Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 9 replies
  • Subscribers 27 subscribers
  • Views 11909 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

HW Firewall Appliance with ISP Modem/Router and Apple Airport Extreme Wireless Router Configuration

Lawrence Elitzer

I am trying to figure out the best way to order these devices and where to do DHCP/NAT, what should be in bridged mode, etc... I would like to utilize my AP Extreme and would like my wireless clients to be behind the firewall. I am thinking ISP Modem/Router --> Firewall appliance (running XG) --> Wireless router? I would like to have the firewall behind the NAT so I don't get a bunch of noise that would have been rejected by NAT. Seems like the XG should probably be set up in bridged mode? I don't think I'd be missing out on any of the features not supported in that mode. So I would have DHCP/NAT on the ISP device and just have the wireless router act as an AP only? Also, not sure if this is a concern for bridge mode on the XG, but I would like at some point to have certain traffic (based on IP probably) go through to an always-on VPN (so the XG would act as a client), pretty sure this should be possible? Am I able to create VLANs based on IP addresses so I could segregate the wireless clients on the AP (e.g. my computer, phone, etc... from the IoT devices)?

Sorry for the pretty loaded question. I am new to the firewall realm and would like to learn more about them. I just purchased some HW for the firewall and will be installing XG Home on it when I figure out the general network map/structure. Thanks!



This thread was automatically locked due to age.
Parents
  • 0

    Hi,

    The XG firewall has NAT, just put the modem in bridge mode. NAT does not stop internet noise. The XG will offer better security than your ISP device, use the XG for your DNS, DHCP etc that will make life simpler and easier to manage. You are trying to make life very difficult for yourself with your proposed setup.

    For VLANs you will need seperate iP address ranges.

    Just create different SSIDs for the IoT devices and use clientless users to seperate the firewall rules for each user group.

    Ian

  • 0 in reply to rfcat_vk

    Alright I was just thinking that if I bridge the modem and have the firewall handle DHCP then the outside interface is going to get hit with random Internet scans that would normally get blocked by a router anyway (I’m talking about the WAN to LAN traffic that isn’t a response so would get blocked).

Reply
  • 0 in reply to rfcat_vk

    Alright I was just thinking that if I bridge the modem and have the firewall handle DHCP then the outside interface is going to get hit with random Internet scans that would normally get blocked by a router anyway (I’m talking about the WAN to LAN traffic that isn’t a response so would get blocked).

Children
  • 0 in reply to Lawrence Elitzer

    Hi,

    a router doesn't stop traffic, it is the firewall function which will stop any connection that is not have a current. If you don't have a WAN to LAN rule then all traffic that attempts to enter your firewall will be blocked.

    Ian

  • 0 in reply to rfcat_vk

    Doesn’t NAT act like a firewall though as it won’t let in any traffic that didn’t have an outgoing connection? I’ll try and set it up as you’ve said. I was just hoping to put it behind NAT since the traffic wouldn’t have reached my network anyway. That way I could really see what’s getting past NAT (which I would have had anyway without a HW FW) and trying to get in.

  • 0 in reply to Lawrence Elitzer

    Hi,

    the NAT was a way of expanding the available IP address ranges by providing hidden ranges from the internet that could be used multiple times. NAT provides token protection for those with equipment that does not have a stateful inspection firewall. A stateful inspection firewall checks on whether a valid connection exists, not the NAT.

    The XG has a NAT function and a stateful inspection function as well as a http proxy.

    Ian

  • 0 in reply to rfcat_vk

    Alrighty thanks. I get all that. I was just trying to limit the amount of traffic the firewall has to process. But I’ve got a fairly beefy system I hope so I’ll test it out and see how it goes. Thanks again for all your help.

  • 0 in reply to Lawrence Elitzer

    Hi Lawrence,

    I think you misunderstand the firewall performance, unless you are running 100s of users you will not stress it that much. Most of us home users have systems way more powerful than the commercial XG units. If you are running 1gb/1gb external connection then you might stress it occasionally otherwise no.

    Mine is a quad core E3 which gets to 5% on a busy day.

  • 0 in reply to rfcat_vk

    I've just been reading material and have been seeing that once you start enabling certain resource heavy features (or a lot of features in general) it begins to tax the system.

  • 0 in reply to Lawrence Elitzer

    Hi Lawrence,

    what is your reference and does it apply to the XG? I am running 13 rules for about 24 or so clientless users. iphones, ipads, IoT, windows server, macs of various types, andriod, sophos AP, wifi printers and VoIP phones so I don't understand where you are coming from?

     

    Ian

    Additional information:- Some information that might help you understand what I am talking about. The thread below is from one of the Sophos forums and it talks about hardware specification. Some of it is in German, but will give you an idea of throughput. My unit is similar to an XG 450.

    https://community.sophos.com/products/xg-firewall/f/hardware/94750/hardware-specs-of-xg-appliances