April 1st, 2012, 04:03 PM
Running firewall on a switch
I have a project I'm working on as kind of a noob, and I need some help. I have a network switch, and what I'm supposed to do is have the ethernet coming in on one port, the box that will function as the firewall on another (I'll be using Vyatta but that's not particularly important here), and anything else that will be plugged in will need to run through that firewall.
There was mention of VLAN tagging, but I'm not 100% how that works or how it would be useful, and I've had a lot of trouble finding anything useful online.
My hunch is I think I need to set up the incoming ethernet and the Vyatta box on one VLAN and then anything that's going to go through it on another, and...then do something with tagging. Tag the packets coming from the firewall? I don't entirely understand what I need to do to get this working.
And please understand that I was specifically asked to do it this way, because the firewalls we use in prod are hooked up this way, so I'm not interested in doing it any other way; this is how my job wants it done.
Any help you can give is greatly appreciated.
April 2nd, 2012, 10:12 PM
What exactly is the purpose of the firewall? (ie. what is the firewall going to protect?)
It sounds like one port on the switch is uplinked to whatever you are protecting *from*, and the firewall and the rest of your devices plugged into the rest of the ports on the switch. Is this a correct assumption?
If so, you will need to create two vlans on the switch. For example: vlan 100 will be for the port that you want to protect from, and vlan 200 will be the vlan for the rest of the switch ports.
Either the firewall will need to have two NICs (one per vlan on the switch), or the NIC and your OS must be able to create vlan sub-interfaces.
Let us know if I'm on the right track with what you need and I can help further with your design.
April 2nd, 2012, 11:15 PM
The firewall is used to separate an intranet from the internet, essentially. The internal network needs access to the internet, but we don't want external sources to have access to our internal stuff. So essentially, yes, your assumption was correct.
For my home project, I'll just be using it to set up some packet filtering and firewall rules for practice.
For the way we have things set up, I only need one NIC for the firewall (I've been told this explicitly). The use of 2 VLANs is what I thought I would need, so I'm at least on the right track there. The guy who's working with me said something about tagging the VLAN and using that as a way to filter packets (?).
April 3rd, 2012, 12:34 AM
Ok. Which switch is it that you are using (brand/model)? Also, have you confirmed that the firewall is capable of creating vlan sub-interfaces?
Essentially, you'll have one access port in vlan 100 for the incoming external network cable, a single port that goes to the firewall that is configured in 802.11q 'trunk' mode that will carry both vlan 100 and vlan 200, and the rest of the switch in access mode for vlan 200 (the internal vlan).
Then on the firewall, you configure the physical NIC to have two sub-interfaces. This then configures each sub-interface into the two separate vlans. You proceed to apply the appropriate IP addressing information to each sub-int, and apply your firewall rules.
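The two halves of that design, switch side and firewall side, written out as one script. This is an added example, not from the thread and not from Dell or Vyatta documentation: port names (g1..g6), VLAN ids 100/200, the addresses (documentation ranges) and the firewall rule names are all assumptions, and the PowerConnect-style CLI is reproduced from memory, so compare it against the switch's own reference guide before pasting. The script refuses to emit a layout in which the same port is both an inside access port and the trunk or uplink, since that would let untagged traffic bypass the firewall's sub-interfaces.

```shell
#!/bin/sh
# Added example (not from the thread, Dell or Vyatta docs): emit the switch and
# firewall configuration for one access port in the outside VLAN, one trunk
# port carrying both VLANs to the firewall's single NIC, and every other port
# in the inside VLAN. Port names, VLAN ids, addresses and rule names are
# assumptions; the PowerConnect-style CLI is from memory.
set -eu

OUTSIDE_VLAN=100            # untrusted side (upstream cable)
INSIDE_VLAN=200             # protected side
UPLINK_PORT=g1              # access port, outside VLAN
FW_PORT=g2                  # trunk port, both VLANs, to the firewall
INSIDE_PORTS="g3 g4 g5 g6"  # access ports, inside VLAN
OUTSIDE_ADDR=203.0.113.2/24 # assumed addresses (documentation ranges)
OUTSIDE_GW=203.0.113.1
INSIDE_ADDR=192.168.10.1/24
INSIDE_NET=192.168.10.0/24

# VLAN ids must be 1..4094 and the two must differ, otherwise both sides share
# one broadcast domain and nothing ever crosses the firewall.
check_vlans() {
  for v in "$1" "$2"; do
    case "$v" in ''|*[!0-9]*) echo "bad vlan id: $v" >&2; return 1;; esac
    [ "$v" -ge 1 ] && [ "$v" -le 4094 ] || { echo "vlan out of range: $v" >&2; return 1; }
  done
  [ "$1" -ne "$2" ] || { echo "outside and inside vlan must differ" >&2; return 1; }
}

# No port may play two roles: an inside access port that is also the trunk or
# the uplink would carry untagged traffic around the firewall.
check_ports() {  # uplink fwport "inside ports"
  [ "$1" != "$2" ] || { echo "uplink and firewall port must differ" >&2; return 1; }
  for p in $3; do
    [ "$p" != "$1" ] && [ "$p" != "$2" ] || { echo "port $p reused" >&2; return 1; }
  done
}

switch_config() {
  check_vlans "$OUTSIDE_VLAN" "$INSIDE_VLAN" || return 1
  check_ports "$UPLINK_PORT" "$FW_PORT" "$INSIDE_PORTS" || return 1
  cat <<EOF
vlan database
 vlan $OUTSIDE_VLAN,$INSIDE_VLAN
exit
interface ethernet $UPLINK_PORT
 switchport mode access
 switchport access vlan $OUTSIDE_VLAN
exit
interface ethernet $FW_PORT
 switchport mode trunk
 switchport trunk allowed vlan add $OUTSIDE_VLAN,$INSIDE_VLAN
exit
EOF
  for p in $INSIDE_PORTS; do
    printf 'interface ethernet %s\n switchport mode access\n switchport access vlan %s\nexit\n' "$p" "$INSIDE_VLAN"
  done
}

# Vyatta side: one sub-interface (vif) per VLAN on the single NIC, a default
# route out the outside vif, stateful default-drop for traffic arriving from
# outside (both forwarded and addressed to the firewall itself), and source
# NAT for the inside network.
vyatta_config() {
  cat <<EOF
set interfaces ethernet eth0 vif $OUTSIDE_VLAN address $OUTSIDE_ADDR
set interfaces ethernet eth0 vif $INSIDE_VLAN address $INSIDE_ADDR
set protocols static route 0.0.0.0/0 next-hop $OUTSIDE_GW
set firewall name OUTSIDE-IN default-action drop
set firewall name OUTSIDE-IN rule 10 action accept
set firewall name OUTSIDE-IN rule 10 state established enable
set firewall name OUTSIDE-IN rule 10 state related enable
set firewall name OUTSIDE-LOCAL default-action drop
set firewall name OUTSIDE-LOCAL rule 10 action accept
set firewall name OUTSIDE-LOCAL rule 10 state established enable
set firewall name OUTSIDE-LOCAL rule 10 state related enable
set interfaces ethernet eth0 vif $OUTSIDE_VLAN firewall in name OUTSIDE-IN
set interfaces ethernet eth0 vif $OUTSIDE_VLAN firewall local name OUTSIDE-LOCAL
set nat source rule 10 outbound-interface eth0.$OUTSIDE_VLAN
set nat source rule 10 source address $INSIDE_NET
set nat source rule 10 translation address masquerade
commit
save
EOF
}

echo "! switch"; switch_config
echo "# firewall"; vyatta_config
```

The inside VLAN deliberately gets no inbound rule set here: the point of the layout is that inside hosts reach the internet through the firewall, while the outside vif accepts only replies to connections that the firewall has already seen.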
April 3rd, 2012, 12:44 PM
Ahh, that makes sense.
Yes, the switch I'm using has that capability. It's a Dell PowerConnect 5448. The firewall I'm using is Vyatta, which is based on Debian; setting up sub-interfaces should, I think, be fairly simple if I understand how that works correctly...that's just all set up with ifconfig, correct?
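Since the post asks how the sub-interfaces are set up on the Debian side: on a plain Debian host they are created with iproute2 (`ip link ... type vlan`, backed by the 8021q kernel module) or made persistent in /etc/network/interfaces, while Vyatta wraps the same thing in its own `vif` configuration. The script below is an added example, not from the thread or from Vyatta: the parent interface name, VLAN ids and addresses are assumptions, and it only prints the plan unless APPLY=1 is set and it runs as root.

```shell
#!/bin/sh
# Added example, not from the thread: the two sub-interfaces on a plain Debian
# host with iproute2 and the 8021q kernel module. Interface name, VLAN ids and
# addresses are assumptions. Nothing is applied unless APPLY=1 is set and the
# script runs as root; otherwise it only prints the plan.
set -eu

PARENT="${PARENT:-eth0}"

# Conventional kernel name for a tagged sub-interface: <parent>.<vlan id>
vlan_ifname() { printf '%s.%s\n' "$1" "$2"; }

# iproute2 commands that create one sub-interface, address it and bring it up.
vlan_cmds() {  # parent vlan_id cidr
  ifn=$(vlan_ifname "$1" "$2")
  printf 'ip link add link %s name %s type vlan id %s\n' "$1" "$ifn" "$2"
  printf 'ip addr add %s dev %s\n' "$3" "$ifn"
  printf 'ip link set dev %s up\n' "$ifn"
}

# Persistent equivalent for /etc/network/interfaces (ifupdown plus the vlan package).
interfaces_stanza() {  # parent vlan_id address netmask
  ifn=$(vlan_ifname "$1" "$2")
  printf 'auto %s\niface %s inet static\n    address %s\n    netmask %s\n    vlan-raw-device %s\n' \
    "$ifn" "$ifn" "$3" "$4" "$1"
}

# Outside VLAN 100 and inside VLAN 200, both hanging off the one trunked NIC.
plan() {
  vlan_cmds "$PARENT" 100 203.0.113.2/24
  vlan_cmds "$PARENT" 200 192.168.10.1/24
}

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
  modprobe 8021q 2>/dev/null || true   # VLAN tagging support in the kernel
  ip link set dev "$PARENT" up         # the parent carries only tagged frames
  plan | sh -e                         # run each command, stop on the first error
  ip link show type vlan
else
  echo "# plan only (set APPLY=1 and run as root to apply):"
  plan
  echo "# /etc/network/interfaces stanzas:"
  interfaces_stanza "$PARENT" 100 203.0.113.2 255.255.255.0
  interfaces_stanza "$PARENT" 200 192.168.10.1 255.255.255.0
fi
```

The parent interface itself gets no address: with the switch port in trunk mode, anything untagged on eth0 is not part of either VLAN, so leaving it unaddressed avoids an unfiltered path that neither sub-interface's rules cover.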
April 3rd, 2012, 02:00 PM
How many ports does the firewall have? You can simplify your design by plugging the "outside" network into port 1 and the "inside" network into port 2. Then you don't need to worry about VLAN tagging at all.
April 3rd, 2012, 07:04 PM
As mentioned earlier in the thread, only one, and I was specifically asked to do it this way.
April 4th, 2012, 12:02 PM
Ahh, missed that word. Oops.