dimitrifrom31 (Author) Posted July 23, 2012

I'm about to purchase my 1st hw firewall, was wondering if you guys had any recommendation based on your experience. It will be connected on a 1Gbps link and about 10 dedicated machines. Main goal being to block ddos attacks as much as possible.
ECF Posted July 23, 2012

I would say that you can't go wrong with a Cisco product.
dimitrifrom31 (Author) Posted July 23, 2012

Is the traffic throughput total traffic or the traffic you can allow (vs traffic blocked)? May sound like an idiot question but I've never used a hw fw before, so I'm wondering as it's not clear enough, and as I will get 1Gbps bw I'm not sure if I really need a 1Gbps throughput fw as they are horribly expensive.
CobbyJUK Posted July 24, 2012

I would recommend the Firebox 750e, it's really easy to configure, perfect for gaming. http://www.watchguard.com/products/core-e/overview.asp and they are a good price. Highly recommend.
dimitrifrom31 (Author) Posted July 24, 2012

CobbyJUK wrote:
> I would recommend the Firebox 750e, it's really easy to configure, perfect for gaming. http://www.watchguard.com/products/core-e/overview.asp and they are a good price. Highly recommend.

The product is discontinued but I can probably purchase a second hand one. Looks interesting but their support program is a bit confusing, do you pay a monthly fee and if yes how much to get access to updates etc?
CobbyJUK Posted July 24, 2012

I got mine from eBay, I knew someone from the datacenter who had one, was really easy to setup and configure. Think I paid ?150. Really good, you need to keep the same IP gateway for it to work or it can get a bit complicated though. I don't pay any monthly fee.
dimitrifrom31 (Author) Posted July 25, 2012

CobbyJUK wrote:
> I got mine from eBay, I knew someone from the datacenter who had one, was really easy to setup and configure. Think I paid ?150. Really good, you need to keep the same IP gateway for it to work or it can get a bit complicated though. I don't pay any monthly fee.

Funny, I actually bought one yesterday... on eBay... and for $149. Was so cheap compared to other fw with a 1Gbps+ throughput that I did not hesitate much. What do you mean exactly by "keep the same IP gateway", I'm not sure I get it, you mean the network default gateway? Good that you can get it to run without subscribing then. Thanks for your recommendation!
CobbyJUK Posted July 27, 2012

Yeah I meant default gateway. Yeah no subscription needed, really easy to use, all their software is on their site, all you need is the manager.
dimitrifrom31 (Author) Posted August 1, 2012

Thanks, do you know if it can manage different public IPs with different subnets on the same WAN port by any chance? I just received it but can't find that in the documentation.
CobbyJUK Posted August 1, 2012

There is loads online, you need to find out what version of firmware you have to get the manager. http://www.watchguard.com/help/docs/v72FireboxXEdgeUserGuide.pdf that's the docs. http://www.watchguard.com/help/docs/wsm/11/en-US/index_Left.html#CSHID=en-US%2Finstallation%2Fmgmt_station_setup_wsm.html|StartTopic=Content%2Fen-US%2Finstallation%2Fmgmt_station_setup_wsm.html|SkinName=WSM%20%28en-US%29 You will need to register, it's all free, then download the correct manager for your firmware. https://www.watchguard.com/archive/softwarecenter.asp Once you have the manager connected it's very easy to configure.
dimitrifrom31 (Author) Posted August 27, 2012

It appears that mine is running Fireware 10.2 and thus has no Web UI. According to the doc the Web UI is available for Fireware 11.X+ only. Apparently you cannot upgrade without subscribing to the LiveSecurity service? That does not make sense...
CobbyJUK Posted August 27, 2012

I'm using the same version, you can download the manager then connect to the device http://immortal-servers.com/downloads/WSM10_2b.exe The manager is fine, as long as you have set the server up correctly via the web side.
dimitrifrom31 (Author) Posted August 27, 2012

I got that manager but you can't get the Web UI with that version, right? So you can only manage it with the manager software? I shipped the firewall to the DC and the tech I hired told me so. Again, thank you for your time.
dimitrifrom31 (Author) Posted September 19, 2012

The firewall is now up and running, 8 servers are behind it and I'm preparing them as remote servers, however I'm only having issues. I tried different combos to figure out the only one that was "working" was to put the local IP as the server IP and the public IP as the "hardware firewall IP" in the TCA server config. It seems to work fine but whenever I create a server I'm receiving a TCA email plugin 403 error. Apparently TCA is receiving packets from the firewall IP which is not "white listed" since I did not add it into the servers' configurations (if doing so then no remote is working...). Now if I use the resend email tool it works fine and the email goes through...

How is your setup with the Firebox if you don't mind? Here is mine at the moment:

remote 001: Local IP = 192.168.5.10
remote 002: Local IP = 192.168.5.11
remote 003: Local IP = 192.168.5.12
remote 004: Local IP = 192.168.5.13
remote 005: Local IP = 192.168.5.14
remote 006: Local IP = 192.168.5.15
remote 007: Local IP = 192.168.5.16
remote 008: Local IP = 192.168.5.17

=> each remote monitor only has a local IP assigned (no public IP as this is handled by the firewall).

Firewall: local IP = 192.168.5.1, Public IP = 87.X.X.2

Firewall is routing traffic as follows:

Public IP => Local IP
87.X.X.20 => 192.168.5.10
87.X.X.21 => 192.168.5.11
87.X.X.22 => 192.168.5.12
87.X.X.23 => 192.168.5.13
87.X.X.24 => 192.168.5.14
87.X.X.25 => 192.168.5.15
87.X.X.26 => 192.168.5.16
87.X.X.27 => 192.168.5.17

and in the remote 001 TCA configuration I got:
monitor IP = 192.168.5.10
HW Firewall IP = 87.X.X.2

Other cons with a setup including a firewall:
- You have to use local IPs in game server configurations, which can be confusing for customers.
- You have to add the public IP in TCA servers > Configure IPs, else they will be displayed with their local IP to customers on the control panel.
- You also have to edit welcome emails so they use %iphostname% instead of %serverip%.
CobbyJUK Posted September 20, 2012

Ahh, you will need to allow the ports. What I did, I just opened all ports, I can't remember the range off hand, it was like 1 - 80000, something silly like that, and that will allow the RDP, or open the RDP port. I had issues before my firewall with empty packets and ddos's so that's all I use the firewall for, and then I just use a software firewall for the ports.
Admin-Nation-Servers Posted September 21, 2012

You shouldn't have to use Network Address Translation when you have a hardware firewall. You should be able to use public or Inside global IP addresses on the actual servers.
dimitrifrom31 (Author) Posted September 22, 2012

You mean DHCP? Well, I allowed all the traffic to go through, then I have set address translation so I'm using local IPs on machines/game servers and the firewall is routing the traffic from the global to the local IP. Was a bit of a pain to figure out a proper setup for TCAdmin but once you get it that's fine. One pro being that I can easily change/switch IPs without reconfiguring the game servers themselves, I only need to change the firewall rule.
Admin-Nation-Servers Posted September 22, 2012

No, I mean NAT. There are four types of NAT:

1. Dynamic NAT - Pool of public IP addresses mapped while external connections are being made. EX: 173.1.1.2 is mapped for the moment to 192.168.1.3
2. Static NAT - 1 global IP per local IP. EX: 173.1.1.2 is mapped specifically and always to 192.168.1.5
3. NAT Overload - 1 or more (usually one) global/public IP to represent the entire network through dynamic UDP/TCP IP & port mappings. EX: 173.1.1.2, TCP port 852 is mapped for the moment to 192.168.1.54, TCP 623
4. NAT-PT - This is not important for this case as it deals with translating IPv6 and IPv4 addresses and ports.

NAT was originally created to reduce the demand for IPv4 addresses.

You can set up DHCP to lease public addresses to the equipment/servers in your network that are in your assigned block (the range of public IPv4 addresses assigned to you). This will fix your problem with local addresses.
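As an added illustration (my own code, not from the thread, TCAdmin or WatchGuard), a small Python model of the three IPv4 NAT modes listed above, applied to the 1:1 layout from the September 19 post; the public addresses are constructed TEST-NET stand-ins for the redacted 87.X.X.* block and the master/control-panel address is likewise made up. It shows why a control panel that whitelists per-server public IPs sees the firewall's own address when outbound traffic is overloaded onto it instead of being statically mapped.

```python
from dataclasses import dataclass

# Constructed stand-ins: 203.0.113.0/24 (TEST-NET-3) replaces the redacted
# 87.X.X.* block; the private side mirrors the 192.168.5.0/24 layout above.
FIREWALL_PUBLIC = "203.0.113.2"
STATIC_MAP = {f"192.168.5.{10 + i}": f"203.0.113.{20 + i}" for i in range(8)}

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class Nat:
    """Translates packets in one of the three IPv4 NAT modes."""
    def __init__(self, mode, firewall_ip, static_map=None, pool=None):
        self.mode, self.firewall_ip = mode, firewall_ip
        self.static = dict(static_map or {})  # local -> public, fixed 1:1
        self.pool = list(pool or [])          # dynamic: unleased public IPs
        self.leases = {}                      # dynamic: local -> leased public
        self.ports = {}                       # overload: (local, port) -> fw port

    def outbound(self, pkt):
        """Rewrite the source of a packet leaving the private network."""
        if self.mode == "static":
            src, port = self.static[pkt.src_ip], pkt.src_port
        elif self.mode == "dynamic":
            if pkt.src_ip not in self.leases:
                if not self.pool:
                    raise RuntimeError("NAT pool exhausted")
                self.leases[pkt.src_ip] = self.pool.pop(0)
            src, port = self.leases[pkt.src_ip], pkt.src_port
        elif self.mode == "overload":
            key = (pkt.src_ip, pkt.src_port)
            port = self.ports.setdefault(key, 40000 + len(self.ports))
            src = self.firewall_ip
        else:
            raise ValueError(f"unknown NAT mode {self.mode!r}")
        return Packet(src, port, pkt.dst_ip, pkt.dst_port)

    def inbound_static(self, pkt):
        """Forward a packet arriving on a 1:1 public address to its server."""
        local = {pub: loc for loc, pub in self.static.items()}[pkt.dst_ip]
        return Packet(pkt.src_ip, pkt.src_port, local, pkt.dst_port)

def source_seen_by_master(mode):
    """Source IP the control panel sees for remote 001 under each NAT mode."""
    nat = Nat(mode, FIREWALL_PUBLIC, STATIC_MAP, pool=["203.0.113.30"])
    return nat.outbound(Packet("192.168.5.10", 51000, "198.51.100.9", 443)).src_ip
```

Only the static mode returns the address that the per-server whitelist would contain; overload returns the firewall's address, which matches the "not white listed" symptom described earlier in the thread.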