How to securely add a switch in front of the firewall--and which switch you recommend?

JeffRyer

The ISP is giving us one port on their switch for Internet, but we have two firewalls (separate organizations needing to share the same Internet) that we need to plug in. I'm looking to put a switch behind the ISP switch and in front of the two firewalls. We use Nebula. I think I'm looking for a small Nebula switch—only 4 ports are required—that can be in front of the firewall yet still secured. Ideally, the switch would have a separate management port that I could plug into the management VLAN that would go out Nebula, but not allow access from the other ports to keeps things separate and secure. Is there such a switch? If not, then I'm thinking the next best thing would be to assign a port to the management VLAN and plug it into our network (an existing Nebula switch). Is that enough security? What do you recommend? Which model switch is best?

EDIT: The ISP provides a block of 5 usable public static IP addresses. Each firewall gets a public IP.

Thanks,

Jeff

PeterUK

what firewalls do you have? is your ISP giving you more then one WAN IP?

Here is a setup I do for one WAN IP which a GS1915-8 should be able to do like my GS2210-24

Or if you only have one WAN IP you need another USG firewall

Or if your ISP gives you more then one WAN IP a simple Unmanaged switch would work

Note if you only have one WAN IP you can only have one port 443 from any source

Zyxel_Melen

Hi @JeffRyer,

There are many ways to achieve your purpose. Before providing advice to you, how many IP addresses does your ISP provide? One static IP address with 4 dynamic IP addresses (PPPoE)?

JeffRyer

The ISP provides a block of 5 usable public static IP addresses. Each firewall gets a public IP. One firewall is Sophos and the other it Fortinet.

@PeterUK , that makes sense. How do I do that in Nebula? The VLANing is quite a bit different in Nebula—I don't see a Forbidden setting. I think the GS1915-8 is what I'm looking for.

I'd also like to plug the proposed GS1915-8 into my network (a Nebula switch behind the Sophos firewall) on its management VLAN where GS1915-8 will get access to Internet/Nebula and we can manage and monitor the GS1915-8.

PeterUK

As you have a block of 5 usable public static IP the setup is more simple if you don't seeing Forbidden it might be if not set as part of the VLAN I don't use Nebula so can't tell.

As for plug the proposed GS1915-8 into my network just use one of the VLAN1 ports 3-7 onto a lan behind the firewall

note the GS1915-8 is not a rackmount

Zyxel_Melen

Hi @JeffRyer,

You may reference the configuration example below, I assume VLAN 1 is your management VLAN here:

For management VLAN ports:

For non-management VLAN ports:

In addition, if your switch uses a public IP to connect to the Nebula, I suggest enabling access management, which is in the switch settings page, to block unauthorized access from the Internet.

Additionally, the configurations are similar if the switch management VLAN is under the LAN interface of one of your firewalls. You just need to change the connection. Like below:

GS1915(management VLAN port) —- Firewall LAN ——- Firewall WAN —— (non-management VLAN port) GS1915 (non-management VLAN port) ——— ISP