How to securely add a switch in front of the firewall--and which switch you recommend?

JeffRyer
JeffRyer Posts: 7  Freshman Member
edited March 8 in Switch

The ISP is giving us one port on their switch for Internet, but we have two firewalls (separate organizations needing to share the same Internet) that we need to plug in. I'm looking to put a switch behind the ISP switch and in front of the two firewalls. We use Nebula. I think I'm looking for a small Nebula switch—only 4 ports are required—that can be in front of the firewall yet still secured. Ideally, the switch would have a separate management port that I could plug into the management VLAN that would go out Nebula, but not allow access from the other ports, to keep things separate and secure. Is there such a switch? If not, then I'm thinking the next best thing would be to assign a port to the management VLAN and plug it into our network (an existing Nebula switch). Is that enough security? What do you recommend? Which model switch is best?

EDIT: The ISP provides a block of 5 usable public static IP addresses. Each firewall gets a public IP.

Thanks,

Jeff

Accepted Solution

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee
    Answer ✓

    Hi @JeffRyer,

    You may reference the configuration example below; I assume VLAN 1 is your management VLAN here:

    For management VLAN ports:

    For non-management VLAN ports:

    In addition, if your switch uses a public IP to connect to the Nebula, I suggest enabling access management, which is in the switch settings page, to block unauthorized access from the Internet.

    Additionally, the configurations are similar if the switch management VLAN is under the LAN interface of one of your firewalls. You just need to change the connection. Like below:

    GS1915 (management VLAN port) --- Firewall LAN --- Firewall WAN --- (non-management VLAN port) GS1915 (non-management VLAN port) --- ISP
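    A worked check of the port/VLAN layout this answer describes, added here as an example (it is not code from the thread or from Zyxel). It assumes an 8-port GS1915-8-style switch, VLAN 1 as the management VLAN, and a constructed VLAN id 100 for the non-management WAN ports; it models whether untagged frames can cross between ports and flags any port where the management VLAN is carried on the Internet-facing side.

```python
# Added example (not from the thread or from Zyxel): model the port/VLAN layout the
# accepted answer describes and check the isolation the poster asked for.
# Assumptions: an 8-port GS1915-8-style switch, VLAN 1 = management (as in the answer),
# VLAN 100 = the non-management WAN VLAN (100 is a constructed id, the thread names none).
from dataclasses import dataclass, field

@dataclass
class Vlan:
    vid: int
    members: set = field(default_factory=set)    # ports that carry this VLAN
    forbidden: set = field(default_factory=set)  # ports explicitly barred from it

@dataclass
class Switch:
    vlans: list
    pvid: dict        # port -> VLAN assigned to untagged frames entering that port
    mgmt_vlan: int = 1

def vlan(sw, vid):
    return next((v for v in sw.vlans if v.vid == vid), None)

def can_reach(sw, src, dst):
    """True if an untagged frame entering port src may be flooded out of port dst."""
    v = vlan(sw, sw.pvid.get(src))
    return v is not None and src != dst and dst in v.members and dst not in v.forbidden

def isolation_issues(sw, wan_ports, mgmt_ports):
    """Every way the WAN-side ports and the management port(s) could share traffic."""
    issues = []
    for w in sorted(wan_ports):
        for m in sorted(mgmt_ports):
            if can_reach(sw, w, m) or can_reach(sw, m, w):
                issues.append(f"WAN port {w} and management port {m} share a VLAN")
    # The management VLAN must never be carried on a port facing the ISP or a firewall WAN;
    # otherwise a tagged frame from that side could land in the management network.
    for p in sorted(wan_ports & vlan(sw, sw.mgmt_vlan).members):
        issues.append(f"management VLAN {sw.mgmt_vlan} is carried on WAN-facing port {p}")
    return issues

def hardened_switch():
    # 1: ISP uplink, 2: Sophos WAN, 3: Fortinet WAN, 8: link into the LAN-side Nebula switch
    return Switch(vlans=[Vlan(100, {1, 2, 3}, {4, 5, 6, 7, 8}), Vlan(1, {8}, {1, 2, 3})],
                  pvid={1: 100, 2: 100, 3: 100, 8: 1})

def weak_switch():
    # Same, but VLAN 1 was left at its factory default of "every port is a member".
    return Switch(vlans=[Vlan(100, {1, 2, 3}), Vlan(1, {1, 2, 3, 4, 5, 6, 7, 8})],
                  pvid={1: 100, 2: 100, 3: 100, 8: 1})
```

    Running `isolation_issues(weak_switch(), {1, 2, 3}, {8})` lists six problems, while the hardened layout reports none and still lets both firewall WAN ports reach the ISP uplink.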

All Replies

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    edited March 7

    What firewalls do you have? Is your ISP giving you more than one WAN IP?

    Here is a setup I do for one WAN IP, which a GS1915-8 should be able to do like my GS2210-24:

    Or, if you only have one WAN IP, you need another USG firewall.

    Or, if your ISP gives you more than one WAN IP, a simple unmanaged switch would work.

    Note: if you only have one WAN IP, you can only have one port 443 from any source.

  • Zyxel_Melen
    Zyxel_Melen Posts: 2,409  Zyxel Employee

    Hi @JeffRyer,

    There are many ways to achieve your purpose. Before providing advice to you, how many IP addresses does your ISP provide? One static IP address with 4 dynamic IP addresses (PPPoE)?

  • JeffRyer
    JeffRyer Posts: 7  Freshman Member
    edited March 8

    The ISP provides a block of 5 usable public static IP addresses. Each firewall gets a public IP. One firewall is Sophos and the other is Fortinet.

    @PeterUK , that makes sense. How do I do that in Nebula? The VLANing is quite a bit different in Nebula—I don't see a Forbidden setting. I think the GS1915-8 is what I'm looking for.

    I'd also like to plug the proposed GS1915-8 into my network (a Nebula switch behind the Sophos firewall) on its management VLAN, where the GS1915-8 will get access to Internet/Nebula and we can manage and monitor the GS1915-8.

  • PeterUK
    PeterUK Posts: 3,389  Guru Member
    edited March 8

    As you have a block of 5 usable public static IPs, the setup is more simple. If you don't see Forbidden, it might be because the port is not set as part of the VLAN; I don't use Nebula, so I can't tell.

    As for "plug the proposed GS1915-8 into my network", just use one of the VLAN 1 ports 3-7 onto a LAN behind the firewall.

    Note: the GS1915-8 is not a rackmount.
