Description:

This document describes how a LANCOM R&S®Unified Firewall is integrated into an existing network where a LANCOM router operates as the gateway.

This scenario applies to the management of exactly one productive network. If you need to manage more than one network, LANCOM Systems recommends using one of the other scenarios to integrate a Unified Firewall (series connection or stand-alone operation).

When using an IPv4/IPv6 dual-stack Internet connection in the LANCOM router and propagating the public IPv6 prefix in the LAN, IPv6 communication is not routed via the Unified Firewall. Instead, network members can communicate with the Internet directly via IPv6.

Therefore IPv6 must not be used in this scenario!



Requirements:

Important:
LANCOM routers that support a maximum of two ARF contexts, such as

  • LANCOM 883 VoIP
  • LANCOM 884 VoIP
  • LANCOM 730VA
  • LANCOM 730-4G(+)
  • LANCOM 1631E
  • LANCOM 1640E

cannot be used to implement the scenario described here, because these devices do not support a sufficient number of ARF contexts.


Scenario:

Current situation:

  • This document assumes a simple network scenario where a LANCOM router operates as a central gateway for the internal network services (e.g. DHCP) and also provides Internet access.
  • The Internet connection is implemented using the xDSL modem integrated in the LANCOM router or via the WAN interface (for devices without a modem).
  • The local network (IP address range 192.168.1.0/24) is connected via the Ethernet interface ETH-1 to a LANCOM switch, which the local network components (PC, notebook, server, etc.) are connected to. The other Ethernet interfaces of the LANCOM router (e.g. ETH-2 to ETH-4) are also set up for the local network (default setting).

Target situation:

This way of integrating the Unified Firewall is also referred to as layer-3 loop.

  • The Unified Firewall is connected by its port eth0 to the port ETH-4 of the LANCOM router. The port eth1 of the Unified Firewall is connected to port ETH-3 of the LANCOM router.
  • The Unified Firewall operates as a DHCP client on port eth0 and thus obtains its IP parameters from the DHCP server of the LANCOM router. 
  • On the LANCOM router and on the Unified Firewall, two intermediate networks are set up (UF-TRANSFER: 192.168.11.0/24 and UF-CONNECT: 192.168.12.0/24).


Procedure:

The Unified Firewall must not yet be connected to the LANCOM router or to the network via a LAN cable!

1) Basic configuration steps on the LANCOM router:

1.1) Open the configuration for the router in LANconfig and switch to the menu item IPv4 → General → IP networks.

1.2) Create the first intermediate network with a click on Add. This network is used to send packets from the productive network (here the INTRANET) to the Unified Firewall.

Save the following parameters:

  • Network name: Give the intermediate network a descriptive name.
  • IP address: Give it an IP address from the IP address range 192.168.11.0/24.
    • Important: The following IP address ranges may not be used, since they are already used by the Unified Firewall by default:
      • 168.1.0/24
      • 168.2.0/24
      • 168.3.0/24
  • Netmask: Set the subnet mask 255.255.255.0.
  • Interface assignment: From the drop-down menu, select the logical interface LAN-3.

1.3) Create the second intermediate network with a click on Add. This network is used to receive packets from the Unified Firewall.

Save the following parameters:

  • Network name: Enter a descriptive name for the second intermediate network.
  • IP address: Give it an IP address from the IP address range 192.168.12.0/24.
    • Important: The following IP address ranges may not be used, since they are already used by the Unified Firewall by default:
      • 168.1.0/24
      • 168.2.0/24
      • 168.3.0/24
  • Netmask: Set the subnet mask 255.255.255.0.
  • Interface assignment: From the drop-down menu, select the logical interface LAN-4.

1.4) Switch to the menu IPv4 → DHCPv4 → DHCP networks.

1.5) Create a new DHCP network and modify the following parameters:

  • From the drop-down menu for the Network name, select the second intermediate network.
  • Activate the DHCP server under DHCP server enabled by setting the drop-down menu to Yes.
  • For the first address and last address set an IP address from the second intermediate network (192.168.12.0/24). The same IP address must be set in both fields to ensure that the Unified Firewall always obtains this IP address.

Info:
It makes sense to assign a “fixed” IP address to the Unified Firewall so that port forwarding can be set up, if required. 

1.6) Navigate to the menu Interfaces → LAN → Ethernet ports.

1.7) Assign the port ETH-3 to the interface LAN-3 and the port ETH-4 to the interface LAN-4.

1.8) Navigate to the menu Interfaces → LAN → Port table.

1.9) Make sure that no bridge groups are set for the logical interfaces LAN-3 and LAN-4 (Bridge group: none).

Info:
With WLAN routers, all interfaces are assigned to the bridge group 1 (BRG-1) by default.

1.10) This concludes the configuration steps on the LANCOM router. Write the configuration back to the router.



2) Configuration steps on the Unified Firewall:

Connect port eth0 of the Unified Firewall to the port ETH-4 of the LANCOM router.

Important:
Do not connect port eth1 of the Unified Firewall to port ETH-3 of the LANCOM router yet!

2.1) Enter the IP address 192.168.12.253 followed by the port 3438 in the browser to access the web interface of the Unified Firewall (192.168.12.253:3438).

2.2) When the warning message regarding the certificate is displayed, first click on Advanced and then on Proceed to 192.168.12.253 (unsafe).

Info:
The warning about the insecure certificate can be removed by creating a web-server certificate on the Unified Firewall and then importing the certificate into the operating system.

2.3) The Unified Firewall is still unconfigured, so the default access credentials can be entered.

  • User: admin
  • Password: admin

2.4) Set a new admin password for access to the web interface as well as a new support password for access to the command line and then click on Accept & Login.

2.5) The setup wizard opens automatically. Click on Start setup in English.

2.6) Since the Unified Firewall is to be configured manually, you now have to click on Cancel Wizard.

2.7) Change to the menu Network → Connections → Network Connections and click on the “edit” icon for eth1 to modify the network.

2.8) Edit the IP address and enter an IP address from the first intermediate network 192.168.11.0/24.

2.9) Click the icon on the desktop to create a new network.

2.10) Save the following parameters:

  • Name: Enter a descriptive name.
  • Interface: From the drop-down menu, set the interface to eth1.
  • Network IP: Enter the productive network 192.168.1.0/24, which is already available on the LANCOM router, in CIDR notation (Classless Inter-Domain Routing).

Info:
The productive network of the LANCOM router must be created as a desktop object on the Unified Firewall in order to permit communication via the firewall.

2.11) Confirm the warning message by clicking on Save Anyway.

2.12) On the desktop, click the network object created in step 2.10) and select the Connection Tool. Link the network object to the Internet object.

2.13) Use the “+” icon to add the necessary protocols for the outgoing communications.

2.14) Click on the Activate button to accept and enable the changes.

2.15) Change to the menu Network → Routing → Routing Tables and click on the “edit” icon to modify the Table 254.

2.16) Click on the “+” icon to create a new routing entry.

2.17) Enter the following parameters and then click on OK.

  • Interface: Select eth1 from the drop-down menu.
  • Destination: Enter the productive network already available on the LANCOM router in CIDR notation (192.168.1.0/24).
  • Gateway: Enter the IP address of the LANCOM router in the first intermediate network (see step 1.2).

Info:
This return route allows the productive network of the LANCOM router (192.168.1.0/24) to access the IP address of the Unified Firewall in the first intermediate network (192.168.11.0/24). 

2.18) Save your changes to the Table 254.

Important:
After setting this route, the Unified Firewall can only be accessed using the IP address of the Unified Firewall in the first intermediate network (192.168.11.253). The current connection to the web interface is interrupted immediately after saving!

2.19) This concludes the configuration steps on the Unified Firewall.

Now connect port eth1 of the Unified Firewall to the port ETH-3 of the LANCOM router.



3) Subsequent configuration steps on the LANCOM router:

3.1) Open the configuration for the router in LANconfig and switch to the menu item IPv4 → General → IP networks.

3.2) Mark the existing productive network (in this example the network INTRANET) and click on Edit.

3.3) Set the Interface tag 1.

3.4) Edit the first intermediate network (here UF-TRANSFER) and set the Interface tag 1.

Info:
The networks INTRANET and UF-TRANSFER must have the same interface tag in order to communicate with one another.

3.5) Edit the second intermediate network (here UF-CONNECT) and set the Interface tag 2.

3.6) Navigate to the menu IP Router → Routing → IPv4 routing table.

3.7) Mark the existing default route for the Internet connection and click Edit.

3.8) Change the routing tag to the value 2.

3.9) Create an additional routing entry and enter the following parameters:

  • IP address : Enter the address 255.255.255.
  • Netmask : Enter the netmask 0.0.0.
  • Routing tag: Enter the routing tag 1.
  • Router: Enter the IP address of the Unified Firewall in the first intermediate network 192.168.11.0/24 (here 192.168.11.253, see step 2.8).
  • IP masquerading: Set the radio button to IP Masquerading switched off.

3.10) Navigate to the menu IPv4 → DNS → Forwarding.

3.11) Create an entry and enter the following parameters:

  • Domain: Enter the wildcard *, so that all DNS requests are forwarded.
  • Routing tag: Enter tag 1 to forward all requests from the INTRANET.
  • Remote site: Enter the IP address of the Unified Firewall in the first intermediate network (see step 2.8), so that all DNS queries from the productive network of the LANCOM router (in this example, the INTRANET) are forwarded to the Unified Firewall.

3.12) Create an additional entry and enter the following parameters:

  • Domain: Enter the wildcard *, so that all DNS requests are forwarded.
  • Routing tag: Enter the tag 2, so that DNS requests from the Unified Firewall in the second intermediate network can be answered.
  • Remote site: Enter any DNS server (in this example the Google DNS server 8.8.8.8).

3.13) This concludes the configuration steps on the LANCOM router. Write the configuration back to the router.
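As an added check that is not part of the LANCOM article or of LCOS: a small Python model of the tag-based (ARF) routing configured in sections 1 to 3, which lets you verify on paper that the layer-3 loop forces all INTRANET traffic through the Unified Firewall and that the return route of step 2.17 brings it back. The router's own addresses in the two intermediate networks (192.168.11.1, 192.168.12.1) are assumed values, and the lookup is a simplified approximation of how interface and routing tags restrict route visibility.

```python
from ipaddress import ip_address, ip_network

# Router IP networks: (prefix, interface tag, router address); prefixes and
# tags follow steps 1.2-1.3 and 3.2-3.5, the router's addresses inside the
# intermediate networks are assumed values.
ROUTER_NETS = {
    "INTRANET":    (ip_network("192.168.1.0/24"),  1, "192.168.1.1"),
    "UF-TRANSFER": (ip_network("192.168.11.0/24"), 1, "192.168.11.1"),
    "UF-CONNECT":  (ip_network("192.168.12.0/24"), 2, "192.168.12.1"),
}
UF_ETH1 = "192.168.11.253"   # UF address in UF-TRANSFER (step 2.8, note 2.18)

# Router IPv4 routing table, (prefix, routing tag, next hop): steps 3.8 / 3.9
ROUTER_ROUTES = [
    (ip_network("0.0.0.0/0"), 2, "INTERNET"),
    (ip_network("0.0.0.0/0"), 1, UF_ETH1),
]
# UF table 254, (prefix, egress interface, router network it leads to): the
# return route of step 2.17 ahead of the default route learned via DHCP.
UF_ROUTES = [
    (ip_network("192.168.1.0/24"), "eth1", "UF-TRANSFER"),
    (ip_network("0.0.0.0/0"),      "eth0", "UF-CONNECT"),
]

def router_forward(ingress, dst):
    """Next hop for a packet that entered the router from network `ingress`.
    Only networks and routes carrying the ingress interface tag are visible."""
    tag = ROUTER_NETS[ingress][1]
    d = ip_address(dst)
    for name, (prefix, ntag, _) in ROUTER_NETS.items():
        if d in prefix and ntag == tag:
            return name                      # directly connected, same context
    for prefix, rtag, hop in ROUTER_ROUTES:
        if d in prefix and rtag == tag:
            return hop
    return None

def uf_forward(dst):
    """UF egress interface and the router network it hands the packet to."""
    d = ip_address(dst)
    return next((iface, back) for prefix, iface, back in UF_ROUTES if d in prefix)

def trace(ingress, dst):
    """Hop list for a packet entering the router from `ingress`."""
    path, hop = ["router"], router_forward(ingress, dst)
    if hop == UF_ETH1:                       # tag-1 default route: via the UF
        iface, back = uf_forward(dst)
        path += [f"UF:{iface}", "router"]
        hop = router_forward(back, dst)
    return path + [hop]
```

A packet from the INTRANET to the Internet therefore passes router, UF (eth1 in, eth0 out), router again, and only then the WAN; a device in UF-CONNECT (tag 2) never sees the INTRANET directly, so the firewall cannot be bypassed from that side.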



4) Further steps: Configuring the UTM features:

The configuration of the UTM functions is described in the following articles: