DComTalk.com

I need help; I can't get any machine to get out the internet through
my Firebox II

I got the Firebox II for a donation of $15; I am new to it and have set
up several PIX 501 and 506 on my T1 without a problem, I reset the
firebox II to factory defaults using the crossover cable.


Here is how I set it up
Under Setup > Network Configuration > Interface Tab
I setup the machine with the External Interface of my T1's external
IP
Default Gateway of my T1s router
(Just as I do on my 501)

Under Setup > Network Configuration > WINS/DNS
I put in the T1's DNS server just as in the Pix 501
One thing I noticed is reading the help it says for the DNS servers
"These servers must be accessible from the Firebox Trusted
interface"

Of curse my DNS servers are external


On Outgoing I have Allowed Internal Host Any and External Any


Still I can not get any external IP my name or IP...somehow I think I
need to set up a route or I am having a DNS problem

Ed,

In article <1134572976.288685.44220@z14g2000cwz.googlegroups.com>,
google@gencode.com says...

I need help; I can't get any machine to get out the internet through
my Firebox II

I got the Firebox II for a donation of $15; I am new to it and have set
up several PIX 501 and 506 on my T1 without a problem, I reset the
firebox II to factory defaults using the crossover cable.


Here is how I set it up
Under Setup > Network Configuration > Interface Tab
I setup the machine with the External Interface of my T1's external
IP
Default Gateway of my T1s router
(Just as I do on my 501)

Under Setup > Network Configuration > WINS/DNS
I put in the T1's DNS server just as in the Pix 501
One thing I noticed is reading the help it says for the DNS servers
"These servers must be accessible from the Firebox Trusted
interface"

Of curse my DNS servers are external


On Outgoing I have Allowed Internal Host Any and External Any


Still I can not get any external IP my name or IP...somehow I think I
need to set up a route or I am having a DNS problem

First, you have to do a couple things:

Are you using the DHCP service on the Firebox?

Are you using 192.168.x.y/24 for your internal network?

Did you select Routed or Drop-in mode?

If you can access the System Manager, selec the POLICY MANAGER:

Select Network, Setup in menu

External Interface: Static, assign a public IP - make sure that you
enter the proper subnet (/24, /28, etc...), then enter the Default
Gateway Public IP address.

Trusted Interface: Enter the IP of the LAN segment (such as
192.168.10.1/24) the .1 is the LAN IP of the firebox.

Optional Interface: Leave blank for now.

Select WINS/DNS tab: Enter your PUBLIC DNS Server IP addresses.

Select OK

Select the SKULL Icon, Blocked Sites, make sure that your LAN subnet is
not listed or part of the blocked Sites ranges.

Select Setup, NAT Setup, make sure that you have the following:

Trusted-External
(others are OK, just make sure that you have at least T~E)

Add a DNS rule:

Incoming: Disabled

Outgoing: Enabled and Allowed
From Trusted to ANY
From Optional to ANY

Add a FILTERED_HTTP rule
Incoming: Disabled

Outgoing: Enabled and Allowed
From Trusted to External

Both rules should have "Choose Dynamic NAT Setup" as Use Default Simple
NAT.

Do the same for HTTPS, FTP, PING, POP-3 (if needed), and others.

Let me know if you need more help - you can email me via the address in
my sig.




--

spam999free@rrohio.com
remove 999 in order to email me

Are you using 192.168.x.y/24 for your internal network?
Yes

Did you select Routed or Drop-in mode?
Routed

Are you using the DHCP service on the Firebox?
Yes, thats setup and working fine

External Interface: Static, assign a public IP - make sure that you
enter the proper subnet

Yes, I am sure, that is fine

Trusted Interface: Enter the IP of the LAN segment (such as
192.168.10.1/24)

That was done, it is fine

Enter your PUBLIC DNS Server IP addresses
You mean the one that was given to us from the T1 provider? like

4.2.2.2 We do not have an interanl DNS server, just access the outside
world...very basic, like a soho cofig

Select the SKULL Icon, Blocked Sites, make sure that your LAN subnet is
not listed or part of the blocked Sites ranges.

Nothing is listed

Add a FILTERED_HTTP rule
Incoming: Disabled

Outgoing: Enabled and Allowed
From Trusted to External
This I dont have, only one for FTP that was setup by default.

Realy I want "All outbound open", is that not the default?

If not how do I do this?


Thanks for the feedback,

Ed,

I found the filter for "All Outgoing TCP", I figured the Green Arrow
that says Outgoing was the same, but now I dont think it is, I still
need to add in the web

Right now my policy I have these icons in this order from left to right
FTP ICON
Outgoing ICON
Ping ICON
Watchguard ICON

Ed,

In article <1134590422.038949.299760@g49g2000cwa.googlegroups.com>,
google@gencode.com says...

I found the filter for "All Outgoing TCP", I figured the Green Arrow
that says Outgoing was the same, but now I dont think it is, I still
need to add in the web

Right now my policy I have these icons in this order from left to right
FTP ICON
Outgoing ICON
Ping ICON
Watchguard ICON

If you do the ALL you will not be secure.

You really need to use the Services as they were intended, this means
you need to have proper rules:

HTTP
HTTPS
FTP
PING
DNS
TRACEROUTE

The watchguard rules are hidden - don't mess with those until you know
what you are doing.

You don't want to all ALL OUTBOUND, that would be a very bad thing.

--

spam999free@rrohio.com
remove 999 in order to email me

Leythos, thnaks again for the response, it is much appreciated...the
problem is this is going to be used on our ruel area neighborhood
hotspot with about 20 houses, and some people have games and other apps
that will be going out odd ports, so I need to allow all outbound
traffic. Of course all inbound that was not initiated by the
application should be blocked. this is the way the PIX 501 is setup,
the problem with the PIX 501 is that it only has a 10 user license, so
I wanted to do the same thing with the Firebox II as I do with the PIX.

Thanks again,

Ed,

Leythos...I got it, I say what you said on the "Any" filter...when I
clicked on it the warning was there...instrad I used the Outgoing TCP
and UDP, thats what I wanted...thanks for your help.

One other thing...is there a way to see what IP is using the most
bandwidth or to do QOS by IP on the Firebox II?

Ed,

....also most of the houses have 2 or more computers, and when they file
transfer from internal PC-PC or print on network printers I did not
want the packets traveling 1/2 mile to the main DLink 2100AP bridge at
our house and back their 2100AP...so including the firewall protection
this is another reaon why we put in the Linksys WRT54G at each house,
it puts everyone on there own 10.x.x.x.x network, they can transfer or
do whatever they want on there own LAN at there house and not really
affect the performance of the main wireless bridge on the 192.x.x.x
network unless they are trying to get out the internet.

Once again, thanks, it has been running for 8hrs and working well...and
no more 10 user limit :)

Ed,

In article <1134620590.763016.285470@g44g2000cwa.googlegroups.com>,
google@gencode.com says...

Leythos...I got it, I say what you said on the "Any" filter...when I
clicked on it the warning was there...instrad I used the Outgoing TCP
and UDP, thats what I wanted...thanks for your help.

One other thing...is there a way to see what IP is using the most
bandwidth or to do QOS by IP on the Firebox II?

There is no means to see what "IP" is using any bandwidth on that unit -
there is no QOS on the FB-II that I know of.

I think your approach is wrong with 20 houses:

I would setup a firewall as the border, then connect individual NAT
appliances for each house - this will keep each home from being able to
get INTO each other home (we do this in small offices with up to 30
different companies in the buildings).

Then, once you have a single fixed IP on the WAN side of the NAT units
(inside the LAN of the FB-II) you can then control what fixed IP has
what access. What I mean is that if House 1 has a fixed WAN IP of
10.10.0.1 and House 2 has a fixed WAN IP of 10.10.0.2, etc... then you
can create 20 ANY rules that specifically allow 10.10.0.1 in/out, then
10.10.0.2, .... This means that each house has it's own ANY rule, which
you can enable/disable without impacting the others. This permits you to
test for abuse and it means that each home is at a fixed network
location while their home LAN can do anything.

One thing - you want to make sure that each homes LAN subnet is
different from the other homes, so, setup each home starting at
192.168.100.0/24, then 192.168.101.0/24.... until each home has it's own
subnet.

By doing this from the start you will make your life easier when you
find that you have to map inbound or VPN traffic to the home.


--

spam999free@rrohio.com
remove 999 in order to email me

Super idea...but actually our houses are protected from each
other...here is what we have

The firebox has its external WAN port connected to the T1, the internal
LAN side of the firewall is on a 192.x.x.x netweork and is the gateway
for all the houses, the LAN port is "only" connected to our main
wireless bridge (DLink 2100 AP) that sends the signal out the main
antenna, each house has their own antenna connected to a 2100AP
wireless bridge, inside each house also has a Linksys SOHO router, the
WAN side of the Linksys SOHO roter is on a fixed IP and on the
192.x.x.x address, the LAN side of each house is on its own internal
10.x.x.x network.

So there is a firewall between each house and gives the control over to
the home user just as a cable modem config > SOHO would do.

At this time not much more control is needed and would prefer to give
the control to the individual home user as cable modem would do...but
if the need arises I will follow up more on your config.

Thanks for the help...the filter page is what I was missing, Ed,