[Cialug] Firewall question

Tom Sellers tsellers2009 at gmail.com
Tue Mar 7 13:36:49 CST 2017


I will try to get more detailed later (busy today) but the traceroute
command comes back with two lines.  Both reference the base IP of the
router which is 192.168.9.1.  I agree that the problem is with not being
able to get to the internal firewall side which is 192.168.9.254 fixed IP.

If I am logged into the firewall machine I can ping by IP or name.

i.e. ping 8.8.8.8 with a valid response  (also)
     ping www.google.com resolves properly as well.

I can ssh to the firewall at 192.168.9.254 without any issue and perform
the above commands without issue.

From the local machine terminal window both commands fail.

Right now the wireless access point does not have an internet connection.
Just trying to route through the firewall to the existing network which
works fine.  When I tried to connect this wireless device to my cable modem
directly I crashed the whole network.  Firewall did not work.

On Tue, Mar 7, 2017 at 9:47 AM, Sean Flattery <sean.r.flattery at gmail.com>
wrote:

> Hi Tom,
>
> I'm on the mailing list digest, so someone may have already beat me to this
> advice.
>
> You can check routes by using the route command, and there should be a
> default route from your clients to the firewall IP.  Another great tool to
> use is traceroute, which is like ping but it tells you at which point in
> the network your connection has problems.  Run traceroute on every device
> you can using IP addresses (8.8.8.8 is a good one to use), where does it
> drop?  Dig is another command that checks if you can get DNS info and
> resolve names.  Maybe your clients can get out using IPs, but not
> hostnames.
>
> Based on what you've provided, I assume your network is set up like this:
> internet <--> modem <--> firewall <--> ap <--> all your clients
>
> My initial guess is that your firewall/AP is not giving out the correct
> DHCP information for clients to get to the internet.  Most APs are also
> routers with firewalls that hand out DHCP.  Some can go into AP only mode,
> disabling those other features.  How is yours set up?
>
> Here's how I'd recommend configuring that so things work smoothly now, and
> after a reboot/power outage.  Have your modem hand out DHCP, but give your
> firewall a static IP outside the DHCP range and have the modem put that IP
> into the DMZ (useful if you forward ports to internal services, or play
> multiplayer games online).  Have your firewall handle DHCP for your
> internal network, have your AP only be an AP (put in AP mode if it's
> capable of more), and your clients should get DHCP and think of your
> firewall as the edge of your network.
>
> This setup gives you flexibility to plug your clients directly into the
> modem if you need to, or to plug your AP into the modem and leave your
> clients connected to the AP, in case you need to troubleshoot the
> firewall.  I'll also second the recommendation for pfSense, and nominate
> the free Sophos UTM as well.
>
>
> Thanks,
> Sean
>
>
> Date: Mon, 6 Mar 2017 16:24:13 -0600
> > From: Tom Sellers <tsellers2009 at gmail.com>
> > To: Central Iowa Linux Users Group <cialug at cialug.org>
> > Subject: [Cialug] Firewall question
> > Message-ID: <CAGMb6GQXJLDuH2TjTQTb704c8HoUEX1ycDhr1ggCDnkForuw+w at mail.gmail.com>
> > Content-Type: text/plain; charset=UTF-8
> >
> > I am trying to insert a firewall between my cable modem and my wireless
> > access point.  The firewall is just a computer running a linux variant.
> > (Devil
> >
> > I can ping the outside world from the firewall machine keyboard and resolve
> > pings such as "ping www.yahoo.com" fine. The problem is that none of the
> > machines connected to the wireless access point either by wire or wireless
> > have any address resolution or internet access.
> >
> > Right now I have the network attached to my existing network for testing.
> >
> > For example:    Existing home network ---- firewall machine --- new
> > wireless router --- 3 test machines (two wireless and 1 cabled)
> >
> > The firewall gets a DHCP address from my existing network as it would from
> > my cable provider.  The other side of the firewall is set up with a fixed
> > IP connected to one of the ports on the new wireless router (192.168.9.254)
> > (wireless router is 192.168.9.1).
> >
> > I am not that familiar with all the command line IP commands but can verify
> > the IPs of the various devices.  It seems to me there is a route missing
> > that prevents the internal IP from talking to the external IP of the
> > firewall.
> >
> > Anyone out there that can enlighten me as a somewhat inexperienced linux
> > user?
> > ------------------------------
> >
> _______________________________________________
> Cialug mailing list
> Cialug at cialug.org
> http://cialug.org/mailman/listinfo/cialug
>
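Sean's checklist above (confirm the client's default route, then see where traceroute stops) applied to the symptom Tom reports, as an added example that is not part of anyone's post on this thread. The `ip route` and traceroute outputs below are constructed to resemble the situation described (both hops answering from 192.168.9.1), not captured from Tom's network, and the function names are invented for the example.

```shell
#!/bin/sh
# Offline walk-through of the two checks Sean suggests: does the client have a
# default route, and where does traceroute stop? The data is constructed.

# Constructed `ip route` output from a client behind the wireless router.
SAMPLE_ROUTES='default via 192.168.9.1 dev wlan0 proto dhcp metric 600
192.168.9.0/24 dev wlan0 proto kernel scope link src 192.168.9.37 metric 600'

# Constructed traceroute output: both hops answer from the router and the
# second one reports "network unreachable" (!N), so nothing reaches the firewall.
SAMPLE_TRACE='traceroute to 8.8.8.8 (8.8.8.8), 30 hops max, 60 byte packets
 1  192.168.9.1 (192.168.9.1)  1.234 ms  1.100 ms  1.050 ms
 2  192.168.9.1 (192.168.9.1)  2.345 ms !N  2.210 ms !N  2.100 ms !N'

# default_gateway ROUTE_TEXT: print the gateway of the default route, if any.
default_gateway() {
    printf '%s\n' "$1" | awk '$1 == "default" && $2 == "via" { print $3; exit }'
}

# last_hop TRACE_TEXT: print the address of the last hop that answered.
# Hop lines start with a hop number; timed-out probes show "*" in field 2.
last_hop() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ /{ if ($2 != "*") last = $2 } END { print last }'
}

# hop_stuck TRACE_TEXT: succeed when two consecutive hops report the same
# address, i.e. the packet keeps coming back to one router. From the client
# this is what a router with no onward route looks like.
hop_stuck() {
    printf '%s\n' "$1" | awk '/^ *[0-9]+ /{ if ($2 == prev) found = 1; prev = $2 } END { exit !found }'
}

# diagnose ROUTE_TEXT TRACE_TEXT EXPECTED_GW: one-line verdict.
diagnose() {
    gw=$(default_gateway "$1")
    hop=$(last_hop "$2")
    if [ -z "$gw" ]; then
        echo "no default route: client cannot leave its own subnet"
    elif [ "$gw" != "$3" ]; then
        echo "default route points at $gw, expected $3"
    elif hop_stuck "$2"; then
        echo "default route OK ($gw) but traceroute never gets past $hop: check that $hop has a route onward to the firewall and that the firewall forwards"
    else
        echo "default route OK ($gw); last responding hop $hop"
    fi
}

# Run against the constructed data; on a real client you would feed it the
# output of `ip route` and `traceroute -n 8.8.8.8` instead.
diagnose "$SAMPLE_ROUTES" "$SAMPLE_TRACE" 192.168.9.1
```

The expected gateway is a parameter because it differs per device: a client behind the wireless router should point at 192.168.9.1, while the router itself should point at the firewall's inside address, 192.168.9.254. Running the same checks from each device in turn, as Sean suggests, shows which hop lacks the route.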

