Forum Discussion
BeagleIL
Sep 20, 2013Aspirant
Help configuring FVS336Gv2
I recently purchased a FVS336Gv2 and need a bit of help making sure I configure it properly. I currently have 5 static IPs from my ISP that I use on various WWW servers. These 5 servers, all running Linux, are all cabled to a small switch (SW1) that also has the RJ45 coming from my ISP. Each server is running its own firewall program through the Linux applications. One of the servers not only serves up pages to my clients, but also acts as the firewall/router for all the desktops in the office. A second interface on the server connects to a larger switch that all my desktops are cabled to. And the desktops use the internal IP of the server as their gateway.
My goal is to use the FVS336G as a single firewall between all my servers and my ISP. Pre-sales from my vendor said that this would not be a problem and they recommended this device for the task. I would also like to run a cable from the switch to the FVS336G so that traffic from my desktop no longer routes through a server but directly through the FVS336G.
Can I simply connect SW1 into a LAN port and my ISP cable into a WAN port and have Internet connectivity back with the firewall enabled?
Any help is appreciated...
Mark
10 Replies
- aditMentor
Yes, just as you described. You'll have to make sure that all PCs and servers use the FVS LAN IP as the default gateway.
- fordemMentor
BeagleIL wrote: Can I simply connect SW1 into a LAN port and my ISP cable into a WAN port and have Internet connectivity back with the firewall enabled?
It's going to be a tiny bit more complicated than this ...
The servers will currently have public ip addresses, these will need to be changed to private and the firewall configured for Multi-NAT
http://kb.netgear.com/app/answers/detail/a_id/995
- BeagleILAspirant
OK. I believe I've got the hang of setting up the Multi-NAT. I create an inbound rule for each of my public IP addresses that points that traffic to the internal IP address of the corresponding server. This will allow those servers to actually be behind the firewall. And as an added benefit, those servers can now have a single IP interface on the internal network as opposed to having both an internal interface and an external (public) interface.
Now for my next question... I forgot/neglected to say that one of those servers has an application on it where it is making secure outgoing web services calls to one of my clients. That client has programmed into their firewall the public IP address of my server. So am I able to also create an "outbound" rule such that if that server performs the call through the local IP address to the FVS336, the FVS336 sends it out over the WAN using the server's previous public IP address instead of the public IP that I've programmed on the FVS336's WAN1 interface?
- jmizoguchiVirtuoso
that the FVS336 send it out over the WAN using the server's previous public IP address instead of the public IP that I've programmed on the FVS336's WAN1 interface?
Not clear what you mean...
- BeagleILAspirant
I was afraid of that... Through more perusing of the forum and talking with Netgear support, I think I've got the inbound configuration working using inbound rules. You can see their proposed configuration at this link:
http://data.express-evaluations.com/nt2.pdf
It is my understanding that the FVS336 will multi-nat on the WAN1 port and pass the HTTP traffic for servers 43, 44 and 45 to the appropriate private IP based upon the rules.
My next issue is that one of the WWW servers, which used to have its own public IP interface of 216.XXX.XXX.44, sometimes needs to connect to my client. My client is expecting that traffic ONLY from 216.XXX.XXX.44. But if I understand the proposed configuration, all traffic originating from my internal network is going to have the 216.XXX.XXX.42 address as defined for the WAN1 port.
The FVS336 is currently set up for NAT routing as I have other desktops that will also be routing through it. If I switch to "Classical" routing under "WAN Mode", then do I face issues with the desktops routing properly?
And my overall question is if I can set an outbound rule so that traffic that originates on an internal IP, 192.168.1.11, will go out over the WAN as if it was coming from 216.XXX.XXX.44 instead of the current WAN1 address of 216.XXX.XXX.42?
Sorry if I'm not making this clear or if it is entirely too convoluted.
- jmizoguchiVirtuoso
The remote may see the source as coming from the WAN-side IP, so in order to have the remote see the server's public IP, you want to use classical routing.
- aditMentorCheck out the NAT IP on Outbound Rules.
- BeagleILAspirant
adit wrote: Check out the NAT IP on Outbound Rules.
This looks like it may be exactly what I want. And I'm guessing that this allows me to keep the router in "NAT" mode so that the rest of my desktop users will all route properly.
Interesting that the Netgear Support person I spoke with didn't suggest it. She did have to put me on hold for about 5 minutes to get input from someone else.
- jmizoguchiVirtuoso
I forgot about this off the top of my head earlier.
NAT IP: Specifies whether the source address of the outgoing packets on WAN should be assigned WAN interface address OR different one.
NAT single IP is on: The Interface to which the NAT IP belongs to. All the outgoing packets on WAN will be routed through the specified WAN interface only.
- WAN Interface Address: All the outgoing packets on WAN will be assigned WAN interface address.
- Single Address: All the outgoing packets on WAN will be assigned the specified IP address.
Note: This option will be available only when WAN mode is "NAT". The IP address specified should fall under the WAN subnet.
- BeagleILAspirant
Just wanted to give a quick update! I put my FVS336G into my network last evening, programmed with the inbound rules for Multi-NAT on WAN1, and outbound rules for NAT-IP. Works perfectly!
I went years having my Linux WWW servers all running firewall programs. And also running DenyHosts as daemons, as I was constantly getting SSH attacks. Having the ability to run a single firewall along with simplifying my network wiring is going to make life a lot easier!
Thanks for all the help and patience!
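
The rule plan worked out in this thread can be checked before it goes onto the device. The following is an added example, not part of the original thread and not NETGEAR firmware logic: a small Python model of the inbound Multi-NAT rules and the outbound NAT IP rule. The 203.0.113.x addresses are constructed stand-ins for the masked 216.XXX.XXX.x block, and the /29 prefix and the private addresses other than 192.168.1.11 are assumptions.

```python
import ipaddress

# Constructed addresses: 203.0.113.0/24 (documentation range) stands in for
# the thread's masked 216.XXX.XXX.x block; the /29 prefix is an assumption.
WAN_SUBNET = ipaddress.ip_network("203.0.113.40/29")
WAN_IP = ipaddress.ip_address("203.0.113.42")      # WAN1 interface address

# Inbound rules (Multi-NAT): public IP -> private server IP.
# Only 192.168.1.11 is from the thread; .10 and .12 are assumed.
INBOUND = {
    "203.0.113.43": "192.168.1.10",
    "203.0.113.44": "192.168.1.11",
    "203.0.113.45": "192.168.1.12",
}
# Outbound rules with NAT IP "Single Address": private source -> public source.
OUTBOUND_NAT_IP = {"192.168.1.11": "203.0.113.44"}


def validate(outbound, wan_subnet=WAN_SUBNET):
    """Return the rules whose NAT IP falls outside the WAN subnet."""
    return [(src, nat) for src, nat in outbound.items()
            if ipaddress.ip_address(nat) not in wan_subnet]


def egress_source(lan_src, outbound=OUTBOUND_NAT_IP):
    """Source address a remote peer sees for traffic from lan_src."""
    nat = outbound.get(lan_src)
    # No NAT IP rule: the packet leaves with the WAN interface address.
    return ipaddress.ip_address(nat) if nat else WAN_IP


def asymmetric_hosts(inbound=INBOUND, outbound=OUTBOUND_NAT_IP):
    """Servers reachable on one public IP but leaving from another.

    These are the hosts a peer's source-IP allowlist would reject.
    """
    return sorted(priv for pub, priv in inbound.items()
                  if str(egress_source(priv, outbound)) != pub)


if __name__ == "__main__":
    print("NAT IPs outside WAN subnet:", validate(OUTBOUND_NAT_IP))
    for host in ("192.168.1.11", "192.168.1.50"):
        print(host, "leaves as", egress_source(host))
    print("inbound/outbound mismatch:", asymmetric_hosts())
```

Servers listed as mismatched still answer inbound requests correctly; the mismatch only matters when a remote party filters on the source address of connections the server initiates.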