have to check "Access for configuration pages from the outside." on the HTTP service config page. Bear in mind that if you then also forward the HTTP port at the router, the configuration pages become reachable from the internet.
