# 2 Hardware Firewall?



## FireFox (Dec 31, 2014)

Is it possible to use two Firewalls together?

I have a Netgear Firewall and I would like to build an IpCop Firewall with an old pc that I have lying around.
What are the advantages and disadvantages, any benefits?

Cheers.


----------



## newtekie1 (Dec 31, 2014)

Yes it is possible, but not recommended.


----------



## Steevo (Dec 31, 2014)

What do you hope to gain? Double NAT traversal doesn't really add any extra security, and unless you are adding a secondary subnet with other rights or privileges there is no purpose for it. It may slow your connection however, as each time it takes a number of ms to scan each packet, plus another failure point for the network.


----------



## FireFox (Dec 31, 2014)

Steevo said:


> It may slow your connection however, as each time it takes a number of ms to scan each packet, plus another failure point for the network.



That was my concern.


----------



## remixedcat (Jan 1, 2015)

Use one as the router and one as a switch. Thing is VLANs won't work without a managed switch. "dumb switches" don't pass VLANs over from the router. YOU MUST HAVE A MANAGED SWITCH WITH TRUNK PORTS.


----------



## FireFox (Jan 1, 2015)

This is what I have:

Telekom Speedport W 921V  
(it's a Modem Router, I have it setup just as Modem)

SPEC Here:
http://mobil.idealo.de/preisvergleich/OffersOfProduct/2806329_-speedport-w-921v-telekom.html

Next:

Brand: NETGEAR
Series: ProSafe
Model: FVS318N-100NAS

SPEC

Firewall Type: Gen 2 Stateful Filter

Type: Wired + Wireless

Technology: IEEE 802.11b/g/n

Frequency Band: 2.4 GHz

Simultaneous Sessions: 6000

Throughput: 95 Mbps

Ports: 1 x 10/100/1000M WAN, 8 x 10/100/1000M LAN

LAN Ports: 8 x RJ-45

WAN Ports: 1 x RJ-45

Wired Speed: 10/100/1000 Mbps

Encryption Standard: DES, 3DES, AES

VPN
Box-to-box, client-to-box, authentication (MD5, SHA-1), Manual Key, shared secret, key management (IKE, Diffie-Hellman, manual), X.509 certificate support, DES, 3DES and AES IPsec encryption

Features
Protocol: Network: IP routing, TCP/IP, UDP, ICMP, PPPoE; IPv4/IPv6 support
IP addressing: DHCP (client and server)
Routing: RIP v1, RIPv2 (static routing, dynamic routing)
VPN/security: IPsec (ESP), IKE, PKI, HTTPS
Application: IPsec pass-through, H.323, Instant Messenger, RealPlayer, QuickTime, DialPad, SIP proxy, two-factor authentication
Functions: VPN Wizard to simplify configuration of IPsec VPNs; Auto Detect to automatically detect ISP address type (static, dynamic, PPPoE); Port range forwarding; Port triggering; Enable/disable WAN ping; DNS proxy; MAC address cloning/spoofing; Network Time Protocol (NTP) support; Diagnostic tools (ping, DNS lookup, trace route, other); Port/service Auto-Uplink on switch ports; L3 Quality of Service (QoS) LAN-to-WAN and WAN-to-LAN (ToS); b/g/n Wireless Interface 2.4 GHz; SIP ALG; GUI-selectable DMZ port
Firewall: Stateful packet inspection (SPI), DoS attack detection/logging, dropped packet log, security event log, email log; 95 Mbps LAN-WAN throughput; 6000 concurrent connections
Hardware: 300 MHz 32-bit RISC CPU, 32 MB Flash, 128 MB DRAM

My setup goes this way: 

Speedport W 921V as Modem - Netgear managed Firewall.


----------



## Aquinus (Jan 1, 2015)

Knoxx29 said:


> I have a Netgear Firewall and I would like to build an IpCop Firewall with an old pc that I have laying around,
> which are the advantages and disadvantages, any benefits?


Zero benefits. Ditch the current router and build a gateway to do everything instead. There is no reason to isolate your network within two levels of private network space. That's only going to add latency and screw with NAT. I would get that old PC, get two network cards in it, and make it your router and firewall and use the old router strictly as a wireless AP. That's how my network is set up, granted my gateway is Debian and I manage iptables, DHCP, and BIND by hand.

Either way, don't over-complicate it. If it's harder for you to figure out, there is a good bet it's harder for the routers to figure out as well, so keep it simple.


----------



## qubit (Jan 1, 2015)

I've run IPCop before and it's an excellent firewall with great reliability. However, the inner firewall (IPCop in this case) won't have anything to block so will be redundant. You'd be better off switching off the Netgear firewall and letting IPCop do all the work, and it will be more secure than with the Netgear one.

Having two firewalls going will only give you all the problems described by the others, above. Perhaps the one case where there may be a slight benefit is if you want to use certain features of IPCop that the Netgear firewall doesn't have. Still just turn off the Netgear one if you're going to do this.


----------



## remixedcat (Jan 1, 2015)

Aquinus said:


> Zero benefits. Ditch the current router and build a gateway to do everything instead. There is no reason to isolate your network within two levels of private network space. That's only going to add latency and screw with NAT. I would get that old PC, get two network cards in it, and make it your router and firewall and use the old router strictly as a wireless AP. That's how my network is setup, granted my gateway is Debian and I manage IP tables, DHCP, and BIND by hand.
> 
> Either way, don't over-complicate it. If it's harder for you to figure out, there is a good bet its harder for the routers to figure out as well, so keep it simple.




Well I have VLANs to isolate guest traffic and have shaping rules on it, but it's all on the same hardware though.


----------



## hat (Jan 1, 2015)

Really no benefits, unless you're worried about security or something. Then there's no benefit to having 2 firewalls, only the benefit of having one firewall that's better than the one you already had. There is really no reason to turn an old PC into a router unless you want advanced security features, or some sort of convenience feature like a router that can also run a *real* NAS.

I did it one time to make sure my router wasn't holding my network performance back. I wound up using a really old socket 423 P4 and after trying a few I wound up using the x86 DD-WRT build, as I wanted DMZ, and DMZ to an advanced firewall like m0n0wall is not the same DMZ you may be used to when looking at conventional routers, and m0n0wall, though I could manage it, was simply too complicated and over the top for what I wanted. I then had to have a separate switch as well as a wireless AP to fulfill the networking needs I had. I decided the setup was too bulky, inefficient and over the top for what I wanted. Now that I have a good router (ASUS RT-N66R) I haven't looked back. The only reason to do that now would be for advanced security I don't need.


----------



## remixedcat (Jan 1, 2015)

I outgrew consumer routers.


----------



## hat (Jan 1, 2015)

remixedcat said:


> I outgrew consumer routers.


I'd be interested to hear what needs you have that a standard consumer router couldn't meet.

_Note to self: this is an enthusiast forum, we're techno-extremists, 'if it ain't broke don't fix it' need not apply to us_


----------



## FireFox (Jan 1, 2015)

hat said:


> only the benefit of having one firewall that's better than the one you already had


That was my point.
I decided to keep it as I have it set up right now, I don't want to go that deep into Modem, Routers and Firewall configurations as things can just get more complicated and so far my Router and my Firewall have done a good job. @Aquinus's idea is good but I want to keep the Netgear Firewall running because I paid over 200€ for it and it would be a pity to just have it lying around, and because it does the job.


----------



## remixedcat (Jan 1, 2015)

hat said:


> I'd be interested to hear what needs you have that a standard consumer router couldn't meet.
> 
> _Note to self: this is an enthusiast forum, we're techno-extremists, 'if it ain't broke don't fix it' need not apply to us_




VLANs with custom IP ranges/firewall settings, advanced traffic shaping beyond simple QoS, monitoring of all aspects of the network, RF control beyond transmit levels, Full trunk ports to pass VLANs over to switches, APs, etc.

I fix a lot of client computers that still require connectivity to get anti-virus updates, windows updates, etc. I keep them on a 3rd VLAN with strict ACLs and only have a few services allowed. Anyone is a dumbass if they fix a client system on the same segment as their main/production systems.

Good enough reason for yah??


----------



## Aquinus (Jan 2, 2015)

remixedcat said:


> VLANs with custom IP ranges/firewall settings, advanced traffic shaping beyond simple QoS, monitoring of all aspects of the network, RF control beyond transmit levels, Full trunk ports to pass VLANs over to switches, APs, etc.
> 
> I fix a lot of client computers that still require connectivity to get anti-virus updates, windows updates, etc. I keep them on a 3rd VLAN with strict ACLs and only have a few services allowed. Anyone is a dumbass if they fix a client system on the same segment as their main/production systems.
> 
> Good enough reason for yah  ??


We are talking consumer hardware aren't we? Most consumers don't need VLANing or anything beyond simple QoS. The features you describe would be useful for businesses and people who know what they're doing. Your everyday person won't care about fixing laptops on a segregated VLAN, advanced packet shaping, full network logging and stats tracking, or full wifi control.

I think it's important to say a lot of people here at TPU like yourself and I are the exception, not the rule. We do things most people don't care about or even knew existed, mainly because our field and jobs demanded that we know about it. ...and why not utilize skills at home and at work if the situation called for it? That doesn't mean we're still not the exception to the rule though. Consumer grade routers fulfill consumer grade networks and users. It is we who aren't the typical consumers. Also, I don't consider business use to fall under the "consumer" category.


----------



## joyman (Jan 2, 2015)

No need for all the trouble you will get. Just buy some nice router that is supported by dd-wrt or open-wrt. Flash it with either and configure whatever you like or need. For your need I doubt you need a full-fledged PC as router and it will consume much more power for no benefit.


----------



## erixx (Jan 2, 2015)

I have a cablemodem + a router, both with firewall active, plus Windows firewall. I guess I should not even have a working internet but it works flawlessly.


----------



## Aquinus (Jan 2, 2015)

erixx said:


> I have a cablemodem + a router, both with firewall active, plus Windows firewall. I guess I should not even have a working internet but it works flawlessly.


A router actually does packet routing. A firewall decides if traffic should be let through or not. There is nothing wrong with having two firewalls in front of each other, it just doesn't serve much purpose. The issue comes up when you try to have two routers in series because packets start having trouble traversing two levels of NAT. This only isn't the case if you're using bridge mode (in which case, you're not using the firewall either,) or if you're using static routes to segregate physical networks, but none of this has to do with the fact there are two or more Firewalls. My laptops always have a firewall enabled since they're roaming and I have a pretty strict firewall on my gateway here at home, so that's a non-issue.

Not that anyone really cares, but since we're on the topic of firewalls, I feel that this is a great time to share my iptables config on my gateway. It's pretty basic, but it gets the job done.

```
root@Sophia:~# iptables -L -v
Chain INPUT (policy DROP 1450K packets, 152M bytes)
pkts bytes target     prot opt in     out     source               destination    
    0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:domain
    0     0 ACCEPT     udp  --  virbr0 any     anywhere             anywhere             udp dpt:bootps
    0     0 ACCEPT     tcp  --  virbr0 any     anywhere             anywhere             tcp dpt:bootps
 343K  161M ACCEPT     all  --  lo     any     anywhere             anywhere        
  20M   19G ACCEPT     all  --  eth0   any     anywhere             anywhere             ctstate RELATED,ESTABLISHED
  43M   15G ACCEPT     all  --  any    any     10.10.10.0/24        anywhere        
    0     0 ACCEPT     udp  --  eth0   any     google-public-dns-a.google.com  anywhere             udp dpt:domain
    0     0 ACCEPT     udp  --  eth0   any     google-public-dns-b.google.com  anywhere             udp dpt:domain
    0     0 ACCEPT     udp  --  eth0   any     cdns01.comcast.net   anywhere             udp dpt:domain
    0     0 ACCEPT     udp  --  eth0   any     cdns02.comcast.net   anywhere             udp dpt:domain
    0     0 ACCEPT     tcp  --  eth0   any     google-public-dns-a.google.com  anywhere             tcp dpt:domain
    0     0 ACCEPT     tcp  --  eth0   any     google-public-dns-b.google.com  anywhere             tcp dpt:domain
    0     0 ACCEPT     tcp  --  eth0   any     cdns01.comcast.net   anywhere             tcp dpt:domain
    0     0 ACCEPT     tcp  --  eth0   any     cdns02.comcast.net   anywhere             tcp dpt:domain
 120K   40M ACCEPT     udp  --  eth0   any     anywhere             anywhere             udp dpt:bootpc
    9   576 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:60022
    1    40 ACCEPT     tcp  --  eth0   any     anywhere             anywhere             tcp dpt:60088

Chain FORWARD (policy ACCEPT 146M packets, 214G bytes)
pkts bytes target     prot opt in     out     source               destination    
    0     0 ACCEPT     all  --  virbr0 virbr0  anywhere             anywhere        
    0     0 REJECT     all  --  any    virbr0  anywhere             anywhere             reject-with icmp-port-unreachable
    0     0 REJECT     all  --  virbr0 any     anywhere             anywhere             reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT 35M packets, 124G bytes)
pkts bytes target     prot opt in     out     source               destination
```
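
The INPUT chain above, modelled as an added example that is not Aquinus's own code: a first-match rule evaluator loaded with the listing's rules and its DROP policy, which shows which packets the chain accepts and, as a hardening check, that the 10.10.10.0/24 accept rule is not bound to any interface. The Comcast resolver addresses and the LAN interface name eth1 are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str                  # ingress interface: "eth0", "virbr0", "lo", ...
    proto: str                  # "tcp", "udp" or "icmp"
    src: str                    # source IPv4 address
    dport: Optional[int] = None
    ctstate: str = "NEW"        # conntrack state: NEW, ESTABLISHED or RELATED

@dataclass(frozen=True)
class Rule:
    target: str                          # ACCEPT / DROP / REJECT
    iface: Optional[str] = None          # None = "any"
    proto: Optional[str] = None          # None = "all"
    src: Optional[str] = None            # host or CIDR; None = "anywhere"
    dport: Optional[int] = None
    ctstates: frozenset = frozenset()    # empty = no ctstate match

    def matches(self, p: Packet) -> bool:
        return ((self.iface is None or p.iface == self.iface)
                and (self.proto is None or p.proto == self.proto)
                and (self.src is None or ip_address(p.src) in ip_network(self.src))
                and (self.dport is None or p.dport == self.dport)
                and (not self.ctstates or p.ctstate in self.ctstates))

def evaluate(chain: List[Rule], policy: str, p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; the chain policy applies when none matches."""
    for i, rule in enumerate(chain):
        if rule.matches(p):
            return rule.target, i
    return policy, None

# Google's resolvers as in the listing; the Comcast resolvers are replaced by
# constructed TEST-NET placeholders, and the LAN interface is assumed to be eth1.
DNS_SERVERS = ["8.8.8.8", "8.8.4.4", "203.0.113.1", "203.0.113.2"]
INPUT_POLICY = "DROP"
INPUT = (
    [Rule("ACCEPT", "virbr0", proto, dport=port)          # DNS/DHCP for libvirt guests
     for port in (53, 67) for proto in ("udp", "tcp")]
    + [Rule("ACCEPT", "lo"),
       Rule("ACCEPT", "eth0", ctstates=frozenset({"RELATED", "ESTABLISHED"})),
       Rule("ACCEPT", src="10.10.10.0/24")]               # "in any": not bound to LAN
    + [Rule("ACCEPT", "eth0", proto, src=s, dport=53)     # 0 hits in the listing:
       for proto in ("udp", "tcp") for s in DNS_SERVERS]  # replies match rule 5 first
    + [Rule("ACCEPT", "eth0", "udp", dport=68),           # DHCP offers on the WAN side
       Rule("ACCEPT", "eth0", "tcp", dport=60022),
       Rule("ACCEPT", "eth0", "tcp", dport=60088)]
)

# Hardening check: binding the LAN accept to the LAN interface means a packet
# arriving on eth0 with a 10.10.10.x source address is no longer trusted.
INPUT_HARDENED = [Rule("ACCEPT", "eth1", src="10.10.10.0/24") if r.src == "10.10.10.0/24" else r
                  for r in INPUT]

def decide(p: Packet, hardened: bool = False) -> str:
    """Verdict for one inbound packet under the posted chain or the hardened one."""
    return evaluate(INPUT_HARDENED if hardened else INPUT, INPUT_POLICY, p)[0]
```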


----------



## FireFox (Jan 2, 2015)

joyman said:


> Just buy some nice router


I already own a good Router and just for the fact that I paid 200€ for it I won't even remotely think to change it.



erixx said:


> I have a cablemodem + a router, both with firewall active, plus Windows firewall


I use two Firewalls, the one that is included with the Router and unfortunately it can't be turned off, and the Netgear one; Windows Firewall is turned off.


----------



## hat (Jan 2, 2015)

Well then why don't you just eliminate one of the routers?


----------



## FireFox (Jan 2, 2015)

hat said:


> Well then why don't you just eliminate one of the routers?


Why?
Because the Netgear Firewall must be connected to a Modem, and the Router that I have can be configured to work as Modem or Router.


----------



## hat (Jan 2, 2015)

I take it the Netgear router is the one you paid 200 euro for? You can't make the other one act as a modem only?

If no, why not contact the ISP and have them replace it with a modem only box... might save on the bill too. My ISP charged a small monthly fee to use their router.

_Side Question:_ since we're talking about double routers and such... what happens if someone builds an extremely large network with over 250 computers? Do you then need another router to open up another subnet (192.168.0.x is full, so now we have to use 192.168.1.x)? Can the computers on the .0 subnet communicate with the .1 subnet?


----------



## FireFox (Jan 2, 2015)

hat said:


> I take it the Netgear router is the one you paid 200 euro for? You can't make the other one act as a modem only?
> 
> If no, why not contact the ISP and have them replace it with a modem only box... might save on the bill too. My ISP charged a small monthly fee to use their router.


Each one cost me 200€. (400€ both)
That's what I meant, one is acting as Modem, it's Router and Modem but it can be set up to act as just Modem and so I did. I had a Router Modem from my ISP but I returned it back and then I bought the same Router Modem that my ISP gave me but the newest version.


----------



## hat (Jan 2, 2015)

So why not just return the Netgear router then and just use the modem+router you bought? The less stuff you have between you and the modem (and thusly the Internet) the better off you are, from a performance and compatibility (and less complications/headaches) standpoint.


----------



## FireFox (Jan 2, 2015)

hat said:


> So why not just return the Netgear router


Because I have had the Netgear for 1 year and six months, and as I tried to explain the Modem+Router is acting just as Modem and the Netgear as Firewall.

Read here to have a clear idea what the Netgear is.

http://www.netgear.com/business/products/security/FVS318N.aspx#tab-overview


----------



## brandonwh64 (Jan 2, 2015)

Hat, this should help on the 2 routers topic.

Having 2 firewalls is not ideal and is not recommended. What's the model number of the router you say cannot have the firewall turned off.


----------



## hat (Jan 2, 2015)

Well, you said the one firewall (I assume the modem+router box?) unfortunately could not be turned off. This led me to believe you were somewhat unhappy with that. Could you possibly return the modem/router box and replace it with a modem only unit?


----------



## FireFox (Jan 2, 2015)

brandonwh64 said:


> Whats the model number of the router you say cannot have the firewall turned off.



It's a Telekom Speedport W 921V

Model Number: 40259777



hat said:


> Well, you said the one firewall (I assume the modem+router box?) unfortunately could not be turned off. This led me to believe you were somewhat unhappy with that. Could you possibly return the modem/router box and replace it with a modem only unit?


That's right, the Firewall of the modem+router can't be turned off.

Can't return it because I have had it almost 2 years.


----------



## hat (Jan 2, 2015)

Well then, I am not sure what feature(s) you would be missing out on by removing the router, and using only the modem/router box. If the only reason you don't want to retire it is because it would be a shame to leave it collecting dust, maybe consider putting it up for sale somewhere.

Unless you would be missing out on a feature the Netgear router has that the Telekom one does not, or you want a separate subnet or something, I fully recommend removing the Netgear router and finding a nice home for it. Adding more routers can only complicate things and potentially cause issues.


----------



## FireFox (Jan 2, 2015)

hat said:


> I fully recommend removing the Netgear router and finding a nice home for it


I think that is what I am going to do. I am right now turning off the Netgear and setting up the Telekom one.


----------



## hat (Jan 2, 2015)

Sounds good.

It would be nice if someone made a modem/router that ALSO had phone lines. Currently I only see modem/router and modem/phone boxes. I wish I could have an all in one box that did it all... moot point anyway however as my ISP won't let me use my own modem.


----------



## FireFox (Jan 2, 2015)

hat said:


> Sounds good.
> 
> It would be nice if someone made a modem/router that ALSO had phone lines. Currently I only see modem/router and modem/phone boxes. I wish I could have an all in one box that did it all... moot point anyway however as my ISP won't let me use my own modem.


Set up done, I am using just the modem+router. BTW this modem router is great and, as you said, it has phone lines; I have my fax connected to it and my phone connected to the fax.


----------



## hat (Jan 2, 2015)

I looked and looked and looked some more a while back, but I hadn't found a phone/modem/router combo.

Moot point anyway... they won't let me use it!


----------



## FireFox (Jan 2, 2015)

hat said:


> Moot point anyway... they won't let me use it!


That's no fear, it's all because they want you to pay to use their Modem.

Here you can choose to use a Modem that your ISP gives you and pay around 4,50€ per month, or you can just buy one.



hat said:


> Well then, I am not sure what feature(s) you would be missing out on by removing the router, and using only the modem/router box.


The only feature that I will miss is that with the Netgear I can block:

porn Websites


----------



## remixedcat (Jan 3, 2015)

I can block whole categories on a VLAN basis with my Cisco Meraki Z1 router as well as my Aruba RAP109s

This is for the guest VLAN

and also using the standard domains, IPs, etc.

I can also do that PER USER regardless of VLAN


----------



## FireFox (Jan 3, 2015)

I can't compare my Router+Modem with the Netgear business Firewall; the Netgear is far better and it has many features that I won't ever use.


----------

