[Cialug] Firewall question

Sean Flattery sean.r.flattery at gmail.com
Tue Mar 7 09:47:49 CST 2017


Hi Tom,

I'm on the mailing list digest, so someone may have already beat me to this
advice.

You can check routes by using the route command, and there should be a
default route from your clients to the firewall IP.  Another great tool to
use is traceroute, which is like ping but it tells you at which point in
the network your connection has problems.  Run traceroute on every device
you can using IP addresses (8.8.8.8 is a good one to use), where does it
drop?  Dig is another command that checks if you can get DNS info and
resolve names.  Maybe your clients can get out using IPs, but not hostnames.

Based on what you've provided, I assume your network is set up like this:
internet <--> modem <--> firewall <--> ap <--> all your clients

My initial guess is that your firewall/AP is not giving out the correct
DHCP information for clients to get to the internet.  Most APs are also
routers with firewalls that hand out DHCP.  Some can go into AP-only mode,
disabling those other features.  How is yours set up?

Here's how I'd recommend configuring that so things work smoothly now, and
after a reboot/power outage.  Have your modem hand out DHCP, but give your
firewall a static IP outside the DHCP range and have the modem put that IP
into the DMZ (useful if you forward ports to internal services, or play
multiplayer games online).  Have your firewall handle DHCP for your
internal network, have your AP only be an AP (put in AP mode if it's
capable of more), and your clients should get DHCP and think of your
firewall as the edge of your network.

This setup gives you flexibility to plug your clients directly into the
modem if you need to, or to plug your AP into the modem and leave your
clients connected to the AP, in case you need to troubleshoot the
firewall.  I'll also second the recommendation for pfSense, and nominate
the free Sophos UTM as well.


Thanks,
Sean


Date: Mon, 6 Mar 2017 16:24:13 -0600
> From: Tom Sellers <tsellers2009 at gmail.com>
> To: Central Iowa Linux Users Group <cialug at cialug.org>
> Subject: [Cialug] Firewall question
> Message-ID: <CAGMb6GQXJLDuH2TjTQTb704c8HoUEX1ycDhr1ggCDnkForuw+w at mail.gmail.com>
> Content-Type: text/plain; charset=UTF-8
>
> I am trying to insert a firewall between my cable modem and my wireless
> access point.  The firewall is just a computer running a linux variant.
> (Devil
>
> I can ping the outside world from the firewall machine keyboard and resolve
> pings such as "ping www.yahoo.com" fine. The problem is that none of the
> machines connected to the wireless access point either by wire or wireless
> have any address resolution or internet access.
>
> Right now I have the network attached to my existing network for testing.
>
> For example:    Existing home network ---- firewall machine --- new
> wireless router --- 3 test machines (two wireless and 1 cabled)
>
> The firewall gets a DHCP address from my existing network as it would from
> my cable provider.  The other side of the firewall is set up with a fixed
> IP connected to one of the ports on the new wireless router (192.168.9.254)
> (wireless router is 192.168.9.1).
>
> I am not that familiar with all the command line IP commands but can verify
> the IPs of the various devices.  It seems to me there is a route missing
> that prevents the internal IP from talking to the external IP of the
> firewall.
>
> Anyone out there that can enlighten me as a somewhat inexperienced linux
> user?
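The three checks Sean lists (route, traceroute, dig) as one script, added here as an example and not part of either message. It parses the text that `ip route` (or `route -n`), `traceroute -n` and `dig +short` print, and turns the three results into a single verdict: no default route, default route pointing at the wrong box, path dying at a given hop, or IP working while names do not. The sample outputs embedded below are constructed, not captured from Tom's network; the only thing taken from the thread is the firewall's inside address 192.168.9.254, and the choice of 8.8.8.8 as the traceroute target follows Sean's suggestion.

```shell
#!/bin/sh
# Added example (not from the original post). Parses the output of
# ip route / route -n, traceroute -n and dig +short and reports where
# a client's path to the internet breaks.

# Gateway of the default route. Understands both `ip route` ("default via X")
# and `route -n` ("0.0.0.0  X  0.0.0.0 ...") output. Prints nothing if absent.
default_gateway() {
    awk '
        $1 == "default" && $2 == "via"     { print $3; exit }
        $1 == "0.0.0.0" && $3 == "0.0.0.0" { print $2; exit }
    '
}

# Number of the last traceroute hop that answered; 0 if none did.
# A hop line whose fields after the hop number are all "*" is unanswered.
last_responding_hop() {
    awk '
        /^ *[0-9]+ / {
            hop = $1; $1 = ""
            if ($0 !~ /^[ *]*$/) last = hop
        }
        END { print last + 0 }
    '
}

# Succeeds if some hop line names the target address, i.e. traceroute got there.
trace_reached() {
    awk -v t="$1" '
        /^ *[0-9]+ / { for (i = 2; i <= NF; i++) if ($i == t) found = 1 }
        END { exit !found }
    '
}

# Succeeds if `dig +short NAME` returned at least one IPv4 address.
resolves() {
    grep -qE '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# diagnose EXPECTED_GW ROUTE_OUTPUT TRACEROUTE_OUTPUT DIG_OUTPUT
# Live use on a client:
#   diagnose 192.168.9.254 "$(ip route)" "$(traceroute -n 8.8.8.8)" "$(dig +short www.yahoo.com)"
diagnose() {
    expected_gw=$1 routes=$2 trace=$3 dns=$4 target=8.8.8.8
    gw=$(printf '%s\n' "$routes" | default_gateway)
    if [ -z "$gw" ]; then
        echo "FAIL: no default route; the client has no way off its own subnet"
        return 1
    elif [ "$gw" != "$expected_gw" ]; then
        echo "FAIL: default route is via $gw, not the firewall $expected_gw; DHCP is handing out the wrong router"
        return 1
    fi
    if printf '%s\n' "$trace" | trace_reached "$target"; then
        if printf '%s\n' "$dns" | resolves; then
            echo "OK: routing and DNS both work"
            return 0
        fi
        echo "FAIL: packets reach $target but names do not resolve; DNS, not routing, is the problem"
        return 1
    fi
    hop=$(printf '%s\n' "$trace" | last_responding_hop)
    if [ "$hop" -eq 0 ]; then
        echo "FAIL: no hop answers; the client cannot even reach $expected_gw"
    elif [ "$hop" -eq 1 ]; then
        echo "FAIL: the first hop ($expected_gw) answers but nothing beyond it does; look at routing on the firewall itself"
    else
        echo "FAIL: last reply came from hop $hop, somewhere beyond the firewall"
    fi
    return 1
}

# Constructed sample outputs (not captured from a real network).
ROUTE_WRONG_GW='default via 192.168.9.1 dev wlan0 proto dhcp metric 600
192.168.9.0/24 dev wlan0 proto kernel scope link src 192.168.9.23'
ROUTE_OK='default via 192.168.9.254 dev eth0 proto dhcp
192.168.9.0/24 dev eth0 proto kernel scope link src 192.168.9.23'
TRACE_STUCK='traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.9.254  0.412 ms  0.380 ms  0.355 ms
 2  * * *
 3  * * *'
TRACE_OK='traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.9.254  0.412 ms  0.380 ms  0.355 ms
 2  10.0.0.1  1.020 ms  0.998 ms  1.105 ms
 3  8.8.8.8  12.311 ms  12.002 ms  12.450 ms'
DIG_EMPTY=''
DIG_OK='cname.example.net.
203.0.113.7'

# Run stand-alone: one verdict per scenario.
diagnose 192.168.9.254 "$ROUTE_WRONG_GW" "$TRACE_OK"    "$DIG_OK"    || :
diagnose 192.168.9.254 "$ROUTE_OK"       "$TRACE_STUCK" "$DIG_EMPTY" || :
diagnose 192.168.9.254 "$ROUTE_OK"       "$TRACE_OK"    "$DIG_EMPTY" || :
diagnose 192.168.9.254 "$ROUTE_OK"       "$TRACE_OK"    "$DIG_OK"
```

Run it on each test machine (wired and wireless) and compare the verdicts: if the wired box and the wireless ones disagree, the wireless router is doing something to the traffic; if they all stop at hop 1, the firewall box is the place to look next.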

